Slashdot Mirror


Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus' (zdnet.com)

An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.

85 comments

  1. Hacked by geekymachoman · · Score: 5, Interesting

    Well, considering their 1.2 billion people DB hasn't leaked .. I guess they're doing an OK job, compared to, let's say, Yahoo... who have been hacked like 3 times in 5 years? Or LinkedIn. Or Equifax.. or ..

    1. Re:Hacked by Opportunist · · Score: 4, Interesting

      Well, if you run your network like a college campus, you probably wouldn't know if you're being hacked.

      So ... let's put it that way, when you're blind, you can't see the elephant standing in front of you as long as he doesn't step on your foot.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Hacked by Anonymous Coward · · Score: 3, Funny

      I visited their so-called "campus". It is fucking filth, with kiddies running around; I thought it was a kindergarten. Who the fuck in their mind is trusting zuckerburger with security?

    3. Re:Hacked by GuB-42 · · Score: 3, Insightful

      Well, I wouldn't be surprised if some college campuses have better security than some defense contractors.
      Especially if said campuses teach computer security, and there are hundreds of wannabe hacker students inside it and renowned security researchers in their ranks.

    4. Re:Hacked by Anonymous Coward · · Score: 4, Interesting

      OR, if you're running a college campus network, you assume it's the worst combination of raw internet and bored / mischievous students; so the network itself you treat as untrustworthy and build better systems on top. You assume constant hacking so you build systems tough rather than complacently relying on 'defense contractor firewalls'.

      Let's hope that's what's happening.

    5. Re: Hacked by Anonymous Coward · · Score: 0

      maybe get rid of the beer kegs?

    6. Re:Hacked by nospam007 · · Score: 1

      "Well, considering their 1.2 billion people DB hasn't leaked .."

      Leaked? You just have to download the whole thing, you get everything.

    7. Re:Hacked by Anonymous Coward · · Score: 2, Insightful

      Yeah, when I read the headline, I thought they were explaining that running it like a college campus is the *right* way to do it. It pretty much is. I'd be more concerned that their chief of security doesn't understand how colleges are successful at running such open networks.

    8. Re: Hacked by thegreatbob · · Score: 1

      But I was using those as ballast for my crash cart!

      --
      There is no XUL, only WebExtensions...
    9. Re:Hacked by Ol+Olsoc · · Score: 2

      Well, if you run your network like a college campus, you probably wouldn't know if you're being hacked.

      So ... let's put it that way, when you're blind, you can't see the elephant standing in front of you as long as he doesn't step on your foot.

      I'd be a little worried though if I were a present employee. The cultural differences between the two areas, college campus and defense contractor, are pretty extreme. And it may be presumed that they have people of the college campus mindset at present. So when do they start lining up the employees for the polygraph tests?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    10. Re:Hacked by Anonymous Coward · · Score: 0

      Well, considering their 1.2 billion people DB hasn't leaked

      That we know of. Frankly, it can't happen fast enough. Facebook has to get fucked back into the stone age after opening Pandora's overwhelmingly Russian box before they attain some kind of nationalized ID status in the USA.

    11. Re:Hacked by skids · · Score: 3, Interesting

      Pretty much... I've had to evaluate security solutions hailing from the corporate sector for application in .edu, and I have to say so many of them put a disturbing amount of trust in their ability to lock down the client OSes. Now this makes them pretty much useless in an environment where joining the majority of devices on the network to a domain or MDM is just plainly not an option (the users won't stand for it, and even if they did, we have continuing ed users with conflicting configs on the work laptops from other companies which they bring to class). But even if we were able to do so, you should pretty much never trust client machines, even if you've gone all in on the even-with-TPM-won't-even-boot-BIOS-unless-connected-to-a-cloud-verification-service crap. You have to harden the infrastructure as if it were an internet-facing service (while still doing what you can on the network layer to restrict access and at the OS layer to keep machines updated).

    12. Re:Hacked by Anonymous Coward · · Score: 0

      FB seems to have a good record of security so far. I don't recall any recent breaches. The last one was in 2013. If breaches happen, it usually is on the app level, not something on the DB or lower on the stack.

      They seem to be doing something right... other companies use them for authentication, so they seem to have some trust, although it is a head-scratcher why companies do that.

      I may not be a fan of FB, but the one thing they seem to be doing right is keeping data out of unauthorized hands. (Unauthorized as in blackhats, not governments or ad agencies who either pay or coerce the Zucc for information [1].)

      [1]: Sort of how the Russians got their ads in, or else FB would be banned from the Motherland. Not like that is a big loss... VK (aside from the fact that it is owned by Putin loyalists) is a better social network anyway.

    13. Re:Hacked by Anonymous Coward · · Score: 0

      Campus networks are a zoo. Even at institutions that have world-renowned computer security faculty.

    14. Re:Hacked by The+Cynical+Critic · · Score: 1

      I'm not sure there's any good reason, other than the bragging rights, for the kinds of organizations behind the big corporate breaches over the last few years to hack them when they're just going to end up competing with Facebook themselves in actually selling that data. No point in buying that data from an illegitimate source when you can get the exact same data perfectly legitimately from the original source.

      --
      "Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
    15. Re:Hacked by Anonymous Coward · · Score: 0

      All the real breakthroughs come from the college campus anyway; Raytheon and the like merely weaponize them. Where do you think the actual spying starts?

    16. Re:Hacked by Anonymous Coward · · Score: 1

      It depends on the college campus. I have witnessed places that are mind-blowing in their insecurity. They would have been considered insecure in the 1990s yet still operate today.

      The worst included a single VLAN spanning an entire building and including machine rooms, staff offices, student offices, labs, and conference rooms. Every computer in this network has a public IPv4 address and no firewalled ports except what they enforce locally in the computer. They even have some cargo-culted, DMZ-like subnet where they dump unrecognized MAC addresses via DHCP. However, rather than putting unrecognized machines on the internet, outside the "internal" network, they give them full access to the internal network and don't give them an internet route! But there is no port-level control or validation, so any static configuration will allow you to use one of the regular internal IPv4 addresses and have the run of the place. Meanwhile, they have abandoned-in-place machines from every era scattered through labs and machine rooms, often running unpatched software, and often configured with naive methods which assume the internal network is secure and trustworthy.

      When I see places like this which still seem to function today, in spite of their incompetent IT groups, I almost wonder if they have already been owned by some external black hats, who secretly manage the network to keep it going for their own ends!

    17. Re:Hacked by Anonymous Coward · · Score: 1

      If I were blind I still wouldn't see the elephant if it steps on my foot. That would be a miracle!

    18. Re:Hacked by mccrew · · Score: 1

      Well, considering their 1.2 billion people DB hasn't leaked .. that we know about.

      FTFY :)

      --
      Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
    19. Re:Hacked by Opportunist · · Score: 1

      Believe me, when an elephant steps on your foot, you won't care whether or what you see.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    20. Re:Hacked by Anonymous Coward · · Score: 0

      Well, considering their 1.2 billion people DB hasn't leaked .. I guess they're doing an OK job, compared to, let's say, Yahoo... who have been hacked like 3 times in 5 years? Or LinkedIn. Or Equifax.. or ..

      It's only a matter of time before one of those privileged white millennials at Facebook makes a mistake that causes the entire company to be "flushed" like EFAX.

    21. Re:Hacked by Anonymous Coward · · Score: 0

      Well, considering their 1.2 billion people DB hasn't leaked .. I guess they're doing an OK job, compared to, let's say, Yahoo... who have been hacked like 3 times in 5 years? Or LinkedIn. Or Equifax.. or ..

      You do realize Alex Stamos is the same fucking guy, right? He was responsible for the Yahoo breaches. He was their CISO at the time. Now he has the same gig at Facebook.

    22. Re: Hacked by Reverend+Green · · Score: 1

      I would so love to be freely able to query their database.

    23. Re:Hacked by epine · · Score: 1

      Well, considering their 1.2 billion people DB hasn't leaked ...

      Jason just called. He wants to know if you're his daddy.

  2. What's the problem? Employees go to colleges. by Anonymous Coward · · Score: 0

    Sounds like someone out to push in his favorite firewall vendor for big bucks. The Tootsie Pop model of security is long discredited. How about they put back some of the money they made off open source software into making sure that everybody can run a secure Linux on their network and that the Linux actually is secure? If every network connection was properly encrypted from a properly secured endpoint then the network wouldn't matter. If the endpoints aren't secure then the network isn't secure anyway.

    1. Re: What's the problem? Employees go to colleges. by Anonymous Coward · · Score: 0

      Talk about missing the point. He is not talking about wires and switches and endpoints. He does not literally mean the network infrastructure.

      Try again before you magically solve the world's problems from yer mom's basement with encrypted endpoints and SELinux.

  3. Good on them! by Anonymous Coward · · Score: 0

    So refreshing to see a company take security seriously.

    1. Re:Good on them! by Opportunist · · Score: 2

      Mostly 'cause they want to sell that data. If it could be taken freely, who'd throw money at them?

      They're just protecting their assets.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Good on them! by Kokuyo · · Score: 3, Interesting

      That is true, however it's not the point of this story.

      It was also true for Equifax, wasn't it, and still they were breached due to negligence.

      This is more a matter of one company trying to do the minimum while others will happily gnaw at their last leg or sit there watching contentedly while their house is being washed down the river brick by brick.

      The only tragedy is that doing what you're supposed to do has become such a seldom event for corporations that it's news-worthy. If it was due to actual ethics, it would be the proverbial unicorn.

    3. Re:Good on them! by Pinky's+Brain · · Score: 1

      They were breached due to incompetence. Whoever didn't keep all web front ends up to date made a mistake; that's not negligence ... mistakes get made. Security should mitigate mistakes.

      Whoever allowed a bug in a fucking web front end to escalate into their entire database getting downloaded, now he has something to answer for. Of course almost every IT department gets their entire shit owned by their web front end being exploited ... almost the entire IT industry is incompetent.

  4. Don't get his point. by Anonymous Coward · · Score: 0

    Well. He's been at the post for 2 and a half years, and the word chief is attached to his job title, so what exactly is he complaining about?

  5. I know facebook's security team by Anonymous Coward · · Score: 0

    And trust me, your info is safe with them. As a government security analyst I *wish* we had the capability they have.

    1. Re: I know facebook's security team by Reverend+Green · · Score: 1

      Except it's their data, not mine. Even though it's about me. This problem needs a legal, not technical, solution.

  6. Good awareness angle by Anonymous Coward · · Score: 0

    Not long ago, there was a discussion on Slashdot on how to encourage companies to be more mindful of security. Well, I think one of the answers is right here - use a metaphor that people will not be able to forget, like "Northrop Grumman versus college campus" :)

  7. That's not going to help. . . by Salgak1 · · Score: 3, Interesting

  8. Now we know why by Anonymous Coward · · Score: 0

    Zuckerberg taped over the camera on his Macbook Pro.

    Too lazy to fetch the link....

    1. Re:Now we know why by Opportunist · · Score: 2

      Who hasn't taped over the cam on his laptop?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Now we know why by Ol+Olsoc · · Score: 1

      Who hasn't taped over the cam on his laptop?

      That's the only way I can get wimmin to join me on Chatrbate! Otherwise, I scare them.........

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  9. You aren't saying anything useful by Anonymous Coward · · Score: 0

    "Hacked" can mean anything at all these days, so you're not saying anything of substance here.

    Yes, the entire computer "security" industry has that problem, deliberately so.

    Anyway, facebook apparently failed to grow up, with their college campus mentality still very much in the DNA of their company, so you'll see it come back everywhere. On top of that their again college campus-inspired "real name policy", where they even decide whether your name can be "real" enough to open a facebook account with, and their "need" to gather as much data as they can to sell to third parties and therefore "need" to keep their own doings secret from the lusers who pour their tiny little hearts out into their platform, and you have... the privacy nightmare that is facebook. It's not so much any single incident. It's the leaky nature of the thing.

    What this guy is apparently saying is that sooner or later facebook will have data leakage incidents, and that'll be bad for the bottom line. Do you see how his heart bleeds for your privacy?

  10. Having seen IT at a defense contractor by Anonymous Coward · · Score: 0

    Having seen IT at a defense contractor, I can confidently say that is not a very high bar to aspire to. Defense contractor IT departments do not appear to attract the best or brightest - and it shows.

    1. Re: Having seen IT at a defense contractor by Anonymous Coward · · Score: 0

      We can fix that... But it's not cheap.

  11. Wait till Milo stops by... by Chas · · Score: 1

    Fires and employee uprisings and the members of the board running around going "NAZI!" and punching random people...

    --
    Chas - The one, the only.
    THANK GOD!!!
  12. likes-a-joke by Anonymous Coward · · Score: 0

    Put another drunk -ass in charge! :;'And now 'we""l' see what happens.

  13. College Campus? by Big+Hairy+Ian · · Score: 5, Interesting

    Speaking as an IT Professional working at a large University I can assure you we take network security very very seriously. I believe Facebook would be envious of our network security teams.

    --
    Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.

    1. Re:College Campus? by Anonymous Coward · · Score: 1

      Speaking as a developer who has worked with defense contractors, I can tell you that they take checking off government checklists of what qualifies as "secure" very seriously, but that's about it. As long as they can say "we followed the checklist!" and point fingers back at the government, they don't care even a little about true security.

    2. Re:College Campus? by Anonymous Coward · · Score: 0

      Then you worked for a lacking contractor. My working as a contractor for the Marines was eye opening. They took security very seriously. Yes, they had the Congress-mandated checklists, as well as STIGs, but they also had sign-offs, reviews of security, and other checks that ensured nothing slipped through. This was just for stuff that was internal only. Web servers for this group were even more locked down. Plus you had to have a CAC to even access the apps, plus a second form of authentication.

    3. Re:College Campus? by Anonymous Coward · · Score: 0

      Speaking as someone who has worked in IT for (no specific order):
      Airlines - well resourced and managed networks, the best I've ever seen, at least with the airline I worked at.
      Universities - fairly well resourced and managed.
      Tech company - "good" resourcing, management and practices sloppy - a lot of - lack of ownership of systems and people that care about them, just patch it up, hack it around, this will do for now and slam the door shut, worry about it when next becomes a problem.
      Large corporate - ok resourcing, security and legal depts have the final say, well managed, things could be better/improved but it's easier said than done.
      Public Hospital - awful, total lack of resourcing, everything is held together with string and tape.

    4. Re: College Campus? by Reverend+Green · · Score: 1

      I *wish* my company could afford military level security. They may sometimes be checklist checkers, but at least they take the matter seriously.

  14. Sloppy? by sjbe · · Score: 3, Insightful

    Well, considering their 1.2 billion people DB hasn't leaked ..

    If it's run that sloppily then it might have already happened and they/we just don't know it yet. My suspicion is that it is merely a matter of time before Facebook has some form of catastrophic data breach.

    Honestly I'm not even a tiny bit surprised that Facebook is sloppy. They have a looooong pattern of not giving a shit about the people who use their service and being alarmingly relaxed (for lack of a better word) with privacy and the rights of their users. This is just another example of why I don't trust Facebook and do not have an account with them.

    I guess they're doing an OK job, compared to, let's say, Yahoo... who have been hacked like 3 times in 5 years? Or LinkedIn. Or Equifax.. or ..

    Talk about damning with faint praise...

    1. Re:Sloppy? by gnick · · Score: 3, Insightful

      This is just another example of why I don't trust Facebook and do not have an account with them.

      You never signed up for an account with them. That doesn't mean that there isn't a nice fat DB entry with your name and all the information they can gather. Did you sign up for Equifax?

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Sloppy? by Ol+Olsoc · · Score: 1

      This is just another example of why I don't trust Facebook and do not have an account with them.

      You never signed up for an account with them. That doesn't mean that there isn't a nice fat DB entry with your name and all the information they can gather. Did you sign up for Equifax?

      Install NoScript and look at the scripts it's blocking. Look 'em up to see who's collecting the data. Facebook is tracking you even if you've never had an account there.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Sloppy? by Anonymous Coward · · Score: 0

      FB networks have already been breached by an ethical hacker.

      https://devco.re/blog/2016/04/21/how-I-hacked-facebook-and-found-someones-backdoor-script-eng-ver/

  15. Colleges are locking networks down hard by Anonymous Coward · · Score: 1

    A college campus network in the late 90s was as close to "free flow of information" as you can get. Nowadays there are firewalls everywhere. The last university network I was on didn't even allow NTP syncs with external servers.

    1. Re:Colleges are locking networks down hard by Anonymous Coward · · Score: 1

      You are not kidding. I currently work for a pretty large university and every dorm room's switch port is on a solo VLAN with the uplink port, so no two ports can talk to each other. Even more, every port is only allowed one MAC address, which a user must pre-register with IT. In other words, students cannot have two computers talking to each other at all, unless they buy their own switch and do it locally (which is against the AUP of the university, even if their private LAN is airgapped). That means students can't play LAN games, bring their own network printers (must be USB), and so on. It's draconian.

    2. Re:Colleges are locking networks down hard by Anonymous Coward · · Score: 0

      I hate to be elitist, but I'm sure this is not happening at top schools.

    3. Re:Colleges are locking networks down hard by skids · · Score: 1

      One MAC address per port is a bit on the extreme side for a residential user hospitality port... probably they have just not yet bought equipment capable of multi-client wired MAB/dot1x, thus the one-MAC-address limitation. Registration of your MAC addresses is absolutely essential for security as, with wired dot1x and a cert bearing your registration, you can shut down a huge number of amateur-skill attacks by doing that (and if you haven't gotten all the way to wired dot1x yet and are still using MAB, you can at least raise the bar a little and also prevent those amateur attacks which can take down the whole network).

      However, "LAN gaming" is kind of ridiculous to expect any enterprise LAN to support... these are segmented networks out of necessity. The "One Big LAN" model just collapses under its own weight for technical reasons at college student body scales. You have to switch to NBMA models (preferred in the case of WiFi to limit RF chatter) or segment the whole network, or it will just crash all the time due to BC storms. That isn't a matter of bugs in the gear, it's just a natural consequence of the ethernet standard.

      So who is on your "LAN" would be pretty arbitrary. It could be just your dorm floor or it could be only the people in your same class year or academic major or whatnot. On wireless, turning off broadcast/multicast is common best practice, and that would shut down any LAN game that relies on broadcast/multicast for discovering the participants, or during gameplay. Sometimes you have the staff and funds to administer a filtered/cross-vlan tool providing SDPish services to re-enable some of the living-room crap people want like sharing to their AppleTVs, sometimes you don't, but I don't know of any product of that stripe that has prebuilt profiles for the huge assortment of ad-hoc game protocols that must be out there.

      Forbidding local air-gapped networks is just beyond the pale. That college IT department needs to be put into its place. And, perhaps, resourced to configure STP and other loopguard protections correctly, since they probably did that just because they were afraid of network loops. They are just inviting disaster, since some person within WiFi range and out of their policy jurisdiction could fire up an alternative service, and given the oppressive restrictions, people will jump on it whether it is secure or not. You have to keep the network functional enough for the users to want to stay on it, or your security is threatened.

    4. Re:Colleges are locking networks down hard by h4ck7h3p14n37 · · Score: 1

      students cannot have two computers talking to each other at all, unless they buy their own switch and do it locally.

      You mean unless they run a NAT gateway and communicate which high numbered port to use for their service.

    5. Re:Colleges are locking networks down hard by mattack2 · · Score: 1

      Honest question. Since MAC spoofing is apparently easy (https://en.wikipedia.org/wiki/MAC_spoofing), why is registration of your MAC addresses "absolutely essential for security"?

    6. Re: Colleges are locking networks down hard by Reverend+Green · · Score: 1

      I'm torn between "behind the curve as always" and "one law for the little people, a different law for the big people".

    7. Re: Colleges are locking networks down hard by Anonymous Coward · · Score: 0

      Nice wall o' text.

      You lose at security. Next!

    8. Re:Colleges are locking networks down hard by skids · · Score: 1

      Well, most places haven't gotten to quite this level yet: when combined with an EAPOL EAP-TLS/dot1x setup, you register your MAC address, you get a client cert containing that MAC address, and the switch will not let you on using a different MAC address than one you have registered. Presumably you don't allow double-registrations, of course. (Further past that you can close the last of the wired MITM vectors with MACsec, but that requires rather new switches still.)

      But even with (yes, easily spoofable) MAC addresses there are several benefits. First, only allowing registered MAC addresses on the network prevents people flooding the network ARP and bridging tables with lots of fake MAC addresses or exhausting your DHCP pools, so you close some DoS and flooding attack vectors that can completely wreck the network or allow messing with traffic. Second, most people are not spoofing, and knowing who owns that machine that got infected shortens incident response time. It's also the most convenient thing to use as a machine identifier, lacking the GUID you get in managed environments.
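
      The two skids comments above (MAB/dot1x with pre-registered MACs, and the benefits that survive even though MACs are spoofable) describe a policy that is easy to show in code. The block below is an added example, not code from Slashdot or from any poster: a registry of pre-registered MACs decides per-port admission the way a MAB-enforcing switch would, a port that learns many distinct unregistered MACs is flagged as the address-table / DHCP-pool flooding case, and the registry answers the incident-response question "whose machine is this?". The log-line format (`<port> learn <mac>`), the registry contents, the port names and the flood threshold are all constructed for the example.

```python
"""Registered-MAC port admission (MAB-style) with flood detection.

Added example, not code from the thread. Models the policy described by
skids: admit only pre-registered MACs per port, flag ports that cycle
through many unregistered MACs, and look up the owner of a MAC for
incident response. Log format, registry and threshold are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed registry: MAC -> owner, what a user would pre-register with IT.
REGISTRY: Dict[str, str] = {
    "00:11:22:33:44:55": "alice@example.edu",
    "66:77:88:99:aa:bb": "bob@example.edu",
}

# A port that learns at least this many distinct unregistered MACs is flagged
# (the "flood the bridging table / exhaust the DHCP pool" case). Constructed value.
FLOOD_THRESHOLD = 5

# Constructed log format: one line per MAC a switch learned on a port.
LOG_RE = re.compile(r"^(?P<port>\S+)\s+learn\s+(?P<mac>\S+)$")


@dataclass
class Decision:
    port: str
    mac: str          # normalized form
    allowed: bool
    owner: Optional[str]


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-..., or aabb.ccdd.eeff; return lowercase colon form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def admit(port: str, mac: str, registry: Dict[str, str] = REGISTRY) -> Decision:
    """MAB-style decision: the port admits the MAC only if it is registered."""
    mac = normalize_mac(mac)
    owner = registry.get(mac)
    return Decision(port, mac, owner is not None, owner)


def parse_log_line(line: str) -> Tuple[str, str]:
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.group("port"), m.group("mac")


def process_log(lines: Iterable[str], registry: Dict[str, str] = REGISTRY,
                threshold: int = FLOOD_THRESHOLD) -> Tuple[List[Decision], List[str]]:
    """Run admission over learn events; return all decisions and the flagged ports."""
    decisions: List[Decision] = []
    unregistered_per_port = defaultdict(set)
    for line in lines:
        port, mac = parse_log_line(line)
        d = admit(port, mac, registry)
        decisions.append(d)
        if not d.allowed:
            unregistered_per_port[d.port].add(d.mac)
    flagged = sorted(p for p, macs in unregistered_per_port.items() if len(macs) >= threshold)
    return decisions, flagged


def summarize(lines: Iterable[str]) -> dict:
    decisions, flagged = process_log(lines)
    return {
        "allowed": sum(d.allowed for d in decisions),
        "denied": sum(not d.allowed for d in decisions),
        "flagged": flagged,
    }


def owner_of(mac: str, registry: Dict[str, str] = REGISTRY) -> Optional[str]:
    """Incident-response lookup: who registered this MAC?"""
    return registry.get(normalize_mac(mac))


# Constructed sample: two registered hosts, one stray unregistered device, and
# one port where a single host cycles through eight made-up MACs.
SAMPLE_LOG = [
    "Gi1/0/1 learn 00:11:22:33:44:55",
    "Gi1/0/2 learn 66-77-88-99-AA-BB",
    "Gi1/0/3 learn 0011.2233.4466",
] + [f"Gi1/0/7 learn de:ad:be:ef:00:{i:02x}" for i in range(8)]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("owner of 0011.2233.4455:", owner_of("0011.2233.4455"))
```

      The design point matches what the comment says: the registry does not stop a determined spoofer, but it turns the cheap attacks (random-MAC floods, pool exhaustion) into a per-port signal that is trivial to alert on, and for the majority who never spoof, the owner lookup is the first step of incident response.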

    9. Re:Colleges are locking networks down hard by mattack2 · · Score: 1

      Second, most people are not spoofing

      But isn't that mostly security through obscurity?

  16. One example by sjbe · · Score: 3, Informative

    Well, I wouldn't be surprised if some college campuses have better security than some defense contractors.

    I cannot speak for every defense contractor but I've worked at one in the past and with a few as a vendor and I can assure you that their security (physical and IT) was CONSIDERABLY tighter than any college campus I've ever seen, at least where I was working.

    1. Re:One example by GuB-42 · · Score: 3, Interesting

      And I've worked with defense contractors with abysmal security... They had safes, paper shredders, badges, special networks, all that stuff but it was just a facade. People shared passwords and used personal USB keys to transfer data, it took so long getting physical access that tailgating was the norm, airgaps weren't, outdated software, the IT department was so incompetent that bypassing it was almost a requirement for getting things done. While working there, I stumbled upon several gross vulnerabilities without even trying.
      At school, students had much more freedom but at least the network was sane, and the IT department was not the friendliest place on earth but they did the job.

  17. You can't be hacked by houghi · · Score: 1

    You can't be hacked if you have nothing hidden and everything is public. PointsHead.gif

    --
    Don't fight for your country, if your country does not fight for you.
    1. Re: You can't be hacked by Reverend+Green · · Score: 1

      True.

      In a sense, publicity is the ultimate security.

  18. Former security Chief by aglider · · Score: 1

    If he wasn't "former" at the disclosure, he surely will be shortly after.

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  19. As suspected by Anonymous Coward · · Score: 0

    Facebook is a group of moronic children. Is anyone surprised that people under 30, particularly in this day and age, couldn't manage their way out of a wet paper sack? You give power to children, they use it with the common sense and experience of children. The result is usually about on par in terms of insight, understanding, and mastery with their other high school science projects. We have done this to ourselves by refusing to be responsible adults, folks.

  20. So, they will lock the network down to be useless? by enjar · · Score: 3, Interesting

    Running joke from my buddy that works at a defense contractor is that if you can do your job, the network isn't secure enough. It's amazing the hoops he has to jump through to perform functions and obtain permission to perform functions that are actually enumerated in his job. Oh, and of course, they are told to just assume the network is compromised, anyway. There are good security reasons for some of the restrictions, of course -- but there's no denying that having a very locked down network requires significant investment on the IT side as well as slowing down the jobs of the people actually trying to use the network.

  21. Wow! by DaMattster · · Score: 1

    I am surprised that a Facebook exec would publicly admit a failure like that! Worse, I am surprised said exec would have even allowed such an insecure network. Well, I am glad I gave up my Facebook account! Fuck Zuck.

    1. Re:Wow! by DaMattster · · Score: 1

      Need to read more carefully next time. The memo was leaked. Le sigh

  22. Remember Harvard! by Anonymous Coward · · Score: 0

    If Mark Zuckerberg is wired into the network, coding and drinking late at night, can he crash the Facebook campus network the same way he crashed the Harvard campus network? So much for intelligent design.

    Source: "The Accidental Billionaires: The Founding of Facebook: A Tale of Sex, Money, Genius and Betrayal" by Ben Mezrich

  23. "Move fast and break things" by ErichTheRed · · Score: 2

    The problem is that it's very difficult to resolve "move fast and break things" developers with anything approaching information security. If you run an extension of a college campus like Facebook does, you're going to get a college campus mentality.

    I can see why they are concerned though...Facebook has become the de facto identity provider for almost every consumer website. That "sign in with Facebook" button lets developers assume that Facebook will keep login details for millions of users safe. Microsoft has this same problem with Office 365/Azure AD and they've gone to great pains to explain what they're doing around security. Any time you are providing a vital service that others are counting on, and you have people's personally identifiable information stored, you can't put that in a college campus environment.

    1. Re:"Move fast and break things" by skids · · Score: 1

      FWIW, "move fast and break things" developers don't generally last very long in college environments. Software dev runs at a snail's pace because everyone is actually using the software for important things, and when it breaks, there is hell to pay from the users... and the users are only a short walk away from you.

  24. Ever worked at one of these defense contractors? by Anonymous Coward · · Score: 0

    I have (BAE, and Raytheon).

    The configuration and lockdown can be so Byzantine that simply signing into your workstation can be a chore.

    Hmm, how many intrusions has this prevented? Oh, that's right. None.

  25. Does that mean by OYAHHH · · Score: 1

    Employees are f-ing like monkeys, drinking like sailors, and staying up all night to try to finish that last bit of code which ultimately results in a D+ grade?

    --
    Caution: Contents under pressure

  26. Minimizing harm by sjbe · · Score: 1

    You never signed up for an account with them. That doesn't mean that there isn't a nice fat DB entry with your name and all the information they can gather. Did you sign up for Equifax?

    Oh I'm well aware they are trying to gather data on everyone. I also cannot stop my idiot friends and family from posting information and pictures about me. Nevertheless I'm not going to cooperate with them and I make pretty heavy use of software to block advertisers and others who want to track my actions on the net. I'm sure information leaks through but they don't have nearly as much on me as they could if I took no measures and they don't have information voluntarily from me.

  27. "you can't be too secure" by Anonymous Coward · · Score: 0

    Some years ago (when /. was new) someone posted a comment regarding computer security on an article about a major system that had recently been hacked. He began with "when you are responsible for computer security, you can't be too secure. A shotgun will help." Then he went on about choosing firearms for people staffing a computer room, really strange, with references like "don't use a large gun for your wimpy hands, a .22 slug in the gut is better than a .357 in the ceiling."

  28. The Magic of Zuck by Anonymous Coward · · Score: 0

    Does anyone remember when Zuck was hacked and it turned out his password was dadada? And people actually trust this clown with their data. He is both evil and incompetent, which is a dangerous combo. Ditch Facebook.

  29. Manufactured outrage by radarskiy · · Score: 1

    Lots of people outraged that their network is run like a college campus, no one looking at what he meant by that phrase.

  30. Someone wants a raise. by chakan2 · · Score: 1

    If what he claimed were true, FB would've had a major breach already. This sounds more like internal political jockeying rather than valid concerns.

  31. Why do you think they got offices near the spooks? by Anonymous Coward · · Score: 0

    Why do you think they're building that new office right near all the spooks?

    Must make it awfully convenient to tap into the fiber.

  32. drone riots by kwoff · · Score: 1

    Security people won't be happy until everyone has chips implanted and nerve stapling capability.

  33. If you have sysops or security experience from uni by MarkH · · Score: 1

    You have a great career in front of you. Employed a few myself. Great combo of open network experience with hardened systems, with thousands of smart little shits (technical term) trying it on daily.