Hacker News | United857's comments

These are not hackers but Meta employees/contractors who make money on the side by using their access to internal support tooling/channels. It's a fireable offense (it's only intended for actual friends/family) but still happens a lot.


There are plenty at Twitter and TikTok too.

Sadly I can't find anyone to pay off at Google yet to fix my gmail (I have the username, password, and everything is forwarded to the recovery email I own, I just lost access to the phone number and they enabled 2FA without asking).

Reddit also, I can't find anyone there to unban my friend's account that got locked (due to a server outage), even after speaking directly to spez about it.

One tip: if your IG/FB account gets suspended, then it's way cheaper to get it unbanned via black hat routes than if you roll the dice and try to appeal it. Appeals often end in perma-bans that are much harder for Meta employees to undo.


I'm permabanned and IP-banned from reddit and it is so aggravating. Appeal is auto-rejected. :( Wish I knew someone there to help me out!


Why not just use a VPN?


The only blackhat routes I came across were thousands of dollars...


Do you have proof of this though? Otherwise, we're just speculating it's a likely possibility.


I am a Meta employee. Don't want to disclose any inside info or dox myself but there's been other articles written about this, e.g. https://www.theverge.com/2022/11/17/23464297/meta-allegedly-...


Gotcha. Don't suppose you could help me with my Instagram account? :)

If pogue972 on Instagram suddenly got a reset email or something, I definitely wouldn't ask any questions.


To be fair, he just said it's a fireable offense-- presumably (and according to the article he linked) to use the tools for people you don't know at all, not just to take money for it. (It's probably easier for Meta to prove an employee used the recovery tool than to prove they received money for it.) I do hope you get your account back, though.


Oh, I thought maybe I'd made a friend... :'(

Tbh, I'd be curious if it's even recoverable and what triggered the ban. I just got an email out of the blue asking me to fill out a captcha, reply to an SMS and send a selfie. I did all that and just got a reply I had violated "community guidelines" ¯\_(ツ)_/¯

Since it was a private account I never posted anything on, I was racking my brain what could have possibly got me flagged. All I did was reply to pics of ppl's pets (and sometimes cute girlies). Definitely nothing abusive.

From what I've read, the SMS was used just to automatically block any new account you make.


There's this woman who slept with meta employees to get her account back:

https://www.newsweek.com/onlyfans-star-slept-meta-employees-...

> "So, I stalked them on Instagram through my backup but still slutty account," she said. "I managed to find a couple (employees), not from that department but still people that worked at Instagram in LA."

> She said she allegedly met up "with a couple" employees in the Los Angeles area, adding that they know about her podcast.

> "We met up and I f*ked a couple of them and I was able to get my account back two-three times," Kitty Lixo said, recommending others with locked accounts to continue reaching out to the platform for eventual ban reversal.


I’m old enough to remember arXiv being hosted by Los Alamos National Laboratory under the domain xxx.lanl.gov.

It’s understandable why they changed their name.


That's rather surprising about the accessing user data bit. When I was at Meta, the quickest way to get fired as an engineer was to access user data/accounts without permission or business reason. Everything was logged/audited down to the database level. Can't imagine that changing and the rules are taught very early on in the onboarding/bootcamp process.


That part of the complaint is specifically about 1500 "WhatsApp engineers".

Different culture from the blue app, or whatever they call it?


But the crucial bit to know here would be if that data was readable in anyway in case it was accessed?

Personally it doesn't matter if there are auditing systems in place, if the data is readable in any way, shape or form.


is that really true?

I haven’t touched a lot of these cyber security parts of industry, especially policies, for a while…

… but I do recall that auditing was a stronger motivator than preventing. There were policies around checking the audit logs, not being able to alter audit logs and ensuring that nobody really knew exactly what was audited. (Except for a handful of individuals of course.)

I could be wrong, but “observe and report” felt like it was the strongest possible security guarantee available inside the policies we followed (PCI-DSS Tier 1), and that prevention was a nice to have on top.


As a customer I'm angry that businesses get to use "hope and pray" as their primary data protection measure without being forced to disclose it. "Motivators" only work on people who value their job more than the data they can access and I don't believe there's any organization on this planet where this is true for 100% of the employees, 100% of the time.

That strategy doesn't help a victim who's being stalked by an employee, who can use your system to find their new home address. They often don't care if they get fired (or worse), so the motivator doesn't work because they aren't behaving rationally to begin with.


This really isn’t fair. It is not simply hope and pray: it is a clearly stated/enforced deterrent that anyone who violates the policy will be terminated. You lose your income and seriously harm your future career prospects. This is more or less the same policy that governments hold to bad actors (crime happens but perpetrators will be punished). I get that it is best to avoid the possibility of such incidents but it is not always practical and a strong punishment mechanism is a reasonable policy in these cases.


You don't think it's fair to expect a trillion-dollar business to implement effective technical measures to stop rogue (or hacked!) employees from accessing personal information about their users?

I'm not talking about small businesses here, but large corporations that have more than enough resources to do better than just auditing.

> crime happens but perpetrators will be punished

Societies can't prevent crime without draconian measures that stifle all of our freedoms to an extreme degree. Corporations can easily put barriers in place that make it much more difficult (or impossible) to gain unauthorized access to customer information. The entire system is under their control.
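The exchange above (audit-and-punish versus preventive barriers on employee access to user records) is easier to reason about with a concrete minimal design. The following is an added example written for this page, not code from Meta or from any commenter; the employees, users and tickets in it are constructed. It shows a support-tool facade that can run in an audit-only mode or in a preventive mode where a read must be covered by an unexpired support ticket naming both the employee and the user, a hash-chained audit log that makes after-the-fact editing of the log detectable, and the detection query that flags reads with no matching ticket.

```python
import hashlib
import json

ZERO_HASH = "0" * 64


class AccessDenied(Exception):
    """Raised in preventive mode when no valid ticket covers the read."""


class AuditLog:
    """Append-only, hash-chained access records.

    Each entry commits to the previous entry's hash, so editing or deleting
    an entry (e.g. an insider covering their tracks) makes verify() fail.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, **fields):
        prev = self.entries[-1]["hash"] if self.entries else ZERO_HASH
        entry = dict(fields, prev=prev)
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        prev = ZERO_HASH
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class UserStore:
    """Support-tool facade over user records (hypothetical design).

    mode="audit":   every read succeeds and is logged ("observe and report").
    mode="prevent": a read succeeds only if a ticket names this employee and
                    this user and has not expired; it is logged either way.
    """

    def __init__(self, records, tickets, log, mode="prevent"):
        self.records = records
        self.tickets = tickets  # ticket_id -> {"user_id", "assignee", "expires_at"}
        self.log = log
        self.mode = mode

    def read(self, employee, user_id, ticket_id, now):
        t = self.tickets.get(ticket_id)
        authorized = (
            t is not None
            and t["user_id"] == user_id
            and t["assignee"] == employee
            and now < t["expires_at"]
        )
        self.log.append(ts=now, employee=employee, user=user_id,
                        ticket=ticket_id, authorized=authorized)
        if self.mode == "prevent" and not authorized:
            raise AccessDenied(f"{employee} has no valid ticket for {user_id}")
        return self.records[user_id]


def unjustified_accesses(log):
    """Detection over the audit log: reads that no valid ticket covered."""
    return [(e["employee"], e["user"]) for e in log.entries if not e["authorized"]]


# Constructed sample data: not real users, tickets or employees.
RECORDS = {"u-100": {"name": "A. User", "home_address": "1 Example St"},
           "u-200": {"name": "B. User", "home_address": "2 Example Ave"}}
TICKETS = {"T-1": {"user_id": "u-100", "assignee": "alice", "expires_at": 2000}}


def run(mode):
    """Perform the same two reads under one mode; return (outcomes, flagged, log)."""
    log = AuditLog()
    store = UserStore(RECORDS, TICKETS, log, mode=mode)
    outcomes = {}
    for employee, user, ticket in [("alice", "u-100", "T-1"),   # covered by the ticket
                                   ("alice", "u-200", "T-1")]:  # ticket is about a different user
        try:
            store.read(employee, user, ticket, now=1000)
            outcomes[user] = "read"
        except AccessDenied:
            outcomes[user] = "denied"
    return outcomes, unjustified_accesses(log), log


if __name__ == "__main__":
    for mode in ("audit", "prevent"):
        outcomes, flagged, log = run(mode)
        print(mode, outcomes, "flagged:", flagged, "chain ok:", log.verify())
    _, _, log = run("audit")
    log.entries[1]["authorized"] = True  # insider edits the log to hide a read
    print("after tampering, chain ok:", log.verify())
```

In audit mode the off-ticket read of u-200 returns the home address and is only flagged afterwards; in preventive mode the same call is refused before any data leaves the store, and the refusal is still logged. The hash chain only detects tampering if the current head hash is also anchored somewhere the employee cannot write (a separate system, or periodically published), which is the "nobody knows exactly what is audited" property the PCI comment above describes.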


Okay, how do you want to implement those technical measures? I propose that we add a checkbox, for employees to click when they have gone rogue, or have been hacked. That way, when the box is checked, we can just reject those requests as being bad/wrong/illegal. Simple as that!

There may be some details with the implementation of this, but once we've got that check box, then things will be secure.

Or maybe trillions of dollars can't change digital physics. I don't care how much money you have, you can't make water not be wet.


Facebook/Meta has shown time and time again that it can't be trusted with data privacy, full stop.

No amount of internal auditing, externally verified and stamped with approval for following ISO standards theater will change the fact that as a company it has firebombed each and every bridge that was ever available to it, in my book.

If the data has the potential to be misused, that is enough for me to equate it as not secure for use.


Whatever Meta says publicly about this topic, and whatever its internal policies may be, directly contradicts its behavior. So any attempt to excuse this is nothing but virtue signalling and marketing.

The privacy violations and complete disregard for user data are too numerous to mention. There's a Wikipedia article that summarizes the ones we publicly know about.

Based on incentives alone, when the company's primary business model is exploiting user data, it's easy to see these events as simple side effects. When the CEO considers users of his products to be "dumb fucks", that culture can only permeate throughout the companies he runs.


There’s a meaningful difference in a company wanting to exploit user data to enrich itself and allowing employees to engage in voyeurism. The latter doesn’t make the company money, and therefore can be penalised at no cost.

Your comment talks about incentives, but you haven’t actually made a rational argument tying actual incentives to behaviour.


My point is that it would be naive to believe that a company whose revenue depends on exploiting user data has internal measures in place to ensure the safe handling of that data. In fact, their actions over the years effectively prove that to not be the case.

So whatever they claim publicly, and probably to their low-level employees, is just marketing to cover their asses and minimize the impact to their bottom line.


What would be the cost of setting safeguards and firing employees that cross the line? Feel like an access control system would be fairly easy to build and firing employees is not a huge deal nowadays.

You claim it’s all talk, but it’s not much more effort to walk the walk. It doesn’t hurt profits to do it.


There is actually no difference, only a difference in intent.

The problem is similar to that of government efforts to ban encryption: if you have a backdoor, everyone has a backdoor.

If Meta is collecting huge amount of user info like candy (they are) and using it for business purposes (they are), then necessarily those employees implementing those business purposes can do that, too.

You can make them pinky promise not to. That doesn't do anything.

Meta has a similar problem with stalking via Ring camera. You allow and store live feeds of every Ring camera? News flash: your employees can, too! They're gonna use that to violate your customers!


Do you have proof?


To the extent a random person's evidence on the Internet amounts to proof:

From people at Facebook circa 2018, I know that end user privacy was addressed at multiple checkpoints -- onboarding, the UI of all systems that could theoretically access PII, war stories about senior people being fired due to them marginally misunderstanding the policy, etc.

Note that these friends did not belong to WhatsApp, which was at that time a rather separate suborg.


Does Attaullah Baig?


He better if he is filing a lawsuit.


Everything is logged, but no one really cares, and the "business reasons" are many and extremely generic.

That being said, maybe I'm dumb but I guess I don't see the huge risk here? I could certainly believe that 1500 employees had basically complete access with little oversight (logging and not caring isn't oversight imo). But how is that a safety risk to users? User information is often very important in the day to day work of certain engineering orgs (esp. the large number of eng who are fixing things based off user reports). So that access exists, what's the security risk? That employees will abuse that access? That's always going to be possible I think?


You really don't see the safety risk?

If you have a sister, imagine her being stalked by an employee?

If you have crypto, imagine an employee selling your information to a third party?


Yes, but an employee will always be able to do those things because some employees, even a large number of some employees, need access to user accounts and data for legitimate reasons, and since the only workable way is to track and punish later (cannot run the company if every user access needs human approval at the moment), it's always a risk.


It's how data roaming works in general -- it's tunneled through to the SIM's home provider. Conversely, a Chinese SIM roaming overseas is still subject to the Great Firewall.


I have an extremely common first and last name and my email address is first.last@gmail.

I get my fair share of misaddressed mail but it doesn’t help that I share the same name as the CEO of a major hotel chain’s timeshare business so I’ve been getting tons of complaints about that :/


Your email address is actually [email protected].

GMail doesn't care about dots, so you could say your email address is [email protected] for all the good it does. Using the dot probably does more harm, as it makes people think it's a legit differentiator.
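The dot behaviour described above matters beyond misdirected mail: a system that treats `first.last@gmail.com` and `firstlast@gmail.com` as different users lets one mailbox hold many "distinct" accounts (alias abuse, ban evasion, duplicate signups). The following is an added example, not part of the comment; it canonicalises addresses the way Gmail delivers them (dots in the local part ignored, `+tag` suffixes dropped, `googlemail.com` folded into `gmail.com`) while leaving other domains alone, since for most providers dots in the local part are significant.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr):
    """Return the delivery-equivalent form of an e-mail address.

    Only Gmail's documented rules are applied (dots ignored, plus-suffix
    dropped, googlemail.com == gmail.com). Other domains are lower-cased but
    otherwise left intact, because their local parts may be dot-sensitive.
    """
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_duplicates(addresses):
    """Group addresses that reach the same mailbox; return groups of size > 1."""
    groups = {}
    for addr in addresses:
        groups.setdefault(canonical_email(addr), []).append(addr)
    return {canon: seen for canon, seen in groups.items() if len(seen) > 1}


# Constructed sample signups (not real addresses).
SAMPLE_SIGNUPS = [
    "First.Last@gmail.com",
    "firstlast@gmail.com",
    "first.last+promo@googlemail.com",
    "first.last@example.org",   # dots are significant here; no folding
    "firstlast@example.org",
]

if __name__ == "__main__":
    for canon, seen in find_duplicates(SAMPLE_SIGNUPS).items():
        print(canon, "<-", seen)
```

Use the canonical form only as an internal dedup key; the address the user actually typed is still the one to send mail to, since some Gmail users do rely on the dotted form to filter their inbox.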


Edit: they finally did allow JIT for browsers.

The article doesn’t mention Apple’s persistent refusal of JIT support for 3rd party JavaScript engines, which is a main barrier to implementing a performant 3rd party browser.



I’m no fan of the current administration but this is one person’s account so inherently 1 sided. I just flew in from Europe and most people were not searched. US border control don’t have time to systemically search the phones of all travelers. I’m guessing some other red flag triggered the questioning and phone search and denial (eg no return ticket or accommodation booked).


Why is it less credible than your inherently 0 sided guess?


Because people of all political persuasions tell lies for attention and to support their political agenda. It is sensible to withhold judgment until there is sufficient information to make a reasonable determination on the balance of probabilities. That may mean withholding your righteous indignation for a day or two, but that's a price worth paying.


Except in reality judgment wasn't withheld, so your template doesn't fit.


Indeed, a clear indication that the meme was the reason, or at least part of the reason, to deny admission would have a very serious weight, and hopefully grounds for the reversal of the decision, and a disciplinary action.


You are talking about the US administration here, which is currently making up rules as it pleases based on the whims of a geriatric maniac, and where masked kidnappers are abducting people off the streets without repercussion. None of what you said is likely to happen.


I agree that the top of the administration is plenty rotten, but I still believe that rank-and-file people in governmental agencies did not lose their dignity, at least those who had it.


At the very end of the article there's a statement from the Ministry of Foreign Affairs that contains "..and it is the traveller's responsibility to have valid documents and be familiar with the current entry regulations." which makes me believe there's more to the story.


It lines up with other reports for the same general issue, and also jibes with how the admin itself deals with criticism.


It does line up - in the other reports and this one there were facts conveniently omitted.


"Evidence? When it supports our assumptions? Bah!"


Yeah, expecting a governmental agency to produce evidence that will negatively impact their political standing is a very reasonable request indeed. Or expecting evidence from a person who was stripped of all their devices. How silly these people are for working with what they have. They even lie about how much and what quality of information is it that they possess... oh wait, no they don't, you're just being a jackass. Well ain't that unfortunate.


> it is the traveller's responsibility to have valid documents and be familiar with the current entry regulations

This response from the Norwegian foreign office makes it seem like the man lacked proper documentation, which led to the search. However, it’s unclear to me whether the comment is specific to this case or just a general statement.


Bullshit. They won't let you board a plane heading towards the US without a valid ESTA/visa and passport.


The airline and airport have no way to check your Visa or ESTA status.


Wrong. DHS tells the airlines your ESTA status, so they won't let you board if you don't have a valid one. And if you don't have one, the airlines will check for a visa.

"DHS communicates a traveler’s ESTA status to the carriers. However, DHS recommends that travelers print out the ESTA application response as a record of their ESTA application number to confirm their ESTA status."

https://www.cbp.gov/travel/international-visitors/esta/frequ...

They also have DHS agents at the departure airports, who already tell the airlines which passengers aren't allowed to board. If the airlines violate this, they face severe consequences like a ban from US airspace.

https://netzpolitik.org/2014/bundesregierung-beauskunftet-re...



I was excited to see the domain, but it turns out this is Epic the healthcare software company, not the game developer.


It seems some EU countries are unrestricted but others aren't. How is this compatible with the EU single market/customs union?

