
NSA revelations could hurt collaboration with 'betrayed' hackers - Chirael
http://www.reuters.com/article/2013/08/03/net-us-usa-security-hacking-ethics-idUSBRE9720A020130803
======
tptacek
The most dangerous and stupid meme percolating in pop tech culture is that the
people engaged with tech culture have a unique claim to computer science,
electrical engineering, cryptography, information security, and privacy
technology. The Slashdot diaspora genuinely believes that most of the world's
computer engineering talent reads their comments.

The reality is that not only does money do a fine job of buying talent, but,
if it's the USG you're thinking about, they don't even have to try hard;
extremely qualified engineering graduates compete to secure positions at NSA,
which has been ~10 years ahead of private industry for the last couple
decades, before which time they were even further ahead.

Part of the reason the USG doesn't actually have a problem recruiting people
is that they actually believe in training people. I don't know how effective they
really are at it, but I do know that our industry is fundamentally unserious
about training. The kinds of commercial organizations that take in raw
recruits generally turn out extremely mediocre J2EE and .NET developers. The
rest, to a first approximation, run their recruiting programs based on
measurements of reproductive organs. Giant defense contractors haul in green
IT graduates by the truckload and adapt them to jobs that command significant
premiums on the private market. Again, I'm not saying defense contractors can
turn information management grads into electronic supersoldiers, but: they're
not hurting for recruits.

The reason I think you care about this is because it informs you of a hidden
handicap that private industry and activist groups have when facing down the
government. I'm very sorry if I'm the first person to break this to you, but
if you're an activist targeting the USG, your adversary isn't stupid. In fact,
I think it's likely that they're significantly smarter than any of us. Bear
that in mind when you design your NSA-proof email applications.

I don't do work for the USG, and haven't before, but I'm realistic about the
impact of that decision; it has more to do with my own psychological welfare
than it does with anyone else's.

~~~
mjolk
> In fact, I think it's likely that they're significantly smarter than any of
> us. Bear that in mind when you design your NSA-proof email applications.

Math is math and it's relatively easy to implement decent encryption -- it is
possible to pass data securely from end to end.

The larger issue with these projects is that they're usually proposed by
someone that can sling a bit of Ruby and fashions him/herself a cyber
revolutionary, not someone that understands that the real power of the US
Government in the tech sphere is its ability to apply pressure away from a
keyboard - whether it be a subpoena for raw data from a hosting provider,
legal fuckery, or sending armed soldiers to your doorstep.

~~~
seiji
_Math is math_

Physics is physics. We all know time is fixed, the universe has been around
forever, and atoms are the smallest indivisible component of matter.

The world, under the guise of "everybody is created equal," has fallen under
the spell of "everybody has the same intellectual capacity" (which is clearly
wrong). Yahoo isn't paying a high school dropout $100 million + $80 million
because of his snazzy FU-my-mom-dresses-me haircut — they're paying him that
because he's different. He's better. He's done more in five years than you've
done in 20. You can't train that. People just are.

The government tries to grab all the clearly better-than-everybody-else
undergrads through their sneaky alliances with CS departments and professors.
They usually win.

Programs are programs and it's relatively easy to implement a program. But,
some programs are worth billions of dollars and others aren't worth half a
farthing. It's the people who make a difference.

~~~
smtddr
_> The world, under the guise of "everybody is created equal," has fallen
under the spell of "everybody has the same intellectual capacity" (which is
clearly wrong). Yahoo isn't paying a high school dropout $100 million + $80
million because of his snazzy FU-my-mom-dresses-me haircut — they're paying
him that because he's different. He's better. He's done more in five years
than you've done in 20. You can't train that. People just are._

Don't agree. I don't like the idea that knowing some fancy-trendy-computer
skill is equal to "He's different", "He's better.". Computer skills don't make
you better than a plumber. It's just a skill. A skill that turns out to be in
ridiculously high-demand today, but it doesn't make you better than the
plumber or the janitor or the cashier at Starbucks. I know when I decided to
get a BS in computer-science, I had the full intention of being a videogame
developer barely making ends meet in a cockroach-filled apartment. I had
absolutely no idea this whole Bay Area trendy-"web2.0"-linux-cloud-opensource
movement was going to happen at all. I surely didn't plan to make even half
the salary I'm getting now. This makes my family incredibly fortunate, but not
better than anyone else. I think HN-folks in general need reminders that we're
not some group of superior beings, we're just insanely lucky we won the
"career-lottery" for being in the right place at the right time with the right
skills.

P.S. I don't know how we'd measure intellect, but I do believe that all
healthy human beings do have the same potential for the amount of knowledge
they can consume, at least at birth. And I'm not even sure how to define
"healthy", Stephen Hawking probably doesn't meet most people's definition of
healthy but he's very smart, right? And is he smart in all subjects? Or just
physics, cosmology, astrophysics and other universe-related things? What
subjects do you need to be well-versed in to be considered smart?

~~~
dmd
> I do believe that all healthy human beings do have the same potential for
> the amount of knowledge they can consume, at least at birth

This makes no sense whatsoever. Do you really believe that while people have
genetics that control their skin color, hair color, susceptibility to various
diseases, etc., etc., etc., somehow the brain is some magic non-biological
organ that is not built by DNA?

~~~
smtddr
Ok, let me put it another way. If there is a variation for the amount of
knowledge the brain can consume from human to human, assuming they're
"healthy", it's gonna be something like Infinity x 99, infinity x 8, Infinity
/ 2. Whatever it is, it'll be a limit that's way beyond what a human being
could ever reach in a lifetime.

~~~
dmd
So you don't believe that there's a spectrum of disability? You're either
intellectually disabled to the point of not being able to dress yourself... or
you're a potential Einstein - nothing in between?

~~~
vwinsyee
It doesn't seem like I can reply to smtddr's sibling comment here (probably
nested too deep?). So here's my two cents:

I agree that in context of memory, the brain's capacity does appear limitless.
However, the brain's capacity to _process_ all of the information that it's
exposed to is quite limited. For example, for most people, working memory is
limited to 7 items plus/minus 2. One part of a standard cognitive test is to
expose the subject to a list of numbers, and after hiding the numbers, ask the
subject to repeat them back to you (and again, but backwards). A similar test
of memory is to ask a subject to remember a list of items, then ask a series
of other questions, then ask the subject to repeat the same list some time
later. Some people do pretty well at these tests; some don't (approximating a
normal distribution in ). So while it's theoretically possible that all
subjects do have all of the numbers stored in their brain, it's quite clear
that there's differing capability at least in memory encoding and/or
retrieval.

I guess I also wanted to mention the concept of saliency. Different people
will pay attention to different things even if all of the people are exposed
to exactly the same stimuli. This is important because the brain only encodes
to memory what it finds particularly important and/or interesting (i.e.
salient). This can be trained to a degree: more experienced or trained people
will be able to detect what's important, like a soldier being better able to
"sense" the presence of an IED in a warzone. So even if everyone has exactly
the same memory capacity, there'd still be variation in how well the brain
itself decides to use that capacity.

~~~
saraid216
> It doesn't seem like I can reply to smtddr's sibling comment here (probably
> nested too deep?).

OT technical note.

The reason you do not see a "reply" link is because you viewed the comment
within X minutes of its posting. HN disables the reply link for that period.
_However_, if you click on the permalink (the "link" text), you will still
get a usable text box for replying.

My strategy is generally to do this, but sometimes I actually just refresh to
pick up any new contextual comments.

------
snowwrestler
There have always been reasons to object to working in national defense.
During the Cold War quite a few physicists and engineers chose not to go into
defense work because they did not want to feel like they were hastening
nuclear Armageddon.

And yet, the U.S. government developed effective new defense and energy
technologies during this time.

There are reasons to work for the government that are attractive to top tech
talent: access to information and tools that no one in private enterprise has;
gigantic budgets, with no demand for profitability; a great mission:
protecting the American people.

And if the issue is privacy, there are objections to be made at most top tech
companies now as well--most of their product development treads on or over the
privacy line of their customers.

I'm not advocating for defense work BTW, just expressing skepticism that the
Snowden affair will substantially harm the government's ability to attract
tech talent.

It probably will scare off the most innovative, forward thinking hackers...but
they've never been a crowd that works for the government anyway. Too slow and
bureaucratic.

~~~
yareally
> "There have always been reasons to object to working in national defense.
> During the Cold War quite a few physicists and engineers chose not to go
> into defense work because they did not want to feel like they were hastening
> nuclear Armageddon."

Robert Oppenheimer, the "Father of the Atomic Bomb," lost his security
clearance and his position on the Atomic Energy Commission for voicing
concerns and refusing to directly help build the hydrogen bomb in the 50s. He
argued it was against the United States' best interests to develop it, because
the USSR had no cities large enough to use it on, while the United States did.
The United States also had plenty of large atomic bombs with pretty high yield
already that were much cheaper to build. Thus, when the Soviets eventually
created their own, they would be ones with a reason to have it, while we
wasted tons of money giving it to them that could have been spent elsewhere.

Just for reference:

[http://en.wikipedia.org/wiki/Robert_Openheimer#Atomic_Energy...](http://en.wikipedia.org/wiki/Robert_Openheimer#Atomic_Energy_Commission)

[http://www.imdb.com/title/tt0078037/](http://www.imdb.com/title/tt0078037/)
Great miniseries on Oppenheimer done by the BBC, if one can find it.

~~~
gregd
I also highly recommend reading the book, American Prometheus.

[http://www.amazon.com/American-Prometheus-Triumph-Tragedy-Op...](http://www.amazon.com/American-Prometheus-Triumph-Tragedy-Oppenheimer/dp/0375726268)

~~~
yareally
I'll have to pick it up. I've always considered Oppenheimer one of the most
interesting people to have lived. He was very charismatic, winning over
scientist and bureaucrat alike and a compromiser when necessary, but yet would
not compromise when it came to the issue of the hydrogen bomb at the height of
"McCarthyism". Too bad he's mostly forgotten in present day history.

~~~
gregd
He was interesting. It's a shame how much he was ostracized by the very same
people who used him to get to the atomic bomb. The book does his life and his
life's work justice. It's an extremely interesting and well written account.

------
JabavuAdams
I'm not convinced. People are very good at cognitive dissonance.

If you're passionate about tech, then there are some very interesting projects
to work on in government.

Rocket scientists want to build rockets. Roboticists want to build robots.
Hackers want to hack. They've gotten good at what they do by subordinating
other concerns to their driving interests. So, why would they be put off by
something that doesn't seem to directly affect them or their loved-ones?

EDIT> Regarding the furor over heavy-handed prosecution of tech-assisted
offences: that only matters if you choose the wrong side. I.e. Work on this
cool stuff, stay in line, and you'll never have a problem with the law. Not a
hard sell.

------
danso
Even before seeing that the submission was from techdirt, the headline itself
contains the type of assertion that is highly questionable on its face.

1. What is a "top" hacker? Someone who has hacked the most systems? Hacked
the most secure system? Created the most cleverest exploit?

2. How do you know that it's actually the "top" hackers who are refusing to
work with the USG? Because quite conceivably, there are great hackers who are
already working at the USG and aren't revealing themselves or quitting in
protest. The hackers you have now speaking out may indeed be refusing to work
for the USG, but your article is then based on a self-selecting sample.

3. Is being a "top" hacker an immutable thing? If top mercenaries said they'd
never join the Navy SEALS, does that mean the SEALs are screwed? Only if you
forget that they have no shortage of young men who are pruned and groomed to
being elite fighters.

~~~
res0nat0r
I'd love if we could add techdirt to the auto kill submission list. That would
help cut down on the inflammatory noise articles being submitted without much
substance.

------
ihsw
Contrary to the article's inflammatory title, software engineers haven't quit
their jobs at the USG en masse.

As for the "with the government" vs the "for the government" rebuttals:
surveillance and research contractors haven't stopped working with the USG
either.

~~~
DevX101
I don't think there will be droves of people leaving because of recent
scandals. But it sure will make it harder to answer a smart college grad who
asks "Why should I work for the NSA?" when he/she has options at private tech
companies.

~~~
neutronicus
The answer is easy.

I like money, I like job security, I like playing for a winner, I like being
on the bleeding edge.

Were I crypto guy, I would snatch up a vacated-on-principle spot at the NSA in
a heartbeat.

~~~
Helianthus
I guess at least you know your price.

------
joshuahedlund
Doesn't really present much evidence that this is happening so far, but I
wouldn't be surprised if the continuing revelations push more and more hackers
in this direction, especially at the margins. The possibility of such a "self-
correcting" measure to the surveillance state, even without legislative
reform, is one reason to be optimistic (though it would be naive to put too
much hope in that alone)

~~~
hobs
I don't know about your second point, but I definitely agree the link quotes
another article that says something "might" happen. While I hope that the
intelligentsia of America wake the hell up and stop cooperating, this article
is a crock of shit.

------
coldcode
We really need to out and shame any engineer or contracting agency working for
the NSA. If they can't hire anyone they can't spy on anyone.

~~~
eshvk
Once you have done this outing and shaming, what do you expect to do? Burn the
engineer or contracting agency at the center of the town hall? Have a fifties
style whisper campaign where you refuse to go to their cocktail party?

Apart from the fact that it vaguely sounds discriminatory, I don't see what
you could achieve on a practical level.

~~~
Karunamon
A de-facto blacklist where having the NSA on your resumé is as desirable as
having NAMBLA?

------
bit_genesis
It's worth pointing out that you don't need to work "for the NSA" to be
contributing to state surveillance. If someone is hired straight out of
college to work for any type of cloud services provider with revenues over a
billion, it's probably safe to say that your prospective employer has
enough market reach to have attracted the attention of state surveillance
programs. Of course, by law, your prospective employer would be required to
lie to you about involvement.

~~~
majelix
> It's worth pointing out that you don't need to work "for the NSA" to be
> contributing to state surveillance.

The flip is also true: you're not necessarily contributing to state
surveillance just because you work "for the NSA". Two easy examples are
SELinux and the various NSA Guides to Securing <OS_of_choice>.

~~~
tomjen3
I always assumed SELinux was backdoored. I am still waiting on the proof that
I am wrong.

------
theboss
Wow, awful. If you go to an InfoSec/Hacker Con the people there either work
for Govt Contractors, Used to work for the Govt, or work at small companies
(that get paid by the govt).

The "Top Hackers" certainly still will work for the government.....Why do you
think so many are in DC?

------
rdl
I'm certainly not a TAO offensive security type, but maybe I'm somewhat
representative of median people in the security space. I was certainly more
than willing to work for USG at one point, but the "crypto wars" of the 1990s
(as well as the end of the cold war and lack of a mission) convinced me not to
go to NSA then (I was going to do ROTC -> NSA). Post-9/11, I fully supported
both the USG infosec mission and the use of sigint/etc. to go after specific
foreign terrorist groups, and worked as a defense contractor with what that
entails (although doing nothing so glamorous as NSA/TAO/etc., but at least not
running a helpdesk for ITT either. I envied INSCOM/ISA so much.).

Now, I'd have a really hard time doing anything more contractory than selling
totally standardized COTS products to the USG, even something non-threatening
like a better teleconferencing system, until/unless there is re-established
effective elected oversight (i.e. congress, as a whole, and not just 15
committee members with little interest, expertise, or competence) over these
programs. Not really holding my breath on that.

------
Fuxy
This would all sound nice and all but where's the proof? Just hackers saying
they will refuse government contracts doesn't mean anything.

I honestly hope they would do that but I lost hope in such a thing happening a
long time ago.

Just dangle some money in front of them and they're just average suckers like
the rest of humanity.

------
rdl
We do have a pretty clear historical precedent. In the late Vietnam era and
immediately after, the prestige of the military, and thus the quality of
recruits and soldiers in the US military was basically at its lowest point
ever (at least since we started having a big standing military with WW2). I
mean, _really_ bad. I'm not sure how much of this was due to "evil
babykillers" meme about Vietnam, or the stink of failure from losing our first
(and unpopular) war, or what, but it's conceivable the same kind of thing
could affect NSA recruiting. The post-Snowden fiasco is about 5% of the way
toward doing that, though -- until we see evidence of actual people that "we"
"care about" seriously harmed, it won't get much closer than we are now.

(It was bad enough that they had to pass laws to consider Vietnam-era veterans
a "protected class" for discrimination. From everything I've read and heard
about the _post_ Vietnam military, especially the Army, it was even worse (at
least until the 1980s, and really until Gulf War I in a lot of ways.))

------
acd
The state is purposely allowed to break laws the citizens are not allowed to
break.

It is illegal for a citizen to hack other persons' and organizations' computers
and take their data. It is allowed for the government to hack other persons'
computers and steal their data. The government now has professional teams of
hackers doing just that.

Thus the same laws do not apply for citizens as the government, thus the
government thinks they are above the law.

It is almost the same as the government would have teams that steal credit
cards and make drugs.

We are walking towards an Internet 3.0 which will be heavily encrypted, anonymized
and reinvented by hackers. Imagine encrypted mesh sockets. ifconfig anoninet
up Peer2Peer dns and trust authorities.

Not to mention the banks the government are protecting and the central banks,
which purposely steal people's money through inflation. The Fed is privately
owned by the banks they are as Federal as Federal express not at all. The
creature from Jekyll island.

------
e3pi
"Closest to home for many hackers are the government's aggressive prosecutions
under the Computer Fraud and Abuse Act, which has been used against Internet
activist Aaron Swartz, who committed suicide in January, and U.S. soldier
Bradley Manning, who leaked classified files to anti-secrecy website
WikiLeaks."

With also Binney, Drake, Snowden, with the Justice Dept's Eric Holder and
Carmen Ortiz prosecuting with trumped-up draconian charges, and that we also
know the intel/security agencies spokespeople with an eagle logo are
consistent prevaricators, it is clearly recklessly dangerous to become
directly involved with these federally sanctioned criminals. At least factor
that in, while negotiating your compensation.

------
dpeck
This is sadly far from true. There is plenty of talent to be bought for the
right amount of money and plenty of talented people who can divorce morality
from their job.

Besides that though there has been quite a bit of growth in nationalistic
sentiment in the hacker community for some time. It seems that it's been
present in non-US/EU parts of the culture for quite some time, but I've
noticed in recent years it becoming a bigger and more accepted part of US
circles. Joking about popping boxes in .cn, seeing the whole country as an
enemy, etc. It was a lot quieter on those topics in Vegas this year, but it
was certainly a very present part of the dialogue 2010/11, etc.

------
andrewcooke
one related thing that i have been wondering about: it's been argued that the
internet-based voter support was key in getting obama elected. will that same
team - or similar people - be willing to work next time round?

not work for the government, but for the democrats. will hackers work for
democrats in the next presidential election? if it's disappointment with
obama, will switching to clinton be enough? and will we see a move to 'blame
obama' near the end of his term to help clinton?

------
scrabble
It seems to me like a great way for the government to really start keeping
close tabs on you would be to have any sort of tech job for them and quit --
especially after Snowden.

------
mcguire
Interesting paragraph from the Reuters article:

"Some security experts remain supportive of the government. NSA Director Keith
Alexander's talk at the Black Hat conference was well received on Wednesday,
despite a few hecklers.

"...Alexander took a conciliatory tone during his Black Hat speech, defending
the NSA but saying he looked forward to a discussion about how it could do
things better."

The article portrays Black Hat as the more "professional" conference, as
opposed to Def Con.

~~~
rdl
Mostly because DC20 happened a year ago, before Snowden.

I don't think GEN Alexander's PSD would have allowed him to attend Defcon this
year. (not that his life would have been in danger, but enough violent/etc.
heckling that people probably would have gotten hurt, which would be horrible
press.)

------
quantumpotato_
"An illustration picture shows the logo of the U.S. National Security Agency
on the display of an iPhone * in Berlin, June 7, 2013. Credit: Reuters/Pawel
Kopczynski"

* Surrounded by cables that couldn't connect

------
sharrocker
tptacek what is your sourcing on this? I have spoken with people at
engineering schools-- including those with close ties with the NSA, where NSA
goes for hiring-- and they say the NSA is hurting. A recently retired (as in
that month) fed at DefCon said straight up we are seriously behind you guys
and can't keep up because of bureaucracy.

------
joetek
"it's significant that the NSA's massive XKeyscore program runs on a Linux
cluster."

Is there an option in Creative Commons or GPL to exclude government use?

~~~
TeMPOraL
If they modified GPL code, maybe they can be sued to release changes.

~~~
dragonwriter
The only action possible against the federal government for copyright
violation is an action in the Court of Federal Claims to recover money
damages. [1]

[1]
[http://www.law.cornell.edu/uscode/text/28/1498](http://www.law.cornell.edu/uscode/text/28/1498)

