
When Myspace Was King, Employees Abused a Tool Called ‘Overlord’ to Spy on Users - jmsflknr
https://www.vice.com/en_us/article/j5w4xx/myspace-employees-spied-on-users-with-internal-tool-overlord
======
arkadiyt
This is all too common. I teach "Security 101" onboarding to new hires at my
company and this is one of my slides:

- Google Engineer Stalked Teens, Spied on Chats:
[http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats](http://gawker.com/5637234/gcreep-google-engineer-stalked-teens-spied-on-chats)

- Lyft Investigates Allegation That Employees Abused Customer Data:
[https://www.theinformation.com/articles/lyft-investigates-allegation-that-employees-abused-customer-data](https://www.theinformation.com/articles/lyft-investigates-allegation-that-employees-abused-customer-data)

- Uber Employees Allegedly Use Data to Stalk Exes, Celebs:
[http://www.newser.com/story/235409/lawsuit-uber-employees-use-data-to-stalk-celebs-exes.html](http://www.newser.com/story/235409/lawsuit-uber-employees-use-data-to-stalk-celebs-exes.html)

- Facebook Investigating Claim That Employee Used 'Privileged Access' to
Cyber-Stalk Women:
[https://gizmodo.com/facebook-investigating-claim-that-employee-used-privile-1825666305](https://gizmodo.com/facebook-investigating-claim-that-employee-used-privile-1825666305)

- Snapchat Employees Abused Data Access to Spy on Users:
[https://www.vice.com/en_us/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion](https://www.vice.com/en_us/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion)

I suspect the vast majority of these abuse cases never make it to the public.

~~~
caycep
These are all social media companies, but what about similar abuses or
security holes as such for those of us who are thinking about putting our
small business data online to cloud drives/storage lockers, i.e. the Google
suite drive, Dropbox business, Backblaze backups of the world?

~~~
joshuamorton
[https://support.google.com/a/answer/9230979?hl=en](https://support.google.com/a/answer/9230979?hl=en)
may be relevant (I work in cloud, but am not familiar with that tooling, other
than knowing of its existence). AWS might provide something similar, but I
don't know what it is.

~~~
worik
Not really. The problem is unauthorised access by users with sufficient
privileges to do whatever they want. That would include turning off audit
logs.

Do you think that when Google serves your data up to the secret police that
shows up in audit logs?

~~~
dodobirdlord
Do you imagine that engineers at Google just wander around with unaudited
ability to disable audit logs?

~~~
markholmes
Do you imagine this to be an impossibility? It would only take one.

~~~
dodobirdlord
I imagine that nobody has ever been deliberately given this power (why would
it need to exist?), and that the auditing implementation is robust against
most combinations of credentials that most engineers could put together. The
number of people that could pull it off in theory is probably very small, the
number that could do it in practice without leaving any trace is probably 0.

------
txt
Myspace had a lot of issues when it came to security. At one point I was
discovering multiple exploits every week that gave me access to any account I
wanted. Most were patched up in a few days, using some temp workaround that
would end up creating a new hole to explore lol, it was the wild west for me.
Now I never used it to pull sensitive data or any type of illegal activities
such as fraud etc. BUT I may have had quite a few sites that suddenly had
millions of active users browsing them. ;] I'm sure if I hopped on some of my
old machines, I could post some interesting code from those days...

~~~
cesarb
> Myspace had a lot of issues when it came to security.

Obligatory: "The MySpace Worm"
[https://samy.pl/myspace/](https://samy.pl/myspace/)

------
fortran77
Back in Web 1.0 (1999 or so) I worked for what was then a large Social
Network. There was no security. Any engineer could look at anything.

When the thing went belly-up (it was acquired and then ended) the servers were
scrapped without even being wiped. Someone probably bought them at WeirdStuff.

~~~
billpg
I'm trying to think what was around back then that could be described as a
social network. Geocities?

~~~
fortran77
One fact about it: It was the only one that worked well on a WebTV.

It turns out we had a lot of people in prisons using it, because some prisons
had gotten WebTVs not knowing that the inmates could use it.

The Management didn't care, as long as there were pageviews. (Which I was
directed to inflate by our CFO.)

------
deanclatworthy
If you found this article or the idea interesting, be sure to check out one of
the latest episodes [1] of Black Mirror.

[1]
[https://www.imdb.com/title/tt8758202/?ref_=ttep_ep2](https://www.imdb.com/title/tt8758202/?ref_=ttep_ep2)

~~~
EpicEng
Unfortunately I did not find that episode of Black Mirror interesting.

~~~
rxhernandez
I found this entire season to be sophomoric. A lot of the previous episodes
were dense in subject matter that's not too often explored; the subject matter
in this season has all been going on for the past decade or two and you would
have to have not been paying any attention to the news while maintaining
absolutely no interest in transgender topics for this to be meaningful.

!!!!!! SPOILERS FOLLOW !!!!!!

Episode 1 - "a guy explores his gender in a video game and finds that he
enjoys a gender different than the one he's playing in real life. His friend
finds that he enjoys his friend in that gender despite not being gay."

Big deal? People have been doing this in real life without the aid of video
games for decades now.

Episode 2 - "a guy gets addicted to social media and (potentially) kills his
significant other because he was paying attention to his social media while
driving. He coerces the CEO of said social media into talking to him, CEO pays
him some lip service after "triangulating" who this guy is through minimal
information. Guy dies. Life goes on."

I mean what's surprising here? Who hasn't looked up a blind date with Google
to figure out whether or not they're a psycho? Laymen already have this
information easily accessible to them. I've done a background check on myself,
out of curiosity, and I found my address, phone number and email by just
looking up the city I'm from and my name. Social media profiles are even
easier to find.

Or was it the fact that the CEO paid convincing lip service to some guy and
then doesn't follow through with it?

Or was it that life goes on after you die? Big whoop?

Episode 3 - I mean why bother, it was just another feel good episode on a
topic Black Mirror already explored.

~~~
bduerst
I think the problem is that people expect every episode to be _San Junipero_
now. Does nobody remember the first episode of season 1? The show has come a
long way.

I've only seen Episode 1 of season 5, and it explored the gender bender aspect
of a fully-simulated virtual reality. Solid concept, but it probably could
have been more relevant to pop-culture if they had incorporated catfishing as
well, rather than a best friends' love-triangle or whatever. Would have cinched
it too if there was a Pina Colada song ending, which they set themselves up
for.

~~~
IIAOPSW
Season 1 ep 1 was the episode where the PM porks the pig. People remember it
because it became shockingly relevant.

IMO seasons 1 and 2 were the best. Seasons 1 and 2 gave us things like the
Waldo incident, which seemed to predict the rising tide of populism and data
driven politics. They gave us White Bear which is a brilliantly deep critique
on crime and punishment in technologically advanced societies.

The worst episodes can all be summed up as "the bees". The bees episode didn't
have any deep or interesting point about micro-drones. It was just bad guy
does terror thing and good guy hunts him (with some fletching about social
media thrown on top). Same thing with Crocodile. The idea of a memory reading
device and the issues of surveillance and privacy are interesting, but that
episode completely skirted giving us anything to ponder in favor of a plain
old cops and killers story that may as well be a CSI rerun.

Black Mirror has two problems.

1. Netflix. 2. Charlie needs a technologist.

Before the Netflix acquisition the ending was usually dark or uncomfortable.
Each episode was like we had wished for some technology on a monkey's paw and
got it. After Netflix came along it seemed like a rule that half the episodes
had to end at least bittersweet. I think they might be executive meddling
with the formula. Perhaps Charlie could do a "screw you" episode about how a
data driven TV production company leads to a world of incredibly bland art.

Charlie Brooker is a journalist / comedian. After visiting the well of "social
media kind of sucks" 3 or 4 times, he's clearly running out of ideas. He needs
to work with someone more up to date on the trends.

~~~
NeedMoreTea
Thoroughly agree, though don't forget White Christmas - the special was great
too!

Netflix brought larger budgets, no impact any more and 15 minutes extra to
explain points over, and over, and over. Like Nosedive. The extra 15 minutes
was entirely devoted to "have interaction, rate it". Two or three explanations
of this difficult concept would have been plenty. San Junipero was more Disney
than Black Mirror.

Even the better Netflix episodes feel like they are pulling their punches.

------
maxme3
What's the name of the Facebook equivalent?

~~~
exfbthrowaway
It was called ‘super’ and it was most famously abused by an intern that
blabbed to the press about using it. They then added more restrictions and
auditing to ‘super’ which was supposed to be mostly for investigations and
user operations teams to help users with their own account issues. Also at
that time Zuck’s own account was always super so...

~~~
coderintherye
Auditing sure, but almost any Facebook software engineer has permission to
still take super user actions. The ability to abuse is still there, it's just
a question of whether they actively audit well enough to catch the abuse.

~~~
barce
From an anonymous source, I found out it's automatic termination if you're
using super mode unauthorized. Would love to get one more anonymous or
non-anon source to verify.

~~~
acjohnson55
I know of someone who had to go in front of an internal audit committee of
some sort due to unauthorized access. He did it during a demo, not really
thinking it through. They were convinced it was unintentional, and he got to
keep his job in the end. He was telling me it was definitely considered a
termination-worthy thing, and was legit worried about losing his job.

------
aaronmgdr
I worked at a small company that had a kinda internal business social network
tool where the devs and customer service people could do this. We called it
superadmin. Eventually we anonymized the actual posts and employee names but
for a while we could literally see everything. Technically afterward we still
could if we had prod db rights and just connected straight to that.

------
ytNumbers
Those young employees had so much power that they acted like they were the
"Kings of MySpace". It's no surprise shenanigans ensued. It reminds me of some
other youngsters back then who called themselves "The Kings of MySpace":

[https://www.youtube.com/watch?v=2N1lIl3pGac](https://www.youtube.com/watch?v=2N1lIl3pGac)

------
lanrh1836
Literally every company has a tool like this. It’s more a question of what a
company is doing to define and enforce justifiable usage among employees.

At a well known “unicorn” I worked at a few years ago someone was reportedly
fired for looking up celebrity accounts.

~~~
wil421
I’ve heard rumors from friends and family that people get fired at hospitals
for looking up celebrities all the time.

------
lwhi
Not surprising.

This is the number one reason why we should be wary of producing these
platforms.

Security and privacy can only be looked after—in the way most people want—if
the potential for human interest is _completely_ removed.

------
annadane
Facebook, Myspace, Snapchat... is it that hard to, you know, not do asshole
things when you sign on in a position of responsibility working for these
companies?

~~~
calibas
I think the potential for abuse would be extremely tempting for anybody and
also make those positions very attractive to the wrong kind of person. In a
more honest world, these companies would be bending over backwards to prove
that they can be trusted, instead we're asked to trust them largely on faith
alone.

------
lhotkins
“Let them view users’ passwords”... sigh

------
swixm
Isn't this expected to happen? Especially back then... It might not fly in
this day and age I guess.

~~~
rolltiide
It is perfectly normal and easier and prevalent in this day and age.

[https://www.fullstory.com/](https://www.fullstory.com/)

One javascript import statement and you are recording your users' entire
session activity.

There are whole startups offering this service to other startups

------
AdmiralAsshat
Never mentioned in the article, but I'd wager that "overlord" is a reference
to the StarCraft unit.

~~~
ssully
I am a big fan of StarCraft, but I am sure that Overlord was just used for
its dictionary definition in this case.

~~~
AdmiralAsshat
I suppose it would depend on the program's primary purpose. If it was the
equivalent of "God mode" and the spying power was just one of many abilities,
then yes, the dictionary definition of "overlord" would make sense.

If the explicit purpose was spying on users, however, the StarCraft unit
reference seemed more apt because the Overlord unit is often used in early
game to do recon, often before the other player has had a chance to build
anti-air defenses, such that the Zerg player can "spy" on the other bases
without their being able to do anything about it.

------
anbop
When used benevolently this is an important tool for seed stage startups to
gauge product market fit. I used to silently join user interactions in real
time and observe them. Really helped improve the product quickly.

~~~
rurp
This does not sound ethical at all and seems to reinforce the point that we
should default to being suspicious of any company that holds our data.

~~~
anbop
Ethical: no

Useful: yes

~~~
mr_toad
Illegal: anywhere in the free world.

