this post was submitted on 27 Sep 2024
1117 points (99.6% liked)

Technology

59647 readers
2686 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 47 points 2 months ago (7 children)

Considering how old Facebook is, you'd think they would have their shit together when it comes to password security...

[–] [email protected] 50 points 2 months ago (3 children)

Facebook is huge and has very diverse teams/departments. It's absolutely possible the guys who know what security is, and the guys who build app xyz are in different departments, countries, continents.

The capitalists want us to believe otherwise, but large corporations are just as convoluted and inefficient as a planned economy.

[–] [email protected] 21 points 2 months ago* (last edited 2 months ago)

Of not more. At least government gives some amount of insight and a chain of responsibility. Corporations are opaque and responsibility ends in an understaffed, underpaid "support" line.

[–] [email protected] -4 points 2 months ago (1 children)

Have you ever worked for government IT? Most of it is ages behind private sector.

[–] [email protected] 6 points 2 months ago* (last edited 2 months ago) (1 children)

I work in the private sector and our most essential systems run on Windows Server 2012. Because the installed applications can't be migrated to anything else. After a reboot, there's 21 scripts that need to be run in a specific order (with admin rights) to get the app running again. The frontend is an http webpage that's open to the world.

The supplier of the software is a huge global corporation, market leader in their field.

[–] [email protected] -2 points 2 months ago (1 children)

I'm not saying there isn't crap in the private sector, but in my experience government really sucks managing IT.

[–] [email protected] 2 points 1 month ago (1 children)

No. Large organizations suck at managing IT, simply because it's not crucial for them to keep it managed and they usually have enough institutional insulation to mitigate the impacts. Whether that insulation is money or disregard of the public doesn't matter all that much.

[–] [email protected] -1 points 1 month ago
[–] [email protected] -5 points 2 months ago* (last edited 2 months ago)

The difference is even this pittance of a fine wouldn't happen in a planned economy - it would be like the planners fining themselves.

What we're seeing here is a result of the amoral "beastly" types concentrating power. What you're suggesting is to intentionally concentrate that power from the start.

Facebook is a great example of democracy - the billions of people using it have effectively (in their voluntary ignorance) voted for it to be like this. These are the same people who would vote for policies in a pure democracy.

And you're ignoring what happens in the SMB space, where people aren't part of the corrupt circle.

You're welcome to start a small community anywhere in the US with a planned economy, as proof of concept.

You could call it.... A commune, to indicate its goals.

[–] [email protected] 11 points 2 months ago (2 children)

Considering how old Facebook is…. They probably never bothered to upgrade the authentication system because “if it ain’t broke, don’t fix it” and it didn’t matter to their revenue.

[–] [email protected] 15 points 2 months ago* (last edited 2 months ago)

Password hashing has been standard practice far longer than Facebook has existed. Even by 2004's awful, 'archaic' standards.

[–] [email protected] 5 points 2 months ago

At the time Facebook was invented, plaintext passwords had been a joke for years.

[–] [email protected] 7 points 2 months ago (1 children)

They are still on the old system of writing them down on paper XD

[–] [email protected] 2 points 2 months ago

old system of writing them down on paper

That's harder to steal/hack by someone across the globe.

[–] [email protected] 2 points 2 months ago

I mentioned this in another comment too: Nobody seems to reads the actual posts, just the headlines. They were accidentally stored in logs:

As part of a security review in 2019, we found that a subset of FB users' passwords were temporarily logged in a readable format within our internal data systems,

which is something I've seen at other companies too. For example, if you have error logging that logs the entire HTTP request when an error happens, but forget to filter out sensitive fields.

[–] [email protected] 1 points 2 months ago

It seems like it was one of those old systems from the earlier days that somehow was overlooked. It's not great but I understand how it happens if they didn't have strong monitoring and system ownership.

[–] [email protected] 1 points 2 months ago

This is almost certainly the result of accidentally letting the passwords get into the logging infrastructure.

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago) (1 children)

These things are the other way around. The older something is, the more likely it is to find a bunch of questionable choices, spaghetti code, and security holes.

The questions I have surround the "since 2012" bit. FB exists since 2004, so what happened in 2012? Was it a data dump, a careless logger, system migration, or something else?

[–] [email protected] 1 points 2 months ago

Careless logging is the one.