There is no such thing. To be clear, I was talking about Signal (the app/protocol) and VPN gateways – two separate things that work great together in a surveillance-state regime like the one that exists on FB’s campuses.
So, the employee gets the burner phone (no IMEI or phone number and provider linked to a true name), tunnels out through data connection and VPN gateway to a non-FB network (makes tracking and monitoring of “suspicious” app use more difficult) and then uses the Signal app/protocol to conduct and encrypt the actual chat.
If this situation continues I can see FB implementing procedures to combat these measures that you only usually see at places like the NSA.
So if I’m understanding you correctly, your threat model is that the signal protocol is encrypted - but if using a corporate VPN they can monitor who was using Signal at what time and infer things about leaks etc?
Because it’s my understandingSignal itself encrypts the messages and sends the blobs out over the network (to oversimplify).
TBH I work in infosec - though nowadays I am more policy/compliance focused rather than sitting on wireshark anaylzing packet captures, so I want to be mindful that my knowledge on this is high level. You sound like you are IT savvy and if you want to be more detailed, things I could read up on are appreciated.
(I’m also out sick today so I might just not be following well due to that)
To an extent. I’ll give you a very plausible scenario involving employees using Signal on employees’ personal phones.
First, I’m sure when someone installs whatever in-house FB apps are required for an employee to do her job/enjoy the free catering/schedule the foosball table they also install some additional monitoring components in the background.
One of those components probably logs apps installed on the employee’s phone and usage activity for each app during the workday on campus (and, knowing FB, probably beyond that). So in the case of non-burner phones FB is going to know the names of employees who have Signal installed and when the app is being used.
Aggregate and collate enough of that data throughout the company over 6+ months (perhaps less) and FB starts to get a rough idea of which employees are chatting with which other ones over Signal throughout the day. Combine that data with other monitored activities and known social graphs and FB knows quickly discovers who the “malcontents” are and how they connect. The actual message content and traffic protocol doesn’t matter.
The VPN tunnel to a trusted network would be an added layer of security, if there’s a suspicion that FB is monitoring traffic or injecting monitoring software over its own LAN (very likely) or is doing so over cellular data connections in partnership with local phone providers (less likely, but who knows what kind of deals shady and interdependent companies make?). The point is, if you’re a paranoid techie who works for FB that extra measure doesn’t hurt.
Knowing who the networks of “malcontents” are is valuable in and of itself to FB. And if one of those “malcontents” in a network/cell slips up somehow (and one always does) the company will immediately know who else to have a little talk with – or perhaps worse.
Wow shocker! People talking shit about the big company they work for LOL. That’s not a Facebook thing, that’s a corporate office thing. Second of all, as somebody else already pointed out these so-called miserable folks are still making great money and still working there. Zero fucks given
The only truly secure system is one that is powered off , cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.
-Gene Spafford
The bigger companies I have worked for expected people to dog food even when it comes to personal devices. So having a personal device and then a private-personal device makes sense in some situations.
“Dogfooding” is a tech industry term for a company making its employees use its products (“eating our own dogfood”). I’m sure it’s all-Alpo, all the time at the Facebook employee canteen.
There’s actually some interesting legal issues if you make installing software contingent upon employment, since many data protection regimes require opt in, freely given consent, and being coerced under threat of firing is not freely given.
I would probably try to not be so blatant and just be like “Sure happy to take a device home to test, where should I go to pick it up - IT?”
Yes, what Gracchus said. Idea being if you don’t like the flavor then don’t make the customers eat it as is.
I’ve never seen it be mandatory. But it is strongly encouraged and folks that find issues and improve he product this way get noticed to some extent. Management will ask you out of the blue how dog food is going. You wouldn’t get fired for not participating but it may give management a poor impression of you that could affect future opportunities, or not. Its a bit like flair in the movie Office Space.
from the buzzfeed-article (is buzzfeed becoming a major-source for BB-news?!? just asking)
Last month, Mark S. Luckie (…) posted a 2,500-word memo (…) to highlight what he saw as the company’s “black people problem.”
“In some buildings, there are more ‘Black Lives Matter’ posters than there are actual black people,” Luckie wrote, adding that “Black employees are commonly told ‘I didn’t know black people worked at Facebook.’”
It’s not about disposing of evidence, it’s about marking them as “read”. And just being a dick about it, knowing full well that the pieces need to be retrieved and taped up.
It’s not just about the giant surveillance heavy companies monitoring earphones.
My previous company was small and privately owned and yet they made a deal with Verizon and supplied all the managers with cell phones and service. Most of those managers seemed to get that anything on those phones was property of the company, and most had second phones (or basically never relinquished their original phones). I wouldn’t call them burners, just work and personal phones. Just like their laptops.
You just can’t pretend anymore that a device supplied by an employer or school isn’t going to be monitored, and used against you if necessary.
Even your own device, used on the company’s wifi, is not remotely secure, and you’ve probably signed something that approves it, too.
