
Facebook has fired an employee accused of using privileged access to stalk women - rrauenza
https://www.sfgate.com/technology/businessinsider/article/Facebook-has-reportedly-fired-an-employee-accused-12880672.php
======
jacquesm
Apparently he's not the only Facebook employee that saw the dating potential
of the database.

Google once also had a case like this. What speaks for FB (and Google) is that
these things happen so rarely. Their processes (including hiring) and
monitoring must be quite good to be able to have a workforce that large and
yet so few incidents of this kind (at least, that we hear about).

~~~
evgen
A significant majority of Facebook's security infrastructure is inward-facing.
Too much history with engineers doing stuff like this and the possibility of
an employee being compromised by a hostile state actor is high on the list of
threats that are considered. It used to be the case that an engineer could
fire up a test instance of the front-end and poke away at the back-end without
anyone noticing, but those days are long past. I am not sure how much more has
been added in the past few years, but there were so many instances of
developers snooping on the new SO of their ex-SO back in the day that the
paranoia level for this sort of threat became a driver for a lot of infosec
projects.

Given that anyone on the team who had been around for a while would have known
this, I am assuming the security engineer who was shown the door was either an
intern or new to the team as most others would have known that they would
eventually be caught.

~~~
cierra
I think you are exaggerating the amount of internal security there is at
Facebook. Up until a couple years ago, many of the internal tools didn't have
any privacy restrictions to stop employees from looking at private user data.
I looked at user data all the time as part of my job and was never questioned
about it. Of course I never looked at anything I shouldn't have out of fear of
getting caught. But no one checked to see why I was always looking at user
data.

Even after common tools were changed to add warnings about accessing private
data, there were still many ways to go around them. All engineers have access
to user databases as well as the thousands of other data sets that contained
user data.

The reason why most employees wouldn't abuse their power is the fear of
getting caught (not due to any actual internal security). From this article,
it's not clear how the fired employee accessed private data. So I can't say if
they did something too obvious or if they put any effort in making sure they
had plausible deniability if caught. This article doesn't indicate whether
internal security actually caught the data access violation. It sounds like
they only found out after the accusations appeared on Twitter.

~~~
rrauenza
It's not even clear he did for sure -- he could have been fired for just
claiming he could since the claim harms the company.

------
joezydeco
Wasn't this the core business model of TheFacebook circa 2004?

------
rhcom2
The article makes it sound like Facebook only found out via outside
investigation. That is not a good look.

~~~
jacquesm
That's a very good observation. They should have caught this internally _long_
before an outsider pointed it out to them.

This is worrisome, especially given the comment upthread about how a large
portion of Facebook's security is inward facing.

------
BigHairyDocs
It wasn't me, guys!

