operations contact @ facebook?

2009-10-05 Thread Leland Vandervort
Hi All, 

Would anyone happen to have an operations contact at Facebook by
any chance?  Our systems are being overwhelmed by a Facebook application
that we were neither aware of nor condoned.

Thanks in advance.


Leland Vandervort
Director, Technical Operations
Gandi SAS
Paris
t: +33 1 70 39 37 59
m: +33 6 31 15 15 07





Re: operations contact @ facebook?

2009-10-05 Thread Patrick W. Gilmore

On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:

> Would anyone happen to have an operations contact at Facebook by
> any chance?  Our systems are being overwhelmed by a Facebook application
> that we were neither aware of nor condoned.


Clearly I do not have all the information, so please forgive me for  
being confused.  But since when do I[*] have to ask you before I put  
an application on my server?  If FB put an application on your server,  
that seems like something you should have known up front.


--
TTFN,
patrick

[*] No, I do not work for FB.




Re: operations contact @ facebook?

2009-10-05 Thread Alex Balashov

Patrick W. Gilmore wrote:

> On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:
>
> > Would anyone happen to have an operations contact at Facebook by
> > any chance?  Our systems are being overwhelmed by a Facebook application
> > that we were neither aware of nor condoned.
>
> Clearly I do not have all the information, so please forgive me for
> being confused.  But since when do I[*] have to ask you before I put an
> application on my server?  If FB put an application on your server, that
> seems like something you should have known up front.


The original poster is from Paris.  Do consider the possibility that 
there are different jurisdictional rules or service terms in force 
from your own.


--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct  : (+1) (678) 954-0671



Re: operations contact @ facebook?

2009-10-05 Thread Justin Wilson - MTIN
We have had issues with a FB application basically doing a DOS against a
network. This was not on our servers but somewhere out there on the
Internet.  It was an application that was going rogue.  It was talking to
several of our users using this application.  Facebook caught it and made
the developer fix the App.  I am sure we were not the only ones seeing the
issue.

Justin



From: Patrick W. Gilmore patr...@ianai.net
Date: Mon, 5 Oct 2009 10:57:28 -0400
To: NANOG list nanog@nanog.org
Subject: Re: operations contact @ facebook?

On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:

> Would anyone happen to have an operations contact at Facebook by
> any chance?  Our systems are being overwhelmed by a Facebook
> application that we were neither aware of nor condoned.

Clearly I do not have all the information, so please forgive me for
being confused.  But since when do I[*] have to ask you before I put
an application on my server?  If FB put an application on your server,
that seems like something you should have known up front.

-- 
TTFN,
patrick

[*] No, I do not work for FB.




Re: operations contact @ facebook?

2009-10-05 Thread Jon Lewis

On Mon, 5 Oct 2009, Patrick W. Gilmore wrote:

> On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:
>
> > Would anyone happen to have an operations contact at Facebook by
> > any chance?  Our systems are being overwhelmed by a Facebook application
> > that we were neither aware of nor condoned.
>
> Clearly I do not have all the information, so please forgive me for being
> confused.  But since when do I[*] have to ask you before I put an application
> on my server?  If FB put an application on your server, that seems like
> something you should have known up front.


Sounds like it's an app on facebook that's causing unexpected access to 
something on their systems...perhaps kind of like being /.'d ?


--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



Re: operations contact @ facebook?

2009-10-05 Thread Joe Greco
> On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:
>
> > Would anyone happen to have an operations contact at Facebook by
> > any chance?  Our systems are being overwhelmed by a Facebook
> > application that we were neither aware of nor condoned.
>
> Clearly I do not have all the information, so please forgive me for
> being confused.  But since when do I[*] have to ask you before I put
> an application on my server?  If FB put an application on your server,
> that seems like something you should have known up front.

That's far from the only possibility.  The ability of a site such as FB
to generate an inadvertent but effective DDoS against a smaller site in
a variety of ways is quite significant, and depending on the specifics, 
failure to mitigate such damage once being made aware of it could even
open one up to penalties under regional computer crime laws...  of
course, that's making a bit of a jump and some assumptions, but it is
certainly a different possibility from the one you suggest.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: operations contact @ facebook?

2009-10-05 Thread Leland Vandervort

The application is not being hosted on the VPS servers, but rather on
the mutualised blog platform and is impacting on other customers of this
platform.

We have VPS services available for the app developer in question to host
his application on should he desire to do so.

Leland


On Mon, 2009-10-05 at 10:57 -0400, Patrick W. Gilmore wrote:
> On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:
>
> > Would anyone happen to have an operations contact at Facebook by
> > any chance?  Our systems are being overwhelmed by a Facebook
> > application that we were neither aware of nor condoned.
>
> Clearly I do not have all the information, so please forgive me for
> being confused.  But since when do I[*] have to ask you before I put
> an application on my server?  If FB put an application on your server,
> that seems like something you should have known up front.
 




Re: operations contact @ facebook?

2009-10-05 Thread Benjamin Billon
I guess the facebook app allows any FB user to check availability of 
domain names or to request Gandi's whois database.


From what I saw, FB people do not check every application either
before or after publication.

And that could create some issues out there.

Patrick W. Gilmore wrote:

> On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:
>
> > Would anyone happen to have an operations contact at Facebook by
> > any chance?  Our systems are being overwhelmed by a Facebook application
> > that we were neither aware of nor condoned.
>
> Clearly I do not have all the information, so please forgive me for
> being confused.  But since when do I[*] have to ask you before I put
> an application on my server?  If FB put an application on your server,
> that seems like something you should have known up front.






Re: operations contact @ facebook?

2009-10-05 Thread Justin M. Streiner

On Mon, 5 Oct 2009, Leland Vandervort wrote:

> Would anyone happen to have an operations contact at Facebook by
> any chance?  Our systems are being overwhelmed by a Facebook application
> that we were neither aware of nor condoned.


You might be able to reach the right people at o...@facebook.com

jms



Re: operations contact @ facebook?

2009-10-05 Thread Leland Vandervort

Thanks Justin... will give it a shot;  hopefully they're relatively
rapid :)

Leland


On Mon, 2009-10-05 at 11:31 -0400, Justin M. Streiner wrote:
> On Mon, 5 Oct 2009, Leland Vandervort wrote:
>
> > Would anyone happen to have an operations contact at Facebook by
> > any chance?  Our systems are being overwhelmed by a Facebook application
> > that we were neither aware of nor condoned.
>
> You might be able to reach the right people at o...@facebook.com
>
> jms




Re: operations contact @ facebook?

2009-10-05 Thread Alexander Harrowell
This is a classic case of one of the problems of the increasingly numerous and 
powerful Web dev platforms - as you let other people either control your app 
through an API, or even write code that executes on the server-side, you're 
increasing the cycles available to an attacker. It's similar to the dns 
reflector attack.




Re: operations contact @ facebook?

2009-10-05 Thread Alex Balashov

Patrick W. Gilmore wrote:

> On Oct 5, 2009, at 11:10 AM, Alex Balashov wrote:
>
> > Patrick W. Gilmore wrote:
> >
> > > On Oct 5, 2009, at 10:46 AM, Leland Vandervort wrote:
> > >
> > > > Would anyone happen to have an operations contact at Facebook by
> > > > any chance?  Our systems are being overwhelmed by a Facebook application
> > > > that we were neither aware of nor condoned.
> > >
> > > Clearly I do not have all the information, so please forgive me for
> > > being confused.  But since when do I[*] have to ask you before I put
> > > an application on my server?  If FB put an application on your
> > > server, that seems like something you should have known up front.
> >
> > The original poster is from Paris.  Do consider the possibility that
> > there are different jurisdictional rules or service terms in force
> > from your own.
>
> I certainly did not.  And I would suggest we refuse to do so as an
> industry.
>
> The UN lists 192 countries, and there are several others (e.g. Vatican
> City, Scotland, etc.) which others may count.  Many of these have
> provinces or states or whatever, and almost all have cities, towns,
> counties, etc., each of which may have its own laws & regulations.
>
> Operationally speaking (see, this is on-topic :), trying to consider
> every single one of those possible laws, rules, social norms,
> preferences, political slants, religious authorities, and whatever else
> may come into the mix when putting an object or code onto the Internet
> is simply not possible.  Giving in to it, even a little bit, leads to
> ridiculous restrictions and stifling of many things on the 'Net.  We
> should all push back HARD whenever someone over here tries to tell
> someone over there what to do.
>
> The OP responded with a quite reasonable answer (shared infrastructure)
> that had nothing to do with local jurisdiction.  That is an operational
> issue. What laws your country, province, county, town, or church has set
> up for you should have zero operational impact on me if my gear is not
> in the same place.
>
> And maybe someday we can even get away from that whole "in the same
> place" idea.  (Hey, one can dream.)


That is a very fair point.  I cannot come up with any appealing 
counterarguments.



--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct  : (+1) (678) 954-0671