Facebook Intern Gets Preemptive Ax For Exposing Security Flaw
Engadget reports that Harvard student Aran Khanna, who was about to begin an internship at Facebook, had that internship yanked after he created (and took down, but evidently too slowly for the company's taste) a browser plug-in that exposed a security flaw in Facebook, by allowing users to discover the location of other users when they use the Messenger app. Surely Khanna won't be jobless or internship-less for long. (Don't expect the app to work now; it's still in the Chrome store as a historical artifact, though, and at GitHub.)
So you're trying to get a job at a company and instead of reporting to them a security flaw, you create a Chrome extension to let anybody (ab)use it.
If you're expecting to NOT get fired, you're an idiot.
Your hair look like poop, Bob! - Wanker.
What? They yanked an internship away from someone who released an exploit for their platform?
Can someone close that parenthesis? It's driving the LISP part of my noggin nutty.
And make him find more exploits and publish them. But too late for GooglePlus that's doomed now.
If you keep throwing chairs, one day you'll break windows....
)
Pet peeve: people using parentheses unnecessarily.
Some (inspired) companies provide rewards for discovering flaws in their products, allowing them to improve them under controlled circumstances. Some (short-sighted) companies punish the discovery of product flaws, preferring the illusion of a pristine public image over the security of their clients. Yet this is clearly a third case: that of it being an intentional "flaw" which was intended to provide revenue. So, if there was such a thing as justice at this level (there isn't) then Facebook should be doubly embarrassed.
Outrageous... The kid I mean, and likely his parents as well.
Why is this even posted?
What happened to Slashdot?
Who claims Oracle finds all their own exploits, corrects them, and will send you to their legal department if you happen to find bugs in their software!
While this is more due to limitations in said masters and their organizations, it is nonetheless a very important rule. If you must do it, then do it privately. If you need not, then do not do it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
here are your choices:
1. employee or white hat or grey hat comes to you with an exploit. you reward him for the discovery, you squash the exploit. the media paints you in a good light. more white hats and employees are eager to come forward with exploits they find. your userbase is happy with the quick resolution, transparency, and eagerness to protect
2. employee or white hat or grey hat comes to you with an exploit. you fire him, sue him, ignore him, censor him. maybe you don't squash the exploit, you think you can just hide it. of course, the media gets wind anyways and paints you as a moron who thinks you can sweep it under the rug or an idiot in denial for your "no comment" when asked about the exploit. white hats and employees are discouraged and hide exploits or turn into grey hats and black hats and sell your exploit underground or use them for nefarious purposes themselves. you don't find out about it until much later as no one wants to talk to you after the reception you've demonstrated. you are hacked, your userbase grows angry and shrinks, your third quarter profit takes a hit, the guys in the corner office call you in and ask you to account for the problems
those are choices middle management morons. proceed accordingly
oh, the guy wrote an app instead of coming to you immediately?
gee, how horrible
hide your blind shortsighted anger, paint on a fake smile, and give him a reward
because that's what is in your best interests you fucking pinhead! you WANT these guys to come to you, so you NEVER show any negativity to anyone who has shown how YOU have failed by discovering the exploit. the original shame, the original failure is YOUR EXPLOIT
it's not a parent-child situation and the kid crashed the family SUV. it's about you failing to provide airtight security with your product and you showing the world that you are welcoming to all friends and foes who would only come to you and tell you what you did wrong to allow the exploit. understand? you failed first, by allowing the exploit to exist
oh, all complicated software has exploits? true. so you're really eager to plug those holes any way you can, right? you're really glad someone found one for you, right? prove it, by rewarding those who find the holes
either the exploits go underground when you storm around like a prima donna when someone finds a hole, or you show how eager you are in due modesty that anyone come forward with an exploit for you to squash, with thanks and kudos
now figure the fuck out what is best for you and your company's bottom line, and don't be such a mediocre empty suit
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Wondering what percentage of /.ers is trying to track their (imaginary)girlfriend/wife/goat with this right now...
blindly antisocialist = antisocial
It was published THREE YEARS ago by CNet and others. What the fuck was he supposed to disclose exactly? I'm sick and tired of people not doing the minimal amount of reading necessary to avoid railroading a privacy researcher with a priori judgments.
Also it's not a security flaw, it's a feature: they push this data to your box. All he did was write some JavaScript to display it on a map.
"KHAAAAAAAAAAAAAAAAAANNA!"
I thought the FB mobile app already gave you the ability to click on messenger-based messages to see where they came from? How is this a flaw?
The curious part about this is that this privacy leakage flaw has been known since 2012 and was reported in the media. Facebook didn't care.
Aran Khanna MADE Facebook care. I don't know if he was trolling Facebook or if he is just naive. Either way, I applaud his results.
I disagree.. this "idiot" cleverly parlayed an unpaid internship 'firing' into fame and notoriety to get noticed and then hired by a security company; you can't buy this much press even on a Harvard tuition budget. He had a bigger plan all along, and will be hired by a firm in the area of his interest.
Such a firm will be smart to do so. And they will not fail to capitalize on this new hire... they will highlight that one of their employees, [begin bio and / or press release] "...recently made international news by demonstrating a critical security / privacy flaw in FaceBook's messenger application, a flaw that potentially affected hundreds of millions of unsuspecting at-risk FB users".
Pretending this is my office full of bitter coworkers..
employee or white hat or grey hat comes to you with an exploit.
Too bad that is not what happened. The following is a much closer description.
A recent hire who has yet to start work publishes an implementation of an exploit so that anyone can use it
Here are the differences.
1. He had yet to start work
2. He let the exploit out to the general public before informing his soon to be employer.
I believe that it would have been a different story had he just reported the exploit to Google rather than publishing it.
oh, the guy wrote an app instead of coming to you immediately? gee, how horrible
That is the difference between a white hat and a black hat. It shows poor judgement, need for recognition and the propensity to do similar stupid things in the future.
Let's look at a similar situation. Say your boss is walking around a conference with his fly open. Which of the following do you do?
1. Ignore it and hope he realizes.
2. Talk to him and discreetly mention the issue.
3. Stand in the middle of the room and shout out the fact that your boss has his fly down.
This guy chose option 3 which shows how little judgement and tact he truly had.
oh, all complicated software has exploits? true. so you're really eager to plug those holes any way you can, right? you're really glad someone found one for you, right? prove it, by rewarding those who find the holes
There is a right way and a wrong way to do things and this guy chose the wrong way.
Plenty of us want to create new wonderful things or improve the world. Shuffling other people's money around is boring despite the good pay.
Stop using Facebook - it's not that hard!
Consider it another way.....his life will now be measurably improved by working for a company besides Facebook.
"First they came for the slanderers and I said nothing."
well said
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
what, no "hey thanks for the free development work" sort of thing here?
I disagree.. this "idiot" cleverly parlayed an unpaid internship 'firing' into fame and notoriety to get noticed and then hired by a security company
I am pretty sure Facebook internships pay fairly well.
Am I the only one feeling like throwing up?
Internships usually don't pay anything at all.
this is why they are internships. This is why there is a whole other class of internships called "paid internships" around. Because if paid isn't specified, it's assumed that you aren't going to get paid.
Unpaid internships are illegal in California (with the exception of certain types of non-profits). The Silicon Valley companies only offer paid internships. I am pretty sure Facebook pays their interns very well (they need an incentive to join Facebook once they graduate)
http://www.glassdoor.com/Inter...
Let's assume the temporary internship pays money. Then I would stand by my general point and amend the comment to say, "...he parlayed a temp job that he clearly did not want (based on his public actions against FB) into millions of dollars worth of PR toward a future, permanent, high-paying career position in IT security".
Pretending this is my office full of bitter coworkers..
You don't exploit our 3 year-old, no-privacy web-page. We exploit you.
it's a feature.
turn off location tags if you don't want them.
they didn't want him to intern because the way he was presenting the stuff, I think. or because he cannot tell a software flaw from a feature.
world was created 5 seconds before this post as it is.
No. Let's be clear here. Facebook wants that detailed location information so that they can target ads. Read the TOS. Facebook has access to the messages, and can tailor an ad to what you are messaging about. Messaging your friends on where to meet for dinner. Bang - you get an ad for the pizza place a block away.
The kid exposed the scam in the system which will likely cost Facebook millions in lost revenue opportunity if people actually turn off location monitoring.
Already commented so I can't mod this myself, but: yes, this. Exactly this.
I'd like to emphasize here that among "you people" one must, prominently, include Timothy. None of the linked articles call this a "security flaw", and calling it that anyhow is just intellectually dishonest bullshit.
There's no place I could be, since I've found Serenity...
If Facebook was really as forward thinking and revolutionary in any kind they would have kept that young fella and offered him a permanent position on the security team. Punishing people for such actions is just old style HR policy. Sure, he should have gone about it differently maybe, as in not making it a publicly available tool, but the core of the issue is that he found a significant vulnerability on his own. It is just too typical that folks get punished for a job well done, either by firing them, giving them more work, or promoting them to a management position where they waste their talent on annual reviews, budget planning, and singing kumbayah at management retreats.