[HN Gopher] Facebook has a hidden tool to delete your phone numb...
___________________________________________________________________
Facebook has a hidden tool to delete your phone number, email
Author : elorant
Score : 80 points
Date : 2022-11-01 20:25 UTC (2 hours ago)
(HTM) web link (www.businessinsider.com)
(TXT) w3m dump (www.businessinsider.com)
| tony-allan wrote:
| This is a service to ONLY delete your phone number uploaded from
| someone else's address book. I expect that they have hundreds of
| other sources of your private data so they don't really care if
| you delete this copy.
|
| Read the text carefully -
| https://www.facebook.com/contacts/removal
|
| You are just adding another signal to their data about your
| attitudes and beliefs that is valuable to advertisers.
| neves wrote:
| It looks like a scam. I never confirmed my number, but they need
| to send an SMS to it so they can confirm it.
| nikeee wrote:
| This instantly reminded me of this:
| https://i.imgur.com/nAoc3cO.jpeg
| jaredsohn wrote:
| Nice thing about this is how easy it is to implement. But if
| it ever says 'no' then there is a bug.
| autoexec wrote:
| > "You can ask us to confirm whether we have your phone number or
| email address," the firm states. "If we do, you can request that
| we delete it from our address book database. To prevent it from
| being uploaded to this database again through someone's address
| book, we need to keep a copy in our block list."
|
| I wouldn't doubt if they remove your information from their
| "address book database" and add it to one or more others where
| they keep it forever. There's zero oversight, and zero
| accountability. It makes no sense at all to just assume that
| facebook will do anything they aren't forced to when not doing
| that thing could make them money. Facebook doesn't care about
| you, your privacy, or even the law. Facebook cares only about
| facebook.
| ritzaco wrote:
| Of course, it's not a technical problem. They could keep a hash
| instead of a copy. But I'm sure people who find the 'hidden
| tool' and request to have their information removed are
| interested in specific products, so a list of these people is
| very valuable to train machine learning models on.
| m463 wrote:
| I wonder what happens if someone blocks their phone number,
| then switches it.
|
| Will the re-used number be blacklisted forever with a hash
| scheme?
| kadoban wrote:
| Hashes of phone numbers are unfortunately not actually useful
| in almost any circumstance. You can trivially reverse them by
| iterating through every phone number and computing the hash.
|
| Hashes of emails are not quite as useless, but not far off
| (consider 90+% of emails are at like ~3 domains, and also
| that lists of vaguely ~valid email addresses aren't hard to
| get).
| qxmat wrote:
| Slow hash function + salt would solve this, e.g. you'd be
| lucky to do more than 10 hashes a minute with bcrypt and 20
| salt rounds.
| kadoban wrote:
| You can try that, but it's really difficult to tune so
| it's useful. The amount of time the server has to waste
| computing hashes is too close to the amount of time an
| attacker has to waste to break at least some of them.
|
| It's just not hard enough to guess a potentially valid
| phone number. With passwords, hashing only helps because
| the probability of a valid password is _very_ low, and
| because you don't need to look up a password, only check
| if it's the right one for joeblow (so you can salt them
| individually).
| m4jor wrote:
| Yeah but with hashcat supporting cracking with multiple
| GPUs, even bcrypts can be cracked quickly now. There are
| also a ton of cloud cracking services like GPUHash.me and
| entire cracking forums where ppl crowdsource and help out
| like HashKiller.
| addingadimensio wrote:
| Hash and salt
| galeaspablo wrote:
| How could I match an incoming unhashed value to an
| existing salted hash?
| m4jor wrote:
| hashcat
| ohbtvz wrote:
| There are only about 3 billion valid US phone numbers.
| How many hashes can your GPU compute per second?
| m4jor wrote:
| Most people crack with multiple GPUs. For example, I have
| a 5 GPU (3080s) rig that I used for mining ETH but now
| can use to crack with hashcat. tl;dr crack fast af boiii.
| kadoban wrote:
| If you salt, then either you can't lookup a number, or
| you've only changed the problem to: iterate over all the
| possible phone numbers, _add the salt_ and hash them. No
| big difference.
| gerdesj wrote:
| "You can trivially reverse them by iterating through every
| phone number and computing the hash."
|
| Well yes and no. What exactly is your understanding of a
| phone number 8)
|
| Not everyone is blessed with the NANP. I'm a Brit and we
| have an eye-wateringly complicated nonsense of a numbering
| plan and ours isn't the worst.
|
| What do you hash? Perhaps the standardised international
| representation or one of them (no that is not a joke -
| telephony is weird). For a laugh you could try one of the
| many colloquialisms. For example a UK number might be
| 00441395112233 or 441395112233 or +44 (0)1395 112233 - the
| final part might be displayed as 112 233 or 112-233.
| Imagine if the database works by operating on all numbers
| in locally correct colloquial mode and hashes that!
|
| Now let's really get silly: There are hashes that are nasty
| to compute but easy to check and vv. We'll use whatever is
| indicated.
|
| Anyway this is all a very well researched problem, there is
| no need for silly games: passwords.
| groffee wrote:
| So normalise the data first? Your comment literally makes
| no sense at all.
| kadoban wrote:
| Phone numbers get complicated, yeah, but US numbers are
| pretty trivial (and so are they in several other places,
| and even for UK it's just more annoying, not really
| computationally harder).
|
| So at _best_ the security analysis is: "okay, all US
| phone numbers and a bunch from other places might as well
| be in cleartext", which is already broken enough that
| it's basically useless.
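kadoban's enumeration argument and gerdesj's normalisation point, as an added example that is not part of the thread: colloquial UK forms are reduced to one E.164 string before hashing (so equal numbers hash equally), and a site-wide salted SHA-256 of a number is then recovered simply by hashing every subscriber number behind one area code. The candidate space, the salt and the 1e9 hashes/second GPU rate used for the time estimate are constructed assumptions.

```python
import hashlib
import re


def normalize_phone(raw: str, default_cc: str = "44") -> str:
    """Reduce 00441395112233, 441395112233, '+44 (0)1395 112233' or
    '01395 112-233' to the single E.164 form '+441395112233'."""
    raw = raw.replace("(0)", "")              # redundant trunk 0 in "+44 (0)1395 ..."
    digits = re.sub(r"\D", "", raw)           # drop spaces, brackets, dashes, '+'
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):               # international access prefix
        return "+" + digits[2:]
    if digits.startswith("0"):                # national trunk prefix
        return "+" + default_cc + digits[1:]
    return "+" + digits                       # already country code first


def phone_hash(number: str, salt: str = "") -> str:
    """What a 'hash instead of a copy' block list would store (salt is site-wide)."""
    return hashlib.sha256((salt + normalize_phone(number)).encode()).hexdigest()


def candidates_for_area(cc: str, area: str, subscriber_digits: int):
    """Constructed candidate space: every E.164 number behind one area code."""
    for n in range(10 ** subscriber_digits):
        yield f"+{cc}{area}{n:0{subscriber_digits}d}"


def reverse_hash(target: str, candidates, salt: str = ""):
    """Recover the number behind `target` by hashing each candidate.
    A site-wide salt only moves into the loop; the candidate count is unchanged."""
    for cand in candidates:                   # candidates are already E.164
        if hashlib.sha256((salt + cand).encode()).hexdigest() == target:
            return cand
    return None


def enumeration_time_seconds(space_size: float, hashes_per_second: float) -> float:
    """Time to walk the whole space; the defender's lookup pays the same per-hash cost."""
    return space_size / hashes_per_second


if __name__ == "__main__":
    stored = phone_hash("+44 (0)1395 112233", salt="sitewide-salt")
    print(reverse_hash(stored, candidates_for_area("44", "1395", 6), "sitewide-salt"))
    # ~3e9 valid US numbers (figure from the thread) at an assumed 1e9 SHA-256/s:
    print(enumeration_time_seconds(3e9, 1e9), "seconds for the whole NANP space")
```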
| popcalc wrote:
| This is the same reason hashing a SSN is purely security
| through obscurity. Anyone with a couple GB of space to
| spare for a text file can easily perform a reverse lookup.
|
| https://gist.github.com/stouset/4322307
| krono wrote:
| Not too dissimilar from Google Analytics' official global opt-
| out browser extension. It injects a consistent/unchanging item
| into the global window scope of every single page you visit.
|
| https://tools.google.com/dlpage/gaoptout/index.html
|
| License prohibits sharing its code so I won't - setting a good
| example for our artificially intelligent friends :)
| cyberphobe wrote:
| I'm sure our artificially intelligent friends give precisely
| zero fucks what you do and will steal your shit with
| impunity. If you do crime on a large enough scale, it's
| called innovation.
| nipponese wrote:
| It's not a secret. You can google any product name plus "CCPA"
| and you'll get an email address for a legally binding request to
| delete data.
| encryptluks2 wrote:
| Providers have gotten creative, now requiring you to provide
| proof of identity showing you live in California, plus an
| ominous warning suggesting that it is a felony to state you
| live somewhere you do not.
| m463 wrote:
| I've read the CCPA sections of privacy policies, and it's
| (designed to be?) completely unclear what and how to request
| stuff. There is probably a lot they can be required to do they
| don't tell you.
|
| I'd love to see a website that details what you can do, and
| step-by-step how to do it.
| barbazoo wrote:
| For some reason https://www.facebook.com/legal/policy/ccpa
| doesn't open for me. Is this only for California residents?
| carbocation wrote:
| It opens for me in California, so I can't refute your
| hypothesis.
| notRobot wrote:
| Not in California, doesn't open for me.
| daledavies wrote:
| Seems broken anyway. I requested it look for my phone number but
| never received a confirmation code.
| sys_64738 wrote:
| DELETE FROM FB WHERE email = :my_email OR phone = :my_phone;
| COMMIT;
| lagrange77 wrote:
| To answer your question:
|
| Why would they, if they didn't have to?
| [deleted]
___________________________________________________________________
(page generated 2022-11-01 23:00 UTC)