>>fahimu+(OP)
Why state-sponsored hacking specifically, as opposed to any (likely) unauthorized access?

>>fahimu+(OP)
This question obviously is unlikely to have an answer, but someone has to ask: does "nation-state" include the Western countries, namely the US/EU and friends?

>>Pyxl10+q1
If they have the information, the heads-up could save a life/personal freedom?

>>Pyxl10+q1
Also, how will sending a new password to your cell phone help? If you are dealing with state sponsored actors, why not assume they can see all text and email?

>>NhanH+v1
Of course not. The only states that do bad things are China, Iran, N.Korea, right?

>>fahimu+(OP)
Except the USA, of course. :)

>>NhanH+v1
I once received this alert from google, a few months later had a run in with the FBI.

I don't see why any non-Western countries would be interested in me, so yeah.

>>Pyxl10+q1
it's quite obvious, really. Regular unauthorized access means: batten down the hatches, man battle stations, i.e. change password State-sponsored hacking means: delete social media profile, move residence, change phones, start praying, etc ;-)

>>A_COMP+w1
There are many non-state actors who can threaten life/personal-freedom.

>>jsprog+x1
A two-factor authentication token to sent via text, not the actual password.

That said, I find SMS-based 2FA to be pretty dodgy as well. Cloudflare was hacked once by somebody who managed gain access to an admin's mobile phone by social engineering their telco. If a site does not offer TOTP based 2FA I usually don't bother using it.

>>fahimu+(OP)
This is so stupid since they can be forced to give information with no hacking involved...

>>fahimu+(OP)
Will it disregard National Security Letters to notify users?

>>aNoob7+D1
Yeah, I suspect this wouldn't show up if Facebook received an NSL...

>>Pyxl10+q1
I think they do, they're just being extra helpful here and specifying that they think whoever owned you was a state actor.

>>pearls+P1
I doubt it.

This is just propaganda by Facebook showing everyone that it cares about your privacy. Unfortunately, I believe government all around the world are going to have a talk with Facebook about what is acceptable levels of privacy.

>>fahimu+(OP)
Why so many naysayers? I can't see this having any detrimental effects, regardless of how effective it is in practice.

>>ryanlo+F1
> I once received this alert from google, a few months later had a run in with the FBI.

Sounds like quite a story; any details you can share?

>>ryanlo+F1
I think you should share your story. The more the people know, the better.

>>fahimu+(OP)
"we strongly encourage affected people to take the actions necessary to secure all of their online accounts."

This is an important aspect. The affected individual might be using several other services that don't have the sophistication of Facebook's security team. Facebook might have been able to thwart the attack but his/her other online accounts might have been compromised.

>>corndo+Y1
One possible argument would be that having a false sense of security is worse than no security at all.

>>agorab+A1
No need to downvote this reply. The sarcasm was an effective and appropriate way to communicate a serious point.

>>Lafore+K1
I didn't say the actual password. The page wasn't very forthcoming on all the details, but a 2FAT is typically just a very short, temporary password.

>>tonyar+S1
Oh? I was hoping that that was one intended use for this. Would such an alert violate the typical terms of an "NSL"?

>>fahimu+(OP)
I've been getting regular emails from Facebook saying "sorry you've been having trouble logging in to your account". I haven't been trying to login to my account, I deactivated it years ago. Don't think there is anything I can do about it.

>>corndo+Y1
People are biased about Facebook for various reasons, including $privacy-issue-of-the-day; no matter what they do they get to be the villan.

That is, unless we're talking about their newest PHP optimizer or ad toolkit.

>>JoshTr+52
I received the alert around Dec 2012, big red bar at the top of my screen (which interestingly enough caused a reflected XSS vulnerability in gmail) just randomly popped up as I was eating dinner a few days before christmas.

Didn't really think much of it, account logs showed no access from outside of my own IP addresses and analysing all the emails I had received in the past few months found nothing out of place. Leads me to believe (Well, hope.) that the attack was detected and blocked by google.

About 8 months (had to double check that, since it sure felt like less) later I flew over to defcon and the FBI searched my hotel room, seizing my throwaway phone and laptop. On my way out of the country I was again stopped at JFK by a bunch of agents holding a grand jury subpoena.

Ended up being asked a bunch of rather silly questions regarding some ORNL hack(and others) that I couldn't really answer.

Wasn't arrested, got to spend an extra day in the states and flew out.

>>tonyar+S1
I think this alert is sent when they can sense you're being surveilled before they themselves get a NSL. "Targeted by state actor" != "obeyed lawful request for data".

>>Myrmor+k2
Sincerity does a better job than sarcasm in communicating, usually.

>>jsprog+x1
If the actor is not sponsored by a state that would have easy access to your telecom (e.g. you live in the US but the attack is from a hacker sponsored by China) this is still very helpful.

>>pearls+P1
The focus seems to be on "state-sponsored actors", not the states themselves. My guess is this is targeted at completely illegal and disavowed actors, not those that have the luxury of being able to issue a NSL.

>>digita+H1
James Mickens' "Mossad/not-Mossad" threat model comes to mind: https://www.usenix.org/system/files/1401_08-12_mickens.pdf

>>_bpo+J1
Not in the same way a state actor can. Especially if it's your own state. An FBI agent won't go to jail for ending your life/personal freedom; he can act in the open.

>>ryanlo+C2
Did you go back to the states afterwards?

>>_bpo+J1
Yes, but the majority of hacking attempts against Facebook accounts are probably just trying to post ads for knock-off Ray-Bans.

>>ryanlo+C2
Your email address in your profile would lead me to believe you're Russian, but you speak very fluent and informal American English. Don't suppose you'd admit to being a Fin and having a name of Julius, would you?

Curiosity, that's all.

>>pearls+P1
I don't think you have to comply with NSL before you get it. If Facebook is able to detect pre-NSL surveillance (I doubt government just sends batch NSLs as a prelude to investigating potential targets), they can alert you before an official gag order tells them to shut up.

>>joshmn+33
Yep.

>>jacque+Z2
Nope, and I don't think I'm going to be trying that any time soon.

>>TeMPOr+w2
That's no good either, because then they are just giving it to you so they can sure you later and steal your startup due to the PATENTS file.

>>Myrmor+q2
From Wikipedia:

NSLs typically contain a nondisclosure requirement, frequently called a ''gag order,'' preventing the recipient of an NSL from disclosing that the FBI had requested the information.

...however:

The nondisclosure order must be authorized by the Director of the FBI, and only after he or she certifies "that otherwise there may result a danger to the national security of the United States, interference with a criminal, counterterrorism, or counterintelligence investigation, interference with diplomatic relations, or danger to the life or physical safety of any person.

So it seems this is regulated to some degree, though it is unclear what counts as "interference with a criminal, counterterrorism, or counterintelligence investigation".

>>fahimu+(OP)
The comments (on Facebook) are surreal.

>>aNoob7+D1
It is a welcome move if facebook wants to be a true social platform, and increase its acceptance within me than rejection. But this particular change must come with a degree of transparency, which is required IMO to address your humorous but serious comment, and address larger value of this move.

    - How would facebook detect nation-state attacks?
    - How do we make the policy around it participative and open?
    - Etc.

>>corndo+Y1
I haven't naysaid yet, but I'm always wary of big companies that take actions that clearly fit into some geo-political agenda. E.g. in this case, I suspect that the aim might be to embarrass and critique nation states such as Russia, China, and whatever country the US wants to replace the leadership of (Syria right now). These countries tend to use fairly obvious and naive attacks, as opposed to the US that might be able to demand information by an NSL.

>>wadeta+c3
Don't forget to post that the next time there's a Facebook tech thread :).

>>fahimu+(OP)
Imagine if this alert system were too liberal at labeling things "nation-state" and a significant proportion of users saw this notice: I imagine the general populous would be much more concerned about internet security than they are now.

>>fahimu+(OP)
This is a good move by facebook and does have the potential to save lives, but the fact that they don't provide any details about the attack or the supposed attacker definitely makes it significantly harder for potential victims to act on this information.

Imagine getting a message like this out of the blue, not even knowing who's after you. What are you going to do?

It's hard to fight a faceless enemy, especially when you can't even be sure if they really exist.

>>ryanlo+C2
Can you elaborate on what the big red bar said? At least I'm assuming it had some message.

>>lambda+n3
> I haven't naysaid yet, but I'm always wary of big companies that take actions that clearly fit into some geo-political agenda.

Personally, I'm beginning to feel Google and Facebook are getting more and more open about US politics going against their interests.

> These countries tend to use fairly obvious and naive attacks, as opposed to the US that might be able to demand information by an NSL.

I don't think I agree with that point. Isn't the exact opposite the case? Russia, China, et al. have to actually do the work and hack the US citizen, while the US GOV can just send the NSL and have the data delivered on silver platter by US companies, who are bound by law to comply?

>>strang+T2
Thanks for that, it had honestly never occurred to me that murder for the purpose of buying someone's stuff at an estate sale might be a thing. I have updated my will accordingly.

>>ryanlo+s3
I wrote a long response to this but decided to simply ask, what can a person do to act on the information, if it were provided?

Protestors in Syria or China could probably already guess what such a message means, so I'm curious as to the amount of information needed for a person to be able to act on it?

>>ryanlo+83
Using russian email server is smart: out of subpoena powers of all of the Western nations... and FSB, even if they were to spy on you, doesn't really give a damn unless you’re trying to undermine Russian Federation.

>>fahimu+(OP)
Rather than stealing your password so they can log in to your Facebook account, won't these state sponsored hackers just steal the authentication cookie that your browser sends to show that it's been authorized by MFA?

>>ryanlo+F1
I wish I could find the reference, but I recall someone once saying that sites like Google or Yahoo will provide a really subtle "canary" to indicate that your account details may have been requested, through just requiring you to re-accept the terms of service agreement.

>>NhanH+v1
I would guess not, since Facebook is likely required to abide by laws in the US\EU which allow transparent access to information (through warrants or otherwise), as we have already seen.

>>wavefu+I2
Tedious HN thought police. Not everyone, not every culture, shares the aesthetics of communication implied by recent HN directives. I think we should consider the possibility that they are, though well-intentioned, overly prescriptive and ultimately oppressive.

>>Lafore+K1
How does TOTP compare to HOTP?

>>scinti+v3
https://4.bp.blogspot.com/-kaEkDHuMR-8/T85THToQyYI/AAAAAAAAC...

Looks like that, although I remembered it being more red.

>>nness+M3
Protestors in Syria or China aren't the only people getting these.

As Snowden demonstrated there's no lack of westerners being spied on just because they happen to work at a telecom company.

The fact that there's no more information provided makes it far too easy for those people to just ignore these warnings as mistakes and go on with their lives.

>>Jerry2+P3
And contacting yandex customer support is significantly easier than trying to get in touch with someone at google capable of unlocking my account.

>>Pyxl10+q1
They already notify you about likely unauthorized access. This is just additional notification for state-sponsored attacks.

>>iandan+z3
Seriously? I got through the first page and a half of smarmy pop-culture references and couldn't figure out what the heck the author was talking about, so I just stopped reading. More power to you if you understood it!

>>NhanH+v1
Alex Stamos (Facebook CSO) is a vocal critic of the NSA [1]. Obviously they have to work within the law, so I don't expect we will see them illegally notifying people about NSLs, but I do expect to see Facebook pushing as much as possible against both western and other state-sponsored attacks on privacy.

[1] http://www.bbc.com/news/technology-31604503

>>Myrmor+Z3
We could also consider that HN has a particular culture. No one foces anyone to live here. It's a community you can freely join and leave, which makes it only more important to protect the culture that makes it good.

>>vitd+K4
I think it's because of the context it was linked in. Mickens is a pretty smart guy and is known for the series of articles like this one; it's something you read to reflect on in between crying out of laughter.

>>smprk+j3
> - How would facebook detect nation-state attacks?

"We do this by a combination of traffic monitoring, incident tracking and utilizing cellular network infrastructure to notify the engineers responsible for sending the warning in time between the NSL reaching front desk and CEO becoming aware of its content."

> - How do we make the policy around it participative and open?

"Everyone is free to receive a warning about being targeted by a state or state-sponsored actor, regardless of race, religion, gender, income and sexual preferences of said actor."

>>ryanlo+C2
>> "...the FBI searched my hotel room..."

Interesting story. For completeness, how do you know it was the FBI that searched your room?

>>Myrmor+Z3
This is my personal opinion that I've posted you smarmy git.

>>ryanlo+F1
At Google when we have done these alerts we have not discriminated by country. The alerts only cover what we see with phishing and malware targeting by what we believe is nation state activity and has nothing to do with law enforcement requests or other legal processes.

>>suneil+c4
HOTP tokens does not expire with time, so there is a bigger risk of them being stolen from transit/storage and successfully used.

>>strang+T2
That is an incredible essay. Thanks for posting

>>wavefu+Ca
Sincerity does a better job than sarcasm but offensiveness and insults are best of all? I even made sure in my response that personal pronouns like "you" were not present so that it was a criticism of HN rather than you.

>>Myrmor+Z3
The reason for HN's guidelines is not that we're uptight finger-waggers. It's that we understand the dynamics of a large anonymous internet forum. The alternative isn't HN-as-it-is, spiced up with more sarcastic or aggressive comments. The alternative is internet sludge.

The way to preserve what HN has that is good (and I'm not saying it's great, only that it's better than it might be) is to have a clear set of principles and communicate them. If you know a better set of principles, where the fitness function is high-quality discussion at scale, I'd love to hear what they are. Otherwise I'm going to suspect you of magical thinking, in which HN's current level is assumed to just happen for free, and for some reason meddlesome thought police keep intruding on it.

>>dang+vd
Thanks dang, your posts on this topic are always very thoughtful and reasoned.

I guess I would draw a clear distinction between aggression and sarcasm. I do believe you that it's a difficult task to make things function healthily at scale and I'm sure those involved in issuing recent guidelines were correct to do so. And of course I agree that we shouldn't be aggressive (though waveform apparently needs a reminder of this). But I'm pretty uncomfortable with eliminating sarcasm. That's really a very common mode of communication in some cultures. It feels very sterile/corporate to not be allowed to simply be sarcastic. Especially when the target of sarcasm is basically western hegemony, as it was here!

>>TeMPOr+w2
> People are biased about Facebook for various reasons, including $privacy-issue-of-the-day"

While FB as a company certainly is not altruistic, they employ quite a few privacy-minded engineers. Data leaks to the outside of their walled garden are very likely treated as company-wide problems, but as the LGBT doxes showed, there are wide implications even within their walls. [0]

As they try to capture ever larger parts of the online population, they will* keep colliding with non-Western, non-SV norms. The privacy issues may be nothing but a canary in the goldmine, because they are mostly an expression of non-SV values. For example, I have my doubts about how long images of traditional Hindu artwork would be allowed to stay up...

0: http://www.huffingtonpost.com/2015/03/27/facebook-authentic-...

>>Myrmor+me
Oh, I see. I think I took your concern at slightly the wrong angle.

The guidelines don't rule out sarcasm. They ask for comments to be civil and substantive. The Venn diagram of those things may not have a lot of common area but there's definitely some. Just don't ask me to specify what it is—that's probably too hard.

>>avn210+Z7
After asking them a couple of times they agreed to present their badges, and that's what the copy of the warrant said.

>>ryanlo+r4
That's true, but I suppose its a lot easier for Facebook to show warnings when actors like Syria or China are the culprits since they have no requirement to abide by their law. Where as, as Snowden has shown, the US and EU can stipulate whatever policy they want and require that Facebook can not disclose anything about it. I'm just skeptical anyone in the US or EU will see this warning.

>>joenat+s2
You can delete your account. https://en-gb.facebook.com/help/125338004213029

>>nness+Gp
I've, as a white EU citizen, received similar warnings from google.

I don't know if Facebook is going to be showing this to any western people, but when google showed me their version of the warning there was very little I could do with it since looking through my logs and emails showed no signs of any attempted attacks.

>>ryanlo+w4
Followed you briefly (news-wise). Fun fact: I once received a call about some credit card information being leaked, and was brought on to figure it out. I'm pretty sure you had something to do with it.

Small, fun little world we live in. I was amazed to learn that you were so young. Hope you stay out of trouble and put your curious brain to good use. :) Don't forget your SOCKS.

>>Myrmor+Rc
Insults are effective in communicating some things!