
It was true at Google. It's certainly true at financial institutions. I dunno about Amazon. I'm not sure what other comparisons would be relevant here.

EDIT/NOTE: https://news.ycombinator.com/item?id=16675493




> It's certainly true at financial institutions

It's certainly not true at financial institutions. By financial institutions I mean Fortune 100 financial institutions, as well as smaller financial institutions.

If by "pretty strict internal controls" you mean they can, like Prince Potemkin, point to such things existing in some chimeric form, then yes, I suppose you are right. But in any real sense, no, there are no effective controls in the real world.

About 25 years ago I assumed it was early days for a lot of these things and they would sooner or later be closed up, but they haven't been. Things are wide open - as the recent Facebook/Analytics things have shown. In a very small and indirect way at that.

The first major book on this broad subject was Donn Parker's "Crime by Computer", published in 1976. The book opens by saying that a company's biggest enemies in terms of computer crime are its own employees. This is still true 40+ years later - the biggest enemy of the people who own companies are the people who do the work at them.


> It was true at Google.

Yes, because Google is not your average company. It takes security extremely seriously... in fact it's about as awful of an example as you can give for a blanket statement you made about "most companies".


OK you're right that I overstated when I said "most companies." What I meant to say was most companies of the size and sophistication of Facebook that have a significant amount of private user information. Sorry for not being clear.


> What I meant to say was most companies of the size and sophistication of Facebook that have a significant amount of private user information.

Which is to say... Google and Amazon?


If you add "and notoriety" to that list of qualifiers, I agree with you!


I'm comfortable with such a qualification. Glad we can violently agree. ;-)


That's a really short list of companies, though! There are a lot of companies that each independently hold a ghastly amount of information about random people that have virtually no meaningful controls over this stuff. "No meaningful controls" is the norm.

I'd also say it's the norm among most Fortune 500 non-tech companies.


Yep. Equifax, Experian and Transunion come to mind.


Consider also every large adtech firm.


Even the very largest adtech firms don’t have messenger apps used by millions of people, social graphs of the population or control of large swaths of the internet infrastructure.

That’s not to say I disagree with you, but the data collected is (to me) orders of magnitude less sensitive.

*disclosure: I toil in the adtech mines.


These are great counterpoints to the view I expressed and do make me reconsider my assumptions somewhat. Thanks!


Internal abuse is a big area of effort for Facebook and Google, but things still go wrong. Here was Google's moment for that back in 2010:

https://www.wired.com/2010/09/google-spy/


> Google is not your average company. It takes security extremely seriously

While this is certainly true, you've admitted elsewhere not knowing anything specifically about either Google's or Facebook's security process, so how can you compare them? You seem to just "know" Facebook doesn't take security seriously (which is of course a ludicrous thing to say).


> While this is certainly true, you've admitted elsewhere not knowing anything specifically about either Google or Facebook's security process

You already misquoted me once and I already replied to you. Why do you ignore it and do it again? Like I said: no, I never "admitted elsewhere not knowing anything specifically about either Google or Facebook's security process". You are misquoting me again just like you already did in [1], and it's quite improper that you choose to do this when I have already responded to you and called out your misrepresentation there. If you are looking for a response, see that post. If you are not, then please stop.

[1] https://news.ycombinator.com/item?id=16676704


I am most definitely not misrepresenting you.

People like me or [1] have called you out because you keep contrasting Google and Facebook's internal security processes for no good reason, making definitive assertions like "[Google] takes security very seriously" [2], suggesting that Facebook doesn't and should do "Whatever Google does" [3]. And you're doing this not based on any specific knowledge of what the internal security process looks like at either company, but on your (flawed) perception of what engineering interns might or might not be able to do.

When people like esman1, who actually have that knowledge and context, volunteer to explain to you [4] some of the safeguards in place (and he told you the truth), instead of taking the point, you won't have any of what he says and keep going at it stubbornly.

I think this is the point where reasonable people stop arguing, and anyone else who cares can check your comments in this thread and make their own opinion.

[1] https://news.ycombinator.com/item?id=16675843

[2] https://news.ycombinator.com/item?id=16675508

[3] https://news.ycombinator.com/item?id=16675707

[4] https://news.ycombinator.com/item?id=16675670


I'm not sure if Google even has an internal red team that performs breaches; the last time I talked with someone there at a conference they didn't (that was 2016). So I am not sure Google has metrics on how easy it is for an adversary to gain access.


> I'm not sure if Google even has an internal red team, last time I talked with someone there they didn't (was 18 months ago though).

2012: Google staffs up ‘Red Team’

And this was literally just a Google away: https://nakedsecurity.sophos.com/2012/08/24/google-red-team-...


Red team is an overloaded term: "Analyze software and services from a privacy perspective, ensuring they are in line with Google's stated privacy policies, practices, and the expectations of our users." Doesn't sound like adversary simulation to me.


https://careers.google.com/jobs#!t=jo&jid=/google/security-e...

The job even lists insider threat as part of their responsibility.


Yeah, still not the same as actually performing breaches themselves to see how long it takes to compromise, whether they get detected, and how long it takes to remediate and evict the adversary. I should have been a bit clearer about what I meant initially.
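The comment above describes the three measurements a breach-simulation programme is meant to produce: time to compromise, whether the defenders detected anything, and time to evict. The example below is added here and is not from the thread or from any company's tooling; it turns a constructed timeline of exercises (the dates, names and outcomes are invented) into those metrics, including the case where the blue team never detects the exercise and the case where detection happens before the red team reaches its objective.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class BreachExercise:
    """One internal breach simulation, recorded as a timeline of events.

    A None timestamp means that event never happened during the exercise
    (the red team never reached its objective, or the blue team never noticed).
    """
    name: str
    initial_access: datetime
    objective_reached: Optional[datetime]
    detected: Optional[datetime]
    evicted: Optional[datetime]


def _hours(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    """Elapsed hours between two events, or None if either did not occur."""
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 3600.0


def time_to_compromise(ex: BreachExercise) -> Optional[float]:
    """Hours from initial access to the red team reaching its objective."""
    return _hours(ex.initial_access, ex.objective_reached)


def time_to_detect(ex: BreachExercise) -> Optional[float]:
    """Hours from initial access to the first blue-team detection (dwell before detection)."""
    return _hours(ex.initial_access, ex.detected)


def time_to_evict(ex: BreachExercise) -> Optional[float]:
    """Hours from detection to the adversary being fully evicted."""
    return _hours(ex.detected, ex.evicted)


def caught_before_objective(ex: BreachExercise) -> bool:
    """True if defenders detected the exercise before the red team reached its goal."""
    if ex.detected is None:
        return False
    return ex.objective_reached is None or ex.detected < ex.objective_reached


def summarize(exercises: list) -> dict:
    """Programme-level metrics over a list of exercises."""
    detected = [ex for ex in exercises if ex.detected is not None]
    detect_hours = [time_to_detect(ex) for ex in detected]
    evict_hours = [time_to_evict(ex) for ex in detected if ex.evicted is not None]
    return {
        "exercises": len(exercises),
        "detection_rate": len(detected) / len(exercises) if exercises else 0.0,
        "mean_hours_to_detect": mean(detect_hours) if detect_hours else None,
        "mean_hours_to_evict": mean(evict_hours) if evict_hours else None,
        "caught_before_objective": [ex.name for ex in exercises if caught_before_objective(ex)],
        "never_detected": [ex.name for ex in exercises if ex.detected is None],
    }


# Constructed sample timeline for three hypothetical exercises (not real data).
SAMPLE = [
    BreachExercise("ex-1 workstation phish", datetime(2016, 3, 1, 9, 0),
                   datetime(2016, 3, 1, 15, 0), datetime(2016, 3, 2, 10, 0),
                   datetime(2016, 3, 2, 18, 0)),
    # Objective reached after two days; the blue team never detected it.
    BreachExercise("ex-2 service account", datetime(2016, 6, 10, 8, 0),
                   datetime(2016, 6, 12, 8, 0), None, None),
    # Detected and evicted before the red team got anywhere.
    BreachExercise("ex-3 vpn credential", datetime(2016, 9, 5, 12, 0),
                   None, datetime(2016, 9, 5, 13, 30), datetime(2016, 9, 5, 16, 0)),
]

if __name__ == "__main__":
    for ex in SAMPLE:
        print(ex.name, time_to_compromise(ex), time_to_detect(ex), time_to_evict(ex))
    print(summarize(SAMPLE))
```

The useful number for a defender is not just the detection rate but the combination of `time_to_detect` against `time_to_compromise`: an exercise that is eventually detected but only after the objective was reached (ex-1 above) still counts as a failure of the controls the comment is asking about.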


How do you know there isn’t a team at Google doing this? It’s standard practice at companies of even middling size and Google is so large your friend might just be unaware of it.


A Google security manager told me at a conference when chatting about this in 2016. They were thinking of staffing a breach team, but did not have one then.


I thought Project Zero tries to find vulnerabilities in Google stuff too?


Project Zero is different from performing end-to-end breaches. A breach team might use 0-days from Project Zero to actually compromise Google's internal assets to see if their defenders can detect an adversary. FB has such a team, and they have given public presentations (one was at RuxCon 2016) on how they compromise, for instance, their domain controllers and stuff.


Google has a gaggle of security teams, almost all of which occasionally red team and some of which exclusively do. I'm not sure who told you otherwise but they were certainly mistaken. Source: I TL'd a security team there several years ago.


Thanks for pointing this out. I heard it from a security manager at Google at a conference in 2016. Good to hear that they do breach simulations now, besides regular pen testing and stuff.


I'm not sure if there was miscommunication or what, but Google has had teams that do this for a while now. I typically hear them referred to as orange teams.


I worked in 2014-2015 at Google on one of the (many) teams that did exactly that.


I believe it's true of Google! I do not believe it's true in general.


shrug

Without evidence we're both just guessing. Perhaps someone else will chime in with direct knowledge of how FB works.


Evidence suggests it wasn't true at the NSA five or so years back...

It's _probably_ true that things in general have gotten better since then, and it's probably true that they're better at _some_ companies like Google, Facebook, and Amazon - but I'd tend to agree that it's very unlikely to be true for "most companies".


The Snowden case is an interesting example. He went out of his way to get access to information, going so far as to transfer into a role that had more access (I don’t recall all the details but I remember that much). Every company has some category of employee whose job it is to ensure enforcement of policies, for instance, and if these people set out to subvert the system you should expect them to be able to do so. The watching watchers onion does eventually run out of skin (and it’s not even that deep most places).


The right person with the right access can do a tremendous amount of damage. 14 years ago some servers I was hired to maintain (marketing sites for a gambling site out of Costa Rica) were wiped out as part of an inside job: http://boston.conman.org/2004/09/19.1

Who watches the watcher indeed.


I believe it's true of Facebook as well.

Source: I interviewed with their security team once and got a fair idea of how their various security teams are organized.


> shrug. Without evidence we're both just guessing.

Do I understand correctly that you just admitted that your (extremely confident!) factual statement here:

> most companies have pretty strict internal controls for this sort of thing

was actually "just guessing"?


I'm guessing based on:

1) my direct knowledge of similar companies

2) the fact that no large scale leak from internal sources has happened from FB which is evidence that they have at least some internal controls or procedures to prevent one


Unfortunately, the internal tech infrastructures of many (not all) financial institutions are a mess of many decades of mergers and acquisitions, resulting in a Rube Goldberg-like backend of seemingly endless unnecessary complexity and dysfunction, with, in many cases, superficial controls around who gets access to what.



