Sarin Possibly Discovered in Package at Facebook Mailing Facility (nbcbayarea.com)
87 points by coloneltcb on July 1, 2019 | 51 comments


> Facebook runs all of its mail and packages through a machine that can detect dangerous substances, according to the fire district. That machine notified workers that the package in question might contain sarin.

This is very interesting. Is this normal practice at companies of that size? I've worked for medium-large orgs (3,000 people) and never seen anything like this.


Google does... or at least they have a central mail-handling warehouse that "screens" all incoming mail (X-Ray at least, but I wouldn't be surprised if there are other checks they don't advertise). The threat model for high-profile companies is pretty wide-ranging -- everything from the shooting at YouTube HQ to disgruntled or confused people showing up at a random building lobby and causing trouble.


The Mountain View warehouse is massive, but even "smaller" offices like NYC, which is not that small, have been screening mail for years. It's not just a security measure: employees can relocate from one building to another at any time, so it's just easier for the company to do the final routing. Some places like the headquarters for Walmart and Mayo Clinic also get their own ZIP code.


DHS Best Practices recommendations (62p PDF) details threats, risks, methods, and procedures. Published 2012.

https://www.dhs.gov/sites/default/files/publications/Mail_Ha...


Probably big consumer companies it's more common than big B2B companies. Seems like someone somewhere in the world would have a beef with say, Coca-Cola, just from the sheer scale.


Probably, depending on the industry - it’s called mail screening - the Royal Mail provides this as a service for companies in the UK. I’m a little surprised but the USPS doesn’t seem to.


It's not like USPS doesn't screen the mail, they obviously have far less ability to test things without a warrant (not a problem for the end recipient company) but it should concern everyone if (and a big if!) it's true that sarin was found and it made it past USPS.


>> but it should concern everyone if (and a big if!) it's true that sarin was found and it made it past USPS.

I mean USPS isn't perfect and can't test 100% of all packages with 99.9999999% accuracy. The cost we pay to ship letters and packages can't come close to covering that expense.


Pretty sure they wouldn't need a warrant or any red tape at all if the receiver authorized them to open mail on their behalf


Private letters have long been acknowledged as covered by the fourth amendment, that is that searching requires at least a warrant based on probable cause. It’s changed over time whether searches of papers are per se unreasonable [1]. Consent can authorize agents to open mail of course, but it might be an interesting question whether it’s an unconstitutional condition to require waiver in order to access the mail services.

[1] https://www.repository.law.indiana.edu/cgi/viewcontent.cgi?r...


Seems like such easy ground for 4th amendment creep, I'm surprised it hasn't been tried yet.

Get all the big companies using it, then before you know it REITs and management companies will start using it for multi-tenant residences. Boom; 3 letter agencies will start popping up arguing there's no reasonable expectation of privacy since the user agreed to a "CommunitySafe mail protection services" clause buried in the lease.


FB has well over 30,000 employees now.


I know Google does the same


Most organizations don't profit from creating news bubbles that incubate hate.


“Incuhater”


Facebook is a target of dissent for good reasons. There are good reasons to protest FB. But hoax threats (and real ones) like these mean someone went off the rails. They are no longer functioning within a socially accepted framework. It’s unfortunate that opinions can lead people to despicable actions like these.


I think we as a society have become more agreeable to poor discourse. We have people screaming at each other in the street due to perceived differences of opinions, that's not acceptable.

I'm going to hold out hope that this incident was just a false alarm...


You could argue that Facebook isn't operating in a socially accepted framework either, and that this act is a reaction to their assaults.

Not to belittle this crime, of course.


Facebook is a target of a lot more than dissent: https://fortune.com/2017/06/16/facebook-content-moderators-l...


Sarin breaks down rapidly in the human body into a metabolite called isopropyl methylphosphonate. IMPA is the first compound for which the laboratories test, and finding it in a blood, urine or tissue specimen has long been considered evidence of exposure to sarin.

But that test can be fooled. Isopropyl methylphosphonate is sold commercially by major chemical companies. And IMPA is not only safe to handle but was found by the EPA to be harmless when consumed orally at doses of 3,000 parts per million.


This finding wasn't in a human body, it was in a package.

Why would equipment for detecting Sarin in packages be testing for a metabolite?


Common processes for making sarin have diisopropyl methylphosphonate (DIMP) as a by-product, which is not very deadly[0]. You can buy it on Fisher Scientific for 30$. Not sure if biochem screens are matching for this compound, but it's still in the vein of what the parent comment was suggesting.

[0] https://www.atsdr.cdc.gov/phs/phs.asp?id=967&tid=203


This is nice information, but I don't quite get where you're going with this?


Someone who knows this information, which is not hard to find, might have ordered isopropyl methylphosphonate and shipped it to facebook in order to set off a false positive.

It's easy to order, unregulated, and most machines out there look for it rather than sarin itself because it's easier to detect.


I guess, but why that and not just the classic "thing-that-looks-like-a-bomb", if you wanted to cause panic/evacuation? Just seems like a really weirdly specific thing to do.


"I was handling my fake bombs, one of them must have fallen in the envelope by accident!" is harder to sell than a harmless chemical.


I could totally imagine some home-chemistry-lab Facebook employee bought this off the web and had it delivered to work because nobody would be home to sign for it.


Ok?


Where does someone who thinks mailing Facebook sarin is a good idea get sarin from?


I'm betting that it's a false positive on a chemically similar substance. Field detection systems for chemicals/drugs/explosives don't tend to prioritize having a low false positive rate because they'd rather be safe than sorry and most customers have enough qualified immunity it doesn't really matter if the security guards dogpile on some little old lady because the system thought her perfume was a bomb.


This is the best theory. The detectors usually key on specific functional groups characteristic of the molecule rather than the molecule itself. This overfits for a lot of inert chemistry in practice, though they try to pick functional groups that are selective (and cheap to detect).


It can be synthesized, it is a simple molecule, though not trivially. There are several ways in which the process could kill an amateur chemist if they weren't very careful, it is significantly more dangerous than DIY explosives.


>A machine at a Facebook mailing facility in Menlo Park alerted employees Monday that a package might contain sarin

Where does one get such a machine, and how does one come up with the idea of getting it in the first place? As an employee of a BigCo., such an idea has never crossed my mind (and we do have our share of angry/frustrated/on-the-verge-of-nervous-breakdown customers - I mean, it is real enterprise software we're dealing in after all :)


Corporations are, to a large extent, risk externalising engines. An LLC literally has minimising risks (liabilities) in its name.

Corporate security, insurance carriers (risk management on steroids), investors or lenders (also fundamentally risk-oriented), might suggest or require mitigations.

Devices are sold through the usual channels:

https://duckduckgo.com/?q=mail+screening+chemical+detection&...


You'd get a generic chemical trace detection machine primarily to detect mail bombs, which sounds pretty reasonable when you're any sort of highly visible company.

Once you're known enough, you will draw the ire of some unstable person wanting to do bad things to you, no matter what you do.


> You'd get a generic chemical trace detection machine

Is this what the TSA uses when they swab my dog/my hands? I always assumed it was to look for a bomb but I’ve never asked because I figured using the “b” word at the airport would only bring more trouble.


I was once pulled aside for secondary screening by the TSA, and I was so bewildered that they asked if I'd taken a cab to the airport—and I had. The agent explained that it's a common cause of false positives like mine—"residue" gets left behind on the seats. I didn't feel like pressing them for more details, though.


I'm not sure what the TSA use but I'm pretty sure they don't really work.

I've had multiple friends confirm a negative test for GSR when they'd just been at the shooting range in the same jacket/etc.

We still have people accidentally bring guns/knives on planes...


Hand creams can set off that alarm.

They often contain glycerine, which can be a compound in explosives.


I don't know the answer to your questions, but I recently read this and thought you may find it interesting, given your first question, as at some point Kurt Petersen developed devices that scan US mail for anthrax: https://spectrum.ieee.org/geek-life/profiles/kurt-petersen-2...


Yeah, I was having lunch with a friend nearby and noticed, about two hours ago, a pair of helicopters circling and hovering.


Submitted title says "two possibly exposed", but article has been updated to say that no one was exposed:

>No employees have been exposed to the substance, the Menlo Park Fire District said.


I'm waiting for the update on whether or not it's actually sarin. The article (rightfully) seems to be hedging at this point and referring only to the fact that the machine identified it as sarin, but sadly most readers of online news seem to brush past that...


Is that because the mail-screeners are 3rd party contractors, not Facebook employees?


What does Facebook have a mailing facility for? I wasn't aware that they sent or received a large volume of packages.


They have enough employees that they need a central place to receive mail and make sure that it goes to the right place.

Also, they scan packages for sarin apparently...


A lot of people have all their Amazon Prime stuff (and other online orders) shipped to work. It's better than having it stolen off the front porch while you're not at home.

Not sure if Facebook allows this, but most companies I've worked for have been OK with it as long as you don't go overboard.


For employees to send and receive packages. Most large companies (at least in the Bay Area?) have mail facilities.


Oh, that's cool. I've never worked in a building big enough to need more than a couple people in a mailroom to handle that. Also, I guess I've never had my mail screened for sarin.


"Mailing facility" doesn't have to mean "warehouse", it can also be "we want to use more fancy words so we'll call the (large) mail room a mailing facility".


At the larger bay area companies, it's usually an entire office building dedicated to nothing but processing mail. Similar to college campuses.

I think "warehouse" is an appropriate term in these cases. :)



