Facebook made a grievous PR error taking back the internship. Regardless of who he is, my peers are thinking twice about joining Facebook now due to what looks like a petty and vindictive administration.
Those who made this decision probably won't see the bad fruits of it directly, but I know of two people who are very talented who turned down offers they were about to accept due to the news.
Those of us who have worked at Google or Apple or other top firms know what vindictive and short-sighted administration looks like and what a bad sign it is for the environment.
And that's aside from the fact that what the kid did embodies the "hacker way" held up by Mark. Signs of a backwards company having an identity crisis.
> Facebook made a grievous PR error taking back the internship.
Only if the issues surrounding the internship loss can be generalized enough that potential interns and employees will actually give a damn. Otherwise, it's just "some dude lost an internship. Wow. Gimme tha money."
Facebook has proven that "Code wins arguments" is bullshit, but Google has proven that they can be just as evil and manipulative as everyone else and you see how that's worked out.
It was hardly an exploit when the data was publicly available... It was a lack of privacy control by Facebook which the public recognition forced them to fix.
FB is a shitty company on certain levels... I was let go for being "too social" (Really? WTF!?)
I also inadvertently caught a VP lying about the status of a project. I was doing weekly status reports on certain projects, and one project VP wanted me to get my status from him only... as opposed to me going to the other contributors like I was on all other projects.
After he was not responding to my questions, I went to the direct contributors for status and found out the schedule was behind and things that were said were done were not.
I reported this, true status, along with my others.
Within hours of doing so, my manager and the rest of my team (we sat in one row) got up and left... then I got a call telling me I had to leave the building immediately.
This was just hours after having a meeting with several people telling me how happy they were I had joined and what a great job I was doing.
FUCK FB.
The internal culture is a set of ambiguous bullshit rules enforced ruthlessly. It seems that there are a lot of people jockeying to be the big swinging dick in each area.
There are thousands of cool employees, and a ton of assholes.
Facebook's response seems predictable if the intern had just thought about it a bit. I'm not arguing that FB did the right thing, only that they took a predictable action.
What is the real harm of not rescinding this guy's internship? Seems punitive and petty. It's not like anyone actually believes that FB cares about privacy. Whatever reputation or brand damage there was done a long time ago by FB's repeated violations of user privacy, which is just the natural state of things given their advertising-based business model.
FB could have turned this around and scored a marketing coup: "look we're hiring the hacker who exposed a security flaw, he'll be patching up the hole he found this summer - because at FB we're committed to user privacy and saving baby harp seals!"
But then again, is this really a big surprise? Just another data point in the growing contradiction between what SV is and what SV wants to be.
> But most people hope that individual Facebook employees have limited strictly audited access to user data.
Any reason to think this is at all the case?
I recall Google getting into trouble over this in the past [1]. I can definitely see data scientists and other employees at FB taking a peek... if anything just finding out who looked at your profile/photos/etc would be pretty tempting.
At this point, FB is just too valuable as a source of intel. I just assume that the US Govt (and others) has direct and easy access. Use at your own risk.
> Way back in 2005, a kid named Chris Putnam wrote a computer virus that rapidly spread across Facebook. [...] Pretty quickly, Facebook's COO, Dustin Moscovitz, was able to figure out Putnam was behind the attack. But instead of having Putnam arrested, Facebook hired him.
> "I will be forever grateful that the company was so sympathetic toward people like myself. It's one of the things that really sets Facebook apart with its passion for scrappy, hacker-type engineers."
Everybody loves a cool hacker persona. Except when it's directed against you :) And Facebook, imo, is more of "get shit done", rather than "break shit". This was more of the latter.
But really, if you work for a company, even if just as an intern, you really should be looking out for their interests. If you aren't, then why would they keep you?
But then, it really isn't a smart PR move from Facebook. Now we know that not only do they mess up privacy big time, but that they're not hiring anyone who wants to raise public awareness on that subject. As if public awareness was detrimental to Facebook.
Which it obviously is, but by hiring that person anyway, and having him work on privacy and ethics inside FB, they could have shown some good will.
What was predictable about it? The author didn't do anything illegal or unethical. So he violated the ToS. I violate ToS's probably daily and I think most people would agree they have become a cultural joke.
If anything I'd think the appropriate response would be sitting him down and saying "look, we appreciate you are an enterprising risk-taker, but we have certain expectations here at mega-corp." Once he was a sufficiently brow-beaten corporate drone, then they could have piled monotonous work on him/her ad infinitum. Win-win in my mind.
"As a rising [University student / whatever]," - have people really started saying this? "Rising" as a self-descriptor sounds ridiculous. I feel like this is at least the second time I've seen that opener.
I don't think so in this case. The company knew about the feature (per the story they were informed in 2012) so private disclosure would have likely gone nowhere.
This is another sad example in a long list of security/privacy issues that only get fixed by what sometimes gets called "stunt hacking", or flashily disclosing the issue.
Take Android security patching as a great example. Security pros have been lamenting the lack of a security patch process on Android for years and years; Samsung et al have done very little about it. Now Stagefright comes along and gets the press, and all of a sudden Samsung are committing to regular security patches.
Another good example is the car hacking stuff that Chris Valasek and Charlie Miller did. Without the press furore around their release, do we think a recall would've happened for those cars... I don't think so.
It's an unfortunate truth in security that full disclosure gets the results that private disclosure often doesn't.
The leak was publicized in 2013 by somebody else, and it wasn't fixed for two years until the events in this article. Clearly Facebook didn't think it was a bug or a security issue, or they wouldn't have taken two years to fix it.
IMO the kid dodged a bullet when the internship was rescinded. Looks like hubris and shitty company culture, and he can probably get something better.
Yup. He seems too young and idealistic. Of course you don't publicly release anything that is damaging to your employer. That should never even have occurred to him. Companies have this kind of training all the time. Maybe if he'd lasted long enough to actually get to the internship he would've learned it.
I'm glad that he noticed the privacy flaw, but someone who is about to become an employee of Facebook is the worst person to publicly release it. Maybe the notoriety he's gained from this will be worth it in the end, but I know a lot of companies probably won't want anything to do with him given the (lack of) judgment he's demonstrated from this.
> Of course you don't publicly release anything that is damaging to your employer.
I think that is a really, really dangerous line of thinking. Sometimes, employers do bad things. Sometimes (perhaps often), there is not a satisfactory way to rectify those bad things within the company. Sometimes, what's good for the public outweighs what's good for your employer. It is absolutely reasonable to have a conscience and say "wait, this isn't something I can let slide."
Now, did that happen here? I'm not sure. This individual made a judgment call, as you said. I don't know if I would have made the same call. But I simply don't feel that loyalty to one's employer is as important a value as privacy or safety. If that makes me unhireable in Silicon Valley, I guess I don't want to work in Silicon Valley.
> .. Companies have these kinds of training all the time.
Two broad categories of workers emerge from elite institutions.
> .. (lack of) judgment he's demonstrated ..
Well, to this reader (at least) our fellow geek here has established which of the above subsets of workers he belongs to. You're correct that he has demonstrated that he is unfit for, say, the Facebooks, Goldman Sachses, Googles, ... of the world.
But who knows? Possibly Aran Khanna will follow up on his debut [1] and become a future LEADER in this space.
Facebook offers a bug bounty program, use it! I just did and got paid $2000 this month for reporting a crypto related flaw. The thing is, if a company offers a bounty program and you choose to go around it and publicly disclose you are sort of a jerk and to more than just the company. Another researcher had already found and reported the bug. Facebook was already working on a fix. The researcher was likely waiting for the terms of the bug bounty program to be met so they could then publish and spin it into a Black Hat, DEF CON, CanSec talk, then this kid comes along and takes the thunder. That's a real dick move.
How is this a bug? It's a feature of FB Messenger! He didn't have to exploit any bugs to get at the data. He just took what FB gave him and displayed it on a map. Why would this be eligible for a bug bounty?
Can someone give me an idea of how difficult it would be to change the default in the software from sharing location to not sharing location? Is it more complicated than simply changing a variable value somewhere in the code?
It's always difficult to answer questions like this, because code can be structured in so many different ways, good and bad, to do the same things. It's probably safe to say in this case that for a well-written body of code this would be a simple change: likely changing the default value of a flag, or the boolean expression in a branch. However the code could be written to make it much more difficult, and there is just no way to get a sense of that without understanding how it is put together.
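As an added illustration of the "changing the default value of a flag" case the reply above describes (this is constructed example code, not Facebook's or the thread's), the block below puts an opt-out default (location attached unless the user turned it off) next to an opt-in default (location attached only if the user turned it on) in an otherwise identical message-building path, and audits how many outgoing messages end up carrying coordinates. The message shape, the `share_location` setting and the coordinates are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Coords = Tuple[float, float]  # (latitude, longitude); assumed metadata shape


@dataclass
class Message:
    sender: str
    text: str
    location: Optional[Coords] = None  # metadata that rides along with the text


def attach_location(text: str, sender: str, device_location: Coords,
                    share_location: Optional[bool], default: bool) -> Message:
    """Build an outgoing message.

    share_location is the user's explicit choice (None if they never chose);
    default is what the product applies when no choice was made.  The single
    boolean `default` is the "default value of a flag" from the discussion:
    the branch below is the same in both policies, only the default differs.
    """
    allowed = default if share_location is None else share_location
    return Message(sender, text, device_location if allowed else None)


# Weak policy: opt-out.  A user who never opened the settings shares location.
def send_opt_out(text: str, sender: str, device_location: Coords,
                 share_location: Optional[bool] = None) -> Message:
    return attach_location(text, sender, device_location, share_location, default=True)


# Hardened policy: opt-in.  Location is attached only after an explicit choice.
def send_opt_in(text: str, sender: str, device_location: Coords,
                share_location: Optional[bool] = None) -> Message:
    return attach_location(text, sender, device_location, share_location, default=False)


def count_location_leaks(messages: Iterable[Message]) -> int:
    """Audit helper: number of messages that carry coordinates."""
    return sum(1 for m in messages if m.location is not None)


def simulate(policy, choices: List[Optional[bool]]) -> int:
    """Send one message per user under `policy` and count how many leak."""
    here: Coords = (37.4848, -122.1484)  # constructed coordinates
    sent = [policy("hi", f"user{i}", here, c) for i, c in enumerate(choices)]
    return count_location_leaks(sent)


if __name__ == "__main__":
    # Three users who never touched the setting, one who explicitly opted in.
    population: List[Optional[bool]] = [None, None, None, True]
    print("opt-out default leaks:", simulate(send_opt_out, population))  # 4
    print("opt-in default leaks: ", simulate(send_opt_in, population))   # 1
```

The point the audit makes is that the code change really is one boolean, but the privacy outcome depends entirely on what the population of users who never visited the settings screen gets by default; an explicit opt-out still protects the user who made a choice under either policy.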
I remember the post that demonstrated the privacy issue. Back then I thought it was really weird he wrote that without being scared of losing his internship. If it were my company I would do the same.
I would be a lot less sympathetic to the intern if Facebook itself was not infamous for having first been built on scraped content. I am not sure I would want an internship with them anyway, they seem to have lost freshness and with it a lot of their young user base.