The Problem with Facebook…

Maybe that was a bit of a ‘clickbait’ title, since the list of problems with Facebook is epic, tragic, and depressing. So let’s go with, “tonight’s example of an ongoing problem with Facebook”.

One of my biggest gripes about the social media platform is that after all this time, they still do not give us a simple way to view posts chronologically. At some point in the past, they introduced an option to supposedly to that, but it was done via a URL argument and not a user-friendly GUI widget. I’ve used that option to view Facebook to this day, and it is still horrible. Why? Because as you think you finally get the holy grail of simplicity, it is still weighted… just less so. Meaning you are more annoyed when some crappy post pops up four times that day.

OK, so they want weighting and control to deliver the posts your friends make, as they see fit. That means you never see some posts you absolutely want to see, while seeing other posts multiple times a day. Their algorithm has nothing to do with standard weighting, and everything to do with their weird formula that no one can seem to figure out. OK, fine…

Facebook has also been on a tear about ‘honesty’ in the form of user profiles. The last few years have seen nothing but drama and turmoil as Facebook tries to enforce their ‘real name’ policy. A policy that the Chief Product Officer at Facebook apologized for, ensnared a former employee or seven, unfairly targets the LGBT community, and has caused enough headache to warrant a Wikipedia entry. Oh, of course, that the “noble and charitableMark Zuckerberg defends. So… integrity and honesty and clarity is important, right?

That sets up the easiest of questions. Why is Facebook targeting their user base, who they profit off, regardless of a real name attached? Sure, they may make a few more pennies on the dollar if a real name is attached over a pseudonym, but still profitable. For years, it let them defend their absurdly high user count on top of the obvious ploys of ignoring idle accounts and such. Now, jump to tonight, which set up a perfect example of where Facebook shows they don’t care. A rather simple example, but one that should be trivial for them to programatically notice and warn against, in a variety of methods. If a single user is posting something that may be fraudulent, contradictory, or a basic scam (e.g. how many times have you been tagged in an image for Oakley sunglasses, even in 2016), why isn’t there a warning? Even when the account isn’t compromised, the user isn’t warned. When the same image of knock-off sunglasses is posted to hundreds of ‘friends’ from a compromised account, it comes with no warning, either from the subject matter, or the break from the normal behavior (e.g. that user with 87 friends tags one photo with 87 names, when never tagging more than 2 people the last 5 years). We’re not talking AlphaGo or Microsoft Tay, we’re talking a couple decades behind them as far as computer intelligence goes. The fact that one was an amazing success while the other was an amazing failure, speaks to my point. They are cutting edge, trying to solve ‘problems’ that are are incredibly complicated. Meanwhile, Facebook can’t figure out what boils down to mid 1990’s email spam patterns, implementing the most basic of statistical filtering.

That said, I would love to see Facebook answer how the following two posts, from the same user, within 40 minutes of each other, could be posted without a warning to them AND me. Compare them posts carefully, not that there is much to go on as far as the end-user sees. At some level, this is stupidly trivial and any half-assed program should notice. No, it isn’t trivial or worth ignoring, that such articles get posted with such discrepancy. That is how we end up with stupid rumors and lies spread around as if they are fact, and fundamentally why our political climate is like it is. When you stop ignoring the details, especially the obvious contradictions, you are buying into a system that doesn’t serve you; rather, one that only exploits you.

sf-box-2

sf-box-1

MITRE’ Horrible New CVE ID Scheme and Spindoctoring

[This was originally published on the OSVDB blog.]

Today, The Register wrote an article on MITRE’s announcement of a new CVE ID scheme, and got many things wrong about the situation. As I began to write out the errata in an email, someone asked that I make it public so they could learn from the response as well.


From The Register:

The pilot platform will implement a new structure for issuance of Common Vulnerabilities and Exposures numbers. MITRE will directly issue the identifiers and bypass its editorial board.

The old system bypassed the Editorial Board. The Board isn’t there to give input on assignments, not for over 10 years. The criticism right now is that the new system was rolled out without consulting the Board, which the board is supposedly there for:

The MITRE Corporation created the CVE Editorial Board, moderates Board discussions, and provides guidance throughout the process to ensure that CVE serves the public interest.

The last ID scheme change was after more than a year of discussion, debate, and ultimately a vote by the board (11/2/2012 Start –> 6/7/2013 End). This ID scheme change was a knee-jerk response to recent criticism (only after it became more public than the Editorial Board list), without any board member input. From The Register article:

The CVE numbers are the numerical tags assigned to legitimate verified bugs that act as a single source of truth for security companies and engineers as they seek to describe and patch problems.

No… CVE IDs are assigned to security issues, period. Alleged, undetermined, possible, or validated. Many IDs are assigned to bogus / illegitimate issues, which are generally discovered after the assignment has been made. There is no rule or expectation that IDs are only assigned to legitimate verified bugs. To wit, search the CVE database for the word “REJECTED”.

More importantly, the notion it is a “single source of truth” is perhaps the worst characterization of CVE one could imagine. Many companies use alternate vulnerability databases that offer more features, better consumption methods, and/or much better coverage. With MITRE falling behind other VDBs by as many as 6,000 vulnerabilities in 2015 alone, it isn’t a single source for anything more than training wheels for your vulnerability program.

The platform will exist alongside the current slower but established CVE system.

At this point, with what has been published by MITRE, this is pure propoganda in line with the platitudes they have been giving the Editorial Board for the last year. The new format does not make things easier for them, in any way. The ‘old ID scheme’ was never the slowdown or choke point in their process. In fact, read their press release and they say they will be the only ones issuing federated IDs, meaning the same problem will happen in the interim. If it doesn’t, and they start issuing faster, it wasn’t the new scheme that fixed it. More important to this part of the story is that it wasn’t just about assignment speed. The last six months have seen MITRE flat out refuse assignments to more and more researchers, citing the vulnerable software isn’t on their list of monitored products. Worse, they actually blame the Editorial Board to a degree, which is a blatant and pathetic attempt at scape-goating. The list they refer to was voted on by the board, yes. But the list given to the board was tragically small and it was about arranging the last chairs on the Titanic so to speak.

He says MITRE is aiming for automated vulnerability identification, description, and processing, and welcomed input from board members and the security community.

This is amusing, disgusting, and absurd. MITRE, including the new person in the mix (Sain) have NOT truly welcomed input from the board. The board has been giving input, non-stop, and MITRE has been ignoring it every single time. Only after repeated mails asking for an update, do they give us the next brief platitude. Sain’s title, “MITRE CVE communications and adoption lead”, is also ironic, given that just last week Sain told the board he would contact them via telephone to discuss the issues facing CVE, and never did. Instead, there was no communication, and MITRE decided to roll out a scheme that was horribly designed without any input from the Board or the industry.

For those who want a better glimpse into just how bad MITRE is handling the CVE project, I encourage you to read the Editorial Board traffic (and hope it is updated, as MITRE still manually runs a script to update that archive).