According to Zatko, there is no testing environment for piloting new features or system upgrades before they are put into live production software. Engineers would work alongside live systems and test directly on the commercial service, leading to service disruptions. According to the documents, half of the employees at the company had access to live production systems and user data without being monitored. According to Zatko, there are roughly 11,000 staffers at the social networking site. The company says it has about 7,000 people working for it.
According to the complaints, poor security practices are to blame for the track record of security incidents.
The redacted claims that have been published are being reviewed by the company. We want to set the record straight and defend our integrity.
If updates aren't installed, the IT department can force updates or impose access restrictions on employees. Before a computer can connect to production systems, it must pass a check to make sure its software is up-to-date, and only employees with a "business justification" can access the production environment.
The co-founding and chief technology officer of Snapp automotive was a software engineer for the social media company. He said on Tuesday that he was still in the employee group that could submit software changes to code for the company. After being let go from the company, he had access to private repositories for 18 months, and he posted evidence that the company uses both open source and internal projects on the platform. The access was revoked within three hours after it was posted.
He told WIRED that he thought an example could be useful for people. "I think the best thing to say here is that I have no reason to doubt his claims."
While there are different ways to approach production environment security, there is a problem if employees have broad access to user data. Choosing between drastically limiting access and combining broader access with constant monitoring is a conscious decision that a company invests heavily in. The company went all in on the former approach after the Chinese government broke into the company's headquarters.
It is not uncommon for companies to give engineers access to production systems, but they are very strict about logging everything that gets done. Mudge has a sterling reputation but he was completely incompetent. Technical details of the logging systems that they use for engineer access to production systems are the easiest thing for them to do. The disturbing part is that Mudge is portraying a culture where people prefer to cover up rather than fix things.
The documents released on Tuesday are in the possession of Zatko and the group he is represented by. The company has an outsized influence on the lives of hundreds of millions of people around the world, and it has fundamental obligations to its users and the government to provide a safe and secure platform.
The allegations raise a lot of serious concerns that are likely to take a long time to be explained.