Facebook Network Breach Impacts Up to 50M Users (nytimes.com)
1677 points by coloneltcb 4 months ago | 609 comments

Excerpts from the press call transcript [1] by Guy Rosen explaining what led to this breach being possible:

> The first bug was that, when using the View As function to look at your profile as another person would, the video uploader shouldn’t have actually shown up at all. But in a very specific case, on certain types of posts that are encouraging people to post happy birthday greetings, it did show up.

> The second bug was that this video uploader incorrectly used the single sign-on functionality, and it generated an access token that had the permissions of the Facebook mobile app. And that’s not the way the single sign-on functionality is intended to be used.

> The third bug was that, when the video uploader showed up as part of View As -- which it wouldn’t do were it not for that first bug -- and it generated an access token which is -- again, wouldn’t do, except for that second bug -- it generated the access token, not for you as the viewer, but for the user that you are looking up.

> It’s the combination of those three bugs that became a vulnerability. Now, this was discovered by attackers. Those attackers then, in order to run this attack, needed not just to find this vulnerability, but they needed to get an access token and then to pivot on that access token to other accounts and then look up other users in order to get further access tokens. This is the vulnerability that, yesterday, on Thursday, we fixed that, and we’re resetting all of those access tokens to protect security of people’s accounts so that those access tokens that may have been taken are not usable anymore. This is what is also causing people to be logged out of Facebook to protect their accounts.

[1] https://fbnewsroomus.files.wordpress.com/2018/09/9-28-press-...

> The second bug was that this video uploader incorrectly used the single sign-on functionality, and it generated an access token that had the permissions of the Facebook mobile app. And that’s not the way the single sign-on functionality is intended to be used.

Is it just me or does this sound like a terrible idea in the first place? Guess we can't know for sure, but why would anything unrelated to authentication generate access tokens?

Technical debt, multiple systems using multiple old authentication routines getting slowly upgraded to new auth methods. And no one taking the time to fully understand the ramifications. And honestly it seems like that was the right choice for the teams responsible. They all made tons of money, delivered features, and now years later a bug is found.

Would you feel the same way if this vulnerability was for, say, a major banking website?

I work for a major (by Norwegian standards) bank. This level of authentication integration trickery wouldn't be attempted by us. Mainly because we try hard to avoid serious technical debt (due to timeline/delivery pressure) in our security infrastructure. We occasionally take such shortcuts in places that are not mission-critical, but they are always considered carefully as the tradeoff that they are. I believe that we are considerably better at technology development than most of the banks in the US.

That said, I've heard stories of similar bugs in the industry. The difference was that they were more shallow in the effort to reproduce; deep enough to get through QA but discovered quickly in production.

But honestly, Facebook has more resources to spend on security than any online bank. Banking security should be defense-in-depth: strong first-layer security, serious monitoring of suspicious activity & openness to reports by users, a certain level of manual approval of irrevocable transfers, a certain revocability of transfers that are able to be automatically processed, transfer size limits to prevent one breach from having huge consequences.

And finally, a credible economic and legal system that ensures only a tiny minority of people want to rob a bank because there are much better options for making money, and banking regulations that leave the responsibility for security vulnerabilities squarely with the bank's shareholders.

Anyone can be owned with enough effort, so it's not just about creating software that's as secure as you can make it. You need to have sound policies as well.

Meanwhile I work for a major US IB. While I don't work on anything customer facing, our internal SSO infrastructure basically consists of a single cookie that gets access to almost everything.. And it's really not difficult to sniff one from another user (like say getting them to visit a link like http://mydesktop.companyname.com/..).

It's so bad that for certain systems we check the origin of your connection and will only trust you if you've come from the DMZ rather than internal.

Is the cookie not associated to a specific IP? SSO systems would normally flag the mismatch if you try to connect to a website and pass an SSO cookie issued for a different IP, so sniffing cookies wouldn’t help all that much.

In the mobile space the IP address changes all the time, doesn't it?

It's unlikely to change between the SSO login page and the application's login page, and it doesn't matter if it changes later on since the app can issue its own session cookie which isn't tied to an IP.

Ha, major banking website won't do any improvement. Can't have enhancement vulnerability if there are no enhancement we smart.

You're vastly overrating the size of the vulnerability and the security of banks. This would not have been caught by internal security teams at most banks and even if it was caught, it wouldn't be considered a major vulnerability on a major banking website.

With that said, this is a bigger vulnerability precisely because Facebook is a free service - at banks, you need to be a customer with real-world identity to even begin to attempt to exploit this.

Just as Microsoft developed Patch Tuesday, Facebook should have Forced Logoff Friday

Every day on Facebook should be forced logoff day. Or, at least, incognito mode day.

There's a Firefox Add-on named "Facebook Container". Once you install that Facebook lives in a little box, Facebook cookies, Facebook whatever else, all trapped in the little box.

No effort needed, if you click your Facebook bookmark, or follow a link or whatever, the browser goes "Oh, this is Facebook" and traps it inside the box with the rest of Facebook without any extra steps from the user. There's a cute blue "Facebook" icon added to the URL bar so you can see it's working.

(I mean, or, stop using Facebook, but for many that isn't a reasonable option)

'We only use incognito mode for security. Since it's annoying to login constantly, everyone has dedicated machines that are powered 24/7 so you never have to shut down those incognito tabs.'


"That won't scale" - Sandberg

If you're more interested in tech discussion or maybe some subcultures, and less interested in food photos/anecdotes about babies, just join http://mastodon.social/ already.

Set your preferences to show posts of your native language only, start poking around the timelines, and follow people who post something interesting. Follow, boost, reply, it only takes a few days before you have plenty of interesting content in your feed.

There's zero chance on Mastodon that you'll get caught up in a gigantic data breach like this. Probably less chance you get caught up in any kind of breach -- it's too obscure to be a target, plus the code is open source so many eyes on it, etc.

And you'll enjoy these guaranteed benefits, as well:

- No longer subject to the most sophisticated data vacuuming adtech in the world

- If you get bored/annoyed you can just take a break from Mastodon because it doesn't own your life the way Facebook tries to

> Probably less chance you get caught up in any kind of breach -- it's too obscure to be a target, plus the code is open source so many eyes on it, etc.

Security through obscurity...

Open source != secure. I can guarantee that a hell of a lot more folks with a lot of security expertise have combed through the fb codebase than Mastodon.

>Security through obscurity...

...is not a solution by itself but is a perfectly valid part of a defense in depth strategy, for example running SSH on a port other than the default is a common and good practice.

> I can guarantee that a hell of a lot more folks with a lot of security expertise have combed through the fb codebase than Mastodon.

This is the same argument Microsoft always made in defense of Windows security back in the XP era. "We hire the best experts in the world so Windows must be fantastically secure." And Windows security turned out to be a train wreck. Now in Microsoft's defense it has improved considerably over the years, but Windows desktops still get owned far more often than Linux desktops do, for a reason that would probably apply to Mastodon today as well: not that many people use it, so it is not nearly as common a target for exploits.

I don't think I deserved downvotes for making these points btw, that button is way overused on HN.

>> Security through obscurity...
>
> ...is not a solution by itself but is a perfectly valid part of a defense in depth strategy, for example running SSH on a port other than the default is a common and good practice.

This really depends on what kind of target you are. Are you a random person on the internet? Then making yourself a smaller target by using obscure services might help. Are you someone with sufficient value for a spear phishing attack? Not so much. “Sufficient value” might just be “you slighted the wrong person on the internet.”

There’s also a lot of trade-offs involved, some of them less than obvious. For example Mastodon servers may be run by a person/team whose trustworthiness is harder to evaluate than Facebook's. The server you’re on might be run by well-meaning but incompetent people. The server you’re on might have one participant that is a target of sufficient value for spear phishing, and your data might be taken and leaked just to obscure the real target.

I agree, but "guarantee" is a strong word. On the flip side, a hell of a lot more folks _without_ much security expertise have _contributed_ to the fb codebase.

- reminiscent of the old DeBeers diamond courier group motto "anonymity is the best security". Interesting that most NYC 47th street diamond district couriers were Hasidim, whose attire wasn't particularly inconspicuous.

The "View as" feature has been the source of many security vulnerabilities.

There was a time where you could read other peoples' chats using this feature.

When designing such a system, the immediate failure mode is obvious: at some point, someone will read data not meant for them.

As every feature on FB needs to take "View as" into account when handling their own permissions, a lot of developers on FB's payroll get a chance to f'up. We are all humans, so the probability of this happening is very high. The impact (for the users) is also high, given that it's automated and concerns every user on FB equally.

When dealing with a very probable, high impact risk in a software project, considerable additional effort is warranted to mitigate that risk: in this case maybe taint checking and additional implementations of the same feature in different programming paradigms, to ensure the system is fail-stop.

But in contrast to airlines and railways, the interests of FB and their users are not aligned. For Facebook, this risk is not (or was not deemed to be of) high impact, so we didn't get any of this.

It seems to warrant checking both the permissions of the true user and the view-as user. If either does not have permission, then the action should fail. Of course, lacking the middleware for this forces you to choose one or the other and hope you remember to check the remaining user in numerous pathways.
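The "check both principals, fail if either fails" rule from the comment above, modelled as an added example (constructed illustration, not Facebook's code; the user names, posts, scopes and function names are assumptions). It also models the three chained bugs from the press call beside a hardened widget that mints a least-privilege token only for the authenticated actor:

```python
"""Model of the 'View As' authorization failure discussed in this thread.

Constructed illustration, not Facebook's code: the names, sample data and
scopes below are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional
import secrets

# Constructed sample data: who owns which post and who is friends with whom.
POST_OWNER = {"post_a": "alice", "post_b": "bob"}
FRIENDS = {"alice": {"bob"}, "bob": {"alice"}, "mallory": set()}

# Scopes the full mobile app holds versus what a video uploader actually needs.
MOBILE_APP_SCOPES = frozenset({"profile:read", "messages:read", "video:upload", "posts:write"})
UPLOADER_SCOPES = frozenset({"video:upload"})

TOKENS: dict = {}  # token -> (subject, scopes); stands in for the token service


@dataclass
class RequestContext:
    actor: str                      # authenticated user making the request
    view_as: Optional[str] = None   # person whose view of the profile is previewed


def mint_token(subject: str, scopes: frozenset) -> str:
    token = secrets.token_hex(16)
    TOKENS[token] = (subject, scopes)
    return token


def token_subject(token: str) -> str:
    return TOKENS[token][0]


def user_can_see(viewer: str, post_id: str) -> bool:
    owner = POST_OWNER[post_id]
    return viewer == owner or viewer in FRIENDS[owner]


def can_see_post(ctx: RequestContext, post_id: str) -> bool:
    """Every principal in the request must pass: the real actor AND the
    view-as subject. If either lacks permission the action fails."""
    principals = {ctx.actor}
    if ctx.view_as is not None:
        principals.add(ctx.view_as)
    return all(user_can_see(p, post_id) for p in principals)


def buggy_upload_widget(ctx: RequestContext) -> str:
    """The three bugs chained: the widget renders inside a View As preview,
    mints a token with the full app's permissions, and mints it for the
    user being viewed rather than for the actor."""
    subject = ctx.view_as or ctx.actor             # bug 3: wrong principal
    return mint_token(subject, MOBILE_APP_SCOPES)  # bug 2: over-privileged


def hardened_upload_widget(ctx: RequestContext) -> Optional[str]:
    """Each bug addressed: no state-changing widget inside a preview,
    least-privilege scopes, and the subject is always the authenticated actor."""
    if ctx.view_as is not None:                    # fix 1: preview is read-only
        return None
    return mint_token(ctx.actor, UPLOADER_SCOPES)  # fixes 2 and 3


if __name__ == "__main__":
    preview = RequestContext(actor="mallory", view_as="alice")
    leaked = buggy_upload_widget(preview)
    print("buggy widget issued a token for:", token_subject(leaked))
    print("hardened widget inside a preview:", hardened_upload_widget(preview))
```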

Any link to this type of vulnerability? Sounds like a juicy read.

That doesn't just seem like a few unlucky coincidences. That seems like a fundamentally unsound design. Why should it even be theoretically possible for a request under the authority of one user to create a token with the authority of another user?

Notably, they previously had issues where "View as" allowed you to view notifications and messages of the user you were viewing as.

If they'd done a proper post mortem and corrected the fundamental issue, and made sure it wouldn't recur, this should not have happened.

Instead they moved fast and broke things.

It's more important for you to move fast and break things and make us money than to move slow and do things the right way. The life of an engineer... Do it now! Why did you do it that way!? Now we are screwed??

Facebook’s php developers like to move fast and break things. Bad design choices, monkey patching, breaking things on production, it’s all part of Facebook’s “engineering” principles.

Not the root cause, but I'm guessing a microservice architecture made it more possible. It sounds like both the token generating service and the video upload service have bugs.

How likely is it that the three-bug combination could be discovered without access to source code?

Very likely. It happens all of the time. If you read through some CVEs or other bug reports or post mortems, you’ll be surprised just how complex attacks can be.

I suppose that the likelihood estimate would need to take into account the number of people who have (or had) access to the sources. Obviously the alternatives are not mutually exclusive.

Here's the banner that they put up on people's newsfeeds: https://imgur.com/G7sBbwX

Nowhere on that banner does Facebook make it clear that there was recently a severe security issue that may have resulted in the loss of personal user information (Making it much less likely for the user to actually click 'Learn More'). It's misleading to title this with just "An Important Security Update" and make it seem like they've just updated their systems. No mention of the recent compromise until you click 'Learn More'.

They've been showing me that banner for a while. In fact, they stopped showing it to me about a week ago. Are you sure it's related?

This is 100% the banner I have received. The call to action directs you to this page:


Which is the issue at hand.

Okay. That's very deceptive of Facebook.

Also, it's "100%" the banner I saw for several days last week. Make of that what you will. I didn't click it so I don't know what it pointed towards.

This banner is crazily insufficient. It disappears forever after you visit any other page, without you having to acknowledge its existence.

I just checked fb, and went quickly to my first notification. I didn't really register what the banner was until maybe a second after it loaded - at which point I had already clicked on my first notification. By that point, the banner is gone forever. I can't find any way to get it back.

It's so, so easy to miss this message.

Fun fact: https://newsroom.fb.com/news/2018/09/security-update/ was published at 16:42:44. https://www.nytimes.com/2018/09/28/technology/facebook-hack-... was published at 16:45:41. NYT writes fast :)

> “We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces.” He added: “I’m glad we found this. But it definitely is an issue that this happened in the first place.”

There was a conference call with reporters about the subject, so the public release of the press release was not the first the NYT knew about it. They likely had an embargo agreement.

I very very much doubt the NYT would have agreed to an embargo on a story like this. It's a major news story, not the launch of a new car.

Since you're just getting downvoted, I may as well say that as a member of the press it isn't uncommon to see embargoes on stuff like this. They don't say a week out "hey we've got a huge security announcement" but they do say "we have something coming out this afternoon and we're doing a briefing half an hour before if you agree not to publish before we go public."

It's often in the interest of the reporter to agree to stuff like this since publishing security issues ahead of time can have serious negative consequences.

This is in response to a dead reply on this chain. Unless you are in Congress it is illegal to trade on material non public information. So if a reporter traded on info in an embargoed press release they could be prosecuted for insider trading.

I hadn't considered a 30-minute embargo, thanks for setting me straight on that (also an ex-member of the press, but from the days when things didn't move quite so fast).

In the journalism world, pre-written articles are apparently quite common. I assume they had a boilerplate already for the next Facebook controversy, and just wrote 2-3 opening paragraphs that were relevant for this one.

CNN many years ago accidentally left some of their pre-written obituaries for (living) world figures publicly accessible. https://en.wikipedia.org/wiki/List_of_premature_obituaries#T...

The FB press release was probably shared early with the agreement it would be embargoed by the media until FB made it official.

It's not uncommon. It's how you build "friendly" relationships with the media. I scratch your back, you scratch mine.

> In the journalism world, pre-written articles are apparently quite common.

Actually, not "common" at all.

Obituaries for famous people are often done in advance, since everyone dies. It used to be one of the things that young journalists/interns did to cut their teeth.

But not every company has a massive security breach, so this was not pre-written.

It's not uncommon for big companies to fax (yes, fax) bad news to news organizations a few hours or days before posting it on their own web sites.

In the past, there would be embargoes on the information, but in the case of bad news, those are routinely ignored.

Welp, this sounds like a pretty bad practice. If there's one thing that journalists can count on, it's that famous companies are going to have a data breach.

You should probably get on that.

This is probably not at all what happened. Things get heard and articles get quickly written. In this case it can even be the company spreading the news to key media companies in order to control the spreading of the news.

The press release was almost certainly sent to the NYT in advance of its release, but embargoed.

Source: I spent years at a national PR agency

There's something ironic about NYT getting a lot of its traffic these days by writing recaps of Facebook news.

* Citation needed

Or it was the other way round, they learned of the issue, asked for comment, accelerating the news release.

It's possible they emailed the release out before it was published on the web, I suppose. It would make sense, as I imagine news outlets have follow up questions.

...and posted on HN ~16:47

Posting a link to HN takes 10 seconds. Writing a news article doesn't.

PR Teams will work with major news sources on the stories in advance of the announcement, in exchange for having an input on the final story.

It's also possible a bunch of them got logged out this morning, knew something was up, and started fleshing out their prewritten template with details like the date and symptoms.

I suspected there was a breach of some sort when my tokens expired in three places simultaneously this morning. First thing I did was search Google News; nothing had been written yet. I wasn't sure they would ever announce it, probably depends on the scale.

> NYT writes fast :)

Facebook wrote it. They called their friend at NYT and handed over the article - then mentioned they would be sharing it with other outlets later. [just my guess].

Pre-disclosing news to publications is a standard affair in business and politics. Nothing out of the ordinary here.

I'm also surprised that many supposedly educated people on HackerNews don't seem to know these things.

Noam Chomsky wrote Manufacturing Consent decades ago.

Read, you fools!

It's actually the 30th anniversary. Also, Herman wrote half the book!

That's a serious ethical accusation to make against a journalist. Make it if you have evidence, but not reasoning from first principles.

They wrote it in 3 minutes, are you seriously saying first principles are not sufficient here?

I am. Much more plausible is an embargoed story.

If the NY Times doesn't have Facebook corporate and PR infiltrated, then they aren't doing their job.

Until they can provide some data that say the 50 million number is a fact, I don't believe it's that low. Every breach starts out on the low end, and miraculously ends up being double or triple as they do "more research" and the initial anger dies down.

I'm pretty sure they logged out more than <5% (90m of 2B) of their users, because of the people I talk to on a daily basis on Messenger like well over 2/3s got logged out. I could see if they meant 90m of American users or something.

I don't think you understand how big the world outside of the US is. They could log out 50% of all Americans and it amounts to 5% of Facebook. How many people in other countries have you spoken to before drawing your conclusion?

Also if the tokens can be used for 3rd party “Sign in through Facebook” authentication this just compromised millions of people’s entire digital identities for everything from dating sites to financial logins.

They can, and this is why I completely disabled that feature a while back.

I was logged out twice, once in the morning and again in the evening - I came back to this discussion to see if there was some explanation.

(No, it's not that it was just two devices - I had to log in four times just on my phone. Once for Messenger, once for FB itself; during each occurrence.)

Why the downvotes ? This is important data, and no one gave this information in the whole thread.

Probably because it's entirely anecdotal and attempts to extrapolate from such a small sample size.

It's more a problem of a biased sample than a small sample - this attack spread through the friend network, and so if one of your Facebook friends is in the attacked/vulnerable group then other ones are also likely to be.

Sure, but that's very different than the logical problem I'm talking about.

Because his friend group is not a random sampling.

Hofstadter's Law, data breach edition: the breach's always worse than you think it is, even after you factor in Hofstadter's Law.

But in today's reality, that revised number is framed as fake news. Somebody has an axe to grind, and is artificially inflating the numbers.

I am totally baffled in the post-fact world.

It's only a post-fact world on a handful of media outlets.

Sadly, where I live, Texas, that handful of media outlets is what is viewed by the majority. Also, relating back to FB, it has become an echo chamber. Most people lock into one source, and once they are locked in, that information becomes gospel. They favorite/like/follow these sources, and that's all they will accept. Before I left FB, I was inundated with other people's posts from this handful of media outlets. People I know and consider friends, but this is what they are into. It was tiresome and baffling.

> But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts

oh boy, what a mess.

User impersonation code always terrifies the bajeebus out of me.

You only get to see your own profile. It's a very useful tool to make sure you're not leaking data to people you'd rather not give it to.

> You only get to see your own profile.

Well, when it doesn't have a security hole.

Well, thanks to Facebook's "View As" functionality, I recently discovered that their privacy setting "Only Me" does not work for only me if another person is tagged in the picture. Meaning that if I have a picture with my ex somewhere in my profile, set to "Only Me", it actually means "Only me... and her".

Right, the interface isn't very clear but instead of "Only Me" it shows "Only Me (+)" and if you hover it says: "Only Me, Anyone tagged."

... until the mechanism turns out to have an exploit, as just happened here.

Could have been any other mechanism on the site.

...but it wasn't. Which is the point, no?

I don't think that matters. "I hate travelling by air because the plane can crash" is a true statement for many people... but statistically, that's not the method of transportation that kills people.

The fact of the matter is... ACLs are hard to get right. It's even harder when you have various roles that can be checked against the ACL (logged in user, batch job, logged in user impersonating someone, etc.). But in the end, complexity is what's scary, not some feature that depends on complexity.

> The fact of the matter is... ACLs are hard to get right

This sounds similar to different distros of linux. Some are security focused where nothing is allowed until it is explicitly allowed. Other distros try to be more "user-friendly" and pretty much everything is open.

Starting from a wide open starting point and then trying to batten down the hatches afterwards does seem to be the harder way to do it, but that's exactly where FB is. They wanted everything open, and then had to decide to start limiting that data. FB was designed as a place to share info. If you posted it, you wanted to share it. I totally get that mentality. However, as devs, I can imagine that we have all built something that the end users use in a way not envisioned, and we've probably all had "you're holding it wrong" lines of thinking. Once you get to that point, you can alienate users by telling them to stop doing it that way, or embrace what's happening and then make it work for them. Seems like the perfect situation where bugs can get introduced.

Which is why the point doesn't make sense. The article says tokens were leaked. There are plenty of other places where such a bug could happen, so it shouldn't serve as a strong validation of "User impersonation code always terrifies the bajeebus out of me".

(Not to mention it's not really user impersonation, it's just filtering your profile page based on computed access level of one of your friends.)

Something similar happened 8 years ago. https://techcrunch.com/2010/05/05/video-major-facebook-secur...

if ( loggedin_user() ) { }.... oh shit wait, since it is viewAs it's not that it's current_user() oops.

Stealing the access token is the worst possible attack, because it wouldn't get logged or lead to any sort of notification. If they were only able to steal the passwords, this would have gotten caught immediately.

Isn't this the second time this feature has been exploited? I thought I remembered a similar issue from a while ago.

Yes, there have been other cases of exactly the same issue. I recall a case where it was possible to pretend to be people via the chat system while using “View as”.

I think they’ve been breached like this previously. What a mess.

Am catching up. Would these tokens be the signed JWTs? If so, I am wondering how they were able to figure out the signature part.

I imagine you just "replay" the issued/signed JWT to Facebook, so you can act like that user.

So is this what the hacker was going to livestream the deletion of Zuck's page? In the end, they submitted a bug to FB so I'm assuming this is the exploit that was intended to be used.

Does anyone have an idea on how this exploit could have worked? If only the hacker(s) would write a blog article or make a LiveOverflow-style video about it. It would be quite entertaining. I'd be so curious/intrigued to know more about this specific exploit, it's a shame it wasn't a responsible disclosure from a white-hat.

One of the top comments by herpderperator dives into it pretty well. The part I had questions about was where it tied into the increased traffic patterns. But if I'm understanding it correctly, that would be because you're basically walking the graph: for each token that you compromise, you have to masquerade as that new person to expose more tokens that they are connected to.

Move Fast and Fix Things instead?

this should be the thread link

I find facebook's effects on privacy and democracy as scary as the next person, but so far their secure coding standards have been extremely high. They're one of the few big names NOT on haveibeenpwned.com, they run their passwords through a KDF and then encrypt the result with a hardware security module, and a whole lot of other good things.

I guess even the best (at secure coding) sometimes mess up.

> They're one of the few big names NOT on haveibeenpwned.com

Have Amazon, Google, Twitter, Microsoft or Apple been on haveibeenpwned? That’s what I think of when I hear “big names”.

MS yes, via LinkedIn (at least)

Not the same. That breach was way before the acquisition; you can't conclude from that breach that MS development or security practices were lacking.

The issue is that Facebook has access to so much information that their security has to essentially be unbreakable if they don’t want a massive leak of sensitive user information.

The fact that passwords have never been leaked is irrelevant when a hacker can just get hold of the access tokens!

Many users are still going to use the same password for their FB account and email account. All the security in the world won't fix people.

Pervasive biometric security may be the next step. I know it's scary and could actually be abused but it also can generally increase the level of security for everyone.

If your password is leaked, then you can still reset it. If your fingerprint signature leaks, you're out of options.

Burn your fingers!

This may be an urban legend, but I've heard there was once a bank robber who dipped his fingertips in acid. After a few months, his fingers healed, and the prints were exactly the same as before.

Something like left eye iris scan for Google, right eye iris scan for FB, left index fingerprint for AWS?

Recently talked to 2 friends working for fb. According to them, the culture there is very toxic. For a master's degree, once you get in, you need to get promoted in 22 months (I might misremember the actual number) or you will have to leave. Debugging is never counted as real work, so for quick promotion, nobody wants to solve bugs unless a bug becomes too obvious. And they also complained about no work-life balance. They got pushed to check in code at 12 a.m., for example.

I suspect that that's very team-dependent (in a company with thousands of engineers in tens of offices, most things are). Personally I got promoted based on debugging / code cleanups / reliability work, and I don't remember the last time I worked outside my self-assigned working hours (~10am-6pm) (aside from on-call shifts, where I got one false alarm on a weekend a few weeks ago). If one of my teammates messaged me asking for code review at midnight and it wasn't a "the site will be down if this doesn't land right now" issue, then I'd reject their code on the basis that we should all be in bed :P

My understanding of the "get promoted or leave" thing is "engineers hired as juniors are expected to get to mid-level in under 5 years (with a half-way milestone at 2 years)"; once you're mid-level it's up to you if you want to carry on climbing. Personally once I got there I switched to a "work more efficiently in fewer hours and keep the same overall productivity" approach instead of trying to get promoted into the senior levels, and that's worked out nicely so far :)

> I switched to a "work more efficiently in fewer hours and keep the same overall productivity" approach.

Train me, please.

Trading anecdotes, I have a number of friends at Facebook (both at Menlo Park and the NYC office), and they complain about the opposite: lots of people just coasting and doing the minimum needed to get by, really hard to fire people, etc.

This is part of why I left last year so... too true.

This is seemingly the case in a lot of places.

Unfortunately the number of lazy people far outweighs the number of hard workers.

Anecdotally none of this even remotely resembles my experience there

What you’re talking about isn’t related to having a masters. All engineers are expected to progress beyond junior levels (get to E5) in a reasonable amount of time.

It’s not a great practice in my opinion. But in practice only a small percentage of engineers fail to make the grade.

This does not reflect my experience working here at all

What, exactly, is wrong with the expectation that people make senior level eventually? What exactly is wrong with being able to work at any time? I worked there for years, and if I was landing code at 12am, it was because I was excited about what I was doing. It was wonderful being able to work with people from all over the world on high-impact projects, and fixing important bugs was definitely high-impact. People who fixed vexsome bugs were heroes.

>> you need to get promoted in 22 months ... or you will have to leave

> What, exactly, is wrong with the expectation that people make senior level eventually?

The problem is when you base too much on promotion systems and performance reviews, that end up as a form of bias and favoritism not closely approximating the truth. Some amount of people are doing useful work for you (like cleaning up after people you think are the high performers) that does not surface there, and when you crap on them, pass them up, bust their morale, make them afraid of their next review, etc., you risk losing their valuable contributions.

> you risk losing their valuable contributions.

Modus operandi in these companies is to rewrite/reintroduce whole products instead of fixing bugs from already discarded people. So if you lose a critical amount of worn-out, higher-paid contributors, you just make a V2 or introduce a new product with a completely fresh team that will get discarded after another 3 years. This requires a fresh supply of motivated and hungry people willing to make sacrifices and a much smaller number of people willing to exploit that.

So that’s why Google is “reinventing” their chat every 2 years!

"landing code at 12am, it was because I was excited about what I was doing"

I can't believe people put up with this. I really hope you got paid for that time.

Societal pressure to do everything it takes to get rich and succeed is a serious drug. I also attribute some of it in cases like this to the fact that some programmers are unfortunately just not well adjusted.

Either you were excited about what you were doing or you got an 11pm page from chuckr and consequently had a lingering doubt about your expected lifespan...

I am finding it very hard to comment on this without violating HN guidelines and throwing ad hominems. But I will try.

You see, the parent poster said:

> They got pushed to check-in code at 12a.m. for example.

This is ENTIRELY different from you, overly excited about some project, deciding to work late and pushing code at 12am of your own accord. There's absolutely nothing wrong with that.

Now, if you are EXPECTED to do it, outside major emergencies, then you have a problem.

What you call being "excited about working at 12am" I call "accepting being a corporate slave".

It’s perfectly reasonable to work at 12am, and there’s nothing in the parent comment to suggest that they’ve been working since 9am or so. Maybe they started working at 8pm. Modern work should be asynchronous. If your company cares about butt-in-seat time, it’s the one that’s wrong.

I don't think you can so glibly dismiss enthusiasm as Stockholm syndrome. Passionate people push the world forward, and mocking passion is a recipe for mediocrity and stagnation.

I think I'd just much rather spend the short time I've got left in my one existence doing things outside of work that actually make me happy and fulfilled, than being exploited for the benefit of the mostly rich and powerful and the illusion of "progress". If you truly get fulfillment from that stuff then more power to you, but I don't think the vast majority of people who are pressured to perform do.

Just because we have more "stuff" and more advanced "technology" doesn't make life more worth living. Happiness levels across society don't increase alongside productivity.

> I think I'd just much rather spend the short time I've got left in my one existence doing things outside of work

Okay. That's your choice. But having made this choice, don't complain when those of us who choose to devote more time to work receive greater rewards. There's nothing wrong with paying for performance.

Of course there is. If you are working 12 hours a day, how am I with my paltry 8 hours ever going to be considered for a promotion? I quite need it to keep feeding my family after all.

I can’t stop my bosses from judging based on time spent working (which is silly, but hey, we’re all human), but I sure can try to stop my coworkers from subscribing to such insane work hours.

Keep on living to work, brah. I'll feel less guilty clocking out early knowing you're there to keep things running. I bet you'll feel differently on your death bed.

There is something wrong with abuse.

On the flip side celebrating a culture where (allegedly) people are expected to toss out their personal lives and time (what is sometimes referred to as passion in some circles) is a race to the bottom. It means colleagues who DON'T do this are punished or replaced. Perhaps that's what you refer to as mediocrity, the unwillingness to put in long workdays that extend into night.

Do you think that I should be forced not to code after a certain time of day? I wouldn't work at a company that imposed this restriction.

I work at a company like this.

In fact, I need permission from my manager's manager's manager in order to stay past 7pm.

This company believes in a strong work-life balance, and this is one of the ways it achieves this.

Also, it "changes the world" in good ways, not by "connecting people" through bogus data siphoning addiction traps.

If you did, do you get fired? Genuinely curious: what happens?

Personally I strongly prefer no fixed working hours. If you want to work at night, so that you can do things when it’s light out (especially in winter), and you still get the expected results, what’s wrong with that?

A few workaholics create a culture where more people become expected to be doing stuff outside of business hours.

Also, lone wolves working at night are harder to manage and communicate with.

If you did, do you get fired? Genuinely curious: what happens?

Probably not fired. But the interior motion sensor alarms go on automatically at 7pm, which would probably alert the security guards that roam the campus.

When I first started, I came in too early once and set off the alarms. People were nice about it, but I was super embarrassed because I was a n00b.

Personally I strongly prefer no fixed working hours. If you want to work at night, so that you can do things when it’s light out (especially in winter), and you still get the expected results, what’s wrong with that?

I worked at a place like that once. When I was hired I was told I could make my own hours. I prefer to work early mornings, so some days I came in long before anyone else. A couple of times around 3am. But I always worked at least eight hours, and often more.

In my exit interview, my supervisor was rabid about how I wasn't a good fit because I "come and go as [you] please." She was so full of crap about other allegations against me that I didn't even have a chance to bring up that making my own hours was part of my employment deal.

I think the conversation above was more about people who put in very long hours because they're passionate and so forth, or they're obliged, or whatever the reason the 'company culture' is a certain way. I think flexible hours that you describe is a far more popular idea (and probably a good one if you ask me).

Yes, and it shouldn't be up to an employer to set that limit, but to regulatory bodies. Having people spend 12-14h a day working is not good in the long term, and expecting people to do that or else be fired is draconian.

It’s not that cut and dry. For a lot of reasons, I don’t do side projects. But I do choose jobs that are using technologies that will keep me marketable. So if I want to learn a new to me technology, I’ll often work some crazy hours to both learn the technology and get the work done.

Yes my company benefits from it, but so do I. For instance, given a choice of trying to come up with an idea to learn about a feature of AWS and pay money for the resources I use, and take advantage of my work AWS (Dev) account where I am an admin, I would rather do a work related project where I have the resources and I don’t have to come up with an idea and I don’t have to pay for it.

What I don’t do is “signal”. I don’t stay at work late, I don’t send emails out after hours, and I pushback if they give me unreasonable deadlines.

You’re not working.

Let’s say my team had a feature to get out and the React expert said he could do it in 30 hours and he could have it done by Monday morning without working extra during the week or on the weekend.

On the other hand, say it would take me 50 hours and I knew I would have to work on the weekend because I’m not as experienced, but I thought I could still have it done by Monday.

I might be willing to volunteer, knowing it would take me longer but it would also be done on time. For that extra 20 hours, I'm still working and committing code, but also trying to figure out the framework. I wouldn't have a problem doing that because I am learning a new skill.

But, I wouldn’t work weekends to finish a project because I was given an unrealistic deadline.

The first scenario, the extra 20 hours benefits me and the company. The second, it just benefits the company.

But... nothing about “12am” sets that expectation. You need to know when they started work.

I’m passionate about a lot of things, but not working at 12 midnight for a profit seeking company that I do not have a significant equity stake in.

Facebook is a cancer. It’s not “pushing the world forward.” It’s a phenomenal waste of energy.

Take those excited geniuses and have them work on preventing climate change from ruining all life on earth, instead of inventing new ways to profit off of people’s data.

There’s already a community of excited geniuses that work on preventing climate change - they’re called climate scientists, and their solution is a steep carbon tax. It could pay for a public interest ad campaign for recycling and energy efficient practices, distributed and targeted by the excited geniuses at Facebook. That way we can brainwash the Paleolithic know-nothing American public into behaving in a way that doesn’t destroy the planet.

Well, maybe this specific case doesn't apply to you, but enthusiasm and passion weren't the vocabulary used to describe many of my friends' experiences working late nights at fb.

I think I see the disconnect. Yes, passionate people move the world forward, but that's not every person, or every coder, or even every Facebook employee. Plenty of engineers just want to make a steady paycheck and live their comfortable life outside of work.

If Facebook's a grind, then that's something the employee has to figure out.

I think she probably meant that being passionate without meaningful equity is equal to being a corporate slave - even if ultimately company/world benefits, the person gets discarded/sacrificed at some point in a hierarchical structure with limited upward movement, not profiting from it in the future.

> Passionate people push the world forward

we're talking about Facebook here

What really freaks me out is the day Facebook die, what will happen to all of this data?

If you heard about the NCIX story where they basically abandoned their servers filled with users' data (over 13 years of data) and someone scooped them up and tried to resell them on the black market, one could think that a similar fate is possible.

source : https://www.privacyfly.com/articles/ncix_breach/

Obviously if Facebook was going under it would probably trigger a huge legal process on how to handle the data but it clearly doesn't happen for smaller businesses...

If they go under, they'll of course sell off their assets to the highest bidder. Their shareholders will demand they do so. Or it'll be auctioned off as part of declaring bankruptcy.

Your data is their primary asset.

Facebook as a company will never die. It's too diversified. Facebook as a product will die in the next 10 years.

And it won't matter because the data will be rolled over to drive ads on Instagram and Snap and other attention-properties.

Facebook is the IBM of social media. It's too big to die, and too big to do anything good.

> What really freaks me out is the day Facebook die, what will happen to all of this data?

Interestingly, Facebook owns your data. I believe if they wanted to, they could close the company tomorrow and put a facebook.tar.xz of everything they collected on archive.org or somewhere else.

No. You own your data stored at Facebook. Facebook just has a license to use it "as they wish" while respecting your privacy settings (i.e. uploading facebook.tar.xz is definitely not according to the privacy settings of most people).

At least that's what's written in the TOS or so.

If they did that with any European data, they would soon face criminal charges.

(Except if a European office of Facebook did it, then the nationality doesn't matter.)

I wonder if archive.org could actually store that much data.. and how long it would take to create a tar.xz of it.

What file systems would support a tar that big?

From Facebook's announcement: "After they have logged back in, people will get a notification at the top of their News Feed explaining what happened."

I personally did not get any explanation as to why I had to log back in. It did surprise me to be logged out this morning and was wondering why.

This is how you are treated when you're not a customer. Glad I left a couple of years back.

Nor did I, and I knew right away when it happened. Either my account was compromised or Facebook was.

Same situation here, I was logged out of all sessions and did not receive any notice.

Logged out of and back into what? Your mobile app? Your web browser tab that is left open indefinitely? I no longer use FB, so just curious. I know people that never log out of FB, and have closed their browser window/tab thinking that was good enough even though the "remember me" type option was checked. Opening a new window/tab to FB would show their account just like nothing happened because they did not log out. I know this is to FB's advantage of tracking all the things, but wow what a security nightmare.

There's no "remember me" option anymore, it always remembers. You have to log out manually and/or set your browser to delete the cookies and/or use Ghostery if you don't want FB tracking you all over the web...

The "View As" feature has caused a massive vulnerability in the past: https://techcrunch.com/2010/05/05/video-major-facebook-secur...

I bet they're now really regretting keeping it around.

Yeah, I thought this was old news I heard years ago, but I guess they broke it again.

If you watched the Senate hearing on privacy two days ago you'd have seen that they were remarkably on the same page about potential privacy legislation [1]. Facebook's continued fuck ups will only help the cause, and for that I'm grateful.

[1] https://www.c-span.org/video/?451963-1/google-apple-amazon-t...

Of course they're on the same page. They can afford the best lawyers and as much infrastructure as they need to fulfill the requirements, while every new competitor gets sued from all angles. I'd be very surprised if any of that regulation actually serves the user in any positive way.

I was talking about the Senators.

My girlfriend and I experienced a really weird bug in the past. We would see that Facebook said we were active in the middle of the night when we were definitely asleep. It didn't make too much sense then, but now it's possible that those instances might have occurred due to someone else accessing our accounts? Both of our accounts were logged out.

Did anyone else experience anything like that?

AFAIK if you have Messenger installed and you have an internet connection, Facebook displays your status as active.

So here is a question: my girlfriend only uses FB on her laptop, and always logs out when she's done. I usually make fun of her for doing this.

But does this mean most of the time that there was no active access token and she is mostly safe? (Excluding the windows of time where she was actively using FB) Do I have to take back all of my teasing?

I doubt it. The "View As" feature does not require the target to be currently logged in to Facebook AFAIK.

This is an interesting point. Right now, I can't reconcile the "we canceled active sessions thus logging people out" as a fix with the fact that "View As" was the attack vector.

I'm guessing they invalidated all access tokens for accounts that have been used as "View As" targets since the issue was introduced.

They also disabled "View As" which is the actual fix for the time being.

It's likely the fix required killing active sessions, which causes new keys to be generated on sign-in.

Logging out when finished with an online service is good practice. You should do it too. (and don't make fun of her) :-)

Possibly -- if the attacker accessed session IDs, they could potentially hijack the sessions of logged-in users. If you log out, most servers will destroy the session data on their backend, so there's no session that can be hijacked.

Only if the act of logging out explicitly invalidates the token on the server side

This is something I would suspect doesn't actually happen. FB wants to track all of the user's browsing habits, so maybe they just make the actual FB UI look logged out? Security-wise, it would seem to be more complicated by their desire to never let a user be logged out, and looks like it's complicated enough it is biting them in the backside. Oops?!

It’s not really that complicated, you have auth tokens and you have tracking tokens, and you wouldn’t want to mix them anyway because you also want to be able to correlate multiple accounts logged in from the same browser over time.

Me too. I always log in in incognito mode, check messages and notifications and log out.

The interesting part is that it is the second time (at least) that this is happening. In the past, when you were using "View As" you could read private messages without doing anything malicious (you were actually logged into the victim's Messenger account).

> This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.”

Obviously, Facebook is an extremely complicated system. But I find it hard to believe a video uploading feature would impact 'View As'.

It's very easy for me to believe. "View As" is an authorization and authentication sensitive, limited user impersonation feature. Video uploading interacts with, and complicates, authorization in an application with fine grained privacy and permission models.

It's intuitively straightforward that modifying code for uploading videos could (read: not should) have authorization and authentication ramifications. One of those ramifications could then result in a vulnerability chain compromising user impersonation functionality.

I have seen far, far more incredulous head scratchers in penetration tests and code reviews. The interaction boundaries of, or middleware between, two seemingly unrelated systems is generally a good start to look for a security vulnerability.

> It's intuitively straightforward that modifying code for uploading videos could (read: not should) have authorization and authentication ramifications.

I get this part. But why would it affect only videos and not other entities (photos, status etc.)? I would think creating (or uploading) any of the entities has the same authorization and authentication ramifications. What could be different for videos? Unless the privacy models are so fine grained that you can have different privacy settings for different entities (haven't used Facebook in years, so I don't really know). Your explanation makes sense, I'm just looking for a concrete example.

As someone who works specifically on user authentication stuff...

The problem is often that there are multiple sources of truth for who the user is. And if you have an impersonation feature, you by definition have two sources of truth: who the user actually is, and who the user is impersonating. It would just be a matter of a single mistake of using the wrong one.

Considering that "view as" requires your page view to render every control as the impersonated user but only when it comes to your profile, but renders all controls outside of your profile as the original user, I could see any engineering team dealing with some very carefully drawn and potentially confusing boundary cases.

Edit: just to elaborate, it's not just obvious impersonation contexts where this gets interesting. For example, linking your Humble Bundle account to your Steam account, or on Netflix which user you are vs. which email address is being billed. Many apps have a function to share some document using a one-time expiring token. If you're also logged in, then do you read permissions from the shared token or from your account? If you mix them, do you make sure anything that writes to this shared view can't touch your account itself on accident? We don't think about it much but I think you can see how these subtle distinctions are important when you are thinking about access control, and that makes it a breeding ground for subtle mistakes.
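As an added illustration of the "two sources of truth" point above (hypothetical Python written for this thread, not Facebook's code), this models a request that carries both the authenticated actor and a "View As" subject, shows the mistake of binding a credential to the rendered identity beside the correct version, and includes an audit check a defender could run over issued tokens. Names such as RequestContext, mint_token_* and audit_tokens are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RequestContext:
    """Identity state of one request (hypothetical model, not a real API)."""
    actor_id: str                      # authenticated principal: who really logged in
    view_as_id: Optional[str] = None   # impersonation subject for "View As", if any

    @property
    def impersonating(self) -> bool:
        return self.view_as_id is not None

    @property
    def render_as(self) -> str:
        """Identity whose perspective the profile page is rendered from."""
        return self.view_as_id or self.actor_id


# Bug-1 analogue: a special-cased post type lets a write-capable widget render
# inside an impersonation view where it should never appear.
def uploader_visible_buggy(ctx: RequestContext, post_type: str) -> bool:
    if ctx.impersonating and post_type != "birthday_greeting":
        return False
    return True


# Fixed: write widgets never render while impersonating, whatever the post type.
def uploader_visible_fixed(ctx: RequestContext, post_type: str) -> bool:
    return not ctx.impersonating


# Bug-3 analogue: the token subject is taken from the *rendering* identity.
def mint_token_buggy(ctx: RequestContext, scopes: List[str]) -> Dict[str, object]:
    return {"sub": ctx.render_as, "scopes": list(scopes)}


# Fixed: a credential is bound to who authenticated, never to who is being viewed.
def mint_token_fixed(ctx: RequestContext, scopes: List[str]) -> Dict[str, object]:
    return {"sub": ctx.actor_id, "scopes": list(scopes)}


# Narrow scope a video uploader should request, versus the broad scope the
# press call describes the token actually carrying (bug-2 analogue, constructed).
UPLOADER_SCOPES = ["video_upload"]
MOBILE_APP_SCOPES = ["video_upload", "read_profile", "read_messages", "post"]


def render_profile(
    ctx: RequestContext,
    post_type: str,
    visible: Callable[[RequestContext, str], bool],
    mint: Callable[[RequestContext, List[str]], Dict[str, object]],
    scopes: List[str],
) -> Optional[Dict[str, object]]:
    """Simulate the render path: if the uploader renders, it requests a token."""
    if visible(ctx, post_type):
        return mint(ctx, scopes)
    return None


def audit_tokens(
    issued: List[Tuple[RequestContext, Dict[str, object]]],
) -> List[Dict[str, object]]:
    """Detection check: flag tokens whose subject is not the authenticated actor.

    `issued` is a list of (request context, token) pairs, as a server-side
    token-issuance log would record them.
    """
    return [tok for ctx, tok in issued if tok["sub"] != ctx.actor_id]


if __name__ == "__main__":
    # Constructed scenario: alice is logged in and views her profile as bob.
    ctx = RequestContext(actor_id="alice", view_as_id="bob")
    bad = render_profile(ctx, "birthday_greeting",
                         uploader_visible_buggy, mint_token_buggy, MOBILE_APP_SCOPES)
    good = render_profile(ctx, "birthday_greeting",
                          uploader_visible_fixed, mint_token_fixed, UPLOADER_SCOPES)
    print("buggy chain issued:", bad)     # subject is bob, not alice
    print("fixed chain issued:", good)    # None: nothing rendered, nothing minted
    print("audit flags:", audit_tokens([(ctx, bad)]))
```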

They said they introduced a bug in the video uploading part in 2017. All was OK till then.

Sounded like the video stuff was added after "View As" was added, so it probably didn't go through the same level of scrutiny.

Maybe it has some complicated privacy rules?

Possible. Some more technical details would be nice, but I doubt Facebook releases the post-mortem to the public.

If I recall correctly this is not the first FB vuln relating to View As. I searched and can't find it, but I seem to remember there being a bug around 2009 where you could basically take over a friends' account by viewing your profile as them.

Is it wrong to be glad FB's reputation has tarnished (and stock price sideways) over the past year or so? For so long they've monopolized the talent pool in the Bay Area. If more people decide 1) they don't want to work at FB and 2) FB employees are itching to leave then I see any stain on FB's employment brand as a net positive to the greater tech + startup ecosystem.

They haven't monopolized talent, they pay for talent. Facebook paying high salaries has increased all of our pay, equity etc., whether you work there or not. The only thing this may be bad for is founders who are in a zero-sum competition with FB for talent and now need to spend more money and equity to get it.

This is a very short-sighted view. Yes it has some immediate benefit in terms of pay, but you have to consider the long-term societal tradeoff of not developing addictive mental candy for people or developing societally useful technologies (or vice versa, as it now stands). We can focus on getting paid a lot now, or on improving the wealth of everyone and generating the value we can all enjoy later.

> the long-term societal tradeoff of not developing addictive mental candy

Along with React, GraphQL and a bunch of other technologies with various degrees of popularity https://opensource.fb.com

Along with various startups building around the projects incubated at Facebook - Asana, Interana, Phacility, Qubole, etc.

Ok so React, GraphQL, and good pay. Definitely not short-sighted.

You don't think those technologies could have been developed by people at ethical companies, or even by the same people at ethical companies?

So why haven't they been developed by the time Facebook came around?

Why would it be remarkable that a few popular technologies come out of a big, rich technology company? People who create such technologies work at places like that. But there’s nothing about React or GraphQL that makes them only possible at Facebook.

A big, rich technology company has the resources to put people on the project full time and a revenue stream to justify such a broad architectural project.

There's also financial support for building a community around improving the tech, by encouraging outside contributions via meetups, conferences, social events, better technical documentation, etc.

At a smaller-scale startup an engineer is surely welcome to work on his skunkworks project, but justifying expensive large-scale architectural undertakings on the company's dime is problematic. Especially if a quicker fix is available and buys the company a chance to kick the problem down the road.

With that said, it's not impossible to build a major popular piece of technology within a small company (Joyent and Node.js being a good example), it's just harder.

You’re repeating what I wrote - Big tech is likely to produce new tech, but new tech comes from other places too.

This discussion is mostly irrelevant to the fact that this particular company is completely reckless and unethical. The technology they accidentally produce while building a dystopia to make people click on ads[1] does not justify anything.

1: https://youtu.be/iFTWM7HV2UI

The same reason Facebook didn’t develop them before they did.

React + GraphQL < B

Where B is the sum of the set consisting of:

-Breaking democracy in the US and the UK by being _the_ platform for disinformation.

-Disinformation assisting genocide in Myanmar.

-Use correlating strongly with poor mental health

-Manipulating behaviour to encourage poor attention spans for the sake of ad-clicking

-Constantly violating basic standards of privacy

-(I could go on..)

Oh wait, excuse my arithmetic. I forgot to add another JS framework like Relay to the LHS of the equation, that makes it a net positive from Facebook! :D

I don't think it's fair to blame FB for the decay of democracy in the information age. Surely Twitter is also to blame then. I think the blame is on the users. It's not possible to be perfectly informed. It is possible to keep your mouth shut if you don't know something for sure. Perhaps it's the fact that in real life, to say something you need to say it to someone's face, and on social media you don't have that social weight to carry. This makes people more likely to share misinformation. If this is the case, it's not the fault of social media, rather the fault of internet culture. More personal responsibility is the solution. Not an improved ML system to detect fake news.

Yes, Twitter is also to blame.

It is a problem inherent in the structure of most social media companies. And Facebook is the most significant social media company, and thus contributor to the problem.

I think the sadder part of this argument is that nobody outside of software engineers know or care what GraphQL is, yet it’s being touted as a “societal benefit”. How about the fact that my grandma with limited mobility can still attend church virtually through the Live feature? Regardless of how often the scions of the Valley disavow their own technology (I would /never/ let my children use our products!), there are a billion or so other people who actually use it to real benefit in their quaint little lives.

This argument I agree is far more compelling than "reductio ad JS library"

> Breaking democracy in the US and the UK by being _the_ platform for disinformation.

Blaming facebook for "breaking" democracy in the US and the UK is ridiculous. I can't understand how this can continue being a claim remotely considered valid. I agree (or may agree, at least in part) on some of the other points, but not on this.

Claiming that Trump won just because of the russians putting ads on facebook is at least naive - and ignores the fears/actual issues a very big* part of the US population experience daily. Isn't failing public schooling a problem there also? Does that give us citizen more or less prepared to actually participate in democracy?

Politicians (of all sides) in the UK have accused the EU of being the root of all evil since they "joined", again and again and again: you lost your job? Blame the EU! We can't cut taxes? Blame the EU! You really want to blame facebook and NOT the politicians themselves because people voted for brexit?

If the Russians tried to manipulate (and for sure they did, oh gosh, I'm pretty sure the US and the EU states never do - or did - anything to manipulate elections abroad! Evil Putin, why you do this to us? :cry:) we rolled out the red carpet for them!

Democracy was broken because actual journalists did not do their job. Stop doing what they (may) want you to do, using social media as a scapegoat for their own (willing, sometimes, for sure, at least if you read what Chomsky has to say) MASSIVE failure of being the "champions of truth" they claim (and blindly believe - I worked on somewhat close contact with them for years, I've seen that) to be.

OData was developed before GraphQL and pretty much does the same thing.

I agree with your premise, that many Facebook employees would give society a better return on its investment if they were employed elsewhere, but that's hardly Facebook's fault.

It's tempting to think that without Facebook they would get involved in cancer research or interplanetary travel, but given Silicon Valley's funding cycles, they would be more likely to end up building yet another food delivery startup or revolutionizing something by putting it on a blockchain.

Also, a bunch of recruiting venues exploited by Facebook are not that accessible to smaller startups.

E.g. one of the top previous employers for Facebook employees was Google (or some other outfit within Alphabet group, like YouTube). Most likely those people would've stayed at Google.

Another hiring source was university recruiting, which involves participating at job fairs at various universities, exhaustive days of back-to-back interviews, flying candidates for on-campus interviews, and eventually covering relocation costs (and potentially visas and immigration paperwork) for someone moving from Pittsburgh, Waterloo or Romania.

Would a smaller startup have the financial oomph to run a similar recruiting pipeline?

I didn't pin the blame on them. I place it as a cultural issue.

There's also its ostensible goal to connect people. I logged in for the first time in months just to see if I had been compromised. In about 15 minutes of goofing around, I got to enjoy countless happy baby pics posted by old college friends, and had a nice chat with someone I hadn't talked to in almost a decade, after I randomly commented on a status update. Then I logged off. I know that my kind of limited use is likely not the average scenario, and I can definitely understand people suffering when they get sucked in. But it's a site that does a damn good job of making it easy for me to find and interact with friends, and I don't believe the tech and design involved is trivial.

Still living in Europe, I must admit I always envied the people who work at Facebook, Google etc. This neutralizes my envy.

What makes Facebook "addictive mental candy" other than you not personally liking it?

I know lots of people who feel they get and have got tremendous practical benefit from Facebook. It isn't "addictive" unless you use that term to mean anything some people make that other people enjoy.

Here's a study:


"Our results showed that overall, the use of Facebook was negatively associated with well-being."

Naturally, even if this study is accurate it isn't definitive; the causation could go in the other direction, that the unhappy use Facebook more often than the contented. But it's still quite suggestive.

I saw this study referenced from this article: https://www.vox.com/policy-and-politics/2018/3/21/17144748/c...

A friend in HR who has friends in many of the Bay's companies told me that people at Google and other big companies hire to keep people away from other companies. Because they can.

So, yes, I believe they are trying to corner the market on the best programmers.

Wasn't Facebook part of the class action lawsuit that sought to suppress wages and colluded in anti-poaching between Intel, Apple, Microsoft, and Adobe?

They may pay more, but they collude to make sure people couldn't leave without going far outside the bay. That's a monopolistic trait.

I agree they weren't putting a gun to people's heads but they were making the environment less available.

I don’t think Facebook was part of that group. More importantly though, it was in the aftermath of that, where large companies started more aggressively poaching employees, that large company compensation ballooned and startups started to complain about the top large companies hogging talent.

How have they monopolized the talent pool? By paying their employees better than everyone else?

By hiring talent out of college when every other company's looking for 10 years of experience in Kubernetes.

Not sure if this was meant as a joke or not. I can certainly believe clueless HR doing that.

I was indeed alluding to stories of real job postings doing just that with other technologies (not Kubernetes specifically).

There is also prestige associated with big names like Facebook (and Google, Apple, etc.)

> there is also prestige associated to big names

I hate that this has happened. The Bay Area used to be a place where working for the big, shiny company that makes your parents happy wasn't prestigious. It was safe. But taking a risk and starting something new was admired. The present state of affairs reminds me of Wall Street.

What happened was that VCs started sucking up all the equity and it became not worth it from a risk-reward perspective for most people to work at a startup. This, coupled with companies staying private longer, meant that in the last 5 years, you were better off working at G/FB than a small or mid-sized startup.

e.g. https://www.slideshare.net/a16z/state-of-49390473/29-29Becau...

While VCs certainly played into this, I'd say founders merit the bulk of the blame. VCs are generally more amenable than founders to larger equity pools for employees. They're also much more enthusiastic about IPOs than founders, since they want liquidity events for their investments.

Thank you both. VCs and founders together have sucked up all the potential value of working for a startup, leaving only risk and below-market pay to employees. Until this changes, big name companies are not just safer but higher expected value.

It was a little different when you could afford to buy a house in the Bay Area without $2m in the bank.

Yes, so much this. There is a very real opportunity cost to forgoing high salaries (and this opportunity cost is front-loaded as well since home prices keep appreciating).

There was always a level of prestige associated with certain companies even in the 80s and 90s, no?

The tech industry, despite its shortcomings, is vastly superior to Wall Street in that regard. It's still a meritocracy above all else.

Plenty of smart people break into tech after doing something else for a few years. If you want to go into investment banking, you had better come from consulting or have already been working in finance. Your last bastion of hope is to get an MBA and then join the rat race.

I think that prestige only exists in the minds of some people who work there or have worked there. If I had a nickel for every time someone started a sentence with "well when I was at Google" for a scenario that is nothing like Google... Facebook's move-fast-and-break-things culture is fortunately a little less envied, in my experience.

The prestige most definitely exists and is especially relevant for people who don't have a strong public portfolio to show off their talent. An average developer from Google/FB etc. has an easier time getting access to opportunities than even an outstanding developer at a no-name company. Companies/hiring managers go through an implicit thought process along the lines of "if she/he went through Google she/he must be good", which opens doors and helps in salary negotiations.

Working at Google confers prestige among lay people as well, in my experience.

What other big companies are associated with similar prestige?

In the SV tech community, Dropbox, Uber, Snapchat, Spotify, Airbnb, Lyft, Netflix, Pinterest, Robinhood to name several.

Outside the tech community, probably Amazon, Microsoft, and Instagram (most people don't know Facebook owns Instagram).

Why is there a difference between inside and outside the tech community?

The economic success, brand awareness, and hipness of a company with the general public is only somewhat correlated with average level of engineering talent at a company. Different successful companies take different approaches to hiring - some focus on hiring a lot of reasonably competent engineers, while others focus on only hiring the best (and generally pay them a lot).

> some focus on hiring a lot of reasonably competent engineers, while others focus on only hiring the best (and generally pay them a lot).

Are you saying the latter two don't do that?

Based on their privacy issues, influence scandal, etc., it's scary to imagine what the company looks like without the best and brightest.

I think about this a lot too. All companies eventually decline or go through rough patches. A Google that's fighting for survival and losing money would be much more open to working with the Chinese government or selling user data to the highest bidder.

Trusting these entities based on their noble intentions today makes no sense to me if there's no legal agreement or regulation to restrain them tomorrow, when they get desperate.

Same could be said for Google.

Lmao. Very good point.

> Is it wrong to be glad FB's reputation has tarnished (and stock price sideways) over the past year or so?

No, not at all. Their positive reputation was in many ways unearned, and it's a good thing to be glad that their own actions and attitudes are finally catching up with them.

That's fine, but it would be okay with those of us who live elsewhere if maybe the tarnishing didn't come as a result of things like this.

They pay like 2x more than competitors that aren't big tech companies.

From everyone I know at top tech companies this isn't happening at all. If anything the stock dip was a good thing for new grads because they got more shares.

