ZUCK OFF: Facebook nixes internship after student embarrasses firm

Just about to say the same thing, "don't do this it's against our terms" yep that works

"Second, this mapping tool scraped Facebook data in a way that violated our terms, and those terms exist to protect people's privacy and safety."

..Really, Facebook???

Surely the way to protect people's privacy and safety should be to write defensive code which doesn't allow this sort of behaviour by a third party?

If you must collect this data in the first place, protect it.

(posted from somewhere in the region of 52.89340, -1.43669 if you're interested, Zuck)

Not sure I'm getting the point here.

Techie makes Bookface look silly and now we're surprised they no longer want to hire him?

*Either way I'm sure it's Bookface's fault and they should be shut down immediately*

I am sure he'll find a proper internship somewhere more interesting.

Facebook, ethics????

Facebook, ethics, bwahahaha!!!

10 minutes

That's how long I think it will take for several other big-name IT companies to offer him a job.

Scrape you!

What about browser's cache? Does that count as facebook scrapping? What about a browser written in python using chromedriver saving all output? Can you tell the difference? I bet you can't. It's my internet given right to connect and fetch data from remote services, if you don't want me to see your data take it off the internet. So shove your ToS up your ass.

Relativity.

"Facebook, however, displaying extreme chutzpah, told Khanna that it had withdrawn his internship offer. The reason? His blog post did not reflect the 'high ethical standards' which it expects of its interns."

It's all relative. One man's "high ethical standards" are another man's "low-to-non-existent ethical standards with a large dose of brazenly hypocritical sanctimoniousness".

FaceBook is right about this

Facebook is right about this. Using security loophole to collect confidental information from facebook's servers is clearly illegal. It's the same as trying to login to secure system without having proper authorisation, i.e. trying to guess passwords. There's invisible legality line in such places, and anyone crossing that border is doing something illegal.

However, denying internship is pretty harsh consiquence for such actions. He could be simply not understanding where the legality line is located at... Finding loopholes in security is dangerous exactly for this reason -- it's easy to cross the authorisation -line -- Once the actions are not authorised, and it somehow skips proper authorisation mechanism, it is by default illegal action.

Real issue?

I think the real issue is that FB was pissed that they couldn't hang on to this data for themselves and their ad partners. Now that it's in the wild, any and all can scrape it and by-pass the FB money machine.

Meanwhile....

http://www.theregister.co.uk/2015/08/12/facebook_privacy_flap_data_phone_number/

It's the hacker way

unless the target is Facebook.

These are exactly the people FB needs to hire, the ones that can find and fix problems and come up with innovative solutions.

I guess Facebook has shareholders to answer to, so they will act no different than IBM or Oracle would. Put away your hoodie, Zuck, and put on a suit, because you're a sellout.

Depends on the company

"Isn't the issue that he made freely available the tool to exploit the problem, rather than informing Facebook privately and letting them fix the bug in advance? That's what security researchers do usually, isn't it?"

Depends on the company. Companies that try to hide the existence of bugs, claim bugs are features, and put off indefinitely fixing bugs, do not get this courtesy.

That is the problem, Facebook did not even consider this a security bug or leak. This "bug" was probably fully documented to "trusted third parties" to be able to get this info.

I wouldn't be surprised if this behavior wasn't in the fine print, but A) People don't read the fine print, and then are utterly shocked when behavior is revealed that was explicitly covered by the fine print. B) Others assume that the fine print is a "cover your ass" and covers every POSSIBLE activity, and naively assume this stuff is not actually being done. And facebook was clearly fine with that.

In other news

Zuck has discovered we no longer need to waste time and money putting keys and locks on our houses and cars, because a simple sign saying "Thou shalt not steal" stuck on the front works perfectly to deter thieves, burglars and carjackers.

Canning the guy because he wrote code that "violated Facebook's terms and conditions?" Give me a fucking break.

Looks sensible to me

Whatever the rights and wrongs of the flaw and who should have fixed it this is a sensible decision commercially.

If the guy is bright enough to spot a flaw from outside your company and disloyal enough to create a publically available exploit rather than privately disclose it to you then letting him inside the corporate intranet is too big a risk given the modest upside of the free labour you'd get in return.

That says nothing of the rights and wrongs of how he and they approached it - a point I'm agnostic on - but in a very minor way it would be equivalent to an intelligence agency given Edward Snowden an internship.

I think this guy will struggle to find work at the other big corporates who will see similar reason to take a pass but have no shortage of interested parties in the startup community as he's clearly capable of hacking interesting things together.

Conflict of interest

I looks like FB are, not unexpectedly, in the wrong w.r.t. privacy and handling the "feature" both before and after exposure. The young man in question, however, should have realized that he was facing a conflict of interest (do they teach that at Harvard?). A responsible thing would be approach the (prospective?) employer, disclose the issue and the exploit, ask what the employer's position on public disclosure would be (the expected "don't even think about it" and the more reasonable "thank you, give us 30 days, we'll fix it and publish it, crediting you" would be among possible responses), and then decide whether to go public against FB's will or accept the internship offer, sign the confidentiality clauses, and keep mum. It would be clear then that the first choice, while, arguably, admirably ethical, would be incompatible with the expectation of employment. As far as I understand, the guy went ahead with public disclosure without even approaching his prospective employer. He may feel ethically in the right, but he should have realized he was closing any doors a FB for himself. Not a huge loss, if you ask me, but then don't make it an issue.

The guy clearly shows technical ability and some aspects of commitment to ethics. However, I probably would not hire him, either. I would expect from an employee who finds an issue with my company's product to work internally to resolve it (and to disclose the conflict of interest regarding the ethical responsibility). And if the issue is not resolved to his/her satisfaction, then don't expect to remain employed if you break a confidentiality clause, even for a good reason. If you get fired for it then you may think the employer acted unethically, but that's still a breach of contract. (Do you want to be employed at an unethical company, by the way?) I would not hire someone who is likely to publish stuff on a personal blog without going through internal channels first.

So, while I share everybody's sentiment about FB's attitude to privacy in general and in this case in particular I cannot fault them for withdrawing the internship offer.

NB: Whether or not the internship is paid or not, and whether or not one is employed or just offered employment, and whether or not a contract (and confidentiality clauses therein) has been signed or not is, IMHO, immaterial w.r.t. the conflict of interest question.

Double Standards

So it's ok for Facebook to keep sharing user data against customers wishes either accidentally or intentionally by changing the T&C's and making bold but false assumptions, but when someone else (not them) does it - it's completely wrong and they should be punished.

Perhaps they should have hired the person to understand how they were exploited, figure out what went wrong internally with their processes (because a single student thwarted a company of thousands) and perhaps educate each other, instead they chose the belligerent path - again.

Facebook just don't get it - as usual.