Verizon sent a big chunk of the internet down a black hole this morning – and caused outages at Cloudflare, Facebook, Amazon, and others – after it wrongly accepted a network misconfiguration from a small ISP in Pennsylvania, USA.

For nearly three hours, web traffic that was supposed to go to some of the biggest names online was instead accidentally rerouted through a steel giant based in Pittsburgh.

It all started when new internet routes for more than 20,000 IP address prefixes – roughly two per cent of the internet – were wrongly announced by regional US ISP DQE Communications: this announcement informed the sprawling internet’s backbone equipment to thread netizens’ traffic through DQE and one of its clients, steel giant Allegheny Technologies, a redirection that was then, mindbogglingly, accepted and passed on to the world by Verizon, a trusted major authority on the internet’s highways and byways. This happened because Allegheny is also a customer of Verizon: it too announced the route changes to Verizon, which disseminated them further.

And so, systems around the planet were automatically updated, and connections destined for Facebook, Cloudflare, and others, ended up going through DQE and Allegheny, which buckled under the strain, causing traffic to disappear into a black hole.

Diagram showing how network routes were erroneously announced to Verizon via DQE and Allegheny … Click to enlarge. Source: Cloudflare

Internet engineers blamed a piece of automated networking software – a BGP optimizer built by Noction – that was used by DQE to improve its connectivity. And even though these kinds of misconfigurations happen every day, there is significant frustration and even disbelief that a US telco as large as Verizon would pass on this amount of incorrect routing information.

Source: BGP super-blunder: How Verizon today sparked a ‘cascading catastrophic failure’ that knackered Cloudflare, Amazon, etc • The Register

During the social network’s heyday, multiple Myspace employees abused an internal company tool to spy on users, in some cases including ex-partners, Motherboard has learned.

Named ‘Overlord,’ the tool allowed employees to see users’ passwords and their messages, according to multiple former employees. While the tool was originally designed to help moderate the platform and allow MySpace to comply with law enforcement requests, multiple sources said the tool was used for illegitimate purposes by employees who accessed Myspace user data without authorization to do so.

“It was basically an entire backdoor to the Myspace platform,” one of the former employees said of Overlord. (Motherboard granted five former Myspace employees anonymity to discuss internal Myspace incidents.)

[…]

The existence and abuse of Overlord, which was not previously reported, shows that since the earliest days of social media, sensitive user data and communication has been vulnerable to employees of huge platforms. In some cases, user data has been maliciously accessed, a problem that companies like Facebook and Snapchat have also faced.

[…]

“Every company has it,” Hemanshu Nigam, who was Myspace’s Chief Security Officer from 2006 to 2010, said in a phone interview referring to such administration tools. “Whether it’s for dealing with abuse, or responding to law enforcement or civil requests, or for managing a user’s account because they’re raising some type of issue with it.”

[…]

Even though social media platforms may need a tool like this for legitimate law enforcement purposes, four former Myspace workers said the company fired employees for abusing Overlord.

“The tool was used to gain access to a boyfriend/girlfriend’s login credentials,” one of the sources added. A second source wasn’t sure if the abuse did target ex-partners, but said they assumed so.

“Myspace, the higher ups, were able to cross reference the specific policy enforcement agent with their friends on their Myspace page to see if they were looking up any of their contacts or ex-boyfriends/girlfriends,” that former employee said, explaining how Myspace could identify employees abusing their Overlord access.

[…]

“Misuse of user data will result in termination of employment,” the spokesperson wrote.

The Myspace spokesperson added that, today, access is limited to a “very small number of employees,” and that all access is logged and reviewed.

Several of the former employees emphasised the protections in place to mitigate against insider abuse.

“The account access would be searched to see which agents accessed the account. Managers would then take action. Unless the account was previously associated with a support case, that employee was terminated immediately. This was a zero tolerance policy,” one former employee, who worked in a management role, said.

Another former employee said Myspace “absolutely” warned employees about abusing Overlord.

“There were strict access controls; there was training before you were allowed to use the tools; there was also managerial monitoring of how tools were being used; and there was a strict no-second-chance policy, that if you did violate any of the capabilities given to you, you were removed from not only your position, but from the company completely,” Nigam, the former CSO, said.

Nonetheless, the former employees said the tool was still abused.

“Any tool that is written for a specific, very highly privileged purpose can be misused,” Wendy Nather, head of advisory chief information security officers at cybersecurity firm Duo, said in a phone call. “It’s the responsibility of the designer and the developer to put in controls when it’s being built to assume that it could be abused, and to put checks on that.”

[…]

Several tech giants and social media platforms have faced their own malicious employee issues. Motherboard previously reported Facebook has fired multiple employees for abusing their data access, including one as recently as last year. Last month, Motherboard revealed Snapchat employees abused their own access to spy on users, and described an internal tool called SnapLion. That tool was also designed to respond to legitimate law enforcement requests before being abused.

Source: When Myspace Was King, Employees Abused a Tool Called ‘Overlord’ to Spy on Users – VICE