Who's using Mueller Report Day to bury bad news? If you guessed Facebook, you're right: Millions more passwords stored in plaintext While journalists and netizens are distracted digesting the redacted 400-plus-page Mueller report, released within the past few hours, today will be a good day for spin doctors to bury bad news. And Facebook just couldn't pass up on the opportunity. One hour before the long-awaited dossier by Robert Mueller – special counsel …
That doesn't matter - Facebook is still making money out of you.
Stop feeding the monster : close your account and get out of there.
Facebook is a blight that not only feeds on the feeble-minded that subscribe, it also impacts anything that comes withing clicking distance of it.
Don't you understand ? It's the plague - revisited for the 3rd millennium.
Kill it while you still can.
and cant be bothered to employ competent coders? Is it a failing of HR, or is this the way agile development works?
I dunno. I get shit from my gaffer because testing and refinement takes much longer than the quickly thrown together PoC I developed in order to say.."yes this can be done"
Agile has 2 different but apparently similar definitions. One is the methodology with very specific features such 2 week sprints, design iteration on the fly, etc. The other is more of mindset of the involving all the parties to the project from the start with design meetings including programmers from the start and iterative building until one has a usable or final product. In the first, there are often specific check boxes that must be adhered to. The second is more dynamic and has fewer, if any formal check boxes. Its key concept is the programmers must be involved early one and there must be feedback to the refine the project. Oddly, the second may appear to be more formal as it does mandate specific practices about meetings or timing.
"I first thought PoC was Piece of Crap, but then guessed it could be Proof of Concept"
It is bit like 'Schrodinger's Cat' ....... say call it 'Schrodinger's code' ;) :)
Until you look actually *see* the code it can be either 'Proof of Concept' OR 'Piece of Crap' and the code runs *without* knowing which it is !!!
Sociopathic economiser of truth that he is, Zuckerberg can't produce so much crap without the cult like obedience that he seems to get from his employees.
The ongoing saga of disaster that is faecebook must surely be confined to the pages of history sooner rather than later, it has single handedly been responsible for dumbing down an entire generation.
Can't we close them down for crimes against humanity?
"Our investigation has determined that these stored passwords were not internally abused or improperly accessed."
That's unusual. The normal form is to find no evidence of anything wrong.
Ah! I've read it again. The passwords were not internally abused or improperly accessed. That doesn't rule out external abuse or improper access.
FaceBUTT's Terms of Service are written by illiterate nitwits, precisely so you can't understand their meaning.
These appear to allow Facebook to exploit your name, likeness, content, images, private information, and personal brand by using it in advertising and in commercial and sponsored content — without any compensation to you. Facebook claims the right to monetize, not just your images, but a sizable portion of your entire online identity. They want to see Facebook became a place where users are disrespected and their experience is a feeling of being victimized and exploited.
They REALLY repect me and mine.
"Our investigation has determined that these stored passwords were not internally abused or improperly accessed."
Judging from its previous statements, nothing Facebook does is abusive or improper.
Is this therefore a null statement, a false statement, or both?
Ah, but you see, they were sneaky with their adverbs. You would think that they meant them in the sense of internally abused or internally improperly accessed, but they meant internally accessed but only in a proper way (you probably don't want to know what Facebook considers proper ways to access data) and not abused internally. Should they want some abuse done with the data, they can get an external entity to do it. Adverbs are tricky.
I'm still not sure what circumstances would require one to log passwords. I've coded a pile of authentication systems and even the highest debugging levels only ever logged username and success y/n - logging the password even to a secure database would be a massive no-no. That shit is salted and hashed into an unrecognisable mass by any dev who know their shit, and then it's stored in a heavily monitored cluster/store/whatever where you check exactly who looks at it because it's highly sensitive data. Right? I mean storing elsewhere as plaintext undoes any other security measures you might have (OK, 2fa defeats a lot of that, but few systems enforce 2fa, facebook does some half-assed geolocating stuff so chinese script-kiddies can't brute force you)
Use PHP as a programming language, not a templating language.
Avoid globals.
Avoid extract().
Avoid eval().
Avoid variable variables.
Prefer classes over functions.
Release React candidates as often as you can to confuse Front End developers.
Store user data in plain text files.
Lie about everything.
This post has been deleted by its author
Ther are two groups in this world that cause me more problems than even users. Project managers and developers.
They are both focused on delivering solutions on time and on budget but have no focus on the real stuff like ongoing management, real security and remembering that the work around/logging thing the put in to try and fix that problem needs to be removed before go live, and they feed of each other.
Dear El Reg,
Whenever you write about anything in the Facebook empire, can you add the following small paragraph?
"You will notice that, despite warning about the evil and insecure nature of Facebook/Instagram/whatever, we continue to provide easy to find and obviously branded tracking links from every single page in our site (yes, even on the 404 page) to all of these platforms. So please understand that our stance against them is more on the 'verbiage' scale than on the 'action' scale. We don't quite dare remove the buttons, in the same way that we don't quite dare start a subscription model, even as we moan about ad-blockers. Thank-you for your understanding."
I can't recall where I read it but a recent article pointed out that, apparently, Facebook thinks it's advantageous to release the reports of these security lapses just before major holidays---when nobody is looking much at the news. Slimy practice from a slimy company.
It's probably someone working in their tech department who is taking bribes under the table by "bad actors" in foreign business and government to "accidentally" leave this stuff laying around in the open, they grab the information, and then Facebook says "oh hi Facebook investors...this was a mistake. We'd never put our user's privacy in jeopardy...never ever ever. But here it is if you give us so and so amount of $$$$'s"
Smug punchable-face Mark Zuckerberg up to his usual routine.
Even in Silicon Valley. At an unnamed meeting 5 security geeks and one single girl (about the right boy-girl ratio here) were chatting. I asked the girl where she worked and she said Facebook. The look of distaste on everyone’s face was obvious. We all did a disappearing act. That is a very powerful reaction.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
