Monthly Archives: October 2013

Facebook Removes Privacy Settings (or Why it’s hard to hide information on the Internet)

A few weeks ago Facebook announced the removal of a “Search” setting. That’s their marketing term for a privacy setting. The setting in question allowed a user to prevent his or her Facebook profile from being discovered via Facebook’s search function.

Now before you go look for it, you should know that most of us lost the setting in December 2012. At the time Facebook announced it as part of several “Better Controls for Managing your Content.” One of these better controls included a notice that anyone not currently using this older setting lost it. However, those who had enabled the setting were allowed to keep it for a while. In other words, the ability was first taken from those not using it, and now stripped from those who were. (It sounds like there’s a political analogy in there somewhere…)

According to Michael Richter, Facebook’s Chief Privacy Officer, the setting was removed because it didn’t do enough. People could still access those non-searchable pages by clicking the user’s name on another page, a comment, a mutual friend’s Timeline, or even through the Graph Search. And of course Google would still link to the page. Richter pointed out that instead of preventing access to the Timeline, people should set more granular privacy settings on the content they share. But that argument assumes that this was the only privacy setting that people enabled. From my personal experience, people who enabled specific privacy settings like this often enabled many if not most of the others as well.

Richter also pointed out that this “setting also made Facebook’s search feature feel broken” when a user wouldn’t show up in the search results even though you know they have an account. Personally I think that this was the bigger motivation for Facebook as their business model depends on people finding each other and interacting.

So what does this mean for you? If you had been using this setting, it means tough luck. Now your page will be much more easily discoverable. Of course if your friends or acquaintances used the setting, it might mean they can no longer hide from you. It also will be much easier to find information about people that you meet or target as part of a social engineering engagement. If you’ve got kids with Facebook accounts, now might be a good time to review those privacy settings with them.

The important lesson here is that over time, information leaks out. When you post information on the internet, especially on a free service like Facebook, you should always assume that it will become public knowledge. Facebook has gotten much better about offering privacy controls, but it’s still a company that profits off of people sharing information. Whether it’s an intentional change like this, or an unintentional action or security breach, your data will eventually be made accessible. If you’re not okay with that, then think twice about posting it.


Nathan Sweaney is a Senior Security Consultant for Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at nathan@secureideas.com or visit the Secure Ideas – Professionally Evil site for services provided.

Tactical Burp Suite Webinar

We have decided to try something new here at Secure Ideas.  We have a long history (as long as the company actually) of doing webcasts and presentations around the country.  (And we plan on continuing those!)  But we thought maybe we could start doing some of our own.  So we have recently signed up with… Continue Reading

Web App Pre-Flight

I think that it is because of my background in software development that I am passionate about integrating security testing with the SDLC (Software/Systems Development Life Cycle).  Or perhaps it’s just that watching development teams push untested code to production grates on my nerves worse than nails on a chalkboard.  Whatever the case, security testing… Continue Reading

Security Tubthumping

I have a friend who is an alcoholic. A few weeks ago after 5 years of sobriety, she stumbled and had a relapse. It doesn’t make her a bad person, just a fighter. She starts everyday with a reminder of where she’s been, and where she’s going. And in the last 5 years she has… Continue Reading

Getting my 11 year old to Present at SANS

Speaking is a major fear for most people.  Even though I have been speaking at public events of one type or another for the last 20 years, I am still not comfortable presenting to crowds.  (That’s putting it lightly.)  So when my daughter started talking about “doing what you do, dad”, I was curious how… Continue Reading