> But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts
Which is why the point doesn't make sense. The article says tokens were leaked. There are plenty other places where such bug could happen, so it shouldn't serve as a strong validation of "User impersonation code always terrifies the bajeebus out of me".
(Not to mention it's not really user impersonation, it's just filtering your profile page based on computed access level of one of your friends.)
I don't think that matters. "I hate travelling by air because the plane can crash" is a true statement for many people... but statistically, that's not the method of transportation that kills people.
The fact of the matter is... ACLs are hard to get right. It's even harder when you have various roles that can be checked against the ACL (logged in user, batch job, logged in user impersonating someone, etc.) . But in the end, complexity is what's scary, not some feature that depends on complexity.
> The fact of the matter is... ACLs are hard to get right
This sounds similar to different distros of linux. Some are security focused where nothing is allowed until it is explicitly allowed. Other distros try to be more "user-friendly" and pretty much everything is open.
Starting from a wide open starting point and then trying to batten down the hatches afterwards does seem to the harder way to do it, but that's exactly where FB is. They wanted everything open, and then had to decide to start limiting that data. FB was designed as a place to share info. If you posted it, you wanted to share it. I totally get that mentality. However, as devs, I can imagine that we have all built something that the end users use in a way not envisioned, and we've probably all had "you're holding it wrong" lines of thinking. Once you get to that point, you can alienate users by telling them to stop doing it that way or embrace what's happening, and then make it work for them. Seems like the perfect situation to where bugs can get introduced.
Well, thanks to Facebooks "View As" functionality, I recently discovered that their privacy setting "Only Me" does not work for only me, if another person is tagged in the picture. Meaning that if I have a picture with my ex somewhere in profile, set to "Only Me", it actually means "Only me... and her".
Yes, there have been other cases of exactly the same issue. I recall a case where it was possible to pretend to be people via the chat system while using “View as”.
Stealing the access token is the worst possible attack, because it wouldn't get logged or lead to any sort of notification. If they were only able to steal the passwords, this would have gotten caught immediately.
So is this what the hacker was going to livestream the deletion of Zuck's page? In the end, they submitted a bug to FB so I'm assuming this is the exploit that was intended to be used.
Does anyone have an idea on how this exploit could have worked?
If only the hacker(s) would write a blog article or make a LiveOverflow-style video about it. It would be quite entertaining.
I'd be so curious/intrigued to know more about this specific exploit, it's a shame it wasn't a responsible disclosure from a white-hat.
One of the top comments by herpderperator dives into it pretty good. The part that I had questions was where it tied into the increased traffic patterns. But if I'm understanding it correctly, that would be because you're baiscally walking the graph, each token that you compromise, you have to masquerade as that new person to expose more tokens that they are connected to.
Because ot was not network breach (i.e. get dump from some db), but abuse of feature available in the web app (so they had good logs to see who was affected).
> Since we’ve only just started our investigation, we have yet to determine whether these accounts were misused or any information accessed. We also don’t know who’s behind these attacks or where they’re based. We’re working hard to better understand these details — and we will update this post when we have more information, or if the facts change. In addition, if we find more affected accounts, we will immediately reset their access tokens.
From the press release[0] posted elsewhere in this thread
Over 50M accounts are compromised and we're going to split hairs on the proper way to divide up a week? The optimal number of days to alert your 50 million users that their accounts have been compromised is zero. Think about how many businesses that use FB and the thousands of 3rd party sites that use Facebook's API to authenticate users. I don't feel Facebook should get to be sole arbiter on deciding the severity of the incident when if affects so many and has so much potential to financially impact other businesses. They should have immediately sent out an alert when they discovered it.
Is it wrong to be glad FB's reputation has tarnished (and stock price sideways) over the past year or so? For so long they've monopolized the talent pool in the Bay Area. If more people decide 1) they don't want to work at FB and 2) FB employees are itching to leave then I see any stain on FB's employment brand as a net positive to the greater tech + startup ecosystem.
I think about this a lot too. All companies eventually decline or go through rough patches. A Google that's fighting for survival and losing money would be much more open to working with the Chinese government or selling user data to the highest bidder.
Trusting these entities based on their noble intentions today makes no sense to me if there's no legal agreement or regulation to restrain them tomorrow, when they get desperate.
> Is it wrong to be glad FB's reputation has tarnished (and stock price sideways) over the past year or so?
No, not at all. Their positive reputation was in many ways unearned, and it's a good thing to be glad that their own actions and attitudes are finally catching up with them.
I hate that this has happened. The Bay Area used to be a place where working for the big, shiny company that makes your parents happy wasn't prestigious. It was safe. But taking a risk and starting something new was admired. The present state of affairs reminds me of Wall Street.
Yes, so much this. There is a very real opportunity cost to forgoing high salaries (and this opportunity cost is front-loaded as well since home prices keep appreciating).
There was always a level of prestige associated with certain companies even in the 80s and 90s, no?
The tech industry, despite its shortcomings, is vastly superior to Wall Street in that regard. It's still a meritocracy above all else.
Plenty of smart people break into tech after doing something else for a few years. If you want to go into investment banking, you better come from a consulting or have already been working in finance. Your only last bastion of hope is to get an MBA and then join the rat race.
What happened was that VCs started sucking up all the equity and it became not worth it from a risk-reward perspective for most people to work at a startup. This, coupled with companies staying private longer meant that in the lat 5 years, you were better off working at G/FB than a small or mid-sized startup.
While VCs certainly played into this, I'd say founders merit the bulk of the blame. VCs are generally more amenable than founders to larger equity pools for employees. They're also much more enthusiastic about IPOs than founders, since they want liquidity events for their investments.
Thank you both. VCs and founders together have sucked up all the potential value of working for a startup, leaving only risk and below-market pay to employees. Until this changes, big name companies are not just safer but higher expected value.
I think that prestige only exists in the minds of some people who work there or have worked there. If I had a nickel for every time someone started a sentence with "well when I was at Google" for a scenario that is nothing like Google... Facebook's move-fast-and-break-things culture is fortunately a little less envied, in my experience.
The prestige most definitely exists and is especially relevant for people who dont have a strong public portfolio to show off their talent. An average developer from Google/FB etc. has an easier time getting access to opportunities than even an outstanding developer at a no-name company. Companies/Hiring managers go through an implicit thought process along the lines of "if she/he go through google she/he must be good" which opens doors and helps in salary negotiations.
The economic success, brand awareness, and hipness of a company with the general public is only somewhat correlated with average level of engineering talent at a company. Different successful companies take different approaches to hiring - some focus on hiring a lot of reasonably competent engineers, while others focus on only hiring the best (and generally pay them a lot).
they havent monopolized talent, they pay for talent. Facebook paying high salaries has increased all of our pay, equity etc, whether you work there or not. The only thing this may be bad for is founders who are in a zero sum competition with FB for talent and now need to spend more money and equity to get it.
This is a very short-sighted view. Yes it has some immediate benefit in terms of pay, but you have to consider the long-term societal tradeoff of not developing addictive mental candy for people or developing societally useful technologies (or vice-versa, as it now stands). We can focussed on getting paid a lot now, or improving the wealth of everyone and generative the value we can all enjoy later.
I agree with your premise, that many Facebook employeees would give society a better return on its investment if they were employed elsewhere, but that’s hardly Facebook’s fault.
It's tempting to think that without Facebook they would get involved in cancer research or interplanetary travel, but given the Silicon Valley's funding cycles, they would be more likely to end up building yet another food delivery startup or revolutionizing something by putting it on blockchain.
Also, a bunch of recruiting venues exploited by Facebook are not that accessible to smaller startups.
E.g. one of the top previous employers for Facebook employees was Google (or some other outfit within Alphabet group, like YouTube). Most likely those people would've stayed at Google.
Another hiring source was university recruiting, which involves participating at job fairs at various universities, exhaustive days of back-to-back interviews, flying candidates for on-campus interviews, and eventually covering relocation costs (and potentially visas and immigration paperwork) for someone moving from Pittsburgh, Waterloo or Romania.
Would a smaller startup have the financial oomph to run a similar recruiting pipeline?
What makes Facebook "addictive mental candy" other than you not personally liking it?
I know lots of people who feel they get and have got tremendous practical benefit from Facebook. It isn't "addictive" unless you use that term to mean anything some people make that other people enjoy.
"Our results showed that overall, the use of Facebook was negatively associated with well-being."
Naturally, even if this study is accurate it isn't definitive; the causation could go in the other direction, that the unhappy use Facebook more often than the contented. But it's still quite suggestive.
-Breaking democracy in the US and the UK by being _the_ platform for disinformation.
-Disinformation assisting genocide in Myanmar.
-Use correlating strongly with poor mental health
-Manipulating behaviour to encourage poor attention spans for the sake of ad-clicking
-Constantly violating basic standards of privacy
-(I could go on..)
Oh wait, excuse my arithmetic. I forgot to add another JS framework like Relay to the LHS of the equation, that makes it a net positive from Facebook! :D
I don't think its fair to blame FB on the decay of democracy in the information age. Surely Twitter is also to blame them. I think the blame is on the users. Its not possible to be perfectly informed. It is possible to keep your mouth shut if you don't know something for sure. Perhaps its the fact that in real life, to say something you need to say it to someone's face and on social media you don't have that social weight to carry. This brings about people more likely to share misinformation. If this is the case, its not the fault of social media, rather the fault of internet culture. More personal responsibility is the solution. Not an improved ML system to detect fake news.
It is a problem inherent in the structure of most social media companies. And Facebook is the most significant social media company, and thus contributor to the problem.
> Breaking democracy in the US and the UK by being _the_ platform for disinformation.
Blaming facebook for "breaking" democracy in the US and the UK is ridiculous. I can't understand how this can continue being a claim remotely considered valid. I agree (or may agree, at least in part) on some of the other points, but not on this.
Claiming that Trump won just because of the russians putting ads on facebook is at least naive - and ignores the fears/actual issues a very big* part of the US population experience daily. Isn't failing public schooling a problem there also? Does that give us citizen more or less prepared to actually participate in democracy?
Politicians (of all sides) in the UK have accused the EU of being the root of all evil since they "joined", again and again and again: you lost your job? Blame the EU! We can't cut taxes? Blame the EU! You really want to blame facebook and NOT the politicians themselves because people voted for brexit?
If the Russians tried to manipulate (and for sure they did, oh gosh, I'm pretty sure the US and the EU states never do - or did - anything to manipulate elections abroad! Evil Putin, why you do this to us? :cry:) we rolled out the red carpet for them!
Democracy was broken because actual journalists did not do their job. Stop doing what they (may) want you to do, using social media as a scapegoat for their own (willing, sometimes, for sure, at least if you read what Chomsky has to say) MASSIVE failure of being the "champions of truth" they claim (and blindly believe - I worked on somewhat close contact with them for years, I've seen that) to be.
I think the sadder part of this argument is that nobody outside of software engineers know or care what GraphQL is, yet it’s being touted as a “societal benefit”. How about the fact that my grandma with limited mobility can still attend church virtually through the Live feature? Regardless of how often the scions of the Valley disavow their own technology (I would /never/ let my children use our products!), there are a billion or so other people who actually use it to real benefit in their quaint little lives.
Why would it be remarkable that a few popular technologies come out of a big, rich technology company? People who create such technologies work at places like that. But there’s nothing about React or GraphQL that makes them only possible at Facebook.
A big, rich technology company has the resources to put people on the project full time and a revenue stream to justify such broad architectural project.
There's also financial support for building a community around improving the tech, by encouraging outside contributions via meetups, conferences, social events, better technical documentation, etc.
At smaller scale startup an engineer is surely welcome to work on his skunkworks project, but justifying expensive large-scale architectural undertakings on company's dime is problematic. Especially if a quicker fix is available and buys the company a chance to kick the problem down the road.
With that said, it's not impossible to build a major popular piece of technology within a small company (Joyent and Node.js being a good example), it's just harder.
You’re repeating what I wrote - Big tech is likely to produce new tech, but new tech comes from other places too.
This discussion is mostly irrelevant to the fact that this particular company is completely reckless and unethical. The technology they accidentally produce while building a dystopia to make people click on ads[1] does not justify anything.
There's also its ostensible goal to connect people. I logged in for the first time in months just to see if I had been compromised. In about 15 minutes of goofing around, I got to enjoy countless happy baby pics posted by old college friends, and had a nice chat with someone I hadn't talked to in almost a decade, after I randomly commented on a status update. Then I logged off. I know that my kind of limited use is likely not the average scenario, and I can definitely understand people suffering when they get sucked in. But it's a site that does a damn good job of making it easy for me to find and interact with friends, and I don't believe the tech and design involved is trivial.
A friend in HR that has friends in many of the Bay's companies told me that people at Google and other big companies hire to keep people away from other companies. Because they can.
So, yes, I believe they are trying to corner the market on the best programmers.
Wasn't Facebook part of the class action lawsuit that sought to supress wages and colluded in anti-poaching between Intel, Apple, Microsoft, and Adobe?
They may pay more, but they collude to make sure people couldn't leave without going far outside the bay. That's a monopolistic trait.
I agree they weren't putting a gun to people's heads but they were making the environment less available.
I don’t think Facebook was part of that group. More importantly though, it was in the aftermath of that, where large companies started more aggressively poaching employees, that large company compensation ballooned and startups started to complain about the top large companies hogging talent.
From everyone I know at top tech companies this isn't happening at all. If anything the stock dip was a good thing for new grads because they got more shares.
If you watched the Senate hearing on privacy two days ago you'd have seen that they were remarkably on the same page about potential privacy legislation [1]. Facebook's continued fuck ups will only help the cause, and for that I'm grateful.
Of course they're on the same page. They can afford the best lawyers and as much infrastructure as they need to fulfill the requirements, while every new competitor gets sued from all angles. I'd be very surprised if any of that regulation actually serves the user in any positive way.
> This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.”
Obviously, Facebook is an extremely complicated system. But I find it hard to believe a video uploading feature would impact 'View As'.
It's very easy for me to believe. "View As" is an authorization and authentication sensitive, limited user impersonation feature. Video uploading interacts with, and complicates, authorization in an application with fine grained privacy and permission models.
It's intuitively straightforward that modifying code for uploading videos could (read: not should) have authorization and authentication ramifications. One of those ramifications could then result in a vulnerability chain compromising user impersonation functionality.
I have seen far, far more incredulous head scratchers in penetration tests and code reviews. The interaction boundaries of, or middleware between, two seemingly unrelated systems is generally a good start to look for a security vulnerability.
> It's intuitively straightforward that modifying code for uploading videos could (read: not should) have authorization and authentication ramifications.
I get this part. But why would it affect only videos and not other entities (photos, status etc.)? I would think creating (or uploading) any of the entities have the same authorization and authentication ramifications. What could be different for videos? Unless the privacy models are so fine grained that you can have different privacy settings for different entities (haven't used Facebook in years, so I don't really know). Your explanation makes sense, I'm just looking for a concrete example.
As someone who works specifically on user authentication stuff...
The problem is often that there are multiple sources of truth for who the user is. And if you have an impersonation feature, you by definition have two sources of truth: who the user actually is, and who the user is impersonating. It would just be a matter of a single mistake of using the wrong one.
Considering that "view as" requires your page view to render every control as the impersonated user but only when it comes to your profile, but renders all controls outside of your profile as the original user, I could see any engineering team dealing with some very carefully drawn and potentially confusing boundary cases.
Edit: just to elaborate, it's not just obvious impersonation contexts where this gets interesting. For example, linking your Humble Bundle account to your Steam account, or on Netflix which user you are vs. which email address is being billed. Many apps have a function to share some document using a one-time expiring token. If you're also logged in, then do you read permissions from the shared token or from your account? If you mix them, do you make sure anything that writes to this shared view can't touch your account itself on accident? We don't think about it much but I think you can see how these subtle distinctions are important when you are thinking about access control, and that makes it a breeding ground for subtle mistakes.
If I recall correctly this is not the first FB vuln relating to View As. I searched and can't find it, but I seem to remember there being a bug around 2009 where you could basically take over a friends' account by viewing your profile as them.
I wonder where the "50M users" estimate comes from. It seems like the feature that caused it, "View As", is probably available to more than that many people. Does this mean that they managed to trace the attacker capturing the access tokens of 50M users? Even allowing for the bug in the first place, it seems like exploiting it should be detected before 50M uses.
They have different versions of code base deployed to different areas of the world all the time. They can reduce the user base nuber based on where the code was deployed and how much is the usage
The interesting part is that it is the second time (at least) that this is happening.
In the past, when you were using "View As" you could read private messages without doing anything malicious (you were actually logged on victim's Messenger account).
On the one hand, every time another scandal or breach is revealed about centralized networks, I want to post this and have everyone recognize the root problem and the solution:
On the other hand, I feel like I’m shamelessly promoting/shilling my own company.
How to do it in a classy way? I really believe that there is a problem people are not recognizing enough to do something about it (Diaspora and Mastodon and Solid are exceptions).
And I spent the last 7 years and $700K of our company’s profits solving it. So it’s now solved. If Mastodon is “a decentralized Twitter creation kit” where you own your own data, then Qbix is a “decentralized Facebook creation kit” where you can assemble social apps from a growing marketplace of reusable components, some of which don’t exist anywhere. Here for example is a Group Rides plugin that basically makes a social Uber, and ANYONE can have it on their OWN social network:
OK, but we are perfectionists and are spending months polishing “the other 90%” so it’s not a flop when we release it to the public to create their own facebooks. We need really clean onboarding and measure engagement metrics and fix bugs etc. It took 7 years thus far.
For example this was last year, we are way more advanced now:
So, advice would be appreciated from people who have successfully done before. Maybe contact me (qbix.com/about has my email link). How do we get the story out there that Qbix is being built to FIX the underlying root problem of decentralizing social networking, so people’s data isn’t in one place?
Please if you have some knowledge about this, take a look at the above videos and let us know what advice you have to get stories actually published.
PS: one more thing, we managed to get tons of inadvertent press back in March including BBC and Newsweek, which you will find if you search for “calendar mining” or “qbix calendar”. BUT when I reached back out to thise journalists to cover an actual story of Qbix is actually doing, none of them replied. Many of them just want to break the sensational controversy because that brings notoriety. How do you make them write about SOLUTIONS to problems?
Seeing as you asked... your website's terrible UX doesn't help. I just took a look and moved on within 30 seconds - a dated look and feel (that also feels targeted at primary school teachers), walls of text, broken links, no clear route back to the homepage to reorient yourself (can't click the logo), no clear waypoints to follow...
You only get one chance to make a first impression. I'm afraid the first impression I got means I'm unlikely to return. I suspect the same applies to all those who took a look in March.
3D strong blue and green spinning globe. 3D logo, hard (high contrast?) RGB values. Child's drawing header looks like a hospital. Mission statement not at all aligned with what your comment says. Empowering people page, weird lego photoshop. More strong RGB icons.
>We build apps for all kinds of communities.
I assume this is an app building consultancy from this statement. Nothing about decentralization. Way too much text on the page (for people like me who cbf to read). Are you trying to get people to download your group / calendar app or build apps on qbix? Choose a goal and optimize your copy for it.
Mastadon - Single page layout. Clear missions statement (Social networking, back in your hands). Flat (material?) icons. Single, fixed width column of text. Lower contrast color scheme.
What do you mean it isn’t responsive? It loads on mobile phones with a completely mobile optimized look. Have you tried it? Unless you mean you loaded it on a desktop and tried to resize the browser window to quickly check what would happen on a phone - no normal user does that
You’ve picked a point of the criticism and are trying to defend it. You need to drop your view of your own work when receiving constructive criticism. I agree with other comments. Your website is full of 3d effects and low quality pictures that imply it’s a product for children- and most importantly it doesn’t seem to mention your product besides the blog. A blog is a secondary strand of thought from the main page. You should only have to read the blog if you’re already interested and want to learn details. Also in the blog, you give a long list of features that are very difficult for non technical people to consume. There’s no value statement. It also reads like a side project and not a professional venture. If you spent $700k on this, you should really pay a professional to write some marketing material.
I spent 10 minutes on your site, still have no idea what it's about. If you say it's the "decentralized facebook", I don't see anything about a feed/updates, no way to post/broadcast anything. The only thing I see are contact grouping and shared calendar?
I wish you all the best but it boggles my mind as to why engineer types tend to think decentralized versions of exceptionally popular consumer platforms will ever take off.
I find facebook's effects on privacy and democracy as scary as the next person, but so far their secure coding standards have been extremely high. They're one of the few big names NOT on haveibeenpwned.com, they run their passwords through a KDF and then encrypt the result with a hardware security module, and a whole lot of other good things.
I guess even the best (at secure coding) sometimes mess up.
Pervasive biometric security may be the next step. I know it's scary and could actually be abused but it also can generally increase the level of security for everyone.
This may be an urban legend, but I've heard there was once a bank robber who dipped his fingertips in acid. After a few months, his fingers healed, and the prints were exactly the same as before.
The issue is that Facebook has access to so much information that their security has to essentially be unbreakable if they don’t want a massive leak of sensitive user information.
Not the same.. that breach was way before the acquisition, you can't conclude from that breach that MS development or security practices were lacking ..
Recently talked to 2 friends working for fb. According to them, the culture there is very toxic. For a master's degree, once get in, you need to get promoted in 22 months (I might misremember the actual number.) or you will have to leave. Debugging is never counted as a real work, so for quick promotion, nobody wants to solve bugs unless a bug becomes too obvious. And they also complained about no work-life balance. They got pushed to check-in code at 12a.m. for example.
What, exactly, is wrong with the expectation that people make senior level eventually? What exactly is wrong with being able to work at any time? I worked there for years, and if I was landing code at 12am, it was because I was excited about what I was doing. It was wonderful being able to work with people from all over the world on high-impact projects, and fixing important bugs was definitely high-impact. People who fixed vexsome bugs were heroes.
I don't think you can so glibly dismiss enthusiasm as Stockholm syndrome. Passionate people push the world forward, and mocking passion is a recipe for mediocrity and stagnation.
On the flip side celebrating a culture where (allegedly) people are expected to toss out their personal lives and time (what is sometimes referred to as passion in some circles) is a race to the bottom. It means colleagues who DON'T do this are punished or replaced. Perhaps that's what you refer to as mediocrity, the unwillingness to put in long workdays that extend into night.
Yes, and it shouldn't be up to an employer to set that limit, but to regulatory bodies. Having people spend 12-14h a day working is not good in the long term, and expecting people to do that otherwise they will be fired is draconic.
It’s not that cut and dry. For a lot of reasons, I don’t do side projects. But I do choose jobs that are using technologies that will keep me marketable. So if I want to learn a new to me technology, I’ll often work some crazy hours to both learn the technology and get the work done.
Yes my company benefits from it, but so do I. For instance, given a choice of trying to come up with an idea to learn about a feature of AWS and pay money for the resources I use, and take advantage of my work AWS (Dev) account where I am an admin, I would rather do a work related project where I have the resources and I don’t have to come up with an idea and I don’t have to pay for it.
What I don’t do is “signal”. I don’t stay at work late, I don’t send emails out after hours, and I pushback if they give me unreasonable deadlines.
Let’s say my team had a feature to get out and the React expert said he could do it in 30 hours and he could have it done by Monday morning without working extra during the week or on the weekend.
On the other hand, say it would take me 50 hours and I knew I would have to work on the weekend because I’m not as experienced, but I thought I could still have it done by Monday.
I might be willing to volunteer, knowing it would take me longer but it would also be done on time. That extra 20 hours, I’m still working, committing code but zeal do trying to figure out the framework. I wouldn’t have a problem doing that because I am learning a new skill.
But, I wouldn’t work weekends to finish a project because I was given an unrealistic deadline.
The first scenario, the extra 20 hours benefits me and the company. The second, it just benefits the company.
If you did, do you get fired? Genuinely curious: what happens?
Personally I strongly prefer no fixed working hours. If you want to work at night, so that you can do things when it’s light out (especially in winter), and you still get the expected results, what’s wrong with that?
I think the conversation above was more about people who put in very long hours because they're passionate and so forth, or they're obliged, or whatever the reason the 'company culture' is a certain way. I think flexible hours that you describe is a far more popular idea (and probably a good one if you ask me).
If you did, do you get fired? Genuinely curious: what happens?
Probably not fired. But the interior motion sensor alarms go on automatically at 7pm, which would probably alert the security guards that roam the campus.
When I first started, I came in too early once and set off the alarms. People were nice about it, but I was super embarrassed because I was a n00b.
Personally I strongly prefer no fixed working hours. If you want to work at night, so that you can do things when it’s light out (especially in winter), and you still get the expected results, what’s wrong with that?
I worked at a place like that once. When I was hired I was told I could make my own hours. I prefer to work early mornings, so some days I came in long before anyone else. A couple of times around 3am. But I always worked at least eight hours, and often more.
In my exit interview, my supervisor was rabid about how I wasn't a good fit because I "come and go as [you] please." She was so full of crap about other allegations against me that I didn't even have a chance to bring up that making my own hours was part of my employment deal.
Well, maybe this specific case doesn't apply to you, but enthusiasm and passion weren't the vocabulary used to describe many of my friends' experiences working late nights at fb.
Facebook is a cancer. It’s not “pushing the world forward.” It’s a phenomenal waste of energy.
Take those excited geniuses and have them work on preventing climate change from ruining all life on earth, instead of inventing new ways to profit off of people’s data.
There’s already a community of excited geniuses that work on preventing climate change - they’re called climate scientists, and their solution is a steep carbon tax. It could pay for a public interest ad campaign for recycling and energy efficient practices, distributed and targeted by the excited geniuses at Facebook. That way we can brainwash the Paleolithic know-nothing American public into behaving in a way that doesn’t destroy the planet.
I think i'd just much rather spend the short time I've got left in my one existence doing things outside of work that actually make me happy and fulfilled, than being exploited for the benefit of the mostly rich and powerful and the illusion of "progress". If you truly get fulfillment from that stuff then more power to you, but I don't think the vast majority of people who are pressured to perform do.
Just because we have more "stuff" and more advanced "technology" doesn't make life more worth living. Happiness levels across society don't increase alongside productivity.
> I think i'd just much rather spend the short time I've got left in my one existence doing things outside of work
Okay. That's your choice. But having made this choice, don't complain when those of us who choose to devote more time to work receive greater rewards. There's nothing wrong with paying for performance.
Keep on living to work, brah. I'll feel less guilty clocking out early knowing you're there to keep things running. I bet you'll feel differently on your death bed.
Of course there is. If you are working 12 hours a day, how am I with my paltry 8 hours ever going to be considered for a promotion? I quite need it to keep feeding my family after all.
I can’t stop my bosses from judging based on time spent working (which is silly, but hey, we’re all human), but I sure can try to stop my coworkers from subscribing to such insane work hours.
I think she probably meant that being passionate without meaningful equity is equal to being a corporate slave - even if ultimately company/world benefits, the person gets discarded/sacrificed at some point in a hierarchical structure with limited upward movement, not profiting from it in the future.
I think I see the disconnect. Yes, passionate people move the world forward, but that's not every person, or every coder, or even every Facebook employee. Plenty of engineers just want to make a steady paycheck and live their comfortable life outside of work.
If Facebook's a grind, then that's something the employee has to figure out.
It’s perfectly reasonable to work at 12am, and there’s nothing in the parent comment to suggest that they’ve been working since 9am or so. Maybe they started working at 8pm. Modern work should be asynchronous. If your company cares about butt-in-seat time, it’s the one that’s wrong.
>> you need to get promoted in 22 months ... or you will have to leave
> What, exactly, is wrong with the expectation that people make senior level eventually?
The problem is when you base too much on promotion systems and performance reviews, that end up as a form of bias and favoritism not closely approximating the truth. Some amount of people are doing useful work for you (like cleaning up after people you think are the high performers) that does not surface there, and when you crap on them, pass them up, bust their morale, make them afraid of their next review, etc., you risk losing their valuable contributions.
Modus operandi in these companies is to rewrite/reintroduce whole products instead of fixing bugs from already discarded people. So if you lose a critical amount of worn out higher paid contributors, you just make a V2 or introduce a new product with a completely new fresh team that will get discarded after another 3 years. This requires fresh supply of motivated and hungry people willing to take sacrifices and a much smaller amount of people willing to exploit that.
Societal pressure to do everything it takes to get rich and succeed is a serious drug. I also contribute some of it in cases like this to the fact that some programmers are unfortunately just not well adjusted.
I am finding it very hard to comment on this without violating HN guidelines and throwing ad-hominens. But I will try.
You see, the parent poster said:
> They got pushed to check-in code at 12a.m. for example.
This is ENTIRELY different than having you, overly excited about some project, deciding to work late and pushing code at 12am of your own accord. That's absolutely nothing wrong with that.
Now, if you are EXPECTED to do it, outside major emergencies, then you have a problem.
Either you were excited about what you were doing or you got an 11pm page from chuckr and consequently had a lingering doubt about your expected lifespan...
Trading anecdotes, I have a number of friends at Facebook (both at Menlo Park and the NYC office), and they complain about the opposite: lots of people just coasting and doing the minimum needed to get by, really hard to fire people, etc.
I suspect that that's very team-dependant (in a company with thousands of engineers in tens of offices, most things are). Personally I got promoted based on debugging / code cleanups / reliability work, and I don't remember the last time I worked outside my self-assigned working hours (~10am-6pm) (Aside from on-call shifts, where I got one false-alarm on a weekend a few weeks ago). If one of my teammates messaged me asking for code review at midnight and it wasn't a "the site will be down if this doesn't land right now" issue, then I'd reject their code on the basis that we should all be in bed :P
My understanding of the "get promoted or leave" thing is "engineers hired as juniors are expected to get to mid-level in under 5 years (with a half-way milestone at 2 years)"; once you're mid-level it's up to you if you want to carry on climbing. Personally once I got there I switched to a "work more efficiently in fewer hours and keep the same overall productivity" approach instead of trying to get promoted into the senior levels, and that's worked out nicely so far :)
What you’re talking about isn’t related to having a masters. All engineers are expected to progress beyond junior levels (get to E5) in a reasonable amount of time.
It’s not a great practice in my opinion. But in practice only a small percentage of engineers fail to make the grade.
> The company is in the beginning stages of its investigation.
This is code for "this is much worse than we are telling you now, we just can't reveal it all at once".
I dislike Facebook as much as the next person.. but I have to say, Facebook Ads are a goldmine if you know what you're doing. It's not going to be that way forever.
So here is a question: my girlfriend only uses FB on her laptop, and always logs out when she's done. I usually make fun of her for doing this.
But does this mean most of the time that there was no active access token and she is mostly safe? (Excluding the windows of time where she was actively using FB) Do I have to take back all of my teasing?
This is an interesting point. Right now, I can't reconcile the "we canceled active sessions thus logging people out" as a fix with the fact that "View As" was the attack vector.
This is something I would suspect doesn't actually happen. FB wants to track all of the user's browsing habits, so maybe they just make the actual FB UI look logged out? Security-wise, it would seem to be more complicated by their desire to never let a user be logged out, and looks like it's complicated enough it is biting them in the backside. Oops?!
It’s not really that complicated, you have auth tokens and you have tracking tokens, and you wouldn’t want to mix them anyway because you also want to be able to correlate multiple accounts logged in from the same browser over time.
Possibly -- if the attacker accessed session IDs, they could potentially hijack the sessions of logged-in users. If you log out, most servers will destroy the session data on their backend, so there's no session that can be hijacked.
I was still logged in. I just went and did the "log out all my active sessions" thing just for good measure, even though I didn't see anything unusual there.
In the journalism world, pre-written articles are apparently quite common. I assume they had a boilerplate already for the next Facebook controversy, and just wrote 2-3 opening paragraphs that were relevant for this one.
This is probably not at all what happened. Things get heard and articles get quickly written. In this case it can even be the company spreading the news to key media companies in order to control the spreading of the news.
In the journalism world, pre-written articles are apparently quite common.
Actually, not "common" at all.
Obituaries for famous people are often done in advance, since everyone dies. It used to be one of the things that young journalists/interns did to cut their teeth.
But not every company has a massive security breach, so this was not pre-written.
It's not uncommon for big companies to fax (yes, fax) bad news to news organizations a few hours or days before posting it on their own web sites.
In the past, there would be embargoes on the information, but in the case of bad news, those are routinely ignored.
Welp, this sounds like a pretty bad practice. If there's one thing that journalists can count on, it's that famous companies are going to have a data breach.
It's possible they emailed the release out before it was published on the web, I suppose. It would make sense, as I imagine news outlets have follow up questions.
It's also possible a bunch of them got logged out this morning, new something was up, and started fleshing out their prewritten template with details like the date and symptoms.
I suspected there was a breach of some sort, when my tokens expired in three places simultaniously, this morning. First thing I did was search google news, nothing had been written yet. I wasnt sure they would ever announce it, probably depends on the scale.
> “We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces.” He added: “I’m glad we found this. But it definitely is an issue that this happened in the first place.”
There was a conference call with reporters about the subject, so the press release public release was not the first the NYT knew about it. They likely had an embargo agreement.
Since you're just getting downvoted, I may as well say that as a member of the press it isn't uncommon to see embargoes on stuff like this. They don't say a week out "hey we've got a huge security announcement" but they do say "we have something coming out this afternoon and we're doing a briefing half an hour before if you agree not to publish before we go public."
It's often in the interest of the reporter to agree to stuff like this since publishing security issues ahead of time can have serious negative consequences.
This is in response to a dead reply on this chain. Unless you are in Congress it is illegal to trade on material non public information. So if a reporter traded on info in an embargoed press release they could be prosecuted for insider trading.
I hadn't considered an 30 minute embargo, thanks for setting me straight on that (also an ex member of the press, but from the days when things didn't move quite so fast)
Facebook wrote it. They called their friend at NYT and handed over the article - then mentioned they would be sharing it with other outlets later. [just my guess].
'Facebook is clearly aware that losing its chief security officer and dissolving its dedicated security team, in the middle of all that’s going on, is not a great look. So many of the company’s statements today are clearly designed to address obvious concerns that arise.
“We expect to be judged on what we do to protect people’s security, not whether we have someone with a certain title,” a spokesperson said. In another statement, Facebook said it is “investing heavily in security to address new types of threats” and that its new security structure has “helped us do more to keep people safe.”'
It is essential that tech companies, especially ones that provide critical infrastructure, place technical excellence above other priorities. Denigrating meritocracy is like pollution: the impact may not be immediate, and in the short term, it may look like you can have your cake and eat it too, but the universe is not caring and not kind, and if you forget about the need for excellence in the continual struggle against entropy, nature will eventually get around to teaching you a harsh and remedial lesson.
> According to some in the US government, Facebook can change the result of an election, so I guess that would qualify
Essential infrastructure describes "assets that are essential for the functioning of a society and economy" [1]. Not things that can cause a lot of damage. Bombers aren't essential infrastructure. Facebook is non-essential.
Bombers don't cause damage if they are neglected and unmaintained. A better analogy might be explosive material or radioactive material like involved in the Goiânia accident. There are consequences to the public when these are neglected. I don't know if those semantically qualify as critical infra, but its security is important for our security.
The information contained within Facebook is the payload. Facebook itself is the structure that holds and protects (or lack thereof in this case) that payload.
Nuclear missiles themselves aren't critical infrastructure, but you better bet the launch systems, and specifically the security of those systems, are utterly critical to society's continued functioning as we know it.
According to your linked article, it could be considered 'Critical.' Not sure how it doesn't fit under the 'telecommunications' umbrella. Subjectively I don't like facebook nor people's dependence on it to label it 'critical', but objectively I'm not sure the linked article supports those subjective inclinations. At the very least, it's certainly debatable that facebook could be considered Telecommunications infrastructure.
But it's a self fulfilling prophecy. It's only "critical" because it exists. If we shutdown every Facebook server tomorrow and set fire to their data center, it would no longer exist. And therefore have no influence on much of anything.
I'm not so sure I follow this argument, one could say the Earth itself is only critical infrastructure because it "exists". So therefore if we destroy the Earth, it wasn't actually "critical" infrastructure, even though any associated infrastructure on the Earth went along with it. Maybe the distinction needs a little more fleshing out.
The "surface" of Facebook may not be, but the parts of it that keep "personal information" certainly are, due to the scope of what can happen if it leaks.
Edit: people take my comment to mean it won't be a big deal. It will be. However, not on the same scale of taking out the power grid, or the water system, which would lead to hundreds or thousands of deaths. Facebook is not critical infrastructure.
If it leaks, there is a direct impact on users monetary expenses.
One of the examples:
FB may know their user's lifestyle - eating habits, drinking habits etc. (based on the content/media users upload) If this info is leaked to insurance companies, it'll have direct impact on the premium you pay.
You're absolutely, completely, 100% correct. Facebook holds an immense trove of private information that in the wrong hands could be leveraged to inflict unimaginable pain and suffering.
With that said, is it perhaps possible that some people might view this as subtly distinct from power plants, hospitals, roads, and ISPs? Those are what are generally considered "critical infrastructure".
If you also add the ability to micro-target voters at scale using everything facebook knows about them using secret ads and niche content that only those voters will see and no one knows need debunking, and thus changing the government, then it is very much like the power plants.
I understand the point that you don't need facebook the way you need the ability to feed the people in the cities (and thus need roads and power plants). If facebook disappears, life will go on. But as long as it exists, control of it is critical like control over power plants.
In the sense that it allows for power, you're completely correct!
In the sense that it's an immediate need for the continued basic functioning of the state, it's possible that there may be some distinctions that could be drawn. Some might opine that these are the distinctions that matter for the designation of what is and isn't critical infrastructure.
Facebook is positioning itself to be a -- the -- private source of a "social score", somewhat akin to what the Chinese government is doing.
As that comes into place and use, how many companies are going to be basing their pricing -- their entire product offers, in light of the availability of this information, this "score" (and all the categorization behind it) -- upon it?
Bingo. Critical infrastructure. (Like it or not, for some of us.)
It's not just the quote, the whole appendix ought to be taught to every engineer (and manager, and investor), and deserves to be hanging on the wall in many places.
For what it's worth, Facebook did not dissolve its dedicated security team. That statement is misreporting on the part of The Verge. Facebook's security team is actually expanding its presence.
There is lot of misinformation about the Stamos debacle on all sides.
With regards to the implication: this isn't a throwaway account, it's just ironically named. Take a look at my comment history; I'm not affiliated with Facebook in any official capacity, but I do know security engineers who work there and I've been to Facebook offices.
A true statement is that Facebook's security teams have been shifted around in several reorgs. A false statement is that Facebook has dissolved its security teams. The latter is a mischaracterization of the former, because while some security staff have left Facebook for a variety of reasons, the company is not deliberately reducing its security staff nor encouraging their departure. It still employs a huge number of engineers specializing in every major domain of information security.
If you'd like evidence that Facebook is expanding its security presence, you can take a look at its careers portal. It's aggressively hiring security staff in satellite offices that previously weren't focus areas for security engineering.
In my opinion, Alex Stamos' company memo gives a clearer picture of what's happened in Facebook's security org recently.[1] You should read that in addition to media reports.
634 comments
[ 2.7 ms ] story [ 346 ms ] threadoh boy, what a mess.
Well, when it doesn't have a security hole.
(Not to mention it's not really user impersonation, it's just filtering your profile page based on computed access level of one of your friends.)
The fact of the matter is... ACLs are hard to get right. It's even harder when you have various roles that can be checked against the ACL (logged in user, batch job, logged in user impersonating someone, etc.) . But in the end, complexity is what's scary, not some feature that depends on complexity.
This sounds similar to different distros of linux. Some are security focused where nothing is allowed until it is explicitly allowed. Other distros try to be more "user-friendly" and pretty much everything is open.
Starting from a wide open starting point and then trying to batten down the hatches afterwards does seem to the harder way to do it, but that's exactly where FB is. They wanted everything open, and then had to decide to start limiting that data. FB was designed as a place to share info. If you posted it, you wanted to share it. I totally get that mentality. However, as devs, I can imagine that we have all built something that the end users use in a way not envisioned, and we've probably all had "you're holding it wrong" lines of thinking. Once you get to that point, you can alienate users by telling them to stop doing it that way or embrace what's happening, and then make it work for them. Seems like the perfect situation to where bugs can get introduced.
From the press release[0] posted elsewhere in this thread
[0] https://newsroom.fb.com/news/2018/09/security-update/
Now it's 28th, meaning that they've disclosed the breach within 72 hours, as requested by at least one regulation (Article 33 of the GDPR).
That's clearly not even half a week.
Trusting these entities based on their noble intentions today makes no sense to me if there's no legal agreement or regulation to restrain them tomorrow, when they get desperate.
No, not at all. Their positive reputation was in many ways unearned, and it's a good thing to be glad that their own actions and attitudes are finally catching up with them.
I hate that this has happened. The Bay Area used to be a place where working for the big, shiny company that makes your parents happy wasn't prestigious. It was safe. But taking a risk and starting something new was admired. The present state of affairs reminds me of Wall Street.
The tech industry, despite its shortcomings, is vastly superior to Wall Street in that regard. It's still a meritocracy above all else.
Plenty of smart people break into tech after doing something else for a few years. If you want to go into investment banking, you better come from a consulting or have already been working in finance. Your only last bastion of hope is to get an MBA and then join the rat race.
e.g https://www.slideshare.net/a16z/state-of-49390473/29-29Becau...
Outside the tech community, probably Amazon, Microsoft, and Instagram (most people don't know Facebook owns Instagram).
Are you saying the latter two don't do that?
Also, a bunch of recruiting venues exploited by Facebook are not that accessible to smaller startups.
E.g. one of the top previous employers for Facebook employees was Google (or some other outfit within Alphabet group, like YouTube). Most likely those people would've stayed at Google.
Another hiring source was university recruiting, which involves participating at job fairs at various universities, exhaustive days of back-to-back interviews, flying candidates for on-campus interviews, and eventually covering relocation costs (and potentially visas and immigration paperwork) for someone moving from Pittsburgh, Waterloo or Romania.
Would a smaller startup have the financial oomph to run a similar recruiting pipeline?
I know lots of people who feel they get and have got tremendous practical benefit from Facebook. It isn't "addictive" unless you use that term to mean anything some people make that other people enjoy.
https://www.ncbi.nlm.nih.gov/pubmed/28093386
"Our results showed that overall, the use of Facebook was negatively associated with well-being."
Naturally, even if this study is accurate it isn't definitive; the causation could go in the other direction, that the unhappy use Facebook more often than the contented. But it's still quite suggestive.
I saw this study referenced from this article: https://www.vox.com/policy-and-politics/2018/3/21/17144748/c...
Along with React, GraphQL and a bunch of other technologies with various degrees of popularity https://opensource.fb.com
Along with various startups building around the projects incubated at Facebook - Asana, Interana, Phacility, Qubole, etc.
Where B is the sum of the set consisting of:
-Breaking democracy in the US and the UK by being _the_ platform for disinformation.
-Disinformation assisting genocide in Myanmar.
-Use correlating strongly with poor mental health
-Manipulating behaviour to encourage poor attention spans for the sake of ad-clicking
-Constantly violating basic standards of privacy
-(I could go on..)
Oh wait, excuse my arithmetic. I forgot to add another JS framework like Relay to the LHS of the equation, that makes it a net positive from Facebook! :D
It is a problem inherent in the structure of most social media companies. And Facebook is the most significant social media company, and thus contributor to the problem.
Blaming facebook for "breaking" democracy in the US and the UK is ridiculous. I can't understand how this can continue being a claim remotely considered valid. I agree (or may agree, at least in part) on some of the other points, but not on this.
Claiming that Trump won just because of the russians putting ads on facebook is at least naive - and ignores the fears/actual issues a very big* part of the US population experience daily. Isn't failing public schooling a problem there also? Does that give us citizen more or less prepared to actually participate in democracy?
Politicians (of all sides) in the UK have accused the EU of being the root of all evil since they "joined", again and again and again: you lost your job? Blame the EU! We can't cut taxes? Blame the EU! You really want to blame facebook and NOT the politicians themselves because people voted for brexit?
If the Russians tried to manipulate (and for sure they did, oh gosh, I'm pretty sure the US and the EU states never do - or did - anything to manipulate elections abroad! Evil Putin, why you do this to us? :cry:) we rolled out the red carpet for them!
Democracy was broken because actual journalists did not do their job. Stop doing what they (may) want you to do, using social media as a scapegoat for their own (willing, sometimes, for sure, at least if you read what Chomsky has to say) MASSIVE failure of being the "champions of truth" they claim (and blindly believe - I worked on somewhat close contact with them for years, I've seen that) to be.
You don't think those technologies could have been developed by people at ethical companies, or even by the same people at ethical companies?
There's also financial support for building a community around improving the tech, by encouraging outside contributions via meetups, conferences, social events, better technical documentation, etc.
At smaller scale startup an engineer is surely welcome to work on his skunkworks project, but justifying expensive large-scale architectural undertakings on company's dime is problematic. Especially if a quicker fix is available and buys the company a chance to kick the problem down the road.
With that said, it's not impossible to build a major popular piece of technology within a small company (Joyent and Node.js being a good example), it's just harder.
This discussion is mostly irrelevant to the fact that this particular company is completely reckless and unethical. The technology they accidentally produce while building a dystopia to make people click on ads[1] does not justify anything.
1: https://youtu.be/iFTWM7HV2UI
So, yes, I believe they are trying to corner the market on the best programmers.
They may pay more, but they collude to make sure people couldn't leave without going far outside the bay. That's a monopolistic trait.
I agree they weren't putting a gun to people's heads but they were making the environment less available.
[1] https://www.c-span.org/video/?451963-1/google-apple-amazon-t...
Obviously, Facebook is an extremely complicated system. But I find it hard to believe a video uploading feature would impact 'View As'.
It's intuitively straightforward that modifying code for uploading videos could (read: not should) have authorization and authentication ramifications. One of those ramifications could then result in a vulnerability chain compromising user impersonation functionality.
I have seen far, far more incredulous head scratchers in penetration tests and code reviews. The interaction boundaries of, or middleware between, two seemingly unrelated systems is generally a good start to look for a security vulnerability.
I get this part. But why would it affect only videos and not other entities (photos, status etc.)? I would think creating (or uploading) any of the entities have the same authorization and authentication ramifications. What could be different for videos? Unless the privacy models are so fine grained that you can have different privacy settings for different entities (haven't used Facebook in years, so I don't really know). Your explanation makes sense, I'm just looking for a concrete example.
The problem is often that there are multiple sources of truth for who the user is. And if you have an impersonation feature, you by definition have two sources of truth: who the user actually is, and who the user is impersonating. It would just be a matter of a single mistake of using the wrong one.
Considering that "view as" requires your page view to render every control as the impersonated user but only when it comes to your profile, but renders all controls outside of your profile as the original user, I could see any engineering team dealing with some very carefully drawn and potentially confusing boundary cases.
Edit: just to elaborate, it's not just obvious impersonation contexts where this gets interesting. For example, linking your Humble Bundle account to your Steam account, or on Netflix which user you are vs. which email address is being billed. Many apps have a function to share some document using a one-time expiring token. If you're also logged in, then do you read permissions from the shared token or from your account? If you mix them, do you make sure anything that writes to this shared view can't touch your account itself on accident? We don't think about it much but I think you can see how these subtle distinctions are important when you are thinking about access control, and that makes it a breeding ground for subtle mistakes.
https://Qbix.com (see the video)
On the other hand, I feel like I’m shamelessly promoting/shilling my own company.
How to do it in a classy way? I really believe that there is a problem people are not recognizing enough to do something about it (Diaspora and Mastodon and Solid are exceptions).
And I spent the last 7 years and $700K of our company’s profits solving it. So it’s now solved. If Mastodon is “a decentralized Twitter creation kit” where you own your own data, then Qbix is a “decentralized Facebook creation kit” where you can assemble social apps from a growing marketplace of reusable components, some of which don’t exist anywhere. Here for example is a Group Rides plugin that basically makes a social Uber, and ANYONE can have it on their OWN social network:
https://youtu.be/Z7Q7IzVv1VU
OK, but we are perfectionists and are spending months polishing “the other 90%” so it’s not a flop when we release it to the public to create their own facebooks. We need really clean onboarding and measure engagement metrics and fix bugs etc. It took 7 years thus far.
For example this was last year, we are way more advanced now:
https://vimeo.com/208438090
So, advice would be appreciated from people who have successfully done before. Maybe contact me (qbix.com/about has my email link). How do we get the story out there that Qbix is being built to FIX the underlying root problem of decentralizing social networking, so people’s data isn’t in one place?
Please if you have some knowledge about this, take a look at the above videos and let us know what advice you have to get stories actually published.
PS: one more thing, we managed to get tons of inadvertent press back in March including BBC and Newsweek, which you will find if you search for “calendar mining” or “qbix calendar”. BUT when I reached back out to thise journalists to cover an actual story of Qbix is actually doing, none of them replied. Many of them just want to break the sensational controversy because that brings notoriety. How do you make them write about SOLUTIONS to problems?
You only get one chance to make a first impression. I'm afraid the first impression I got means I'm unlikely to return. I suspect the same applies to all those who took a look in March.
What makes it dated specifically? Versus let’s say https://joinmastodon.org/
Also did you visit from a mobile phone or desktop?
3D strong blue and green spinning globe. 3D logo, hard (high contrast?) RGB values. Child's drawing header looks like a hospital. Mission statement not at all aligned with what your comment says. Empowering people page, weird lego photoshop. More strong RGB icons.
>We build apps for all kinds of communities.
I assume this is an app building consultancy from this statement. Nothing about decentralization. Way too much text on the page (for people like me who cbf to read). Are you trying to get people to download your group / calendar app or build apps on qbix? Choose a goal and optimize your copy for it.
Mastadon - Single page layout. Clear missions statement (Social networking, back in your hands). Flat (material?) icons. Single, fixed width column of text. Lower contrast color scheme.
Good news, you're not just imagining things. It feels exactly like that to the readers as well.
I guess even the best (at secure coding) sometimes mess up.
Have Amazon, Google, Twitter, Microsoft or Apple been on haveibeenpwned? That’s what I think of when I hear “big names”.
Yes my company benefits from it, but so do I. For instance, given a choice of trying to come up with an idea to learn about a feature of AWS and pay money for the resources I use, and take advantage of my work AWS (Dev) account where I am an admin, I would rather do a work related project where I have the resources and I don’t have to come up with an idea and I don’t have to pay for it.
What I don’t do is “signal”. I don’t stay at work late, I don’t send emails out after hours, and I pushback if they give me unreasonable deadlines.
On the other hand, say it would take me 50 hours and I knew I would have to work on the weekend because I’m not as experienced, but I thought I could still have it done by Monday.
I might be willing to volunteer, knowing it would take me longer but it would also be done on time. That extra 20 hours, I’m still working, committing code but zeal do trying to figure out the framework. I wouldn’t have a problem doing that because I am learning a new skill.
But, I wouldn’t work weekends to finish a project because I was given an unrealistic deadline.
The first scenario, the extra 20 hours benefits me and the company. The second, it just benefits the company.
In fact, I need permission from my manager's manager's manager in order to stay past 7pm.
This company believes in a strong work-life balance, and this is one of the ways it achieves this.
Also, it "changes the world" in good ways, not by "connecting people" through bogus data siphoning addiction traps.
Personally I strongly prefer no fixed working hours. If you want to work at night, so that you can do things when it’s light out (especially in winter), and you still get the expected results, what’s wrong with that?
Also, lone wolves working at night are harder to manage and communicate with.
Probably not fired. But the interior motion sensor alarms go on automatically at 7pm, which would probably alert the security guards that roam the campus.
When I first started, I came in too early once and set off the alarms. People were nice about it, but I was super embarrassed because I was a n00b.
Personally I strongly prefer no fixed working hours. If you want to work at night, so that you can do things when it’s light out (especially in winter), and you still get the expected results, what’s wrong with that?
I worked at a place like that once. When I was hired I was told I could make my own hours. I prefer to work early mornings, so some days I came in long before anyone else. A couple of times around 3am. But I always worked at least eight hours, and often more.
In my exit interview, my supervisor was rabid about how I wasn't a good fit because I "come and go as [you] please." She was so full of crap about other allegations against me that I didn't even have a chance to bring up that making my own hours was part of my employment deal.
Take those excited geniuses and have them work on preventing climate change from ruining all life on earth, instead of inventing new ways to profit off of people’s data.
Just because we have more "stuff" and more advanced "technology" doesn't make life more worth living. Happiness levels across society don't increase alongside productivity.
Okay. That's your choice. But having made this choice, don't complain when those of us who choose to devote more time to work receive greater rewards. There's nothing wrong with paying for performance.
I can’t stop my bosses from judging based on time spent working (which is silly, but hey, we’re all human), but I sure can try to stop my coworkers from subscribing to such insane work hours.
we're talking about Facebook here
If Facebook's a grind, then that's something the employee has to figure out.
> What, exactly, is wrong with the expectation that people make senior level eventually?
The problem is when you base too much on promotion systems and performance reviews, that end up as a form of bias and favoritism not closely approximating the truth. Some amount of people are doing useful work for you (like cleaning up after people you think are the high performers) that does not surface there, and when you crap on them, pass them up, bust their morale, make them afraid of their next review, etc., you risk losing their valuable contributions.
Modus operandi in these companies is to rewrite/reintroduce whole products instead of fixing bugs from already discarded people. So if you lose a critical amount of worn out higher paid contributors, you just make a V2 or introduce a new product with a completely new fresh team that will get discarded after another 3 years. This requires fresh supply of motivated and hungry people willing to take sacrifices and a much smaller amount of people willing to exploit that.
I can't believe people put up with this. I really hope you got paid for that time.
You see, the parent poster said:
> They got pushed to check-in code at 12a.m. for example.
This is ENTIRELY different than having you, overly excited about some project, deciding to work late and pushing code at 12am of your own accord. That's absolutely nothing wrong with that.
Now, if you are EXPECTED to do it, outside major emergencies, then you have a problem.
Unfortunately the number of lazy people far outweigh the number of hard workers.
My understanding of the "get promoted or leave" thing is "engineers hired as juniors are expected to get to mid-level in under 5 years (with a half-way milestone at 2 years)"; once you're mid-level it's up to you if you want to carry on climbing. Personally once I got there I switched to a "work more efficiently in fewer hours and keep the same overall productivity" approach instead of trying to get promoted into the senior levels, and that's worked out nicely so far :)
Train me, please.
It’s not a great practice in my opinion. But in practice only a small percentage of engineers fail to make the grade.
I was logged out of Facebook about 30 minutes ago.
[0] https://en.wikipedia.org/wiki/Thundering_herd_problem
This is code for "this is much worse than we are telling you now, we just can't reveal it all at once".
I dislike Facebook as much as the next person.. but I have to say, Facebook Ads are a goldmine if you know what you're doing. It's not going to be that way forever.
But does this mean most of the time that there was no active access token and she is mostly safe? (Excluding the windows of time where she was actively using FB) Do I have to take back all of my teasing?
They also disabled "View As" which is the actual fix for the time being.
Edit: Same on my PC. Still logged on.
CNN many years ago accidentally left some of their pre-written obituaries for (living) world figures publically accessible. https://en.wikipedia.org/wiki/List_of_premature_obituaries#T...
It's not uncommon. It's how you build "friendly" relationships with the media. I scratch your back, you scratch mine.
Actually, not "common" at all.
Obituaries for famous people are often done in advance, since everyone dies. It used to be one of the things that young journalists/interns did to cut their teeth.
But not every company has a massive security breach, so this was not pre-written.
It's not uncommon for big companies to fax (yes, fax) bad news to news organizations a few hours or days before posting it on their own web sites.
In the past, there would be embargoes on the information, but in the case of bad news, those are routinely ignored.
You should probably get on that.
I suspected there was a breach of some sort, when my tokens expired in three places simultaniously, this morning. First thing I did was search google news, nothing had been written yet. I wasnt sure they would ever announce it, probably depends on the scale.
There was a conference call with reporters about the subject, so the press release public release was not the first the NYT knew about it. They likely had an embargo agreement.
It's often in the interest of the reporter to agree to stuff like this since publishing security issues ahead of time can have serious negative consequences.
Source: I spent years at a national PR agency
Facebook wrote it. They called their friend at NYT and handed over the article - then mentioned they would be sharing it with other outlets later. [just my guess].
Noam Chomsky wrote Manufacturing Consent decades ago.
Read, you fools!
“Facebook Is Giving Advertisers Access to Your Shadow Contact Information”
Source: https://gizmodo.com/facebook-is-giving-advertisers-access-to...
'Facebook is clearly aware that losing its chief security officer and dissolving its dedicated security team, in the middle of all that’s going on, is not a great look. So many of the company’s statements today are clearly designed to address obvious concerns that arise.
“We expect to be judged on what we do to protect people’s security, not whether we have someone with a certain title,” a spokesperson said. In another statement, Facebook said it is “investing heavily in security to address new types of threats” and that its new security structure has “helped us do more to keep people safe.”'
Source: https://www.theverge.com/2018/8/1/17640852/facebook-cso-alex...
Essential infrastructure describes "assets that are essential for the functioning of a society and economy" [1]. Not things that can cause a lot of damage. Bombers aren't essential infrastructure. Facebook is non-essential.
[1] https://en.wikipedia.org/wiki/Critical_infrastructure
Nuclear missiles themselves aren't critical infrastructure, but you better bet the launch systems, and specifically the security of those systems, are utterly critical to society's continued functioning as we know it.
If you destroy Facebook, Google+ gets some more users.
Edit: people take my comment to mean it won't be a big deal. It will be. However, not on the same scale of taking out the power grid, or the water system, which would lead to hundreds or thousands of deaths. Facebook is not critical infrastructure.
With that said, is it perhaps possible that some people might view this as subtly distinct from power plants, hospitals, roads, and ISPs? Those are what are generally considered "critical infrastructure".
I understand the point that you don't need facebook the way you need the ability to feed the people in the cities (and thus need roads and power plants). If facebook disappears, life will go on. But as long as it exists, control of it is critical like control over power plants.
In the sense that it's an immediate need for the continued basic functioning of the state, it's possible that there may be some distinctions that could be drawn. Some might opine that these are the distinctions that matter for the designation of what is and isn't critical infrastructure.
As that comes into place and use, how many companies are going to be basing their pricing -- their entire product offers, in light of the availability of this information, this "score" (and all the categorization behind it) -- upon it?
Bingo. Critical infrastructure. (Like it or not, for some of us.)
[0] https://science.ksc.nasa.gov/shuttle/missions/51-l/docs/roge...
FWIW though, investors can be fooled.
There is lot of misinformation about the Stamos debacle on all sides.
A true statement is that Facebook's security teams have been shifted around in several reorgs. A false statement is that Facebook has dissolved its security teams. The latter is a mischaracterization of the former, because while some security staff have left Facebook for a variety of reasons, the company is not deliberately reducing its security staff nor encouraging their departure. It still employs a huge number of engineers specializing in every major domain of information security.
If you'd like evidence that Facebook is expanding its security presence, you can take a look at its careers portal. It's aggressively hiring security staff in satellite offices that previously weren't focus areas for security engineering.
In my opinion, Alex Stamos' company memo gives a clearer picture of what's happened in Facebook's security org recently.[1] You should read that in addition to media reports.
______________
1. https://www.buzzfeednews.com/article/ryanmac/facebook-alex-s...