Tuesday, August 20, 2013

Security Researcher Hacks Mark Zuckerberg’s Wall To Prove His Exploit Works

GREG KUMPARAK

Sunday, August 18th, 2013
Earlier this week, security researcher Khalil Shreateh discovered a Facebook bug that allowed a hacker to post on anyone’s wall — even if they weren’t that person’s friend.
While he was able to prove to Facebook that his bug was legit (despite an initial response that it wasn’t a bug at all), Facebook wasn’t too happy with the way he did it: by using the bug to post on Zuckerberg’s otherwise friends-only wall.
Security research can be a pretty tough balancing act. If you don’t follow a company’s responsible reporting terms to a T, you might be robbing yourself of your fair share of recognition and, if the company is one of many that gives bug bounties, a chunk of cash. Alas, exploiting your way onto Zuck’s timeline… doesn’t exactly comply with Facebook’s reporting rules.
In his initial report of the bug, Khalil demonstrated that he was able to post on anyone’s wall by submitting a link to a post he’d made on the wall of Sarah Goodin (a college friend of Zuck’s, and the first woman on Facebook).
Unfortunately, the member of the Facebook Security team who clicked the link wasn’t friends with Goodin, whose wall was set to be visible to friends only. As a result, they couldn’t see Khalil’s post. (While Facebook Security can almost certainly override privacy settings to see anything posted on the site, they didn’t seem to do that here.)
“I don’t see anything when I click the link except an error”, responded Facebook’s Security team.
Khalil submitted the bug with the same link again, explaining that anyone investigating the link would need to either be Goodin’s friend or would need to “use [their] own authority” to view the private post.
“I am sorry this is not a bug”, replied the same member of the Security team, seemingly failing to grasp what was going on.
Khalil responded by taking his demonstration to the next level: if posting on the wall of one of Mark Zuckerberg’s friends didn’t get his point across, perhaps posting on Zuck’s own wall would?
On Thursday afternoon, Khalil posted a note into Zuckerberg’s timeline. “Sorry for breaking your privacy [to post] to your wall,” it read, “i [had] no other choice to make after all the reports I sent to Facebook team”.
Within minutes, Facebook engineers were reaching out to Khalil. He’d made his point.
Through Facebook’s whitehat exploit disclosure program, security researchers are paid at least $500 for each critical bug they report responsibly. $500 is just the minimum — the size of the bounty increases with the severity of the bug, with no set maximum.
Alas, there would be no bug bounty for Khalil. Amongst other terms, Facebook’s bug disclosure policy requires researchers to use test accounts for their investigations and reports, rather than the accounts of other Facebook users. By posting to Goodin’s and Zuck’s walls, he’d broken those rules pretty much right out of the gate. His reports also didn’t include enough detail on how to reproduce the bug, says Facebook:
Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.
We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.
Since Khalil’s initial post went up on Friday, there’s been a healthy debate as to whether or not Facebook should be paying him a bounty. On one hand, he broke their disclosure rules (perhaps unknowingly — as many have pointed out, Facebook’s disclosure terms are only available in English, which doesn’t seem to be Khalil’s first language); on the other, he was seemingly trying to report it responsibly rather than selling it to spammers.
Even Facebook’s own engineers have entered the discussion. On Hacker News, Facebook Security Engineer Matt Jones laid things out as he saw them:
For background, as a few other commenters have pointed out, we get hundreds of reports every day. Many of our best reports come from people whose English isn’t great – though this can be challenging, it’s something we work with just fine and we have paid out over $1 million to hundreds of reporters. However, many of the reports we get are nonsense or misguided, and even those (if you enter a password then view-source, you can access the password! When you submit a password, it’s sent in the clear over HTTPS!) provide some modicum of reproduction instructions. We should have pushed back asking for more details here.
However, the more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat. We allow researchers to create test accounts here: https://www.facebook.com/whitehat/accounts/ to help facilitate responsible research and testing. In this case, the researcher used the bug he discovered to post on the timelines of multiple users without their consent.
What say you? Should Facebook bend the rules and shell out? Would breaking the rules set a dangerous precedent?


Saturday, August 10, 2013

Five Things Entrepreneurs Should Never Do

JAMES ALTUCHER

posted yesterday
Editor’s note: James Altucher is an investor, programmer, author, and several-times entrepreneur. His latest book, “Choose Yourself!” (foreword by Dick Costolo, CEO of Twitter) came out on June 3. Follow him on Twitter @jaltucher.
I’m breaking all the rules.
I’m at a silent retreat for the week. No talking!
My wife is two doors down. She said to me before we went silent for the week, “put your computer on airplane mode.”
It’s in a beautiful area. There are paths and trees and birds and flowers and benches to sit on with sprawling landscapes and blah blah blah.
I like to stay in my room and write. And I break rules. I won’t open my mouth but I will break rules.
Don’t tell my wife.
A friend of mine has a startup. It’s a neat little product. He’s still in stealth mode so it’s not important what the product is.
But I thought of a company that could use the product and I like to help my friends.
I called the CEO of the company (before the retreat). They have about a billion in revenues and are very profitable. I said, “can you use this?” And I described something that I felt they really needed that could make a lot of money. The CEO said, “we would love this”.
The head of sales of the billion revenue company got all the data I needed to help my friend make a demo.
I called my friend, sent a spec of what I wanted, and said “can you make a demo of what this company needs.” He said, “absolutely. It would literally take minutes to do.”
Then he made the following mistakes.
To be fair, I wish I had been as smart as him when I was 26 years old. One thing he’s done very well at is keeping in touch with me with a “Hi, hope things are well” every month for the past six years. But here are his mistakes.
1) He was late.
This was perfectly set up for the software of his company. A week later I had to remind him about what he said. He replied, “oh yeah, sorry.” And within an hour he had something to me although it wasn’t quite what I asked for (more below).
Why was he late?
2) He was focused on raising money.
He was busy building a prototype of something to show venture capitalists. I get it. Raising money is important. But don’t be an idiot.
A billion-revenue company is either a potential investor, a potential acquirer, a partner, a distribution channel, or something you can show off to venture capitalists to both increase your valuation and raise money. Or all of the above.
3) He under-delivered.
The first thing he showed me had four or five glaring mistakes that were either different than what I asked or things I didn’t think to ask because they were clearly not what the client wanted.

THERE’S A BIG DIFFERENCE BETWEEN WINNING AT A HACKATHON AND MAKING MONEY.

He tried too hard to fit his exact software with the data I was giving him.
If you have no clients and no revenues then it becomes your job to find clients and revenues — not make people use your product.
The client doesn’t pivot. You pivot.
There’s a big difference between winning at a hackathon and making money.
The hackathon culture that sprung up in the past two or three years by venture capitalists is bullshit. It’s not business.
As corny as it sounds, the reason I thought his product was good (with tweaks) and that this major company could use it was because it could actually help people live better lives and make more money. That’s how you know your business has value – when you provide greater value to others. Not because you win hackathons.
4) He didn’t solve his own problems. 
The first version he showed me had some very basic problems. With a little thought he could have solved those problems. Instead, I outlined how he could solve them. He solved them and I was finally able to show them to the client.
Actually, that’s not true. He forgot basic aspects of my original spec (see “under-deliver”) and I had to remind him and he said, “Oops. Sorry.” And within minutes he had a new version. These aspects of my original spec were designed to protect the client from losing millions of dollars should they ever roll out my friend’s product.
5) He didn’t offer new ideas.
In the final version he showed me there were some basic things he could have over-delivered on to impress the client. They were very basic. He even said, “of course!” when I brought these features up to him.

IF YOU LOOK GOOD AND THEY ASK YOU TO DANCE, THEN YOU BETTER BE LIGHT ON YOUR TOES OR YOU WILL FALL.

It’s one thing if he were not already developing software for this business and he was a developer I was trying to contract. Then he might not know the industry. But he already had software designed for this very industry and it only involved seconds of tweaking for him to massively over deliver. And, I have to repeat it, a billion-revenue client was interested when he had no clients at all.
He’s clearly interested. He ultimately delivered and did everything and it was great. I showed it to the potential client and they loved it. Good things will come of this.
What do I get out of it? Absolutely nothing. Don’t be a fucking pig all the time and try to have your hand out. If you create value for others, then sooner or later value is created for you.
So, what should you do?
You will make a lot of money if you simply: 
  • Deliver on time
  • Don’t focus on venture capitalists (the customer is your audience, not the venture capitalist)
  • Over-deliver (it is so easy to over-deliver and so few do it)
  • Catch and solve easy problems before the client sees them
  • Come up with new and continuing ideas so that the client views you as a partner and not just another bullshit vendor trying to scrape money out of them. Keep in touch with the client and see how you can brainstorm every few days or so to come up with new ideas for them.
It’s really that simple to make a ton of money.
Another very important thing: The site he is developing for this potential client is slightly different than his initial software. He had to tweak it to make it fit my needs. Always assume that you have no idea what your customers want. In 99.9 percent of cases, remember, the startup pivots and not the client.
All you can hope to do is get close enough to what the customer wants so that they then notice you. If you look good and they ask you to dance, then you better be light on your toes or you will fall.
Now I better shut up.
[Image via Shutterstock]