isolating facebook

[mike acker]

as we know Facebook likes to collect and sell our personal information to advertisers

if I create an alternate user ID in my system and run FB in that user ID only that should stop FB from snooping thru the data in my /home area.

( javascript isn't supposed to be able to read/write anything on the client computer other than cookies, but .....????? )

will running FB under an alternate User stop it from accessing things such as the real machine owner, mac address,-- i.e. the hard ID data ?

thoughts ?



see also: http://www.dailytech.com/Facebook+to+Us ... e36623.htm

[1.618]

if I create an alternate user ID in my system and run FB in that user ID only that should stop FB from snooping thru the data in my /home area.

How does FB get into my/home ? without some kind of deliberate hacking going on?

I always assumed facebook collected data from websites with the 'like' button, it sends your ip address back to facebook and they know you've looked at that page, regardless of wether you actually clicked on their little button, and that's how they know what sort of stuff to post as adverts on your FBIBook page.

[niowluka]

as we know Facebook likes to collect and sell our personal information to advertisers

Yes, but not from your /home or your local drive. Facebook uses data associated with your online accounts, not offline. Your facebook account details, your posts, your google searches, etc etc.

[1.618]

will running FB under an alternate User stop it from accessing things such as the real machine owner, mac address,-- i.e. the hard ID data ?

This was in the comments of the link you posted

Every time you visit a page with the icon, the script runs and Facebook reads a unique cookie it's placed on your browser to determine which individual computer visited that page, and adds it to a database of other pages that have been visited by that computer.

They build up a history of which sites and pages your computer has visited this way. When you login to your Facebook account, they can link that history to your identity via Facebook. If you don't have a Facebook account, they still know that *a* computer out there has that browsing history. If you get an email from a friend inviting you to join Facebook and you click on it using a web-based email service, your friend has now revealed your identity to Facebook, and they can now read that cookie to your computer's browsing history your identity, even if you don't have a Facebook account.

So it would seem that creating a new account really wouldn't make a lot of difference as it's your machine that's being tracked, not the user that is actually logged on to the machine, but they could still determine who the user is from other sites you might log into

There was also this link to a browser addon called Privacy badger, i had a read through and it appears to stop trackers eventually but also keeps a list of the cookies that have been on your machine in able for it to stop them tracking you. having a list of those cookies could be a problem in itself

https://www.eff.org/privacybadger

And this, there are quite a few companies out there involved in your data

http://mediamemo.allthingsd.com/files/2 ... ad-map.jpg

I suppose if you're not going to use facebook you could block the url in your router if it allows it, that way no traffic would get sent back to facebook, regardless of where you are browsing, I have that set for a couple of google addresses.

[niowluka]

If you get an email from a friend inviting you to join Facebook and you click on it using a web-based email service, your friend has now revealed your identity to Facebook, and they can now read that cookie to your computer's browsing history your identity, even if you don't have a Facebook account.

In Firefox Privacy tab, you can setup exceptions and block specific sites from storing cookies on your computer. Just add facebook.com to that list. I'm sure most other browsers have similar option.

Make sure you delete all the currenlty stored cookies after you do that

[xenopeek]

You can use firejail to limited what access an application has to your system and home folder: http://l3net.wordpress.com/2014/09/19/f ... a-firefox/

You could run Firefox with firejail with the private option, which starts Firefox with an empty home folder mounted in RAM--fully restricting it access to files in your home folder. You could create a .desktop file specifically to start Facebook in a firejail with the private option.

Steps:
1. Download the latest .deb file for your architecture from http://sourceforge.net/projects/firejai ... /firejail/
2. Install the downloaded .deb file
3. Create a new facebook.desktop file in ~/.local/share/applications (use your preferred editor, or from the terminal: nano ~/.local/share/applications/facebook.desktop), to give you a new menu entry to start Firefox with firejail and open Facebook. Paste the following into it:

[Desktop Entry]
Type=Application
Name=Facebook
Comment=Facebook in Firefox with Firejail
Exec=firejail --caps --private firefox 'http://www.facebook.com/'
Icon=firefox
Terminal=false
StartupNotify=true
Categories=Network;WebBrowser

4. That's it! On MATE you'll have to do killall mintmenu to make the menu aware something changed (it's a bit lazy, the mintmenu ) and answer to reload it when asked.

BTW, you can use firejail for any application. I'm evaluating using it on anything with proprietary code, such as Firefox, Google Chrome, Chromium, Steam, and so on.

[bjornmu]

FB and others don't track what the machine is doing on the web, they track via cookies what the browser is doing. Each one has its own set of cookies, so I don't think you even need to create a separate user. It should be enough to create a separate FF profile and run a separate FF instance; one for FB and one for everything else.

I'm not on FB but I do have a google account, and I use my chrome browser only for those google sites/services where I actually need to be logged in (not for searches). Anything else I do i FF and opera and never log into my google account in those.

[mike acker]

FB and others don't track what the machine is doing on the web, they track via cookies what the browser is doing.{snip}.

I agree: that is what is supposed to be going on. I tried to do some research into javascript and the info I found indicated that is was a design intention that javascript would be able to read/write cookies -- but nothing more.

still, from my browser I can upload/download all sorts of stuff. on flickr for example when i select upload photos -- the script allows me to browse my directories -- not just photos -- anything --- --- ---

I've considered scrounging a discarded xp notebook which i could convert to MINT and run in joints that have wi fi

and I've considered installing VM Ware -- which is a highly regarded product

still,-- from the Old Days my background was in MVT and MVS -- systems in which the general idea was that each initiator -- shell in unix -- was to act as a separate virtual machine. this is what makes me think -- just running another user id -- ought to be enough to get isolation. except for items shared on purpose such as the /Public folder

it is of course critical to 'sanitize' documents passed from one system to another -- by e/mail, shared folder, or thumb drive. modern documents have to be treated as executable files. they are a bit less dangerous in Linux as they will not be able to corrupt the /boot components; still -- when I sign on -- I have access to everything under /home ,,,, and so too will a program that launches from an executable document, e.g. a vbs script, macro, what have you .

this is why I've been interested in apparmor in the past . this jailfire thing -- thanks xenopeek -- looks very interesting too though. it might be 'just what the doctor ordered' as in security questions we are not just interested in what files a user might want to look at -- but also what program he wants to use to do that .

[niowluka]

I agree: that is what is supposed to be going on. I tried to do some research into javascript and the info I found indicated that is was a design intention that javascript would be able to read/write cookies -- but nothing more.

still, from my browser I can upload/download all sorts of stuff. on flickr for example when i select upload photos -- the script allows me to browse my directories -- not just photos -- anything --- --- ---

So you have a problem with FB, because you can browse your own files ??

If FB was accessing data on your drive, it would be:
a) extremely easy to find out (lsof)
b) imagine the headlines, that would be the end of FB, socially, legally, economically...

[DrHu]

OK, but it is everything that does on Facebook and the geolocation of the IP address
--and of course if it is a totally fake profile, it won't work socially; assuming that is the purpose of using Facebook

Facebook could also be used for a business, but in that case the profile should be real or there won't be any business

[mike acker]

{snip}
So you have a problem with FB, because you can browse your own files ??

the concern is: if I can direct a script running in the browser to browse/upload/download files then it follows that the script is generally capable of that. I'll be happy to find out that javascript is capable of launching the file browse dialog -- but not responding to it or reading it.

which leads to the concerns involving the development of firejail, -- and to the larger question: do I want to be able to do *anything* with *any* program? I think this is a question that should have been looked at

the programs that are a particular concern are those that (a) receive remote input, and (b) can execute scripts or macros, -- javascript, java runtime, ajax, VBS, macros etc

[niowluka]

the concern is: if I can direct a script running in the browser to browse/upload/download files then it follows that the script is generally capable of that.

In principle yes. I used to do a little java scripts few years ago (simple things) and I don't think it would be at all difficult to write a script to scan your drive and download files without your knowledge.

However, as I mentioned earlier, if FB were doing just that, it would be:
a) very easy to verify, you can list any process accessing any file
b) just plain illegal, accessing information on your drive without your consent is an offence punishable by the court of law, at least here in the UK

[mike acker]

I'm not concerned with what's legal or proper. we have to defend against the possibilities

Article on Malvertising

this got me thinking on the topic again. it should be possible to run a browser in a virtual machine such that all the funny stuff just doesn't work.

[niowluka]

I'm not concerned with what's legal or proper. we have to defend against the possibilities

Article on Malvertising

this got me thinking on the topic again. it should be possible to run a browser in a virtual machine such that all the funny stuff just doesn't work.

I'm sorry, are we still talking about FB, or internet in general ? Because if it's the latter then you can ignore my last post. If you visit some random websites then yes, there are risks out there you can't ignore.

[mike acker]

the object is to prevent web authors from exploiting client computers -- whoever they may be.