A secret program called "Project Ghostbusters" saw Facebook devise a way to intercept and decrypt the encrypted network traffic of Snapchat users to study their behavior.
It’s a proprietary platform … what do people expect?
It’s visiting someone’s business and you are in their property and you are watching TV on their TV set. You are reading newspapers and books that are on their property. And everyone acts surprised when the property owner keeps track of what you watched and what you read on their property.
You have no rights to do anything on their property … other than the rights they give you, which they can also take away, or just kick you out.
Are you under the impression that Facebook owns Snapchat? Because they don’t. Nothing about this little “blame people for using proprietary services” rant is actually relevant to what happened. At all.
You should read the article because you clearly didn’t. Hell, all you’d have to do is read the first paragraph to understand they were spying on the users of a competitor.
Are you under the impression that Facebook owns Snapchat? Because they don’t. Nothing about this little “blame people for using proprietary services” rant is actually relevant to what happened. At all.
You should read the article because you clearly didn’t. Hell, all you’d have to do is read the first paragraph to understand they were spying on the users of a competitor.
The spying was done by a proprietary service (Facebook’s VPN). Blaming the users for anything on that scale is dumb and futile, but it still reinforces the idea of avoiding proprietary services as much as possible, especially anything on the client side.
The article didn’t explain how the attack worked though. Did the Snapchat client not use anything like TLS to connect to the Snapchat server? Did the Facebook VPN somehow still intercept it, e.g. with a certificate that Snapchat trusted but that Facebook used for spying? Die that cert also work in browsers and did it somehow pass a third party audit, that at least Mozilla requires? I do know Mozilla looks very askance at such things, and they booted out at least one cert vendor over something like that a few years ago.
If Snapchat used some kind of device-wide TLS stack that Facebook managed to subvert, that should be treated as an OS vulnerability (assuming we’re talking about mobile devices). There’s a bunch of stuff that apps simply cannot do unless the user first goes through some complex procedure to root the phone. Messing with the TLS stack should be one of them.
Are you under the impression that Facebook owns Snapchat? Because they don’t. Nothing about this little “blame people for using proprietary services” rant is actually relevant to what happened. At all.
You should read the article because you clearly didn’t. Hell, all you’d have to do is read the first paragraph to understand they were spying on the users of a competitor.
The spying was done by a proprietary service (Facebook’s VPN). Blaming the users for anything on that scale is dumb and futile, but it still reinforces the idea of avoiding proprietary services as much as possible, especially anything on the client side.
The article didn’t explain how the attack worked though. Did the Snapchat client not use anything like TLS to connect to the Snapchat server? Did the Facebook VPN somehow still intercept it, e.g. with a certificate that Snapchat trusted but that Facebook used for spying? Die that cert also work in browsers and did it somehow pass a third party audit, that at least Mozilla requires? I do know Mozilla looks very askance at such things, and they booted out at least one cert vendor over something like that a few years ago.
If Snapchat used some kind of device-wide TLS stack that Facebook managed to subvert, that should be treated as an OS vulnerability (assuming we’re talking about mobile devices). There’s a bunch of stuff that apps simply cannot do unless the user first goes through some complex procedure to root the phone. Messing with the TLS stack should be one of them.