A guy on Facebook tried 'grooming' my 15 year old daughter! Wrong person to 'Hit'!

  1. Black Oracle said:

    Quote Originally Posted by CzarJunkie View Post
    It's quite a privacy issue that I'm surprised hasn't been more of, especially as people love to bash Facebook on privacy issues.
    CJ it's funny you mentioned Facebook's Privacy! I have studied Digital Anthropology, which in basic terms is looking at how different cultures consider the various platforms and how they use them on a global basis. There are major differences in North and South India, but the one that will always stand out the most is China! I assumed this country would have very high issues regarding security, but mention Privacy, and it's a whole new ball game, nothing like I expected at all.

    In China you must not hide your login details from anyone in your family; they think you are trying to dishonour your own family. And, if you think that is bad, then you'll be surprised that most premises only have one bedroom per family; having separate rooms is considered bad by the rest of your family. Privacy to them is basically non-existent!

    Over here our cultures are totally different, and Privacy means Private!!
     
  2. CzarJunkie said:

    Quote Originally Posted by Black Oracle View Post
    CJ it's funny you mentioned Facebook's Privacy! I have studied Digital Anthropology, which in basic terms is looking at how different cultures consider the various platforms and how they use them on a global basis. There are major differences in North and South India, but the one that will always stand out the most is China! I assumed this country would have very high issues regarding security, but mention Privacy, and it's a whole new ball game, nothing like I expected at all.

    In China you must not hide your login details from anyone in your family; they think you are trying to dishonour your own family. And, if you think that is bad, then you'll be surprised that most premises only have one bedroom per family; having separate rooms is considered bad by the rest of your family. Privacy to them is basically non-existent!

    Over here our cultures are totally different, and Privacy means Private!!
    Is it possible for you to explain how and why facebook's XMPP servers display the end user's IP address to their chat partners as I'm having trouble finding any information for this online. Just a rough overview would be ideal.
     
  3. piggzy said:

    Quote Originally Posted by CzarJunkie View Post
    Can you expand on that?
    Not really. I am no expert but I am sure I remember reading that XMPP does include the IP in the comms if that is how it is configured. I am happy to be shown otherwise.
     
  4. akimba said:

    Why don't you have a FB chat with someone and see if you can spot their IP? I'm not a fbooker so I couldn't run a test.
     
  5. piggzy said:

    3. DNS Records

    In order to advertise its availability for serverless messaging, a client MUST publish four different kinds of DNS records:

    1. A PTR record of the following form:
      _presence._tcp.local. PTR user@machine._presence._tcp.local.
    2. An address ("A" or "AAAA") record of the following form (where the IP address can be either an IPv4 address or an IPv6 address):
      machine.local. A ip-address
    3. An SRV record of the following form:
      user@machine._presence._tcp.local <ttl> SRV <priority> <weight> port-number machine.local.
    4. A TXT record whose name is the same as the SRV record and whose value follows the format described in the [Only registered and activated users can see links. ] section of this document, consisting of a set of strings that typically represent a series of key-value pairs such as the following:
      txtvers=1
      1st=user-first-name
      email=user-email-address
      hash=entity-capabilities-algorithm
      jid=user-jabber-id
      last=user-last-name
      msg=freeform-availability-status
      n=entity-capabilities-application-name
      nick=user-nickname
      node=application-identifier
      n=entity-capabilities-operating-system
      phsh=sha1-hash-of-avatar
      port.p2pj=5562
      status=avail-away-or-dnd
      vc=capabilities-string
      ver=entity-capabilities-identity

      Note: The DNS-SD specification stipulates that the TXT record MUST be published, but that it MAY contain no more than a single zero byte (e.g., if the user does not wish to publish any personal information).


    ________________________________________________________________________

    So the client must include their IP as per number 2. How visible that is though I am unsure.
     
  6. CzarJunkie said:

    Quote Originally Posted by akimba View Post
    Why don't you have a FB chat with someone and see if you can spot their IP? I'm not a fbooker so I couldn't run a test.
    I don't use it. But I am keen on knowing if organisations such as FB abuse user's privacy.
     
  7. CzarJunkie said:

    Quote Originally Posted by piggzy View Post
    Not really. I am no expert but I am sure I remember reading that XMPP does include the IP in the comms if that is how it is configured. I am happy to be shown otherwise.
    And is that the local IP of the user, or the IP of the server the user is connected to?
     
  8. piggzy said:

    Quote Originally Posted by CzarJunkie View Post
    And is that the local IP of the user, or the IP of the server the user is connected to?
    See above :-)
     
  9. CzarJunkie said:

    Quote Originally Posted by piggzy View Post
    See above :-)
    I don't understand that, can you explain it in layman's terms?
     
  10. CzarJunkie said:

    Quote Originally Posted by piggzy View Post
    See above :-)
    From that same page, they declare this under Security Considerations:

    13.4 Private Information

    The TXT record parameters optionally advertised as part of this protocol MAY result in exposure of privacy-sensitive information about a human user (such as full name, email address, and Jabber ID). A client MUST allow a user to disable publication of this personal information (e.g., via client configuration).
    Am I getting warmer?
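
An added example, not part of any post in this thread and not code from the specification: it parses a DNS-SD TXT record in the key=value form quoted in piggzy's post and reports which of the personal fields named in the quoted section 13.4 are being published, then re-encodes the record without them. The function names, the choice of four personal keys and the sample record are assumptions of this example.

```python
# Added example: audit a DNS-SD TXT record (format quoted above) for personal data.

# Keys from the quoted list that hold what the quoted section 13.4 calls
# privacy-sensitive: full name, email address, Jabber ID. The choice of
# exactly these four keys is this example's assumption.
PERSONAL_KEYS = {"1st", "last", "email", "jid"}


def encode_txt(pairs):
    """Build TXT RDATA: each string is a length byte followed by 'key=value'."""
    out = bytearray()
    for key, value in pairs:
        item = (key if value is None else f"{key}={value}").encode("utf-8")
        if len(item) > 255:
            raise ValueError(f"TXT string too long for key {key!r}")
        out.append(len(item))
        out += item
    # An empty record is the single zero byte allowed by the quoted note.
    return bytes(out) or b"\x00"


def parse_txt(rdata):
    """Parse TXT RDATA into (key, value) pairs; value is None without '='."""
    pairs, pos = [], 0
    while pos < len(rdata):
        length = rdata[pos]
        pos += 1
        if pos + length > len(rdata):
            raise ValueError("truncated TXT string")
        item = rdata[pos:pos + length]
        pos += length
        if not item:
            continue  # zero-length string carries no attribute
        key, sep, value = item.partition(b"=")
        pairs.append((key.decode("ascii", "replace").lower(),
                      value.decode("utf-8", "replace") if sep else None))
    return pairs


def exposed_keys(rdata):
    """Return the personal keys that are published with a non-empty value."""
    return sorted({k for k, v in parse_txt(rdata) if k in PERSONAL_KEYS and v})


def redact(rdata):
    """Re-encode the record with the personal keys left out."""
    return encode_txt([(k, v) for k, v in parse_txt(rdata) if k not in PERSONAL_KEYS])


# Constructed sample record; the names and addresses are made up.
SAMPLE = encode_txt([
    ("txtvers", "1"), ("1st", "Alex"), ("last", "Example"),
    ("email", "alex@example.org"), ("jid", "alex@example.org"),
    ("nick", "al"), ("port.p2pj", "5562"), ("status", "avail"),
])

if __name__ == "__main__":
    print("published personal keys:", exposed_keys(SAMPLE))
    print("after redaction:", parse_txt(redact(SAMPLE)))
```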
     
  11. piggzy said:

    Quote Originally Posted by CzarJunkie View Post
    From that same page, they declare this under Security Considerations:



    Am I getting warmer?
    I believe so but again have not had much experience... So my understanding is they allow the user to hide their IP if facebook have written their client software that way. Have they?
    Also in all honesty this isn't going to stop a hacker getting an IP through it anyway. It just doesn't hand it on a plate.
     
  12. CzarJunkie said:

    Quote Originally Posted by piggzy View Post
    I believe so but again have not had much experience... So my understanding is they allow the user to hide their IP if facebook have written their client software that way. Have they?
    Also in all honesty this isn't going to stop a hacker getting an IP through it anyway. It just doesn't hand it on a plate.
    OK, so as far as you and Black Oracle are concerned, you can find a user's IP address using netstat when chatting to them using facebook messenger? And if so configured, XMPP will display the local IP address of your chat partner?

    Is that correct?
     
  13. Black Oracle said:

    [Only registered and activated users can see links. ]

    Very difficult without going into technical details, but this is an XMPP server, which shows the clients in a chart - you can blow it up, full-screen if need be.
     
  14. CzarJunkie said:

    Quote Originally Posted by Black Oracle View Post
    [Only registered and activated users can see links. ]

    Very difficult without going into technical details, but this is an XMPP server, which shows the clients in a chart - you can blow it up, full-screen if need be.
    So, as far as you are concerned, you can find a user's IP address using netstat when chatting to them using facebook messenger? And if so configured, XMPP will display the local IP address of your chat partner?
     
  15. Black Oracle said:

    What you have to look at is that all chat clients use the same technology! XMPP - Skype was forever becoming hacked under the old method it used, so it was all changed to XMPP. But even now in a Skype conversation you can pull the original IP of the user up by using netstat -nbt

    It makes no difference what messenger you use these days you can still pull the originating IP, unless there is a VPN involved - but has NASA proved a VPN is not safe either! Proxies well you can 'chain' as many as you want, but the more you chain the more the signal drops, causing time-outs, etc.

    If configured properly TOR is one way around it, but you need extensive knowledge of TOR networking!
     
  16. Black Oracle said:

    Quote Originally Posted by CzarJunkie View Post
    So, as far as you are concerned, you can find a user's IP address using netstat when chatting to them using facebook messenger? And if so configured, XMPP will display the local IP address of your chat partner?
    That is correct. Using the correct switches or commands with netstat makes it a very powerful tool...
     
  17. Over Carl said:

    Just for a moment when you guys started talking about XMPP, I thought I may be wrong - I haven't studied the protocol but I was wondering whether IP addresses of users may be present, but then this would require something like wireshark rather than netstat to view.

    But then I read the info piggzy has kindly provided.

    Quote Originally Posted by piggzy View Post
    3. DNS Records

    In order to advertise its availability for serverless messaging, a client MUST publish four different kinds of DNS records:

    1. A PTR record of the following form:
      _presence._tcp.local. PTR user@machine._presence._tcp.local.
    2. An address ("A" or "AAAA") record of the following form (where the IP address can be either an IPv4 address or an IPv6 address):
      machine.local. A ip-address
    3. An SRV record of the following form:
      user@machine._presence._tcp.local <ttl> SRV <priority> <weight> port-number machine.local.
    4. A TXT record whose name is the same as the SRV record and whose value follows the format described in the [Only registered and activated users can see links. ] section of this document, consisting of a set of strings that typically represent a series of key-value pairs such as the following:
      txtvers=1
      1st=user-first-name
      email=user-email-address
      hash=entity-capabilities-algorithm
      jid=user-jabber-id
      last=user-last-name
      msg=freeform-availability-status
      n=entity-capabilities-application-name
      nick=user-nickname
      node=application-identifier
      n=entity-capabilities-operating-system
      phsh=sha1-hash-of-avatar
      port.p2pj=5562
      status=avail-away-or-dnd
      vc=capabilities-string
      ver=entity-capabilities-identity

      Note: The DNS-SD specification stipulates that the TXT record MUST be published, but that it MAY contain no more than a single zero byte (e.g., if the user does not wish to publish any personal information).


    ________________________________________________________________________

    So the client must include their IP as per number 2. How visible that is though I am unsure.
    How many of you have SRV records? I know I had to set up two, but it is highly unusual to have SRV records pointing to a domestic IP address, and setting these up is probably way beyond the capability of an average user. In addition, without a fixed IP address, SRV records have to rely on dynamic DNS, and if Facebook chat relied on such a mechanism, you would find you would not be able to use the service for a while after rebooting your home router, and messages could be sent to the wrong person for a while.

    I'm guessing some of our network/server admins have a few SRV records pointing at some servers for work, and maybe a few do for home servers, but this is definitely not the normal, yet seems to be a prerequisite for direct XMPP communication without a server.

    I could poke more technical holes and haven't fully explained the above as this is getting boring.

    Anyway, to put this matter to rest, I will do a little packet analysis myself. Unfortunately I don't really use facebook so I will have to arrange a time so I know I will have a friend who I can have a test conversation with. Gimme till Sunday max, but I'll probably be back to prove it a lot quicker than that.
    Last edited by Over Carl; 22nd June 2016 at 06:36 PM.
     
  18. Black Oracle said:

    Let's look at this from a totally different perspective...

    Everyone knows Microsoft's Gaming servers are forever getting attacked. Now say at your end you add a second network card in your PC, then 'bridge' both network cards together. This allows you to place a 'sniffer' on your PC, but to everyone else you look fine online - but since you have a sniffer inline with all the people in the room, you can see all their IP Addresses - this is more commonly known as a 'swatting' attack; by knowing the IP of anyone in the room you can do whatever you like to them.

    However, these days it is taken a step further - because you can see everyone's IP addresses, you can feed them through another program running at the same time to find their geo-location precisely down to their address, ZIP and even phone number! This is why it is called a 'swatting' attack, because the person that has all these details contacts your local police saying 'shooter on the loose' and the address! - first thing is dispatch a SWAT team!

    And, this is all done through a computer bridged to the connected console! XMPP really needs to be more secure, these days!!!
     
  19. piggzy said:

    Quote Originally Posted by Over Carl View Post
    Just for a moment when you guys started talking about XMPP, I thought I may be wrong - I haven't studied the protocol but I was wondering whether IP addresses of users may be present, but then this would require something like wireshark rather than netstat to view.

    But then I read the info piggzy has kindly provided.



    How many of you have SRV records? I know I had to set up two, but it is highly unusual to have SRV records pointing to a domestic IP address, and setting these up is probably way beyond the capability of an average user. In addition, without a fixed IP address, SRV records have to rely on dynamic DNS, and if Facebook chat relied on such a mechanism, you would find you would not be able to use the service for a while after rebooting your home router.

    I'm guessing some of our network/server admins have a few SRV records pointing at some servers for work, and maybe a few do for home servers, but this is definitely not the normal, yet seems to be a prerequisite for direct XMPP communication without a server.

    I could poke more technical holes and haven't fully explained the above as this is getting boring.

    Anyway, to put this matter to rest, I will do a little packet analysis myself. Unfortunately I don't really use facebook so I will have to arrange a time so I know I will have a friend who I can have a test conversation with. Gimme till Sunday max, but I'll probably be back to prove it a lot quicker than that.
    An SRV record in most cases as you say would not exist but could not the client software create an acceptable SRV record on the fly to satisfy XMPP protocols ??
    Not saying that is what happens .. more thinking out loud!
     
  20. Over Carl said:

    Quote Originally Posted by Black Oracle View Post
    Let's look at this from a totally different perspective...

    Everyone knows Microsoft's Gaming servers are forever getting attacked. Now say at your end you add a second network card in your PC, then 'bridge' both network cards together. This allows you to place a 'sniffer' on your PC, but to everyone else you look fine online - but since you have a sniffer inline with all the people in the room, you can see all their IP Addresses - this is more commonly known as a 'swatting' attack; by knowing the IP of anyone in the room you can do whatever you like to them.
    Possibly true.

    But I am really baffled. Why not just run wireshark with a single NIC unbridged and just sniff that direct?

    Or if that is not possible, then the next choice of IT pros is to use a managed switch and set up port mirroring, then use wireshark on another computer or use a network probe.

    I have worked with a few IT pros who have needed to sniff data. Just for example I have put in warranty claims with Draytek and Cisco when I have found faults with their equipment. By providing a professionally taken packet capture and explaining the faults, they acknowledged faults and replaced hardware that was faulty by design or created firmware updates which they would ask me to test before releasing worldwide. If I sent traces captured the way you started to describe, I am quite sure I would have never been allowed past level 1 tech support (i.e. have you turned it off and on again?).
    Last edited by Over Carl; 22nd June 2016 at 07:05 PM.