Social Network Security Manager

InternetNeverSleeps

Los Angeles, CA

Female, 38

I oversaw all on site safety and security concerns for one of the largest social networks in the world. In the wild west of the internet, I had to develop policies and guidelines on how to deal with even the weirdest issues, work with law enforcement, meet with our government and address all the urgent issues that can pop up. My teams were the 911 of the internet, if you will, responding to the craziest of issues.

32 Questions

Last Answer on December 02, 2013

Do you think it's fair when social networks are blamed for enabling stalkers and pedophiles?

Asked by Brozen over 7 years ago

Hey Brozen, This question strikes near and dear to an issue that infuriated me for years. No!!! It's SO unfair!! Do people hold phone companies liable for crimes that are discussed via telephone and then committed? Does society threaten to sue itself for having criminals? No! Social networks are an 'online society', which means with the good comes the bad. And it's just another means of communication, like telephones. What it really all comes down to is politics. Social networks, especially a few years ago, were 'new, scary technology' for older generations. So politicians curried votes by vowing to attack social networks. Fortunately, I feel that this type of political pressure has greatly lessened, especially with the politicians USING social media for their communication platform! As a side note - parents are supposed to teach their kids not to talk to strangers - in real life or online, makes no difference!

How does Facebook or any other social network enforce age requirements to have an account? I think Facebook's age requirement is 13, for example.

Asked by H.L. over 7 years ago

Ahhh underage users. Almost all websites will state that users should be 13 years of age and older, due to 'COPPA' - the Children's Online Privacy Protection Act (http://www.coppa.org/coppa.htm for extra fun reading). Due to this law, site operators must remove an account of anyone that they are able to suspect to a certain degree of being underage. Unfortunately, people under 13 years old will lie to get on the site. Fortunately, they often think it's funny to say they are 99 years old, which helps with account removal (since they are obviously not 99 years old and therefore it's a Terms of Service violation). There are various ways to detect if a user is underage (images, things they say, etc), and the website support team will review the profile in question and remove if they determine that the user is under 13 years of age.

Can you describe the average Internet troll? Are they mostly 20-something disgruntled nerds living in mom and dad's basement? Or 40-something divorced fat dudes? Or something else?

Asked by Cartman over 7 years ago

Depends on the website you are hanging out on! Honestly, for the 'social network' sites, your biggest 'troll' (pain in the butt user) are the teenage girls. They are VICIOUS! Considering several of my friends are fantastic online trolls, I'd say 30-something males are up there as well. But anyone can be a troll, it's a personality thing!

What's the most disturbing thing you ever found while monitoring your site?

Asked by shogun12 over 7 years ago

I think my employees and I could unanimously agree that child pornography is pretty horrific. Second to that, severe animal cruelty content - there was some weird video circulating the internet where a woman was crushing a kitten with high heels. Very odd and we all hated that one. Such a downer answer, though, so I'll also mention that for me, personally, I was also fairly disturbed by a strange subculture of 'diaper wearing adults'. Of course, it was never attractive people and their profiles were so creepy. Were they violating the Terms of Service? Not really. Were they bothering users in any manner? Not that I could identify. But were they really disturbing in the sense of hideous humans pretending to be babies with other hideous humans being their 'mommies'? Yes!! Overweight middle aged men peeing their diapers in their oversized baby crib is just not something you want to see. Gah!!

What do you think is an appropriate age for kids/teens to start using social networks?

Asked by KCs Mom almost 7 years ago

By themselves, I feel 11 is an OK age (depending on the maturity of the child) for them to start using social networks. I will add that this is AFTER the child and parent have discussed not adding anyone they don't know, letting the parent know if they see something that makes them uncomfortable, never to meet anyone from the internet without talking to their parent first, etc. BUT that is my opinion - due to COPPA, kids can not start using social networks until they are at least 12. Website operators can not have users under 12 and will delete their account if they identify it. I think for children ages 5 to 12, a "shared family" account is acceptable, where they use a special account that is highly restricted for sharing with other family members to keep in touch. But in this situation, the child AND parent would sit down together and use the account together.

What is it about Facebook that's made it immune to any major hacks? Is Facebook security just THAT good?

Asked by /\/\ & /\/\ over 7 years ago

Ironically, I am trying to research a security issue right now that affected my personal Facebook and a few friends. Spammers are using my display name and sending spoofed emails to friends that are also on my Facebook account (but via email).

OK So in general, Facebook actually has more limited functionality than say, MySpace does/did. On MySpace, you have a whole profile that you could embed things into and tons of other 'sections'. On Facebook, you really just have a few general fields and after that, you just post status updates. To be fair, MySpace was around first and got slammed with a lot of these attacks. Also, Spammers will always be first and foremost on an attack while a website scrambles to catch up. No matter how much you patch this or that, they still find a way. :(

So there are several types of 'security':

1. When a user submits stuff on a website, does the website allow 'bad code' to go through? This kind of stuff is the responsibility of the company that runs the website. This is not that common these days.
2. Users getting duped by spammers, either by getting phished and relinquishing their password or through other means. This is where the attacks happen. No matter how much the website operators try to detect false logins/educate the users/etc, it is still really tough :(

I think users are starting to get a little smarter now and more suspicious, so hopefully that is helping. Also and this is JUST speculation - I think a lot of users are now on mobile devices and the spammers haven't yet started to exploit that area as much. Yet.

What motivates people to fill social networks with porn spam?

Asked by Geez Loueez over 7 years ago

Money money moneyyyyy!!! That is what drives all spam, and most definitely the spam on social networks. Spammers are generally driving users to a third party site, and when that user signs up, the spammers get money. That is pretty high level - most 'adult websites' have an affiliate program, so whenever a user signs up and starts to pay for the content the site offers (that social networks can't and won't offer!), the affiliate can get anywhere from $2-$20 a referral. So if you send out hundreds of thousands of messages, and get even 1%, you can still pull a tidy profit.

What % of the "bad guys" you found on your site were male v. female? And were there certain infractions that were more typically male or female? (e.g. sexual harassment by males, bullying by females, etc)

Asked by Carl Louis over 7 years ago

Hey Carl, Love the question. Females are brutal. I'd say the "less serious" (and by that I mean not heinous crimes) were female - cyberbullies!!! Terrible, cruel cyberbullies. From making fake profiles to harass other girls, spats over boys, and nasty private messages, teenage and young women can cause a lot of headaches for social networks. The more 'heinous' crimes (ie rape) were more often committed by men. The type of crimes where they end up meeting in person and then the crime occurs "in real life". An exception to this is prostitution - yes, prostitutes make good use of social networks!

There's so much porn spam on social networks. What countries does most of the porn spam originate from, and does it get high click-through rates?

Asked by >>> HHH <<< over 7 years ago

Sigh, I hate porn spam. It comes from everywhere but I suspect mostly Westernized nations. I honestly am not that sure about porn click through rates - it really depends on the 'type' of porn spam. Adult content websites have what is called an 'affiliate program', so if you are an affiliate and you get people to sign up to their paid service, you get a certain amount (say, $2 per sign up). So it's a numbers game - it's free to send email so they can send out millions of emails and even with a .5% sign up rate, that is a lot of money! There has been an evolution in porn spam as people catch on to the tricks of the spammers. So I'm sure once they see click through rates decrease with one method (or the website operator catches onto that method and tries to squish it), they try another method. I've been threatening for years to start a porn site and start spamming people. Then I will be able to analyze click through rates first hand. And hopefully make some money. Hmmmm..... ;-)

What were some of the basic rules of thumb that you were taught about what is vs isn't acceptable on a social network?

Asked by Gresh over 7 years ago

Hmm not completely sure what is being asked but I would say never, ever post naked pictures of yourself on the internet. Never a smart thing to do, unless this is how you make your living.

How accurate do you think the "The Social Network" movie was?

Asked by corneal over 7 years ago

I'm embarrassed to say I never saw the movie. I was feeling a little bitter at the time that FB had a movie made about it when some pretty awesome predecessors didn't. Guess the predecessors didn't have enough drama for Hollywood!

What was the worst hack your site had to deal with? Did you have to temporarily shut down the site?

Asked by McGruber over 7 years ago

Cross site scripting hacks were always a problem for us, because in the early days, a user's profile could get "infected" by just LOOKING at another user's profile that was already infected. And then BOOM! You get hundreds of thousands of profiles getting "infected" within minutes. So then you have to figure out how to plug the hole, launch that code asap, and then clean up the prior mess. Ironically, our site did get shut down once, as well as Yahoo's and some other huge websites. An electric company employee accidentally triggered a power outage in the Los Angeles Data Center hub (if I recall) and led to major outages for major websites!!!
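An added example, not part of the original answer and not the site's code: the kind of hole described here, where stored profile text is pasted into the page unencoded, shown beside a hardened renderer that encodes on output and restricts link schemes. The field names, function names and sample values are hypothetical and constructed for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: profiles may only link to web pages

# Constructed sample profile values; the markup is an inert marker.
SAMPLE_ABOUT = "<script>/* constructed marker, does nothing */</script>"
SAMPLE_LINK_SCRIPT = "javascript:void(0)"
SAMPLE_LINK_BREAKOUT = "https://example.org/' onmouseover='x"


def render_profile_unsafe(display_name, about_me, website):
    # Vulnerable pattern: user-supplied strings are pasted straight into markup,
    # so tags stored in one profile are parsed by the browser of every visitor.
    return (
        f"<h1>{display_name}</h1>"
        f"<div class='about'>{about_me}</div>"
        f"<a href='{website}'>website</a>"
    )


def safe_link(url):
    """Return url if it is an absolute http(s) link, otherwise a harmless '#'."""
    url = url.strip()
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed input such as an unterminated IPv6 literal
        return "#"
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return url
    return "#"


def render_profile(display_name, about_me, website):
    # Hardened pattern: encode every value for the context it lands in.
    # html.escape(quote=True) also encodes " and ', so a value placed in an
    # attribute cannot close the attribute and add one of its own.
    return (
        f"<h1>{html.escape(display_name)}</h1>"
        f"<div class='about'>{html.escape(about_me)}</div>"
        f"<a href='{html.escape(safe_link(website), quote=True)}'>website</a>"
    )


if __name__ == "__main__":
    print(render_profile_unsafe("Pat", SAMPLE_ABOUT, SAMPLE_LINK_SCRIPT))
    print(render_profile("Pat", SAMPLE_ABOUT, SAMPLE_LINK_SCRIPT))
    print(render_profile("Pat", "hello", SAMPLE_LINK_BREAKOUT))
```

Encoding at render time also neutralises markup that was stored before the fix shipped, which helps with the clean-up step the answer mentions.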

Do you remember Bebo? Were you working at a social network when it was sold for $850M, and what were insiders saying about it at the time?

Asked by katbo over 7 years ago

BEBO!!! Blast from the past! If I recall, I always considered that a social network for 'young kids' (or people from another country). Do you mean $580MM? In that case, maybe. ;) Or please let me know which one sold for $850, I'm trying to jog my memory and can't recall who was in that range at the time.

What social networks, past or present, had the WORST security?

Asked by surf, not turf over 7 years ago

The one I worked at had pretty bad security in the beginning, but I won't disclose the name to protect the innocent LOL Though it depends on the type of spam/security issues. Free dating sites, like match.com, tend to have some pretty bad scammers on there.

Under what circumstances would you reveal the identity or private messages of a member to police?

Asked by paulerikson over 7 years ago

Hey there PaulErikson, We would only reveal the identity (aka profile information such as IP addresses, email address, name provided) in response to a subpoena or other valid legal request (court order, etc). Private Messages actually require a search warrant, so a basic subpoena won't suffice. The only time we would share identity information without having a legal request first is in the event of a life or death situation (such as a kidnapping or bomb threat) or in the event of child pornography (which would be submitted directly to NCMEC).

Did you cringe when social networks first started allowing developers to launch applications on-site? Is this the kind of thing that just unleashed an avalanche of new security headaches for you?

Asked by ez duz it over 7 years ago

Hey Ed Duz, You would think that would be a huge issue, and we thought it would be, too. But! It didn't - by that time, everyone was extra security conscious about what kind of issues apps could lead to. Almost overly cautious. So because of that, apps ended up being the least of our concerns. It was built in a way that it was very 'gated'. The apps were heavily reviewed for security and content issues before being authorized, and it was very easy to deactivate them in the event there was an issue. Honestly, I can't think of any major app related security or safety concern that came up. I think there was a content issue or two (ie a picture of boobies being distributed by an app) but that was about it. At least on our site! But I have been following all other major sites and haven't seen any issues, either.

If you identify a hacker or spammer and block him, what's to stop him from just creating another account? And another, and another, and another...

Asked by Zucktown over 7 years ago

Hey Zucktown, Good question. Generally spammers are automated systems that are coming in from a certain IP address/block of IP addresses (*cough* China *cough*) or mass posting very similar types of content. Based on various factors, you can either prevent account creation and/or certain types of content being posted. If an individual hacker is targeting a very specific individual, that is a bit tougher. We try to educate users on account security - so be wary of phishing, don't have a password of 'Password' (this happens more than you know) or name your password after your cat (a friend of mine got his account 'hacked' by his ex-girlfriend. Turns out his password was his cat's name. #fail).
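An added example, not part of the original answer and not the site's system: one way to act on the two signals named above, signups arriving from one block of IP addresses and very similar content posted by many accounts. The thresholds, class names and sample events are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque

# All thresholds are assumptions chosen for the example, not values from the answer.
SIGNUP_LIMIT = 3       # new accounts allowed per address block per window
WINDOW_SECONDS = 600   # sliding window length
SIMILARITY = 0.7       # Jaccard score at which two posts count as "very similar"
MAX_ACCOUNTS = 2       # accounts that may post near-identical text before it is held


def network_key(ip):
    """Map an address to its block (/24 for IPv4, /64 for IPv6)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class SignupThrottle:
    def __init__(self):
        self.recent = defaultdict(deque)  # block -> times of accepted signups

    def allow(self, ip, now):
        times = self.recent[network_key(ip)]
        while times and now - times[0] >= WINDOW_SECONDS:
            times.popleft()               # forget signups outside the window
        if len(times) >= SIGNUP_LIMIT:
            return False
        times.append(now)
        return True


def shingles(text, k=2):
    """Word k-grams after lowercasing, masking URLs and dropping punctuation."""
    masked = re.sub(r"https?://\S+", "<url>", text.lower())
    words = [w for w in (re.sub(r"[^\w<>]", "", t) for t in masked.split()) if w]
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


class NearDuplicateFilter:
    def __init__(self):
        self.clusters = []  # (reference shingle set, accounts that posted it)

    def hold(self, account, text):
        """True when similar text has now come from more than MAX_ACCOUNTS accounts."""
        s = shingles(text)
        for ref, accounts in self.clusters:
            if len(ref & s) / len(ref | s) >= SIMILARITY:
                accounts.add(account)
                return len(accounts) > MAX_ACCOUNTS
        self.clusters.append((s, {account}))
        return False


# Constructed sample events (documentation address ranges, made-up accounts).
SIGNUPS = [("203.0.113.5", 0), ("203.0.113.6", 10), ("203.0.113.7", 20),
           ("203.0.113.8", 30), ("198.51.100.9", 40), ("203.0.113.9", 700)]
POSTS = [
    ("a1", "Hey check out my new pics at http://example.test/a1 you will love them"),
    ("a2", "hey, check out my new pics at http://example.test/zz you will love them!"),
    ("a3", "Hey check out my hot new pics at http://example.test/q9 you will love them"),
    ("u9", "Anyone going to the show downtown on Friday night?"),
]


def replay():
    throttle, dupes = SignupThrottle(), NearDuplicateFilter()
    signup_ok = [throttle.allow(ip, t) for ip, t in SIGNUPS]
    held = [dupes.hold(acct, text) for acct, text in POSTS]
    return signup_ok, held


if __name__ == "__main__":
    print(replay())
```

Grouping by block rather than single address means a legitimate shared network (a school or office) can hit the limit too, so a refused signup is better routed to a challenge or review than silently dropped.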

Don’t social networks get hundreds if not thousands of attempted security intrusions every week? What was the furthest any hacker actually got?

Asked by ljenkins over 7 years ago

The biggest security issue I see that is still plaguing social network sites (and many other types of sites) are phishing attempts. I've seen very successful phishing schemes that result in thousands of user account login information, which then results in a bot automatically logging into that user's account and sending out spam. Cross site scripting (xss) hacks are also annoying and have, in the past, run rampant (in one instance, about 1 Million profiles were affected in a short period of time). They are more annoying than malicious - I consider phishing worse in terms of what we experienced.

Was your team monitoring the site 24/7? Were there certain days/times where violations were more frequent?

Asked by Gresh over 7 years ago

Good question, Gresh. There were both people and systems that would monitor for certain activities on the site (such as a spam attack) that were 24/7 (staffing for the graveyard shift is tough!). In the early days before I had the team become 24/7, the spammers knew when we went off line and would start their attack in the later evening and on weekends. Standard TOS violations would spike with site traffic, which tended to be 'after work' hours, so you would see the rise when the East coast got out of work/school and continue over to the West coast. Granted, our site was international but the majority of the traffic was domestic.

Do you think Facebook will still be around in 5 years? 10 years?

Asked by tubes over 7 years ago

Yes to both! I've been a very active user of the interw3b since about 1995 and there are pre-cursor 'social network' sites that still have a strong fan base (such as Livejournal) (OK I admit, I still love Livejournal) and have easily lasted over a decade. Will Facebook still have the strong following it does now? Only time will tell, but it's hard to stay on top forever!

Did you proactively search for and report people whose profiles suggested they were breaking the law? Like: if someone posts a picture of themself snorting coke?

Asked by justin over 7 years ago

Not really - using your example, I will explain why. First, we can't really determine (nor should we) if that is real cocaine (or say, pixie stick sugar). Second, the profile might claim the user lives in Miami, but we can't verify that (even if IP logs show a Miami-ish location, they could be using a proxy). Also, even if we reached out to local law enforcement with this information, we would still require a subpoena to release anything that would help law enforcement actually locate this person (such as their IP logs or email address). Law enforcement is already incredibly swamped with all the real-life crime/issues going on to deal with all the online activity going on, so no way are they going to take on this case knowing they have to do all this extra work for a potential, non confirmed, or as you said, suggested, crime. A major exception to this rule is child pornography. As our site proactively reviewed image content being uploaded to the site, we would come across questionable images. It is the law that we immediately report any child pornography to the National Center for Missing & Exploited Children (NCMEC), who has their own law enforcement agents assigned to them (I.C.E.). Even if we are not 100% sure that it is an underage person, it doesn't matter - if it raises a red flag, we don't take chances and report it.

Is it illegal for me to upload someone else’s image to my profile? Do copyright holders ever send you takedown notices, and do you have to comply?

Asked by anonpigeon over 7 years ago

For the first question, it depends on the image rights. For example, if the image is Public Domain, then you should be OK. If you are ever unsure, probably best not to upload the picture. YES I can tell you right now that any website that allows users to post content MUST comply with takedown notices, in accordance with the Digital Millennium Copyright Act (DMCA). Fortunately for website operators, the DMCA is fairly clear about the process. More fun reading about the DMCA can be had here: http://www.copyright.gov/legislation/dmca.pdf Please note my response here is very generalized and should not be used as legal advice!! :)

When you first started this job, were you braced for all of the nasty stuff you encountered? Or was there a time in the beginning where you thought, "I had no idea people could be THIS messed up?"

Asked by S.D. Jones over 7 years ago

When I started the job, I was only focusing on security issues (vulnerabilities, attackers, etc). I had no idea I'd go down the path of pedophiles, law enforcement issues, insane profiles, nutjob users, and content that you just can't un-see once it's seen. I had already been online for MANY many years (back in newsgroup days) so I already had a pretty strong inkling of the stuff out there. ;)

What’s to stop someone from uploading hardcore porn to their social network profile?

Asked by crayonz over 7 years ago

Nothing! Bwuahaha! OK Well there are repercussions - the account would be deleted for violating the Terms of Service. It's just not a good idea in general. Keep porn where porn belongs, which is not on a social network that has underage people and a strict Terms of Service that needs to be abided by. Just like how one shouldn't wander down the street naked or have sex in public places, it's the same with porn - society and law dictates that sexual acts are not for public arenas.

I know Facebook says it's not possible to see who's viewed your profile. But is the "who's viewed your profile" information stored anywhere, such that a hacker could find and distribute it?

Asked by mealtik over 7 years ago

I wouldn't worry about that. But clever people with their own web server logs could see what IP addresses look at their profile. ;-)

Are there unicycles, foosball tables, and ball pits at work, or are your offices as corporate and stuffy as any other big company?

Asked by ELLIE over 7 years ago

Yes, at just about every company I work at there seems to always be foosball tables. I wish there was a ball pit at my current or any previous employers, that would be rad. I can't work at any big, corporate stuffy company. I worked for Siebel for a few months over a decade ago and found that out the hard way. :)

Do you think Twitter is too lenient with what users are allowed to post? There's a TON of racist and misogynistic banter there.

Asked by G-Town about 7 years ago

Hi G-Town, No, I don't think Twitter is too lenient. It's not Twitter's fault that there are jerks out in the world who will spew their hate on any channel, whether it is the internet, telephone or in person. The website operator can only control so much, and attempts to over-control are very costly, taxing and ultimately, ineffective. When confronted with a jerk, the best thing you can do is block and ignore them. The "old" internet saying of "Don't feed the trolls" is still the best medicine!

Do you think that LinkedIn has a bright future because the Facebook generation is 'growing up' and looking for more professional social networking?

Asked by askramsingh1977 over 7 years ago

I personally love LinkedIn and utilize it weekly. I think it does indeed have a bright future and meets a good niche in the social network arena.

Do you think Facebook is out of line regarding user privacy, or do they have the right to do whatever they want? Not from a strictly legal point of view because we all agreed to their terms of use but how about re: corporate responsibility?

Asked by france_sucks almost 7 years ago

I think FB has definitely made a few things fairly concerning with user privacy and their oddly shifting security settings on their products. Half of me sides with the viewpoint that 'it's their website, they can do what they want, and nothing you post on the internet is truly private or sacred anyways' and the other half is reviled and would leave FB if I wasn't so heavily integrated with it for my social life (haha).

Ultimately, companies are companies and they are out to make a buck. It's up to the end user to decide how comfortable they are with information about themselves being shared/distributed/etc.

now that facebook is totally swamped w/ads, do u think people will eventually move on to another social network?

Asked by cali king 500 almost 7 years ago

No, I don't believe the in-stream ads (which I also can not stand) are enough motivation to prompt an egress from Facebook.

Many people, myself included, heavily use the site for social interactions. The ads can be easily 'mentally blocked' and I actually sometimes click through on the side ads, as they can be vaguely interesting at times.

Also, I think FB still maintains a fairly higher degree of quality among their ads - glad to see the site is not swamped with weight loss ads and tacky animated gif ads (and full screen takeover ads, ugh). Now if they got to that level, who knows if user interest will turn? But it wouldn't be the sole reason.

If one user was constantly messaging another user and getting no responses, would you look into it more closely to see if it was some kind of stalking or harassment?

Asked by Angela_82 almost 7 years ago

If the recipient reported the harassment, the standard response is to tell the recipient to block the harasser. If the harassment continued, we would look at the harasser and their messages, and potentially (if warranted) remove the violator's account.

If the recipient reported that they felt threatened, they would be advised to work with their local law enforcement agency. 

Well, I got a call saying I won a grant for 9000. I have to pay 310 for a processing fee at Western Union. How do I know if it's for real?

Asked by rebecca about 6 years ago

It is definitely not real. I can tell you that right now. Anything involving 'instant money' or 'too good to be true' plus a pairing of ANY type of Western Union "processing fee" is definitely a scam.

Check out Western Union's page on Fraud Types to learn more:

http://www.westernunion.com/fraudtypes