
My key takeaway from the Facebook "whistle-blower" is how lax Facebook's internal security is. Many have pointed out that Frances Haugen was essentially a nobody within the organization. A mid-level employee who didn't make key decisions or have particularly privileged account-level access. She said herself that ANY employee could have copied the same documents she did.

If Facebook is that lax with their own internal documents then I have to assume that their user account security is no better than at any company I've worked for as a software developer - which is to say completely non-existent.

As far as I'm concerned, anyone who uses Facebook, Instagram, WhatsApp or any other FB-owned company is as good as making all their information, including DMs, public.



That's a really dumb takeaway. What does the openness of documents like that within the company possibly have to do with the company's security? How do you even connect those two? Your theory is that a company that chooses to be open among employees and not lock down simple research documents somehow must be bad at security?


You're dropping context.

Frances Haugen is being dubbed a "whistle-blower." The documents that she leaked have been damaging to the company. In addition to that, she said that she was expecting IT to flag her account activity and ask her what she was doing, but it never happened. So Frances herself described the access control policies as lax.

Security begins with risk assessment. You identify your assets and how they may be vulnerable. You then model your security protocols accordingly.

In my experience, this is almost never done. The typical approach to security is reactive, not proactive. And when proactive approaches are done, it is usually done with an eye towards covering the company's ass rather than giving the slightest concern to the interests of their users.

That's how I arrive at my conclusion. If Facebook takes such a lax approach to their own internal security, that means they likely have a perimeter approach to security, rather than a layered one. They may try to block attacks coming from without but have few measures in place with regards to segregating, isolating and restricting once within.

All of this is speculative of course. Facebook might be the one single example of a company that actually takes some serious measures to protect their users' data while not being as concerned with their own internal data. I suppose such a unicorn is plausible. I just don't consider it very likely. I've never seen it happen once in my 25 years of industry experience.
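As an added illustration of the kind of account-activity flagging the comment above describes as never happening (this is example code written for this discussion, not part of the thread and not anything Facebook runs): a small Python script that parses a constructed internal document-access log and flags any user whose count of distinct downloaded documents sits far above the rest of the population. The log format, user names, document ids and thresholds are all assumptions made up for the example.

```python
"""Flag employees whose bulk document retrieval departs from the norm.

Constructed example: the log lines, user names and document ids below are
invented for illustration and do not come from any real system.
"""
import re
import statistics
from collections import defaultdict

# Assumed log format: <timestamp> <user> <VIEW|DOWNLOAD> <doc_id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<action>VIEW|DOWNLOAD)\s+(?P<doc>\S+)$"
)

# Constructed sample log; one user pulls many more distinct documents than peers,
# and one line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2021-09-01T09:00:01Z alice VIEW doc-1001
2021-09-01T09:02:17Z alice DOWNLOAD doc-1001
2021-09-01T09:05:44Z bob VIEW doc-2001
2021-09-01T09:06:02Z bob DOWNLOAD doc-2001
2021-09-01T09:07:03Z carol DOWNLOAD doc-1001
2021-09-01T09:07:09Z carol DOWNLOAD doc-1002
2021-09-01T09:07:15Z carol DOWNLOAD doc-1003
2021-09-01T09:07:21Z carol DOWNLOAD doc-2001
2021-09-01T09:07:27Z carol DOWNLOAD doc-2002
2021-09-01T09:07:33Z carol DOWNLOAD doc-2003
2021-09-01T09:07:39Z carol DOWNLOAD doc-3001
2021-09-01T09:07:45Z carol DOWNLOAD doc-3002
2021-09-01T09:10:00Z dave DOWNLOAD doc-3001
2021-09-01T09:11:00Z dave DOWNLOAD doc-3002
this line is malformed and must be skipped
"""


def parse_log(text):
    """Return (ts, user, action, doc) tuples; lines that don't match are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((m["ts"], m["user"], m["action"], m["doc"]))
    return events


def downloads_per_user(events):
    """Map each user to the set of distinct documents they downloaded."""
    docs = defaultdict(set)
    for _, user, action, doc in events:
        if action == "DOWNLOAD":
            docs[user].add(doc)
    return docs


def flag_bulk_access(events, min_docs=5, ratio=3.0):
    """Return {user: distinct_download_count} for users whose distinct downloads
    are both >= min_docs and >= ratio * the median across all downloading users.

    Both conditions are required: the absolute floor stops a tiny population
    from flagging its only active reader on ratio alone, and the ratio stops a
    uniformly busy organisation from flagging everyone on the floor alone.
    """
    per_user = downloads_per_user(events)
    if not per_user:
        return {}
    counts = {user: len(docs) for user, docs in per_user.items()}
    median = statistics.median(counts.values())
    return {u: c for u, c in counts.items() if c >= min_docs and c >= ratio * median}


if __name__ == "__main__":
    for user, n in flag_bulk_access(parse_log(SAMPLE_LOG)).items():
        print(f"review: {user} downloaded {n} distinct documents")
```

Run against the sample, the only user flagged is carol (8 distinct documents against a median of 1.5); a real deployment would feed the same check from the document store's audit trail and route hits to a review queue rather than printing them.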


The anecdata mentioned, that all the software companies they have worked for have poor internal security, struck a chord with me even if it can be argued it's just anecdata. And if you look at Facebook's checkered history of security, it's not a good track record. Or how about the fact that you can still to this day post public links to private photos?



