PC & Tech Authority - DAVEY WINDER

Want to clean up your Facebook presence? Davey provides a number of options, including the full nuke

Who knows where the whole Cambridge Analytica mess will have ended up by the time you read this. One thing is certain, however: the knock-on impact on Facebook. Forget about the $40 billion wiped off its share value overnight, and the legal/regulatory action that might come from the revelation that 87 million user profiles were used without informed consent. The impact I’m talking about right now is both positive and negative.

Positive, in so far as the story does appear to have finally alerted folk to the danger of taking part in those “What kind of animal am I?” and “What is my real political leaning?” type surveys that plague Facebook. Yet people who do know better still participate on the basis of “what harm will it do?” My answer in the midst of that Cambridge Analytica fallout is simple: Donald J Trump.

The negative – as far as Facebook is concerned anyway – relates to the number of requests I’ve had from news media and individuals asking how best to delete their Facebook accounts. Personally, I think this is a knee-jerk reaction: we’ve always known that using any “free” social media service is a trade-off between functional value and privacy concerns. As far as the latter goes, it really isn’t that difficult to restrict who sees what and when on Facebook just by exploring the privacy settings and using common sense.

Nevertheless, if you’ve had enough of Facebook then deleting your account, and all your social history with it, is another matter altogether. Facebook will want you to deactivate your account, which effectively leaves it in limbo. Neither your account nor the posts and likes you’ve made while using it will actually be deleted. You can dig deeper to find the nuclear option (facecount), which will take up to 90 days to delete all posts and then light the touch-paper.

But what if you only want to do a bit of social gardening, and prune posts and online activity from certain years or subjects? For that, Facebook expects you to delete every such post individually. Not really an option if, like me, you’ve been an active Facebook user for a decade. This is where third-party utilities come in.

The most useful I’ve found has been the “Social Book Post Manager” extension for Chrome. The developers are active in keeping on top of bugs – although who knows whether Facebook will come along and throw a lawyer at them, as it has at other add-ons I’ve found useful in improving the site’s woeful default user interface and functionality.

Anyway, assuming it’s still up and running, what you get is a powerful utility to route through the Facebook activity log and delete posts based upon such filters as year, month, text (does or doesn’t contain a given string) and standard AND/OR Boolean operators. It fully automates the process of bulk-deleting Facebook activity, although there are caveats.

The first relates to speed; the deletion process is automated for convenience, not speeded up. Essentially, it simulates Delete button mouse-clicking, one post at a time. There’s no way around this – it’s the way the Facebook UI works – and there’s no API to allow differently.

It’s a limitation placed upon the process by Facebook to prevent accidental bulk deletions of postings, or to make the process so annoyingly slow that most people won’t bother tidying up their activity – take your pick over which you think is most likely. As such, it’s reminiscent of those batch or cron jobs some of us used to rely upon so heavily to perform routine and time-consuming tasks. Best left to run overnight.

If you want to confirm the posts match your filters before deleting, you need to run the extension with the pre-scan option turned on (which is the default for reasons of safety), but this again adds to the time taken. Some folk have complained of unexpected barfing during the pre-scan process, especially where it’s a long-time Facebook user and the activity log is a large one.

This leaves two options, and which you choose depends on what your motive for using the utility is. If you simply want to nuke everything before deleting your account, then switch off the pre-scan function and let it automatically delete the lot without confirmation. If your intent is to “garden”, however, then I’d recommend using pre-scan – but working a year at a time. Maybe even a month at a time for heavy users.

There is a third option for veteran tweakers: fiddle with the pre-scan speed settings. These default to x4, but range from x0.25 to x16, so you may find a lower speed can help stability at the expense of time taken to complete.


I’ve been running Android 8 Oreo for a while now, courtesy of being on the Samsung Beta programme with my Galaxy S8+. On the whole it’s been a good, if not earth-shattering, upgrade. One area I felt particularly underwhelmed by was security.

Take the Android Verified Boot 2 feature, also known as Project Treble. It adds measures to prevent booting up with malicious software, or rolling back to an older OS version with vulnerabilities. Anyone who roots their devices won’t like this feature – but, then again, most devices don’t seem to include it anyway. Expect this, and other updates such as the OEM Hardware Abstraction Layer that limits unlock attempts and requires the encryption key to access the passcode, to be part of devices that ship with Oreo out of the box.

I’ll keep my S8+ for another year, before I upgrade to something running Android P. So what security features can we expect to see in devices that come with P out of the box? Quite a few, and they’re all most welcome. The Android P Developer Preview has been released and reveals a swathe of security enhancements.

Enhancements such as the disabling of sensor access in the background by any app. If an app running under Android P wants to activate the microphone, camera or pretty much any sensor other than GPS (which already has a standalone toggle giving user control) in the background, it won’t be able to. Instead, the app must create a foreground process, meaning Android P can then display a notification – a persistent one at that – all the while that sensor is being used. The days of apps spying on you without your consent could well be coming to an end.

Talking of days being numbered, Google is continuing to crack down on insecure app traffic, by enforcing HTTPS connections on all apps by default in Android P. Any app that wants to use a clear text connection can do so, but only after the user agrees to opt out of the secure default.

While on the subject of encryption, I’m glad to report that Android P will strengthen the security of backups. While these are already encrypted when using Android Oreo, the new OS will use client-side, on-device encryption. This is important, as it means the encryption key becomes a “local secret” on your device, PIN- or password-derived, rather than being stored on the Google servers. The key will be needed to restore a device backup.

The last of the security boosts involves API warnings when older, potentially less-secure APIs are used by developers. Although the format and wording of the warning displayed to the user is still to be decided, that it will be displayed at all shows how seriously Google is taking this issue. Coupled with Google Play requirements for enforced recent API usage in new or updated apps, which should be in place by the time you read this, it’s all heading in the direction of making the apps we rely on more secure.


Subscriber Ian P emailed me to ask for some advice regarding a neighbour who had been on the pointy end of a phishing attack. Ian, a computer engineer by trade, explained he sees “very little in the way of AV or malware issues”, with the exception of “phone phishing, which I see a lot of”.

Yet this neighbour appeared to have succumbed to something nasty.

The computer didn’t reveal anything bad by way of the browser history, nor were there any dodgy extensions installed on the default Chrome browser. The neighbour was running an up-to-date version of Windows 10, along with Trusteer Rapport (often installed by banks as part of their client security infrastructure) and Norton for AV.

I’ll hand the story back over to Ian to explain what the neighbour had told him: “A failed late-night login to his bank popped up a brief message, possibly from Trusteer but he couldn’t be sure, stating that the page was ‘not covered’ before another form appeared. This required lots of user details to be entered. Eventually, the user realises something isn’t right, and switches the PC off. He then went away from home for a couple of days before returning to find lots of missed calls from his bank, mobile phone provider and email providers, regarding requests to change personal details and logins.”

Ian wanted to know – as the neighbour reckons he didn’t enter the URL to arrive at this form – if this is a common type of attack and whether URL checkers are any good at stopping such things? As an aside, he also asked how my browser client handles a well-known misspelling of the Google address. As I replied at the time, without seeing the machine involved it’s hard to be specific, so my response had to be treated as being necessarily generic. That said, it was obviously an authentication scraping/credential stuffing attack, of a type that’s all too common. The popup described by Ian is actually the payload rather than the phish itself.

It’s hard to say whether that happened as a result of a mistyped login URL for the user’s online bank, or if the original phish was via an email/attachment and threat execution that then sat in the background waiting (man-in-the-

DAVEY WINDER is an award-winning journalist and consultant specialising in privacy and security issues

Pre-scan ensures you delete only what you want – but at the cost of speed

Remember: you can download an offline archive of all your posts before deleting them
