I saw the screenshot of the FB anti-malware message being tweeted about and thought for sure it was a malware/phishing scam, so I was surprised to read that it is an official FB feature (admittedly I haven't been using FB much lately).
That the feature couldn't detect the user's OS (had her download a Windows binary even though she was on a Mac) doesn't lend much confidence though.
I thought the same thing. That's really bad. It's going to train users to be more susceptible to phishing attacks. I can't tell my grandmother that any site that tells her to install software is a scam, because Facebook just made this a legitimate user workflow.
Along the same lines, FTA: "An antivirus product can collect a lot of useful information from the user machine—telemetry data; beyond what Facebook gets through their website—and share it with Facebook. Facebook should make their agreements with antivirus partners public."
"Facebook's Mandatory Anti-Malware Scan" is something I expected to read only by 2026 or so, as the company, falling to hard times, would resort to dotcom bubble-era techniques.
The article fully explains it; using Facebook doesn't really provide any additional insight. Facebook has decided to lock people out of accounts if their undisclosed mechanisms of detecting a potentially compromised client machine are tripped, and will continue to lock them out until a Facebook-supplied (but apparently sourced from one or more of a shifting set of partners) malware scanning application is installed on the user's machine and run, with all the intrusive level of access that antivirus type of applications tend to have.
There's no other practical means, other than to create a separate account. Facebook in theory will kill your account if somehow it came to their attention that you operate a non-personal account for that purpose. If you kill off your personal account, set up a new account and link it fresh from day one to new advertising & pages, are they likely to ever know? Coin toss. It'll be suspicious to their systems that you don't have any friends, so it might get flagged as a fake account or similar at some point.
The first time I get a Facebook demand to scan my computer, while locking me out of the account, is the last time I use my Facebook account.
I have an account with no friends and that is an admin of one page, which I buy ads for. It’s not my real name, but obviously has my real CC info in there.
Interestingly, a friend showed me his contact list entry for me (I believe created through a 3rd party OSX app), and in the Facebook field it had the name used on the admin/ads account I have. Given I don’t use my real email address on the Facebook account I am amazed (but not particularly surprised) that the connection was made.
To the common person, what you have outlined is rocket science. You have to remember that most people are not as advanced in computers as you are. What Facebook is doing here is wrong. They are actively indexing files on people's machines and sending that data back to Facebook and their partners. This is a gross invasion of privacy.
I didn't realize Facebook did this. I feel like the spirit of the idea is from a good place, though, even if the implementation and messaging have flaws. The article has a bit of an "it's evil" slant that I'm not entirely sure I agree with.
That said, I'm on Linux, so it would be pretty tricky for me to fix this issue if it happened to me.
The one part that struck me as genuinely evil is refusing to offer a guarantee about the data use.
I realize internet companies all always hate offering info about data use, much less binding agreements. But "let us and a third party touch and modify every single byte on your machine to use our product" is a gigantic ask, and deserves at least some good-faith effort to keep the results walled off from everything except security initiatives.
Beyond that, the intent seems fine. I still think it's hubris, though - Facebook is ostensibly just a website, and attempting to remotely diagnose and treat malware is something they ought to acknowledge they're not going to do well.
danso | 8 years ago
mind-blight | 8 years ago
CryoLogic | 8 years ago
LambdaComplex | 8 years ago
1001101 | 8 years ago
dictum | 8 years ago
giancarlostoro | 8 years ago
qume | 8 years ago
A closed version of the internet controlled by a corporation? We should be yelling from the rooftops, not nitpicking things like this story.
keyboardhitter | 8 years ago
Just get it over with, you'll be better off.
d3sandoval | 8 years ago
Jeff_Brown | 8 years ago
Happily, so far, they don't ask from Firefox.
snvzz | 8 years ago
dragonwriter | 8 years ago
joelrunyon | 8 years ago
I have no desire to personally be on FB anymore, but I would like to maintain the pages + ads for business purposes.
adventured | 8 years ago
nichodges | 8 years ago
kernelPan1c | 8 years ago
> A Facebook spokesperson said Charity may have been asked to download the wrong software because some malware can spoof what kind of computer a person is running
Just changed the user agent?
monochromatic | 8 years ago
kingkoronov | 8 years ago
gruez | 8 years ago
2. run the malware scan
3. everything shows up as clean
4. ???
Not defending Facebook or anything, but that seems relatively easy to bypass.
electic | 8 years ago
Another reason not to use Facebook.
monochromatic | 8 years ago
ASalazarMX | 8 years ago
I guess you could copy the entire browser profile so it thinks it's the same machine, but that's even harder for your regular user.
"Yes, father. VirtualBox.org... Yes, .org, not .com... Without spaces, yes... Remind me, do you have Windows 32bit or 64bit?"
Bartweiss | 8 years ago
So this would probably work, but if you go back to your main machine then whatever config was mistaken for malware will trip the alert again.
aussieguy1234 | 8 years ago
larrik | 8 years ago
Bartweiss | 8 years ago