Yes, I use Facebook and I’m deleting their apps

Take a moment to peruse the story about Cambridge Analytica. One outcome of that is that I remain a Facebook user but their apps and data are removed from my phone. I recommend that everyone I know delete their apps. Here's why.

Control what you share

I use Facebook for a number of reasons.

  1. My extended family uses it. I love my family, (yes, even you and especially YOU) and they use Facebook. As far as I am aware, my family extends from Puerto Vallarta in Mexico to Puerto Rico to parts of Asia and Europe. This is a very 21st century thing and it works.
  2. Many of my school friends use it and I like to maintain some form of contact with those people. I went to school with some very cool folks. 
  3. Support groups. I'm a 3D printer user (I can stop at any time, I am not an addict) and some of the most effective sources of information are on Facebook.
  4. SOCIAL ISSUE AWARENESS! That one deserves a shout. Many people organize and discuss issues that are important to me. Like it or not, my Facebook feed is a source of information about many topics. Gun control articles? Check. Liberal causes? Check. Funny kitten videos? Check, Check.

All that is valid and anything I put on Facebook I do so with full knowledge and forethought. When I upload an image, video, comment or post to Facebook I know what I'm doing. That is no longer something I control once I do that.

When I share something on Facebook I expect it to be innocuous. My phonebook isn't that.

What else is Facebook obtaining that I don't control?

Visit your Facebook settings page and download a copy of your data from Facebook. You can do so via this link: https://www.facebook.com/settings

Depending on how much data you've shared, that can take a while. Mine took 10 minutes before Facebook notified me the download was ready.

Download and extract that zip archive. Open the index.htm file with your browser and click the Contacts Info link. My whole smartphone address book is there. This wasn't somehow cross-indexed from other users; I 100% never gave Facebook my cellphone number. If they got that, it wasn't from me.

They have the number of my employer's travel booking hotline. Really? I only added that a few weeks ago when I had to fix some work travel bookings in a hurry.

They could have easily gotten my own mobile number from users who mistakenly uploaded that via the Facebook Messenger app, as apparently I did. I'm reasonably sure that is how Facebook harvested my phone's data.

This is something that I take great care to not do. That's a line too far for me to cross and I do not want Facebook, or any social media site to get phone numbers, names and email addresses from me. I routinely tell the LinkedIn app the same thing: stop asking for that info.

And yet, there is my phonebook in my Facebook data download. I've tried to eliminate it from Facebook and I have not succeeded yet.

They know which apps I've installed too

Now visit the Applications link on your downloaded data. That is a historical list of applications on phones that I've wiped and disposed of years ago.

There's even more there about what ads I've looked at, etc. but I'm OK with those. I don't mind anyone tracking what I do on their site. It's not my site and that I can retrieve that data is a good thing. I don't think Facebook is "E-V-I-L" but when it comes to data collection I think they're stunningly blind to what they are doing.

"You are not a Facebook user, you are a Facebook product."

That's entirely correct and I don't disagree with that.

In the United States, data belongs to the person who collected it. That may not be true in other countries but within the U.S. that is 100% correct. This will not change as our government historically puts companies before people.

In Europe and other places, that isn't always the case. There are penalties for this sort of behavior. What I explicitly share on a site is acceptable. What the site backdoors from me is not.

I'll keep using Facebook from a web browser for now but there's no way I'll trust them on my phone again.

I want that contact data removed from Facebook. I want to believe that Facebook will honor that wish. But I have no reason to believe that they will do so.

You see, Mark Zuckerberg's statement isn't about Cambridge Analytica abusing user data. It's about how someone besides Facebook did that and was caught. It's just public relations now. If you are aware of that and are careful then you may want to keep using Facebook for now. But not on a phone; that trust has just gone out the window.

Wildcard certs via Let’s Encrypt

I just reduced 14 Let's Encrypt certificates down to 2. This is possible because the free service went live for wildcard certs. This has great implications for people who use the WordPress Multisite feature or routinely light up new virtual hosts in the same domain.

You can read Let's Encrypt's understated announcement here.

On my VPS I run Ubuntu 17.10 and it has a version of certbot that you can get from the official repo. Sadly, it's the 0.21 release and wildcard certs need ACME v2 support and that's only in release 0.22 and greater.

Here's what I did

On the command line I cloned certbot from GitHub.

git clone https://github.com/certbot/certbot.git
cd certbot
sudo ./certbot-auto

You'll see something like so. On my main box it asked if I'm OK with installing more Python packages. A quick installation of those dependencies and I was ready to go.

Press c to cancel. You want a wildcard cert, not single-hostname certs. Now type this as one line.

sudo ./certbot-auto certonly --manual --server https://acme-v02.api.letsencrypt.org/directory

The server argument is the important one and points to the new V2 API. I could modify the configuration but I'd have to remember what/where I did that. This is easier for me. Certs generated using the V1 API will work and renew with the new one, so there are no worries there. The manual argument prompts you through the steps and asks which domains to use.

Normally this is not a manual process. But for the ACME V2 API, an additional check is required and I don't have a certbot plugin to interface with my DNS provider.

When prompted for the domain name I used "*.dembowski.net dembowski.net" and was instructed to create a DNS TXT record for _acme-challenge.dembowski.net as well as a file in dembowski.net/.well-known/acme-challenge/ with a generated name and content.

If you can put that file on the right web server, if you can update your DNS, then you're considered legitimate. Just make sure you wait for DNS to propagate first before proceeding. You can check if it has (at least for Google) using this link.

I use Namecheap. After a quick visit to that dashboard, I waited for the new TXT record to populate, created that special file and hit Enter.

POOF! My server was validated and the certificates were placed in /etc/letsencrypt and a few minutes later my many hosts were updated to point to that new wildcard cert. I repeated this for my other domain and I'm good.
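
The "wait for DNS to propagate" step above, as an added example that is not part of the original post: it asks every authoritative nameserver for the domain directly, so a stale resolver cache cannot give a false "ready". The script name and the 30-second retry interval are assumptions, and it needs dig installed.

```sh
#!/bin/sh
# Added example (not from the original post): wait until the _acme-challenge
# TXT record is served by every authoritative nameserver for the domain.

# Return 0 if $1 is one of the TXT values in the "dig +short" output in $2.
# dig prints one value per line, wrapped in double quotes.
txt_contains() {
    expected=$1
    answers=$2
    printf '%s\n' "$answers" | tr -d '"' | grep -Fxq -- "$expected"
}

# Ask each authoritative nameserver directly, bypassing resolver caches.
# Return 0 only when at least one nameserver exists and all serve the value.
check_all_ns() {
    domain=$1
    expected_txt=$2
    seen=0
    missing=0
    for ns in $(dig +short NS "$domain"); do
        seen=1
        answers=$(dig +short TXT "_acme-challenge.$domain" "@$ns")
        if txt_contains "$expected_txt" "$answers"; then
            echo "ok      $ns"
        else
            echo "waiting $ns"
            missing=1
        fi
    done
    [ "$seen" -eq 1 ] && [ "$missing" -eq 0 ]
}

# Usage (hypothetical script name):
#   ./check-acme-txt.sh dembowski.net <TXT value shown by certbot>
if [ "$#" -eq 2 ]; then
    until check_all_ns "$1" "$2"; do
        sleep 30    # assumed retry interval
    done
    echo "TXT record is live on all nameservers; continue in certbot."
fi
```

Run it in a second terminal while certbot is waiting at its prompt, and press Enter in certbot only after the script reports success.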

WordPress Multisite and wildcard certs

If you are running multisite then this simplifies your life tremendously. You can and should have one virtual host for your installation. In my case, they're underneath *.dembowski.net.

In my nginx configuration, I modified the server_name line to add *.dembowski.net and I removed the other vhost files. They were pointing to the same directory for WordPress and they're not needed anymore.
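
A check worth running after collapsing the vhosts, as an added example that is not part of the original post: in a certificate, `*.dembowski.net` stands for exactly one label, so it does not cover the bare dembowski.net (which is why both names were requested) or a deeper name such as a.b.dembowski.net, even though nginx's `*.dembowski.net` in server_name does match the deeper name. The script name and the hostnames passed to it are assumptions; reading the names from a certificate file needs an OpenSSL that supports `-ext`.

```sh
#!/bin/sh
# Added example (not from the original post): does a certificate name
# cover a given hostname?

# Return 0 if certificate name $2 covers hostname $1. A wildcard is honoured
# only as the whole leftmost label and stands for exactly one label.
cert_name_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        '*.'*)
            suffix=${name#?}          # drop the "*": ".dembowski.net"
            label=${host%"$suffix"}   # what the "*" would have to stand for
            if [ "$label" = "$host" ] || [ -z "$label" ]; then
                return 1              # other domain, or nothing before the dot
            fi
            case $label in
                *.*) return 1 ;;      # two or more labels: not covered
                *)   return 0 ;;
            esac
            ;;
        *)
            [ "$host" = "$name" ]
            ;;
    esac
}

# Return 0 if any certificate name in $2.. covers hostname $1.
covered_by() {
    h=$1
    shift
    for n in "$@"; do
        cert_name_covers "$h" "$n" && return 0
    done
    return 1
}

# Usage (hypothetical script name): ./san-check.sh fullchain.pem host1 [host2 ...]
if [ "$#" -ge 2 ]; then
    cert=$1
    shift
    # Read the DNS names from the certificate's subjectAltName extension.
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p')
    set -f    # keep "*" in the SAN list from being glob-expanded
    for target in "$@"; do
        if covered_by "$target" $sans; then echo "covered     $target"
        else echo "NOT covered $target"; fi
    done
fi
```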

Less is more. I've been waiting for this since they announced it, and lighting up new web server instances while maintaining transport-level encryption is such a good thing. Let's Encrypt continues to make the web a more secure place.