
Facebook Security Chief Says Its Corporate Network Is Run 'Like a College Campus' (zdnet.com)

An anonymous reader quotes a report from ZDNet: Facebook's security chief has told employees that the social media giant needs to improve its internal security practices to be more akin to a defense contractor, according to a leaked recording obtained by ZDNet. Alex Stamos made the comments to employees at a late-July internal meeting where he argued that the company had not done enough to respond to the growing threats that the company faces, citing both technical challenges and cultural issues at the company. "The threats that we are facing have increased significantly and the quality of the adversaries that we are facing," he said. "Both technically and from a cultural perspective I don't feel like we have caught up with our responsibility. The way that I explain to [management] is that we have the threat profile of a Northrop Grumman or a Raytheon or another defense contractor, but we run our corporate network, for example, like a college campus, almost," he said.
  • Hacked (Score:5, Interesting)

    by geekymachoman ( 1261484 ) on Friday October 20, 2017 @03:47AM (#55402017)

    Well, considering their 1.2 billion people DB hasn't leaked .. I guess they're doing an OK job, compared to let's say yahoo... who have been hacked like 3 times in 5 years? Or linkedin. Or equifax.. or ..

    • Re:Hacked (Score:5, Interesting)

      by Opportunist ( 166417 ) on Friday October 20, 2017 @03:56AM (#55402043)

      Well, if you run your network like a college campus, you probably wouldn't know if you're being hacked.

      So ... let's put it that way, when you're blind, you can't see the elephant standing in front of you as long as he doesn't step on your foot.

      • Re:Hacked (Score:4, Interesting)

        by Anonymous Coward on Friday October 20, 2017 @05:24AM (#55402185)

        OR, if you're running a college campus network, you assume it's the worst combination of raw internet and bored / mischievous students; so the network itself you treat as untrustworthy and build better systems on top. You assume constant hacking so you build systems tough rather than complacently relying on 'defense contractor firewalls'.

        Let's hope that's what's happening.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Yeah, when I read the headline, I thought they were explaining that running it like a college campus is the *right* way to do it. It pretty much is. I'd be more concerned that their chief of security doesn't understand how colleges are successful at running such open networks.

        • Re:Hacked (Score:4, Interesting)

          by skids ( 119237 ) on Friday October 20, 2017 @09:22AM (#55403289) Homepage

          Pretty much... I've had to evaluate security solutions hailing from the corporate sector for application in .edu, and I have to say so many of them put a disturbing amount of trust on their ability to lock down the client OSes. Now this makes them pretty much useless in an environment where joining the majority of devices on the network to a domain or MDM is just plainly not an option (the users won't stand for it and even if they did, we have continuing ed users with conflicting configs on the work laptops from other companies which they bring to class). But even if we were able to do so, you should pretty much never trust client machines, even if you've gone all in on the even-with-TPM-won't-even-boot-BIOS-unless-connected-to-a-cloud-verification-service crap. You have to harden the infrastructure as if it were an internet-facing service (while still doing what you can on the network layer to restrict access and at the OS layer to keep machines updated).

        • by Anonymous Coward

          It depends on the college campus. I have witnessed places that are mind-blowing in their insecurity. They would have been considered insecure in the 1990s yet still operate today.

          The worst included a single VLAN spanning an entire building and including machine rooms, staff offices, student offices, labs, and conference rooms. Every computer in this network has a public IPv4 address and no firewalled ports except what they enforce locally in the computer. They even have some cargo-culted, DMZ-like subnet w

      • Well, if you run your network like a college campus, you probably wouldn't know if you're being hacked.

        So ... let's put it that way, when you're blind, you can't see the elephant standing in front of you as long as he doesn't step on your foot.

        I'd be a little worried though if I was a present employee. The cultural differences between the two areas, college campus and defense contractor are pretty extreme. And it may be presumed that they have people of the college campus mindset at present. So when do they start lining up the employees for the polygraph tests?

      • by Anonymous Coward

        If I were blind I still wouldn't see the elephant if it steps on my foot. That would be a miracle!

    • Re: Hacked (Score:3, Funny)

      by Anonymous Coward

      I visited their so called "campus". It is fucking filth, with kiddies running around I thought it was a kindergarten. Who the fuck in their mind is trusting zuckerburger with security.

    • Re: (Score:3, Insightful)

      by GuB-42 ( 2483988 )

      Well, I wouldn't be surprised if some college campuses have better security than some defense contractors.
      Especially if said campuses teach computer security, and there are hundreds of wannabe hacker students inside it and renowned security researchers in their ranks.

      • One example (Score:4, Informative)

        by sjbe ( 173966 ) on Friday October 20, 2017 @06:28AM (#55402379)

        Well, I wouldn't be surprised if some college campuses have better security than some defense contractors.

        I cannot speak for every defense contractor but I've worked at one in the past and with a few as a vendor and I can assure you that their security (physical and IT) was CONSIDERABLY tighter than any college campus I've ever seen, at least where I was working.

        • Re:One example (Score:4, Interesting)

          by GuB-42 ( 2483988 ) on Friday October 20, 2017 @07:48AM (#55402767)

          And I've worked with defense contractors with abysmal security... They had safes, paper shredders, badges, special networks, all that stuff but it was just a facade. People shared passwords and used personal USB keys to transfer data, it took so long getting physical access that tailgating was the norm, airgaps weren't, outdated software, the IT department was so incompetent that bypassing it was almost a requirement for getting things done. While working there, I stumbled upon several gross vulnerabilities without even trying.
          At school, students had much more freedom but at least the network was sane, and the IT department was not the friendliest place on earth but they did the job.

    • Sloppy? (Score:4, Insightful)

      by sjbe ( 173966 ) on Friday October 20, 2017 @06:12AM (#55402307)

      Well, considering their 1.2 billion people DB hasn't leaked ..

      If it's run that sloppily then it might have already happened and they/we just don't know it yet. My suspicion is that it is merely a matter of time before Facebook has some form of catastrophic data breach.

      Honestly I'm not even a tiny bit surprised that Facebook is sloppy. They have a looooong pattern of not giving a shit about the people who use their service and being alarmingly relaxed (for lack of a better word) with privacy and the rights of their users. This is just another example of why I don't trust Facebook and do not have an account with them.

      I guess they're doing OK job, compared to let's say yahoo... who have been hacked like 3 times in 5 years ? Or linkedin. Or equifax.. or ..

      Talk about damning with faint praise...

      • Re:Sloppy? (Score:4, Insightful)

        by gnick ( 1211984 ) on Friday October 20, 2017 @08:46AM (#55403081) Homepage

        This is just another example of why I don't trust Facebook and do not have an account with them.

        You never signed up for an account with them. That doesn't mean that there isn't a nice fat DB entry with your name and all the information they can gather. Did you sign up for Equifax?

        • This is just another example of why I don't trust Facebook and do not have an account with them.

          You never signed up for an account with them. That doesn't mean that there isn't a nice fat DB entry with your name and all the information they can gather. Did you sign up for Equifax?

          Install noscript and look at the scripts it's blocking. Look 'em up to see who's collecting the data. Facebook is tracking you even if you've never had an account there.

        • You never signed up for an account with them. That doesn't mean that there isn't a nice fat DB entry with your name and all the information they can gather. Did you sign up for Equifax?

          Oh I'm well aware they are trying to gather data on everyone. I also cannot stop my idiot friends and family from posting information and pictures about me. Nevertheless I'm not going to cooperate with them and I make pretty heavy use of software to block advertisers and others who want to track my actions on the net. I'm sure information leaks through but they don't have nearly as much on me as they could if I took no measures and they don't have information voluntarily from me.

    • "Well, considering their 1.2 billion people DB hasn't leaked .."

      Leaked? You just have to download the whole thing, you get everything.

    • I'm not sure there's any good reason, other than the bragging rights, for the kinds of organizations behind the big corporate breaches over the last few years to hack them when they're just going to end up competing with Facebook themselves in actually selling that data. No point in buying that data from an illegitimate source when you can get the exact same data perfectly legitimately from the original source.

    • by mccrew ( 62494 )

      Well, considering their 1.2 billion people DB hasn't leaked .. that we know about.

      FTFY :)

    • I would so love to be able to be freely able to query their database.

    • by epine ( 68316 )

      Well, considering their 1.2 billion people DB hasn't leaked ...

      Jason just called. He wants to know if you're his daddy.

  • Fires and employee uprisings and the members of the board running around going "NAZI!" and punching random people...

  • College Campus? (Score:5, Interesting)

    by Big Hairy Ian ( 1155547 ) on Friday October 20, 2017 @06:10AM (#55402299)

    Speaking as an IT Professional working at a large University I can assure you we take network security very very seriously. I believe Facebook would be envious of our network security teams.

    • by Anonymous Coward

      Speaking as a developer who has worked with defense contractors, I can tell you that they take checking off government checklists of what qualifies as "secure" very seriously, but that's about it. As long as they can say "we followed the checklist!" and point fingers back at the government, they don't care even a little about true security.

  • by Anonymous Coward

    A college campus network in the late 90s was as close to "free flow of information" as you can get. Nowadays there are firewalls everywhere. The last university network I was on didn't even allow NTP syncs with external servers.

    • by Anonymous Coward

      You are not kidding. I currently work for a pretty large university and every dorm room's switch port is on a solo VLAN with the uplink port, so no two ports can talk to each other. Even more, every port is only allowed one MAC address, which a user must pre-register with IT. In other words, students cannot have two computers talking to each other at all, unless they buy their own switch and do it locally (which is against the AUP of the university, even if their private LAN is airgapped). That means studen

      • by skids ( 119237 )

        One MAC address per port is a bit on the extreme side for a residential user hospitality port... probably they have just not yet bought equipment capable of multi-client wired MAB/dot1x thus the one-MAC-address limitation. Registration of your MAC addresses is absolutely essential for security as, with wired dot1x and a cert bearing your registration, you can shut down a huge number of amateur-skill attacks by doing that (and if you haven't gotten all the way to wired dot1x yet and are still using MAB, you

        • Honest question. Since MAC spoofing is apparently easy (https://en.wikipedia.org/wiki/MAC_spoofing), why is registration of your MAC addresses "absolutely essential for security"?

          • by skids ( 119237 )

            Well, most places haven't gotten to quite this level yet, when combined with an EAPOL EAP-TLS/dot1x you register your MAC address, you get a client cert containing that MAC address, and the switch will not let you on using a different MAC address than one you have registered. Presumably you don't allow double-registrations, of course. (Further past that you can close the last of the wired MITM vectors with MACSec but that requires rather new switches still.)

            But even with (yes, easily spoofable) MAC address
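The two skids comments above describe a port-authorization decision in which a registered MAC address is bound into an EAP-TLS client certificate, so that a spoofed MAC alone (the weakness of plain MAC Authentication Bypass) is no longer enough to get onto the wire. The following is an added example that models that decision; it is not code from the thread or from any NAC product. The registration table, the user names and MAC addresses, and the idea of carrying the registered MAC as a plain attribute of the certificate are all constructed assumptions for illustration.

```python
"""Toy model of the wired 802.1X / MAB port-authorization decision.

Added example, not code from the Slashdot thread or from any real NAC product.
The registration table, MAC addresses, user names and the assumption that the
registered MAC travels inside the client certificate are constructed here.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed registration table: MAC address -> the user who registered it with IT.
REGISTRATIONS = {
    "00:11:22:33:44:55": "alice",
    "66:77:88:99:aa:bb": "bob",
}


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so '0011.2233.4455' and '00-11-22-33-44-55' compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def register(mac: str, user: str, table=REGISTRATIONS) -> None:
    """Registration step; refuses double-registration so each MAC maps to exactly one owner."""
    mac = normalize_mac(mac)
    if mac in table and table[mac] != user:
        raise ValueError(f"{mac} is already registered to {table[mac]}")
    table[mac] = user


@dataclass
class AccessRequest:
    """What the switch forwards when a device appears on a port (loosely modelled on RADIUS attributes)."""
    calling_station_id: str           # MAC the switch observed on the port
    method: str                       # "mab" or "eap-tls"
    cert_valid: bool = False          # EAP-TLS: did the client cert chain to our CA?
    cert_user: Optional[str] = None   # EAP-TLS: identity named in the cert
    cert_mac: Optional[str] = None    # EAP-TLS: registered MAC embedded in the cert (assumed)


def authorize_mab(req: AccessRequest, table=REGISTRATIONS) -> Tuple[bool, str]:
    """MAC Authentication Bypass: the only credential is the (spoofable) source MAC."""
    mac = normalize_mac(req.calling_station_id)
    if mac in table:
        return True, f"MAB: {mac} registered to {table[mac]}"
    return False, f"MAB: {mac} not registered"


def authorize_eap_tls(req: AccessRequest, table=REGISTRATIONS) -> Tuple[bool, str]:
    """EAP-TLS with MAC binding: the cert must validate, its embedded MAC must equal
    the MAC seen on the wire, and that MAC must be registered to the cert's subject."""
    if not req.cert_valid or req.cert_user is None or req.cert_mac is None:
        return False, "EAP-TLS: no valid client certificate"
    wire_mac = normalize_mac(req.calling_station_id)
    cert_mac = normalize_mac(req.cert_mac)
    if wire_mac != cert_mac:
        return False, f"EAP-TLS: wire MAC {wire_mac} != certificate MAC {cert_mac}"
    if table.get(wire_mac) != req.cert_user:
        return False, f"EAP-TLS: {wire_mac} is not registered to {req.cert_user}"
    return True, f"EAP-TLS: {req.cert_user} authorized on {wire_mac}"


def authorize(req: AccessRequest, table=REGISTRATIONS) -> Tuple[bool, str]:
    """Dispatch on the method the switch used for this port."""
    if req.method == "mab":
        return authorize_mab(req, table)
    if req.method == "eap-tls":
        return authorize_eap_tls(req, table)
    return False, f"unknown method {req.method!r}"


def run_scenarios(table=REGISTRATIONS) -> dict:
    """Constructed attempts; the spoof_mab case is the one MAB alone cannot catch."""
    alice_mac = "00:11:22:33:44:55"
    attempts = {
        "alice_mab": AccessRequest(alice_mac, "mab"),
        "spoof_mab": AccessRequest("0011.2233.4455", "mab"),        # copied Alice's MAC, no cert
        "spoof_eap_no_cert": AccessRequest(alice_mac, "eap-tls"),   # same, but port requires EAP-TLS
        "alice_eap": AccessRequest(alice_mac, "eap-tls", True, "alice", alice_mac),
        "alice_cert_wrong_wire_mac": AccessRequest("66:77:88:99:aa:bb", "eap-tls", True, "alice", alice_mac),
        "bob_cert_claims_alice_mac": AccessRequest(alice_mac, "eap-tls", True, "bob", alice_mac),
    }
    return {name: authorize(req, table)[0] for name, req in attempts.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}")
```

Running it shows the contrast the comments draw: with MAB, a copied MAC is accepted exactly like the real owner's device, while under EAP-TLS the same attempt is rejected for lack of a certificate, and a genuine certificate is rejected as soon as the wire MAC disagrees with the one bound into it or with the registration table. The model stops at authorization; MACsec, which skids mentions for the remaining on-wire MITM vectors, is outside its scope.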

      • students cannot have two computers talking to each other at all, unless they buy their own switch and do it locally.

        You mean unless they run a NAT gateway and communicate which high numbered port to use for their service.

  • If he wasn't "former" at the disclosure, he surely will be shortly after.

  • by enjar ( 249223 ) on Friday October 20, 2017 @09:00AM (#55403167) Homepage

    Running joke from my buddy that works at a defense contractor is that if you can do your job, the network isn't secure enough. It's amazing the hoops he has to jump through to perform functions and obtain permission to perform functions that are actually enumerated in his job. Oh, and of course, they are told to just assume the network is compromised, anyway. There are good security reasons for some of the restrictions, of course -- but there's no denying that having a very locked down network requires significant investment on the IT side as well as slowing down the jobs of the people actually trying to use the network.

  • I am surprised that a Facebook exec would publicly admit a failure like that! Worse, I am surprised said exec would have even allowed such an insecure network. Well, I am glad I gave up my Facebook account! Fuck Zuck.

  • by ErichTheRed ( 39327 ) on Friday October 20, 2017 @09:41AM (#55403453)

    The problem is that it's very difficult to resolve "move fast and break things" developers with anything approaching information security. If you run an extension of a college campus like Facebook does, you're going to get a college campus mentality.

    I can see why they are concerned though...Facebook has become the de facto identity provider for almost every consumer website. That "sign in with Facebook" button lets developers assume that Facebook will keep login details for millions of users safe. Microsoft has this same problem with Office 365/Azure AD and they've gone to great pains to explain what they're doing around security. Any time you are providing a vital service that others are counting on, and you have people's personally identifiable information stored, you can't put that in a college campus environment.

    • by skids ( 119237 )

      FWIW, "move fast and break things" developers don't generally last very long in college environments. Software dev runs at a snail's pace because everyone is actually using the software for important things, and when it breaks, there is hell to pay from the users... and the users are only a short walk away from you.

  • Employees are f-ing like monkeys, drinking like sailors, and staying up all night to try to finish that last bit of code which ultimately results in a D+ grade?

  • Lots of people outraged that their network is run like a college campus, no one looking at what he meant by that phrase.

  • If what he claimed were true, FB would've had a major breach already. This sounds more like internal political jockeying rather than valid concerns.

  • Security people won't be happy until everyone has chips implanted and nerve stapling capability.

  • You have a great career in front of you. Employed a few myself. Great combo of open network experience with hardened systems with thousands of smart little shits ( technical term ) trying it on daily.
