With the recent surveillance nightmares of 90s hackers coming true, I’ve begun moving a bit toward the “dark arts” of networking, as agencies such as the NSA and CIA are rather blatantly spying on the American people now. I am not fully informed on how the rest of the web looks, but I don’t think it’s much better. I know Brazil is a mess at the moment.
Facebook is currently the most popular social network site, and has grown more commercial by the day since reaching that popularity. Numerous companies use Facebook “likes”, comments, and social patterns for marketing and for borderline-legal data mining of their own. Facebook is also notorious for disrespecting the privacy users assume on such a network, and anything discussed in Facebook messages can be assumed to be open to its admins, other companies, and law enforcement to read.
In this mini-tutorial I will guide you through running Facebook chat through a separate client and encrypting the messages so that Facebook’s staff and records cannot read them. Other Facebook interaction cannot be secured from Facebook’s own servers this way, but there is a great open-source, community-maintained social network called Diaspora* starting up now. If one really cares about security, a direct server-to-server connection is optimal, followed by secure forums such as IRC. However, Facebook’s pre-existing network is too convenient to ignore.
*DISCLAIMER* If you use this to mask illegal activities, don’t blame me
*DISCLAIMER* BOTH ends will need to be set up like so for this to work
1.) Install Pidgin. Pidgin is a small IM client under the GNU General Public License, and works on Linux with GNOME or KDE, and on Windows. (Windows is not featured on this blog, but the Windows setup should just be an install .exe or .zip, then the same again for OTR, which is mentioned later on.)
for Debian/Ubuntu/Mint: su -c "apt-get install pidgin"
for Fedora/Red Hat: su -c "yum install pidgin"
for Arch Linux: su -c "pacman -S pidgin" (unverified, but should be there, otherwise check AUR)
2.) Get pidgin-otr. To save time this could have been done in the above step, but I felt it was important to identify this extension separately. OTR means “off the record”; it is a Pidgin plugin that allows encrypted chat between users. I believe this method will use PGP, but I could be wrong.
for Debian/Ubuntu/Mint: su -c "apt-get install pidgin-otr"
for Fedora/Red Hat: su -c "yum install pidgin-otr"
for Arch Linux: su -c "pacman -S pidgin-otr" (unverified, but should be there, otherwise check AUR)
3.) Configure OTR in Pidgin. Launch Pidgin, then navigate at the top to Tools > Plugins, or hit Ctrl+U. In the plugin list, check the checkbox next to OTR, then in its settings enable OTR, but do NOT require it. Requiring it will prevent Pidgin from sending unencrypted messages, so the client will not work unless both ends of the chat are configured this way. Next there will be an option to create a key, which will take a few moments. Try to move the cursor around and hit random keys to create entropy.
4.) Configure Facebook. Pidgin should have a wizard for this. If you do not know your username, go to your Facebook page: the URL will be www.facebook.com/YourUserName. The password is your normal Facebook password.
5.) Begin an OTR chat. Open your “buddy list” for Facebook, then right-click a name and choose “IM”. This will begin an IM session with that user. Pidgin, if properly configured, will have a button which reads “Not private”, which is used to toggle a private, i.e. encrypted, conversation. If the other end is not set up, the message will show as [encrypted message], and then all messages after the “starting off the record chat” message will show up normal and unencrypted. Again, both ends must be set up this way, and they must accept the OTR invite, or this will not be encrypted.
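As an added example covering steps 1 to 5 (this is not code from the original post or from the Pidgin project), the POSIX shell helper below maps the distributions named above to the install commands given, then inspects the local OTR state. It assumes libotr’s default key store under ~/.purple (otr.private_key and otr.fingerprints, with one tab-separated line per buddy ending in a trust field of “verified”, “smp”, or empty), and goes one step beyond the post by listing buddies whose OTR fingerprint has never been verified, since an encrypted session with an unverified key could still be an impostor’s key.

```shell
#!/bin/sh
# Added helper (not from the original post): install commands for the
# distributions in the post, plus a check of the local OTR key store.
# Assumes libotr's default files under ~/.purple:
#   otr.private_key   - the account's OTR key (generated in step 3)
#   otr.fingerprints  - buddy<TAB>account<TAB>protocol<TAB>fingerprint<TAB>trust
#                       where trust is "verified", "smp", or empty

# Map an /etc/os-release ID to the install command used in steps 1 and 2.
install_cmd() {
    case "$1" in
        debian|ubuntu|linuxmint) echo "apt-get install pidgin pidgin-otr" ;;
        fedora|rhel|centos)      echo "yum install pidgin pidgin-otr" ;;
        arch)                    echo "pacman -S pidgin pidgin-otr" ;;
        *) return 1 ;;   # distribution not covered by the post
    esac
}

# Print one line per buddy whose stored fingerprint is not marked trusted.
# Encryption alone does not prove who holds the other key; verifying the
# fingerprint (or an SMP question) closes that man-in-the-middle gap.
unverified_fingerprints() {
    store="${1:-$HOME/.purple/otr.fingerprints}"
    [ -r "$store" ] || return 1
    awk -F'\t' '$5 != "verified" && $5 != "smp" {
        print $1 " (" $2 "/" $3 "): " $4
    }' "$store"
}

# Exit 0 when a key exists and every stored fingerprint is trusted,
# 2 when no key has been generated yet, 1 when unverified buddies remain.
otr_check() {
    purple_dir="${1:-$HOME/.purple}"
    if [ ! -s "$purple_dir/otr.private_key" ]; then
        echo "no OTR private key yet: generate one under Tools > Plugins > OTR" >&2
        return 2
    fi
    n=$(unverified_fingerprints "$purple_dir/otr.fingerprints" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}
```

Run `otr_check` after your first few OTR conversations; any buddy it lists should be verified in person or over another channel before you treat the session as private.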
In conclusion, one can essentially ignore Facebook as a social network and just treat it as a very popular IM client; after removing personal data from the site, one’s security is restored. Through encrypted messaging Facebook is unable to read the content of your messages, and with no “likes” or personal info to mine, they have nothing to gain from you, and you are, as the title says, using Facebook without them using you.
As far as I know, Facebook stores all removed data for a period of 6 months before actually deleting it. Please comment, ask questions, provide further info, or notify me of errors or vulnerabilities in this method in the comments.
photo credit: http://elioguevara.blogspot.com/