
When the Facebook hack comes, it will be devastating.



Getting in might be possible, but then the attacker would have to covertly exfiltrate and store all of Facebook's content to do a dump. Does J. Random Attacker have enough storage to do this?


Use Facebook's cache to host the stolen data and have it downloaded in parallel over the internet.


Maybe; realistically, the Internet speed would probably be more of a limiting factor. At mine, it would take almost a week to fill up 1 terabyte of storage. That's plenty of time to go get a few more HDDs. At 1 Gbps you'd have about 2 hours.


I think you're underestimating the scale of this problem.

According to http://www.datacenterknowledge.com/archives/2013/01/18/faceb... , people upload 350 million new photos per day, and they have 240 billion photos total. If we use 1 MB per photo as an average, you'd need about 334 terabytes to store a day of Facebook's pictures. You'd need 228882 terabytes to store the whole thing. Assuming Wikipedia's estimate of $35/TB for desktop hard drives, it would cost about $8 million to store Facebook's photo archive (that's without videos or text). Actually hosting it would cost even more.


If you wanted to go after photos for everyone I would agree with you. Probably just as interesting would be grabbing everyone's private messages, and although a large dump, would be nowhere near as hard to store. A further option would be to filter whose photos you steal, so you only target celebrities and/or the rich and famous for maximum effect. It all depends on the aims of the hacker, but I would imagine you could make a devastating attack without stealing all of Facebook's data.


If you were bent on getting it all, even at 1 Gbps:

(228882 TB to Gb) sec to years = 58 yr 3 w 1 day 18 h 40 min

58 years is going to take a long time


You can split that across multiple attackers, though. A botnet of 58 machines would be able to do it in about a year by that math. Once you cross into the thousands, a full dump like this is suddenly feasible.

That's why this is more a storage problem than a bandwidth problem in practice. That's a lot of hard drives. While it might be possible to build up a botnet of a few hundred thousand slave machines to download and store it all, the task is by no means trivial.


No no no. That's not the hack.

The real hack will be using Facebook to infect people with malware. Which will probably be staggeringly easy once they get inside.

It will be impossible to remove, it will hijack legitimate connections to non-FB accounts with injection attacks, it will expose all the credentials of all the users of all the services of these 1 billion people. The compromise of sites that rely on Facebook for authentication tokens will pale in comparison.

Attack vectors: app upgrades, browser exploits, e-mail/messenger/comment phishing, 3rd party comment section or ad-network injection, desktop integration, and of course, all the mobile networks that provide Facebook data access for free (which are largely non-smartphone and have rudimentary interfaces).

One billion people will be prompted in some way, or immediately exploited using 0-days, and I would wager around 20% of users would be infected within a few hours of actually starting the attack. That's 200 million infected devices (edit: users; number of devices may be many times more). Depending on the point of entry and the access gained (let's say 20 percent of the infections lead to compromise of the whole system), that's 40 million accounts compromised in a few hours.

Banks, email accounts (which lead to everything else), online shopping, e-wallets, etc all stolen. Then the data extortion packages will encrypt all the phones and wipe any usable data and demand payment or destruction of data. There'll be a very short timer, too, because the bank and other financial account session data may be reset quickly. There is a potential that markets could crash worldwide as financial balances get shifted around at the speed of the internet.

Screw the Facebook data. This is a compromise that organized crime and state actors would invest millions of dollars to set up. And it's a virtual certainty that it will happen one day.


> And it's a virtual certainty that it will happen one day.

Hell, it's probably already happening. Facebook's a big company. Not inconceivable to think that there might be at least one underpaid, disgruntled, obese, bespectacled mole in their ranks, quietly subverting security measures and siphoning data until he gets his $1.5 million pay day and heads off to retire in Costa Rica (or attempt to before getting eaten by Dilophosaurus while trying to escape Facebook's HQ...).


The torrent to end all torrents.


Would it even be possible to exfiltrate all that data? It's hard to imagine even storing all that they're generating in a single day. What's the most an attacker could likely get? Usernames & passwords for all users? Complete profile/album/comment data on a few tens of millions?


Very insightful question. The only way I could see this working is having a botnet network that extracts the data externally, encrypts and stores locally, and then each node serves up its cache over bittorrent to a command and control system.

It's just so much data. The more valuable data, arguably, would be plain text profile data about people, not their photos.

Assuming 7 billion people in the world (very conservative, for funsies), each profile containing 10 megabytes of profile data (exclude photos, just textual data), uncompressed, would be 70 petabytes. A lot of data to be sure, but not unsurmountable. Compressed, you could probably get down to 30-40 PB depending on compressibility.


Why 7 billion people if FB has less than 1.5 billion users? And why 10MB? 10 megabytes of text is a lot of text.


Was assuming worst-case scenario. Based on 1.5 billion users and 3MB of text, it's only ~4.5 PB. That's nothing.


10 megabytes of text data per user? You are orders of magnitude off. A list of friends, all posts and private messages. After compressing it will probably average 10 kilobytes per user.


> What's the most an attacker could likely get?

Remember that thing when a guy from Europe asked Facebook to give him everything they knew about him (which European citizens are allowed to request by law) and got over 1000 pages of information from Facebook?

Now, multiply that by a billion (well, two or three billions actually).


> which European citizens are allowed to request by law

Can they? TIL. It would be a fun thing to know, exactly how much they know about you.


I only know about the Netherlands, but European might be similar:

- When an organization collects data about you, they are forced to tell you about it (unless they're police or something I guess) and tell you what they are going to do with it. In Dutch this is called the "Informatieplicht persoonsgegevens".

- Upon reasonable request, an organization must give you all information they can reasonably give you. "Reasonably" means, given a normal amount of effort. If they need to contact the garbage collectors and dig up an old cassette they threw away years ago, that is unreasonable to ask. They may also charge a fee, but the limit is quite low I think.

- You can ask an organization to correct or remove your personally identifiable information if you have a good reason or if they have no reason not to. For example if you ask to remove your IP address from logs and they want to keep it for security purposes for 4 weeks, their argument sounds pretty reasonable (unless you have some better reason).

- They cannot keep personally identifiable information for longer than necessary. For example, log files from the web server may be kept for security purposes, but if you have ten year old log files, that is too long to be reasonable for that purpose and is thus illegal.

One thing I've always wondered about is how applicable this is to foreign organizations with websites accessible from the Netherlands. I've heard some people say that for companies with customers in the Netherlands, Dutch law applies and those customers have the above rights. Nobody seems to comply with that, though. Another thing I've heard is that if they have an office here, that office can be held to our laws. I should look that up some time.


I remember the case in which one guy (I think he was Irish) did send that request to Facebook and got an over one thousand page long response.

Then, there was a shit ton of persons from Europe (like, dozens of thousands) who tried to do the same through a combined court order in Vienna. Then, the court in Vienna decided that this issue was "not admissible on procedural grounds". Then, those thousands of people got generic responses like: "You can download every data we store on you by going into your settings...". Then there was an appeal to that decision and then the whole thing died out.

I found the website that organized this: http://europe-v-facebook.org/EN/en.html


They keep a lot of data in cold storage as well, so not sure how easy it would be to get everything. Probably just whatever data they think will be likely accessed soon and is in relatively ephemeral storage.


An interesting attack vector would be something that watches the staging area from cold storage and sends that data out.


An attacker could attempt to damage or destroy some or all data. Covertly or openly. Immediately or over a long run.


Mmmmm silent corruption without underlying verification of the data. The most evil of attacks.


Where are you going to upload that many users? Pretty sure they have a good bug bounty program.


Into the Matrix ;)


Are there actually people who put stuff on Facebook thinking it's private?


Depends how you define private.


I assume that anything I put on Facebook is already known to various governments, and might well become known to anyone in the world. I mostly post funny comments and the occasional picture, but would never post anything I didn't want my employer, my children, etc. to see.


Me either.

But I post photos of my children with the assumption that I have privacy from the masses, and I think Facebook offers that.

My ex girlfriend can't access those photos. Yes, I agree they're not private, I know someone can copy them and email them to her. The government has access. They're sitting in public CDNs, the URL to them has no security etc etc.

But those photos still have a level of privacy.

So yes, I think there are many people who put things on Facebook expecting they're private. Not private in the way you mean, but private in the way I mean.



