HOW TO NUKE FACEBOOK
WANT TO CLEAN UP YOUR FACEBOOK PRESENCE? DAVEY PROVIDES A NUMBER OF OPTIONS, INCLUDING THE FULL NUKE
Want to clean up your Facebook presence? Davey provides a number of options, including the full nuke
Who knows where the whole Cambridge Analytica mess will have ended up by the time you read this. One thing is certain, however: the knock-on impact on Facebook. Forget about the $40 billion wiped off its share value overnight, and the legal/ regulatory action that might come from the revelation that 87 million user profiles were used without informed consent. The impact I’m talking about right now is both positive and negative.
Positive, in so far as the story does appear to have finally alerted folk to the danger of taking part in those “What kind of animal am I?” and “What is my real political leaning?” type surveys that plague Facebook. Yet people who do know better still participate on the basis of “what harm will it do?” My answer in the midst of that Cambridge Analytica fallout is simple: Donald J Trump.
The negative – as far as Facebook is concerned anyway – relates to the number of requests I’ve had from news media and individuals asking how best to delete their Facebook accounts. Personally, I think this is a knee-jerk reaction: we’ve always known that using any “free” social media service is a trade-off between functional value and privacy concerns. As far as the latter goes, it really isn’t that difficult to restrict who sees what and when on Facebook just by exploring the privacy settings and using common sense.
Nevertheless, if you’ve had enough of Facebook then deleting your account, and all your social history with it, is another matter altogether. Facebook will want you to deactivate your account, which effectively leaves it in limbo. Neither your account nor the posts and likes you’ve made while using it will actually be deleted. You can dig deeper to find the nuclear option (facebook.com/help/delete_account), which will take up to 90 days to delete all posts and then light the touch-paper.
But what if you only want to do a bit of social gardening, and prune posts and online activity from certain years or subjects? For that, Facebook expects you to delete every such post individually. Not really an option if, like me, you’ve been an active Facebook user for a decade. This is where third-party utilities come in.
The most useful I’ve found has been the “Social Book Post Manager” extension for Chrome. The developers are active in keeping on top of bugs – although who knows whether Facebook will come along and throw a lawyer at them, as it has at other add-ons I’ve found useful in improving the site’s woeful default user interface and functionality.
Anyway, assuming it’s still up and running, what you get is a powerful utility to route through the Facebook activity log and delete posts based upon such filters as year, month, text (does or doesn’t contain a given string) and standard AND/OR Boolean operators. It fully automates the process of bulk-deleting Facebook activity, although there are caveats.
The first relates to speed; the deletion process is automated for convenience, not speeded up. Essentially, it simulates Delete button mouse-clicking, one post at a time. There’s no way around this – it’s the way the Facebook UI works – and there’s no API to allow differently.
It’s a limitation placed upon the process by Facebook to prevent accidental bulk deletions of postings, or to make the process so annoyingly slow that most people won’t bother tidying up their activity – take your pick over which you think is most likely. As such, it’s reminiscent of those batch or cron jobs some of us used to rely upon so heavily to perform routine and time-consuming tasks. Best left to run overnight.
If you want to confirm the posts match your filters before deleting, you need to run the extension with the pre-scan option turned on (which is the default for reasons of safety), but this again adds to the time taken. Some folk have complained of unexpected barfing during the pre-scan process, especially where it’s a long-time Facebook user and the activity log is a large one.
This leaves two options, and which you choose depends on what your motive for using the utility is. If you simply want to nuke everything before deleting your account, then switch off the pre-scan function and let it automatically delete the lot without confirmation. If your intent is to “garden”, however, then I’d recommend using pre-scan – but working a year at a time. Maybe even a month at a time for heavy users.
There is a third option for veteran tweakers: fiddle with the pre-scan speed settings. These default to x4, but range from x0.25 to x16, so you may find a lower speed can help stability at the expense of time taken to complete.
ANDROID P: MOST SECURE YET
I’ve been running Android 8 Oreo for a while now, courtesy of being on the Samsung Beta programme with my Galaxy S8+. On the whole it’s been a good, if not earthshattering, upgrade. One area I felt particularly underwhelmed by was security.
Take the Android Verified Boot 2 feature, also known as Project Treble. It adds measures to prevent booting up with malicious software, or rolling back to an older OS version with vulnerabilities. Anyone who roots their devices won’t like this feature – but, then again, most devices don’t seem to include it anyway. Expect this, and other updates such as the OEM Hardware Abstraction Layer that limits unlock attempts and requires the encryption key to access the passcode, to be part of devices that ship with Oreo out of the box.
I’ll keep my S8+ for another year, before I upgrade to something running Android P. So what security features can we expect to see in devices that come with P out of the box? Quite a few, and they’re all most welcome. The Android P Developer Preview has been released and reveals a swathe of security enhancements.
Enhancements such as the disabling of sensor access in the background by any app. If an app running under Android P wants to activate the microphone, camera or pretty much any sensor other than GPS (which already has a standalone toggle giving user control) in the background, it won’t be able to. Instead, the app must create a foreground process, meaning Android P can then display a notification – a persistent one at that – all the while that sensor is being used. The days of apps spying on you without your consent could well be coming to an end.
Talking of days being numbered, Google is continuing to crack down on insecure app traffic, by enforcing HTTPS connections on all apps by default in Android P. Any app that wants to use a clear text connection can do so, but only after the user agrees to opt out of the secure default.
While on the subject of encryption, I’m glad to report that Android P will strengthen the security of backups. While these are already encrypted when using Android Oreo, the new OS will use client-side, on-device encryption. This is important, as it means the encryption key becomes a “local secret” on your device, PIN- or password-derived, rather than being stored on the Google servers. The key will be needed to restore a device backup.
The last of the security boosts involves API warnings when older, potentially less-secure APIs are used by developers. Although the format and wording of the warning displayed to the user is still to be decided, that it will be displayed at all shows how seriously Google is taking this issue. Coupled with Google Play requirements for enforced recent API usage in new or updated apps, which should be in place by the time you read this, it’s all heading in the direction of making the apps we rely on more secure.
Subscriber Ian P emailed me to ask for some advice regarding a neighbour who had been on the pointy end of a phishing attack. Ian, a computer engineer by trade, explained he sees “very little in the way of AV or malware issues”, with the exception of “phone phishing, which I see a lot of”.
Yet this neighbour appeared to have succumbed to something nasty.
The computer didn’t reveal anything bad by way of the browser history, nor were there any dodgy extensions installed on the default Chrome browser. The neighbour was running an up-to-date version of Windows 10, along with Trusteer Rapport (often installed by banks as part of their client security infrastructure) and Norton for AV.
I’ll hand the story back over to Ian to explain what the neighbour had told him: “A failed late-night login to his bank popped up a brief message, possibly from Trusteer but he couldn’t be sure, stating that the page was ‘not covered’ before another form appeared. This required lots of user details to be entered. Eventually, the user realises something isn’t right, and switches the PC off. He then went away from home for a couple of days before returning to find lots of missed calls from his bank, mobile phone provider and email providers, regarding requests to change personal details and logins.”
Ian wanted to know – as the neighbour reckons he didn’t enter the URL to arrive at this form – if this is a common type of attack and whether URL checkers are any good at stopping such things? As an aside, he also asked how my browser client handles a well-known misspelling of the Google address. As I replied at the time, without seeing the machine involved it’s hard to be specific, so my response had to be treated as being necessarily generic. That said, it was obviously an authentication scraping/credential stuffing attack, of a type that’s all too common. The popup described by Ian is actually the payload rather than the phish itself.
It’s hard to say whether that happened as a result of a mistyped login URL for the user’s online bank, or if the original phish was via an email/attachment and threat execution that then sat in the background waiting (man-in-the-
DAVEY WINDER is an awardwinning journalist and consultant specialising in privacy and security issues
Pre-scan ensures you delete only what you want –but at the cost of speed
Remember: you can download an offline archive of all your posts before deleting them