
They do have a firewall with a default deny policy, but due to an overlooked configuration issue and a miscommunication on the network team, it failed to include this server (and this server only).

"They should have auditors to make sure that doesn't happen!", you might say. Well, they do. That's how they caught it.

No matter how much someone wants to pretend their process is perfect, the fact is that in practice, simple, embarrassing mistakes can and do happen. Facebook is a company packed with many competent software, network, security, and infrastructure engineers; no one can doubt that. I'm sure they have at least semi-formalized code review processes and a security checklist pre-deployment. Yet they still overlooked this pretty permissions issue which anyone who has ever developed a multi-user web app has encountered.

It's easy to armchair quarterback it, but keep in mind, one day it may be your organization up on HN. Pretending like you're invincible is not productive for anything except your personal ego.



