38 comments

[ 2.9 ms ] story [ 87.7 ms ] thread
What good is hundreds of billions of dollars if you can't do the small things right? Or maybe too much money just allows you be mediocre. There seems to be an inflection point that happens at, but who knows what that is.

Greed and pride come before the fall; hopefully all you people out there working to dethrone these companies will keep kicking.

Security is hard. You can't make this kind of statement if you haven't been a pentester. Do a stint for a year and you'll see.

I personally found a remote code exec on one of the biggest security company's servers. I can't be more specific, but suffice to say, it was a small oversight that had big consequences. It's very hard not to screw up the small things.

If you've written a large service, and you give me a week with it, odds are better than 50/50 that I'll at least find an XSS. I think out of fifty or so pentests, there were only two that I didn't find an XSS or better, and one was a read-only informational pamphlet.

It might be hard, but if you've got those kind of resources available to you and the consequence of being wrong is hundreds of your employees might not ever be safe again, you'd better make sure you are right.

A bug in the software, discovered late last year, resulted in the personal profiles of content moderators automatically appearing as notifications in the activity log of the Facebook groups, whose administrators were removed from the platform for breaching the terms of service. The personal details of Facebook moderators were then viewable to the remaining admins of the group.

So nobody noticed that or fixed it for 2 weeks (edit: the article actually says that the bug was active for 2 weeks before being discovered and not fixed for another 2 weeks, and was retroactively exposing employees for more than a year - is that security)? Thousands of employees and nobody is checking for that?

Come on. We praise Elon sending things into space but FB can't do some basic error checking? Something doesn't add up.

Did I mention that the other pentesters on the team completely missed that remote code exec I found? I hate to brag, but sometimes it's the best way to get a point across.

Security is so hard that you can't find everything. One of the dirty secrets of the security industry that nobody likes to talk about is that when you do a pentest, you're deemed secure, but it's overwhelmingly likely that the pentesters didn't find all the vulnerabilities.

Security breaches are rare, which is why this system works. But it's not malicious -- it's just very, very hard to be secure all the time. Security isn't even a priority in most cases.

I get that you're saying Facebook has resources. But with resources comes scale. How many programmers do you suppose worked on that feature? It could be one or two out of a dozen assigned to that arm of the project. Or it could be a dozen involved in a multi-month refactoring of spaghetti code. Or it could be one overworked person who threw in a "fix" before crawling home to bed. FB hires exceptional people, and even exceptional people ship bugs.

By the way, two weeks is a tiny amount of time. A real-world pentest takes about that long to book, unless you already have pentesters on retainer. I'm sure Facebook does, but as I said, pentesters can't catch everything.

It's frustration speaking, but you're right in what you are saying.

Good security folks are valuable for a reason. Good luck to your efforts.

I think the time to fix is the most telling. I can understand how bugs get shipped sometimes even by good engineers but what I don't understand is how they don't have someone fixing it immediately if lives are endangered.
People building and manteining the system are not really engaged with customers, and therefore cannot know what the system is used for? And people best qualified to understand that lives were at risk are so far away detached from the development team that their voices got drowned in a sea of pushy, entitled managers-of-very-important-things?
Security is hard. But it's impossible when you are idiotic. Only an idiot would think tying someone's personal account to their work account (where their work is counter terrorism) is a good idea!
We decided to not give our employees life preservers even though they are sailors. We didn't know they were going to drown!
> Security is hard.

So is nuclear reactor management, but we seem to be able to go decades between substantial reactor failures.

It helps if your company considers "move fast and break things" to be a cautionary tale instead of a fucking motto. This is the only industry in the world where people actually brag about doing slapdash work.

There are fewer than 500 nuclear reactors in the world, and those reactors have massively higher oversight and mature safety compliance processes in place than the innumerable websites on the internet (for which approximately all of them share the same default state: insecure).

I understand the spirit of your point, but that's not at all a fair comparison. They're just altogether different things, and part of the problem is the nature of the tech industry, in which layers of complexity and security debt from different languages and frameworks can be piled on each other over and over again.

I think you should consider Dunning-Kruger here: instead of comparing Facebook's security to nuclear reactor safety, compare it to a company you believe has superior security; moreover, do you think you are appropriately qualified to condemn Facebook's security organization for the proportion of failures it experiences?

Sorry, that's not an excuse here. The issue was not a breach. It was an uncaught bug that revealed the moderator's identity when they performed an action against the alledged terrorism group.

This is a process and protocol oriented issue. Facebook could have allowed the moderators to use anonymized accounts, or have better error testing.

> You can't make this kind of statement if you haven't been a pentester.

It's not that anyone broke in and stole things here, it's that Facebook dumped their stuff out of the window.

A variation of your point I totally agree with, FB has a lot of moving parts and a lot of employees. Who is this "Facebook" that should be ashamed of their incompetence, right? It's theoretically possible for a million genius engineers to be connected in a bureaucracy created the best of intentions, by the brightest of minds, that still turns their work into swiss cheese.

Maybe one problem is making these huge things, which are supposedly monolithic but where one hand doesn't quite know what the other is doing. That's at least a claim worth examining, right? And if you want to exclude the people who don't have that kind of experience because they consider it a dead end that never enticed them, that's both reasonable and circular. Yes, I don't know what I'm talking about, though I have enough imagination and whiffs of knowledge to at least know that -- but no, I don't have to be a ninja coder or a corporate high roller either, I learned to separate wheat from chaff, to appreciate skillful tight programs and to despite gimmicky bloat, sometimes around the Amiga, as a kid. Even as a user who pays a modicum of attention I can do this. I guess floppy drives helped, but the principle is still valid today, nothing changed.

So no, I don't need experience in maintaining giants that do a thousand things badly to wish for the return of a lot of little things that do a handful of things well. That's part of the reason I sleep soundly but angrily. It's 2017 and I still can't have a phone call with the quality I had in, say, 1990, because for every step of technological progress and insight, there seem to be five steps of greed and idiocy. It's 2017 and people are on Facebook. For me that's "the" problem, and making a "secure" Facebook is not the solution.

Freedom requires vigilance, that's not just words, that means if we have even just one lapse in your history, a period where we were not on your toes, where we left our drink unattended, we should be frightened stiff. A lot of people who should be aren't.

We laughed at AOL and whatever that thing was Microsoft cooked up before they realized the internet was going to be more than just a Microsoft product. And now, in the shape of Facebook and others, that won. It was cute to use "googling" as a verb meaning "to look something up on the internet", for a while, but it's not really, and I'm sick of it and I still say it. Yeah yeah, search engines are hard, operating systems are hard, but that stuff used to be even harder and it's silly that we seem to have less diversity now the more resources there are to go around. I don't hate on anyone's success, their success is hating on my imagined opportunities >:[

I'm not sorry for rambling, but as a more sober and delineated final point, something more actionable if you will.. from the article:

> Facebook confirmed the security breach in a statement and said it had made technical changes to “better detect and prevent these types of issues from occurring”.

What kind of "active" measures do they have in mind? What "type of issue" is this, even? Do they have something in mind they're "just" not sharing, or is that just a bluff? Without saying that, or hey, without actually showing the code and the understandable mistake that lead to this, that just sounds like "yeah, whatever it is you care most about, that's exactly what we'll fix". I know it's an article on The Guardian, I know they just can't show off code, but it's not really my fault that both incompetence and good faith speak in the same meaningless corporate verbiage.

Show me the goods, in some way or other. If you ...

Why are their personal profiles tied to their moderation duties? Are these not their passional profiles but one that also is tied to their identity in another way?
When I visited the NYC Facebook office in 2015, I was told that employees were required to use their personal Facebook pages for work purposes.
That's mind boggling. I wonder if you can just create a second Facebook page and use that. Would Facebook really fire an employee for using a work Facebook? And what if you didn't use Facebook in the first place? Any Facebook employees want to chime in?
When I worked at Facebook, an intern had never had a profile before. She made one for work, and kept commenting that she was the only person who was seeing the features Facebook advertises heavily to the low-friendcount users.

She doesn't seem to have used it since leaving.

And what if you didn't use Facebook in the first place?

That's even more mind boggling. Why would someone who didn't use Facebook want to work for them, much less get hired without creating an account sometime before that?

These days, it seems that if you don't use Facebook you probably have a strong opinion not to, and are unlikely to even consider working for them.

I don't use a Facebook profile, but it's not because I have a strong opinion about Facebook. It's just that nothing about its core product particularly appeals to me. But I also don't find anything about it morally repugnant, and I respect that many people really enjoy using it. I even respect that many other people don't enjoy it at all (and even find it repulsive), though they may be fatiguingly militant at times.

However, I'd probably work at Facebook. I respect and admire Facebook's overall security organization more than just about any other large tech company except Google, Apple or Microsoft. I haven't actually looked for employment there, but I've heard it's nice, and there are probably really interesting roles available for cryptography research and engineering.

Not uncommon for employee access systems to evolve from flags (or even email domain regex) on the product's user table.
Well, FB's core mission is to make online profiles actually real. So that makes sense. The entire point of FB is to remove anonymity.
Yes, Facebook should definitely have given them a faceless, anonymous moderation accounts, that were in no way whatsoever tied to their personal Facebook profiles. Security is hard, indeed, but this is aspect is a huge, inexcusable oversight.
Facebook is like a Bentham construction from the outside. No one wants to get in.
I've locked my FB profile down quite heavily, including hiding it from search engines. But my name leaks out to Google anyway, through its "view the profiles of people named" user list feature. Social networks pay lip-service to privacy, and incidents like this underscore that.
"Don't put anything on the internet you'd like to keep private."
Note: The dupe filter doesn't catch a missing www.

https://news.ycombinator.com/item?id=14571426

As it shouldn't. It's a different URL.

It's pretty annoying when dupe filters "catch" submissions with ?repost=1 appended to them, for example. It was either Reddit or HN that did that at one point. Sometimes there are legitimate reasons to resubmit.

It's also a form of letting the community express themselves -- if a thread is repeatedly flagkilled, having some mechanism to resubmit it is a way of resisting the urge to cry censorship. It often gets a thread to the front page (albeit with cement boots).

That's a bit tangential, but I'm just providing a few counterpoints to resist the urge to tighten the dupe filter. The manual method works pretty well.

>It's a different URL.

It seems ripe for abuse. #walawalabingbang is also able to pass.

https://news.ycombinator.com/item?id=14573297

That opens the door to unlimited resubmissions.

That's a rather inefficient way to get your account banned. ;)

Jokes aside, I've been consistently impressed with how well manual methods have worked for HN. It was very unexpected that you can simply throw human resources at problems of scale and do so well. There is lots of smart software powering those humans, but the manual approach avoids false positives.

Stripping a hashtag has also caused problems, by the way. I remember one submission in particular where the OP complained that the hashtag linked to a different entry in a blog, which was set up to make that the only way to link to it.

> It was either Reddit or HN that did that at one point.

HN, then, because Reddit loves reposts.

Facebook was exposing people who was against of gouvernment in china ?

Why are people using facebook, I really wonder why people want to be spyed and procecuted ?

Facebook and freedom of speech? - are you kidding me ?

Haha, facebook silly 2000's design with sandbox state of mind and some people even use that platform to all business contacts.. huh brave people.

There's a lot of "security is hard" comments here.

What I can't understand is:

Of the 1,000 affected workers, around 40 worked in a counter-terrorism unit based at Facebook’s European headquarters in Dublin, Ireland.

If you work in a counter-terrorism unit the consequences of your identity being known by the wrong people are extreme. Extreme as possible death.

Why aren't these employees identities obfuscated by multiple layers of protection. They shouldn't be logged in to Facebook's intranet in anyway that could possible expose them. This could mean they don't have ID cards on them to access the building they work in, they use manual time cards / attendance records. Their pay handled by a separate entity. They are not allowed to have personal Facebook profiles as a condition of employment in that department.

(comment deleted)
Is hacker news starting to disable people accounts now ?

Times are hard, people's freedom of speech start to be a joke.

The interesting part about this story is that if you're getting paid €15 an hour, to moderate facebook, and mark/flag garbage, you probably aren't doing anything important, and have saved no one's life. You are a cog in a machine that pays lip service to some misplaced idea that this sort of thing can intervene, and deflect negative outcomes into controlled results.

But, also even for all the nothing that this day job accomplishes, now we have an identity spill, and "terrorists" who don't really care about who they kill, so much as how many get killed (they will literally stab random people on the street, without warning, given the opportunity), now have a short list of people they can make easy news with. Not because they think this will matter, or get results, or slow down their open and flagrant use of facebook anyway, but because it's a splashy news item that they can use as a promotional device.

So nobodies accomplishing nothing, maybe get squished by people who know that these targets don't actually matter in a tactical or strategic sense, but incidentally as a public relations bump.

And so, if one person from the group of people suffers harm, the machine grinds onward on both sides unchanged, and this distraction evaporates, as more inconsequential crap gets dumped onto facebook, and faceless "whoevers" pick through the tin cans and banana peels looking for a smoking gun that will never appear. The difference being that they would be slightly less than random targets, but still nobodies, brought down by sacrificed expendable cannon fodder, entrapped into suicide attacks no matter what.

Is it actually a given that the prominence of terrorists is simply an inevitable fact of life, a phenomenon that has no cause and no solution, and that we have no choice but to simply accept it? Is it actually true that they have no actual cause, represent no idea, have no specific aims, no ideology, no picture of what they want the world to look like? Is it actually true that their existence can be fully explained by purely material or historical factors, such as economic conditions, wars, foreign influences or the ratio of young males to young females in a given nation?

It sucks that a bug caused a number of innocent people to fear for their lives. But this wider question can't be ignored - what could Facebook do alone if it were specifically targeted? People would still be fearing for their lives.

Important problems are not solved by ignoring or papering over fundamentals.