Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Businesses Technology

Tech Companies Have a History of Giving Low-Level Employees High-Level Access (theoutline.com) 102

A reader shares a report (condensed for space): In the summer of 2010, Google fired a 27-year-old site reliability engineer named David Barksdale after it discovered that Barksdale had been accessing the Google accounts of four teens he met through a local Seattle tech group. The spying went on for months before it was reported, Gawker's Adrian Chen wrote at the time. In one incident Chen described, a 15-year-old refused to tell Barksdale the name of his new girlfriend; Barksdale broke into the teen's Google Voice account, listened to messages to get the name, then taunted him with it and threatened to call her. Google was contrite, saying publicly that it "carefully control[s] the number of employees who have access to our systems" and monitors for abuses by rogue employees. [...] The rogue Twitter customer service employee who momentarily deactivated President Trump's account on Thursday night brought this issue to mind. Twitter has 3,898 employees, according to Wikipedia, for 330 million monthly users, a ratio of one employee for every 84,658 users. This means that a single employee may have a ton of power over loads of users, but the value of a single user is low. Their privacy may seem insignificant in light of the greater mob. [...] At Uber, employees regularly abused its "God View" mode to spy on the movements of celebrities, politicians, and even ex-spouses.
This discussion has been archived. No new comments can be posted.

Tech Companies Have a History of Giving Low-Level Employees High-Level Access

Comments Filter:
  • All, really all, big organizations have this problem. Just ask Manning and Snowden; classic cases of too much access to too much information.
    So governments, corporations, every organization needs to give power over information and access to the lowly peons or those peons can't do the lowly jobs they are supposed to do.
    You can put in controls, access walls and shit, but if you do it, your administrative overhead will go through the roof. Someone like Google might sorta be able to pay for all of this, but it

    • Let's see, you want a low level employee to do a crapload of stuff that affects lots of users. YOu give them access to accounts. This is a surprise how?
    • Back in the 90's I worked in IT for the state govt. I found out in my first month that I had more access to the data systems than the Director or our agency.
      He had to call me to get access to certain accounts.

      Plus, I soon found out my IT badge would open every door in HQ. Security guard told me that "You computer guys are allowed to go anywhere."

  • In one incident Chen described, a 15-year-old refused to tell Barksdale the name of his new girlfriend; Barksdale broke into the teen's Google Voice account, listened to messages to get the name, then taunted him with it and threatened to call her.

    First this guy and then James Damore, Google hires some real winners...

    • by Anonymous Coward

      When you give them godly powers, they start acting like gods. You know, disguising themselves as golden "rain" and getting innocent ladies pregnant.

  • This story stinks of hand waving. Just because someone realizes that "account access" means "account access", doesn't mean it's high level access. When you add finer grained controls, you get middle tech who's sole job is to vet access (now the lower level just performs a bit of social engineering and it's old status quo).

    David Barksdale's story is a low level employee with low level access. If the application needs frequent adjustment at the account level, of course you hire a bunch of cheaper-than-average

  • by Anonymous Coward

    Back in the old days, the local Bastard Operator From Hell could read all of your mail on the local system. Now, Google is the global bastard reading the mail of everyone in the world.

    The people demand centralized monopolies. This is what the people get.

  • the CEO must review all code and deploy to machines... otherwise if you're writing code and deploying, you already have access to everything.
    • Our build server has access to prod, but I don't. I can still trigger the build though, so technically I'm deploying to prod.

      This is how it should be because there's a log of everything. Sure, I could write some script that exploits the build server permissions, but that script is in source control with my name on it and requires a code review.

      Some teams just suck at security. My last company checked the production security credentials into source control so that the deployer could access them. So anyone wi

  • >Twitter has 3,898 employees, according to Wikipedia, for 330 million monthly users

    Both Twitter and Facebook outsourced "user operations teams" in god forsaken places like Algiers, Albania, Tunis and so on.

    They do dirty stuff like porn filtering, and banning

  • by rsilvergun ( 571051 ) on Friday November 03, 2017 @02:48PM (#55485211)
    I've had lots of high level access over the years because I need it to do my job. I've also seen lots of overworked, overtired people in charge of massively important systems because in theory the work isn't that hard. The thing is, if you pay somebody minimum wage they live like somebody making minimum wage. Meaning their lives are a never ending parade of problems they can't solve. They're going to make mistakes, and you're going to pay for them. The only question is do you save more money by paying them like crap than you do cleaning up the mistakes. Depress wages far enough and the answer is 'yes'.
    • Well, software engineers aren't badly paid but if our wages kept up with inflation I daresay we'd be making twice what we do. Even in this field, this is absolutely true.
      • It's more the rank and file IT guys that keep the servers running that they're talking about. Actually, the software engineers tend to have almost no access at all since 90% of what they do gets done in test environments and then pushed to production.
        • Nope, even as a lowly QA contractor I've had production access at major tech companies. They didn't intentionally give me access but they also did a terrible job of protecting access.

          Case in point, several major recent data breaches involved default database passwords in production.

        • by pnutjam ( 523990 )
          Your assuming competency, the world is always building a better moron, moron's are highly optimized.
        • It depends. I've worked in devops shops where there was pretty cavalier access to production - which used to freak me out.
  • In other news (Score:5, Insightful)

    by stabiesoft ( 733417 ) on Friday November 03, 2017 @02:57PM (#55485291) Homepage

    Maids clean rooms of VIP's.

  • by The Optimizer ( 14168 ) on Friday November 03, 2017 @03:01PM (#55485313)

    I see many other posts making the same point, and I'll add my specific story from the 1980s.

    In 1987, I was doing some work for a local chain of auto-body shops that had some software to do job pricing. In the process of understanding how the business worked, I got to know some of the guys who did sheet metal, welding, body repair, mechanical, etc. These were your typical blue-collar young males for the most part.

    In the corner of the main shop area there was a dedicated terminal (VT100ish) and modem for connecting to the state DMV mainframe, where you could do basic queries. There were a couple legit uses for it, which is why the shop had it, but the only time I saw it used was by a couple of the guys who would enter the license plate number of cars they saw driven by pretty women, to pull up the registration info to find out the names and addresses of the car's owner. No checks or balances or access control; the logon info was taped on the side of the terminal. Any access logs would have been somewhere in Austin.

    Totally creepy stuff then, still creepy 30 years later.

  • by El_Muerte_TDS ( 592157 ) on Friday November 03, 2017 @03:03PM (#55485327) Homepage

    Level of employment does not equal trustworthiness of employees. In fact, often the higher you go the worse they get.

  • by Anonymous Coward on Friday November 03, 2017 @03:08PM (#55485371)

    In engineering school, that major didn't exist - nor does it anywhere. Is it like a "Sanitation Engineer"?
    Or "software engineer"? Or "domestic engineer"?

    I get calls all the time form recruiters saying I'm an engineer. I say, "No. I'm a programmer."

    "Oh, we're looking for engineers."

    "My bad. I just read specs and develop software according to those specs."

    "OHHHHHH! You are a software engineer!"

    "I am?!"

    "Yes!"

    "OK. So, what's a programmer?"

    "He's someone who takes specs and implements them in the programming language of choice."

    "Ah. So, what's a software engineer?"

    "He's someone who takes specs and implements in the programming language of choice using engineering principles."

    "Ok. So, Thermo is involved?"

    "What do you mean by 'Thermo'?"?

    "Never mind. So, whatever - programmer, engineer, god, ....whatever the title is, I'll take the job."

    "You have a problem with your attitude."

    "....."

    • by Anonymous Coward

      This is slashdot, and serious technical discussions aren't had here anymore, but I'm willing to try.

      Serious answer: a site reliability engineer is someone that implements best-practices and theories regarding incident response, disaster recovery, business continuity, high availability, and graceful failure at a singular geographic location

      It is an important job that does save companies far more money than any singular engineer of other persuasion can create. Without at least hiring a consultant to do the wo

  • by ctilsie242 ( 4841247 ) on Friday November 03, 2017 @03:10PM (#55485385)

    This is not surprising in the least. On a physical level, the person who likely has the most access is the janitor or cleaning staff.

    Almost any access can be abused, if someone feels vindictive enough. An electrical worker can toss a dead rat in an opened panel, and the arc flash likely would take out a good amount of power in the building.

    Having access controls to minimize things are critical, but even with those in place, there is a point where the problem changes from a technological issue to a HR issue, of why someone is that pissed and vindictive in the first place... and why they were cleared for access.

    • by tomhath ( 637240 ) on Friday November 03, 2017 @03:16PM (#55485435)

      On a physical level, the person who likely has the most access is the janitor or cleaning staff.

      Back in the day, the people companies worried most about were the secretaries. They knew everything because they typed up and made the copies of everything. Today we have sysadmins and customer support, same deal. And get off my lawn.

    • some times the only locks on power panels are the lock out / tag out ones.

      • some times the only locks on power panels are the lock out / tag out ones.

        Most deadfronts unscrew from the box--1/4" Flathead or #2 Robertson. To quote the US Army: "Locks are delay devices".

      • by pnutjam ( 523990 )
        That's true in residential areas too, it's easy to walk by and pop your neighbors power off.
  • by gweihir ( 88907 ) on Friday November 03, 2017 @03:15PM (#55485423)

    Hence they need "high level" access. This is well-known and unlikely to change.

  • by Anonymous Coward

    Great Jeebus Almighty. People have insisted on giving all human communication to either Google or Facebook. Email for example used to be distributed - if your local BOFH was malicious, at least he didn't have access to the entire world's email, at once. But no, that wasn't good for the mouth breathing masses. Everyone insisted that a couple of advertising companies should get access to everything. All email, all instant messages, all voice chat.

    Because, of course, advertising companies have our best in

  • by mysidia ( 191772 ) on Friday November 03, 2017 @03:24PM (#55485491)

    The ability to login to a customer's account and check basic information to verify identity, reset a password, or turn off an account is NOT high-level access.

    Minimum wage customer service representatives REQUIRE this level of access to customers' accounts to answer basic support requests or investigate problems. When Xyzuser calls in or e-mails to request their account disabled or request a troubleshooting assist, some low-level user is going to answer this request.

    There's no way around that, other than companies SHOULD be very tight with auditing, and make sure to challenge any action on a customer account that doesn't have an explanation and a support ticket opened by someone else.

  • by Anonymous Coward

    Was asked to give a relatively low level employee administrative access to a system of ours facing customers. I thought it was a test, so I refused. Then got escalated to executives and had to relent. It didn't have any sensitive data on it, but the integrity of the data was important.

    Of course prior to relenting, I took all legitimate content update channels offline, made a backup, and then blew the system away and restored from backup when that employee was done, to be extra paranoid.

  • by Austerity Empowers ( 669817 ) on Friday November 03, 2017 @03:29PM (#55485545)

    This isn't high level access. High level access means telecom, email and backup files of senior execs, possibly access to the people in question to support them, proximity to their cubes, permission to listen in on board meetings, that sort of thing. These high level employees aren't usually very good with data (or any more discrete), you probably wouldn't necessarily want them managing it.

    It's all necessarily low level access. But clearly they are not protecting customer data well, or putting a high value on privacy.

  • by rickb928 ( 945187 ) on Friday November 03, 2017 @03:35PM (#55485591) Homepage Journal

    I work for a well-known financial company. I guarantee you that if I accessed the information of any even marginally well known celebrity, public figure, even a notable individual, I would be asked why and expected to offer clear evidence of the need. I occasionally see personally identifiable information for any of our clients, and I do not pursue any I happen to come across that I recognize, and of course I would not.

    I would also be asked if I accessed MY information - that usually results in one warning. Then dismissal.

    But it's evident these Internet companies haven't worked out the confidentiality protections they should have in place, and so we read these reports. Kinda sad.

    • by Anonymous Coward

      The big difference is that the financial services sector has monetary and legal reasons for not fucking around with this stuff. Twitter... um, it's a glorified wall for putting shit up, and they've only lost what, like 2 billion, and just now are they maybe going to break even this quarter?

      To put it another way, you're at a financial company, and you close your doors and take all the info with you, you could be in a ton of trouble, because you own the money of all of these people. Twitter closes its doors

    • See, you're doing it wrong.

      You steal your coworkers credentials and use that to access that information.

      You would be impressed with the information you can gather by setting up a mirror port on a switch paired with wireshark.

      • 0. Using a co workers's credentials gets your both fired on the spot.

        1. Physical access to networking equipment is restricted by lock and key. Installing a switch of your own world be grounds for dismissal and prosecution. It's been tried.

  • by chispito ( 1870390 ) on Friday November 03, 2017 @03:36PM (#55485601)
    Every website or service I've ever supported allowed the tier one support to disable an account. That's not the same as deleting an account and in many cases it's essential.

    Take Twitter: If an account is taken over and used for malicious purposes, you want the first level support to be able to freeze it without having to go through a bunch of checks. That's not really that high a level of power, it's what's required to do the job.
  • by hey! ( 33014 ) on Friday November 03, 2017 @03:57PM (#55485771) Homepage Journal

    Think Bradley/Chelsea Manning an E-4 specialist who was entrusted with access to an astonishing breadth of sensitive information. Manning was, according to other soldiers, bullied to the point of a nervous breakdown during basic training, and yet even after that they moved him (as she was then) right into training as an intelligence analyst.

    Assange cultivated Manning with methods anyone who'd read a LeCarré novel: pick out someone emotionally vulnerable and work to gain their trust.

    Somebody's got to handle the grunt work of managing sensitive information, either in the military or private sector; but it's not going to be someone who spent four years at West Point or getting an engineering degree. But just because a job doesn't require *those* particular credentials doesn't mean anyone can or should do it.

    The problem isn't that low level people have access to sensitive information; the problem is that organizations are sloppy about hiring people for those positions because they aren't high status jobs.

    • the problem is that organizations are sloppy about hiring people for those positions because they aren't high status jobs.

      This is exactly the issue. Sometimes you have to pay well for a low-skill job because you don't want to risk having an idiot or a junkie doing it.

      Somewhere, someone paid good money for a background investigation so that someone else could be a janitor. Because even the most sensitive labs have floors and bathrooms, and you don't pay an engineer $200K to clean the tiles and unclog the toilets.

      Skills, reliable performance, and trustworthiness all play into an individual's value in the labor market, and some c

  • by supernova87a ( 532540 ) <kepler1@NoSpaM.hotmail.com> on Friday November 03, 2017 @04:03PM (#55485819)
    I don't think the problem is "tech companies have a history of giving low level employees high level access".

    I think the issue is "tech companies give many employees priviliges to do things because it works, and then those things have unexpectedly important consequences that weren't realized because it's a young company doing something no one else did before".
  • by fahrbot-bot ( 874524 ) on Friday November 03, 2017 @04:04PM (#55485833)

    At Uber, employees regularly abused its "God View" mode to spy on the movements of celebrities, politicians, and even ex-spouses.

    And, yea, on the Seventh day, God saw that the driver was at 5th and Elm and that it was Good. (... insert chanting in Latin ... )

  • Many years ago I was a entry level Data Tech that started at a very tender young age at a now very big tech company. Most of the time we were the ones doing the system level troubleshooting that required high level access, we did all the troubleshooting from oracle DB performance issues, to fixing the entire phone systems when it would crash on the weekends. We had global sudoers access, we had the master local passwords for all of the network gear, and we had a bunch more access. The only access we did

  • by Anonymous Coward

    For starters, let me state that it's my opinion that this Google person did something truly disgusting.

    But what I find even more disgusting is that this person is mentioned with his full name in global, regular media. He is only 27 years old. He has to work for about 40 more years. Was it really neccessary to destroy his life over this? I don't think so.

    Where I live it is common that even the heaviest criminals' identities are protected. More often than not only their first name and the first letter of the

  • I assume you mean front line or customer facing. So thank you for showing your contempt for these people msmash.

    You have to give these people all these powers but ideally you audit them and have a way of backing out any changes they make. (The only thing I can think of that you really can't back out of a system is if someone reports you dead to the credit bureau. Sorry Jesus). The admins, programmers and anyone else who has access to the raw data generally are not audited.
  • Lets just hope he wasn't able to use his access to create a communications network for a drug gang that the police couldn't listen in without some sort of court approved measure.
  • So on this note, how much access do you all have at your company and where do you sit in the corporate food chain ?

    Me, I'm just a faceless employee. One who has enable mode access to nearly every router and switch ( even the core systems ) in the entire company. Scary level of power if you think about it.

    Someone has to do the work though and it certainly isn't going to be some executive type who wouldn't know what an enable mode prompt looked like if you threw it at them.

    So, many tech companies ( especial

  • You want an oncall person to be able to quickly stop a contraversy or even a legal liability to the company. So if a Twitter employer sees a lot of crap coming out a high profile account, you want to be able to quickly shut it off to limit damage.

    Oh wait...

You are always doing something marginal when the boss drops by your desk.

Working...