
The White Hat's Dilemma - secalex
https://docs.google.com/presentation/d/1UfOxCIIlcU-iRcUeA6p6fyEE4qUbSuFMqmSuWjRsL_4/pub?start=false&loop=false&delayms=3000
======
throwaway3902
I used to work for Blizzard. The Chinese government requested that we modify
the WoW client so that they could intercept all chat. As far as I know, no-one
said anything, including me - and Blizzard, of course, was more than happy to
comply, given the size of the market and the risk of being forbidden to do
business there. There were plenty of other MMOGs happy to play ball and eat
that cake.

I didn't say anything. It was happening to "them", Chinese nationals. Not only
that, but "they" should know better than to say sensitive things online,
because even if we didn't install the back door, I reasoned, it wouldn't be
too hard to get that data through various other means.

I really regret not only my participation, but not making a big stink about
it. No-one did. I strongly suspect that that same system is being used
domestically, now. Clearly it was the wrong thing to do. I've regretted my
role in that implementation for several years. I shouldn't have participated,
and I should have protested. Even if it didn't stop it, at least the company
leadership might have felt the heat. But I was a coward and I didn't want to
lose my job, didn't want to fight a legal battle, and, like I said, it was
just China spying on its people, which everyone knew they do anyway.

And who knows? The news probably would have been ignored, or, if it wasn't, I
might have been branded as a coward and a disloyal employee, betraying the
people who put food on my table. And me being under 30, overpaid,
over-privileged, etc. I can hear the Fox News commentators even now. That, to me,
has been the most difficult thing about Snowden, is that here's someone who
did the right thing, who revealed wrong-doing on the part of our government,
and there are a lot of people who say he's the wrongdoer, who attack him as
disloyal and worse. A back door in a game used by China? Who would even care
about that? And if they did, I'd just be torn to shreds, unemployable and with
heaven-knows-what kind of future.

The reaction to Manning and Snowden, particularly the lack of strong public
support, sends a strong signal that people don't want to know. They don't want
to upset the apple cart. They don't want to challenge the government, they
don't want to question it, not even when it's clearly violating its own most
important rules - the rules that, presumably, we've been fighting to promote
these last 200 years. It seems hopeless.

~~~
mr_spothawk
Fuck it, I'll go ahead and say it:

First, thanks for coming clean. You're a human being who's made a really bad
decision.

You should feel terrible for this. "They" are not merely your possible
friends, or your relative's relatives, or your neighbors' cousins... "They"
are other human beings who might someday decide to stand up for their human
rights. "They" are millions of people you sold out for easy "dinner" & "rent".

And now the tool you helped build to invade their privacy is likely being
turned on all your real friends, and your real relatives, and your real
neighbors. And you're not even getting paid anymore.

You should feel terrible for selling out for so little. You weren't as afraid
of being unemployed as you were of having to do something. You were mentally
lazy and your moral compass was clearly defunct.

Too bad your behavior is not undoable and you'll have to live with it for the
rest of your life. Maybe you can do something to recover for it in the future.

Hopefully your ethical failure can serve as an example of what not to do.

~~~
icebraining
What did you hope to accomplish with this post? "Here's someone who did
something bad, who can't undo it, and who feels bad enough to come clean -
let's rub it in so as to discourage others from doing so"?

~~~
Skalman
I'd say that a clear goal of that post is to emphasize that it was a _choice_.
To me Spothawk is rubbing in the fact that it was a decision.

~~~
amirmc
And it's a lot of people's _' decision'_ to bury their heads in the sand about
the implications of Snowden's leaks. In that light, why isn't it also directed
at everyone who doesn't care, rather than one guy who does?

Edit: What about the employer's choices to go ahead with it? No anger directed
that way? This guy should have fallen on his sword but his company gets a
pass?

~~~
mr_spothawk
Yeah, every person in the chain needs to wake the f* up.

Please don't mistake my lack of attention to Blizzard's complicity as a
'pass'.

I actively campaign against folks who would bury their heads in the sand. In
the past decade I have spent huge effort (preaching?) to convince my peers not
to accept work in these Military Industrial jobs and to leave them if they're
already there. I've had quite a bit of success in that regard, and I would
encourage (as I tried in my response) that others would help educate their
peers as well.

------
tptacek
Here's an alternative vantage point, my vantage point, one I think makes these
kinds of ethical quandaries easier to navigate:

* I'm not a "white hat" or a "black hat"

* I'm not deliberately involved in any kind of "cyber" conflict

* I don't do what I do because I'm battling the forces of evil, or organized crime, or anything else

Instead: I do engineering. The same way a contract driver developer does, or a
Rails dev. I happen to work in a particularly challenging problem domain. My
work happens to have some interesting implications. But those implications are
not the reason I work in the field; I work here because it allows me to
grapple with compilers, number theory, low-level networking, hardware, OS
kernels, and every imaginable development platform. It's about the craft.

I find this vantage point, which appears amoral, makes the ethical dilemmas
easier to resolve. If a company like Narus asks me to help them make a network
monitoring system harder to evade, I don't have to put that request into some
ethical framework that considers the good that application might do. I just
turn the work down. Same goes for the US Government; no, sorry, not
interested.

Total respect for Alex (the "white hat consulting company" he founded is iSec
Partners, our sister company and former archrival). I get the sense that Alex
engages intentionally with these dilemmas, that he wants to be a part of
something larger than himself and, I think, larger than the craft. As a
result, sure, he has to live a carefully examined life, and make sure the
projects he's working on aren't skewing his compass. I admire him for picking
his way through those problems. But I'm every bit as engaged with the field as
Alex is, and I'm here to tell you that you _don't_ have to get tangled up in
these kinds of ethical problems if you don't want to.

~~~
clicks
Reading what you just wrote reminded me of the famous Edmund Burke quote: "All
that is necessary for evil to triumph is for good men to do nothing".

If it had not been for the acquiescence of engineers who took part in the
creation of PRISM, XKeyscore, etc. we... well, we would not _have_ PRISM,
XKeyscore, etc. Increasingly there is no such thing as an "amoral" position
when it comes to a lot of these things -- you're either an entity who
willingly chooses profit over principles, or you do something to defeat the
evil as you see it (or, at least refuse to take part in it). In this day and
age the conscientiousness of man is one of the last remaining defenses to
fight the many evils, new or old, mercurial or familiar. It falls on all of us
to think of the moral ramifications of our actions, in the workplace and off,
and choose carefully and to the extent we comfortably can to see humanity
continue prosperously.

I don't mean this to be a thoughtless, idealistic anti-NSA tirade, I'm frankly
very okay with folks working on hip new technology that catches the bad guys,
I just think your decision framework which is devoid of any ethical
considerations is highly, highly dangerous and I wish for the good of us all
that it doesn't catch on.

~~~
tptacek
Did you read every other sentence of what I wrote? None of this has anything
to do with my comment.

~~~
clicks
One, I don't think it's the HN law that all threads should follow in some
precise linearity: there's such a thing as free-form debate. Two, my comment
did have something to do with your comment. Three, you very often reply like
this -- "did you read what I said?" -- not that it matters much to me
personally, but can you please start making an effort of at least trying to
communicate such things in a little more civilized manner? The tone of such
comments is often toxic and inflammatory.

~~~
oinksoft
His authoritarian tone squares nicely with his approach to ethics as expressed
in threads like these.

~~~
tptacek
I think you think this is a stinging comment, but it really says more about
you than it does about me.

~~~
oinksoft
My comment being sincere, I don't expect it to sting you in the least. What a
petulant reply.

------
cyanbane
Great presentation and something that programmers in general (not just
infosec) need to have a personal decision model for. Everyone should be able
to make their own decision to these questions as they see fit, but the more we
talk about issues like this the more we see where other people like us (who
maybe were put into this position in the context of "work") have decided on a
stance (and the repercussions of said stance) the better off we all are. We
who work on machines and not man don't have an oath that we are taught to
follow and/or live by, and I don't necessarily think we should. That being
said, the Jr. programmer working for a small firm can encounter decisions of
ethical importance as much as a black/white/grey/green/mauve hat infosec can.
To me, this is the core value of what a site like HN provides and probably the
main reason I read the comments on HN more than I do the articles.

------
chipsy
My favored moral framework for most situations is the noblesse oblige: If, by
chance or by choice, you have the privilege of affecting a lot of people, you
now have the responsibility of supporting the most marginalized members of
that group, regardless of whatever prejudice against them you may have had.

This is, in a lot of cases, a nearly impossible obligation to completely
fulfill, but in application, it leads to both a closer examination of
privilege and to moral decisions and outcomes that are progressive.

------
scotty79
I'd say the correct answer is almost always to leave quietly. Let's leave doing
immoral things to immoral people and let's hope their employers starve due to
elevated fees.

Also, if you live in the US you should always put your own safety in first
place. The US justice system is becoming the most significant threat to capable citizens.

------
dlitz
Slide 28. What does "IR" mean?

~~~
agnokapathetic
Incident Response

~~~
dlitz
Thanks!

------
treenyc
Thank you Alex for bringing up these issues. I just would like to point out that
ethics and morality are both normative propositions (in the sense that they
are different across cultures and societies). Basically, what is considered desirable
vs. undesirable behavior. As we all must have found out by now, what is
considered desirable and undesirable is very different from place to place.

It would perhaps be more constructive to consider a positive model of
integrity (positive as in positive theory in economics). In many ways we have
confused morality and ethics with integrity. Integrity, when distinguished in
the positive model, can be applied consistently across cultures, societies,
groups or organizations (kind of like the law of gravity).

For those who are interested, you can download the short paper by Dr. Mike Jensen
on the Social Science Research Network related to the positive model of integrity:

[http://ssrn.com/abstract=1511274](http://ssrn.com/abstract=1511274)

------
dajusu
What letter was asked to be signed at the end?

~~~
secalex
The EFF's CFAA reform letter. They had folks in the room to gather paper
signatures from attendees, and remote folks will eventually get a chance to
sign electronically.

[https://www.eff.org/deeplinks/2013/08/letter?utm_source=twit...](https://www.eff.org/deeplinks/2013/08/letter?utm_source=twitterfeed&utm_medium=twitter)

------
glomph
I think it is worth thinking about the idea that whatever your particular
moral framework is it should not be about 'making a difference' but making the
most effective difference you can. Actually if you hold something to be
important you should want to do the most that you can. Exceedingly often what
this means is doing something different to the majority of people. Often this
goes against conventional wisdom.

------
nonchalance
I question the slide regarding trade secrets:

* the names are misspelled: first person is Sergey Aleynikov (not alinikov) and second person is Samarth Agarwal (not agrawal)

* in each circumstance, there was actual trade secret theft. That part is clear. The slide itself seems to suggest something beyond that, but they essentially took code that they wrote for their employer (and they signed contracts clearly saying that it belongs to the employers)

~~~
secalex
Thank you for catching the spelling mistakes.

The point of that slide is that trade secret theft is a very old problem, and
that there is a long history of criminal and civil case law to look to when
punishing that kind of action. Those individuals were all charged under the
Economic Espionage Act and face extreme penalties. I see this as another
version of overcharging under the CFAA; the Federal Government has one
standard for doing something on paper and a much harsher one for the same
activities while using an SVN repo.

I am not defending the actions of those men, I just feel that the civil
remedies that have been used for decades are more appropriate than having the
soul-destroying power of the US DOJ turned against them on behalf of their
employers.

The ethical dilemma exists for the technologist who performs the investigation
and testifies against her former co-worker. What responsibility does she have
to see justice done? I don't have an answer, but that was the question posed
by the slides on justice.

------
gnosis
Does anyone have a link to a plain-text version of this that doesn't require
access to the Google spyware site?

~~~
casca
Are you asking for this? [https://docs.google.com/presentation/d/1UfOxCIIlcU-iRcUeA6p6...](https://docs.google.com/presentation/d/1UfOxCIIlcU-iRcUeA6p6fyEE4qUbSuFMqmSuWjRsL_4/export/pdf)

~~~
delinka
I think you missed the whole "...doesn't require access to Google..."

------
Selfcommit
Who is the Finnish guy?

~~~
interknot
Mikko Hypponen, from F-Secure.

[http://mikko.hypponen.com/](http://mikko.hypponen.com/)
[http://www.f-secure.com/weblog/](http://www.f-secure.com/weblog/)

------
casca
I love the Ultima 4 reference

~~~
secalex
Thanks. Still my favorite game ever.

~~~
neilk
What class did you get?

~~~
secalex
I don't remember what I got the first couple of times I answered honestly. I
do remember manipulating the system to become a Paladin, which perhaps negates
the entire point of the morality system and makes me a rogue in real life.

~~~
neilk
Yeah, I did the same thing. I wanted to be a Ranger, because Aragorn in Lord
of the Rings is one, so I manipulated my answers. Plus it's in the center of
the graph, so I thought that had to be better.

But, I do recall I would get Mage (Honesty) if I did it, er... honestly. Today
I get Bard (Compassion). I guess people really do change over the course of
their life.

------
Qantourisc
Why do people even sign NDAs?

~~~
lmartel
Have you ever worked for a company that didn't ask you to sign one?

That's not rhetorical, I'm curious--it seems that virtually every company has
some amount of proprietary information, isn't that what drives competitive
advantage in software?

~~~
osivertsson
I signed them when I was younger, but have been able to avoid them for a
couple of years now. In my opinion, the law should be enough in most cases.

Recently I was offered a good and well-paying job. Late in the recruitment
phase there was this far-reaching NDA I would have to sign. I asked to be
given two days to read and evaluate it, which apparently labeled me as someone
very strange; I should just flip through it in 10 seconds and sign like
everybody else.

Two days later when I questioned their HR/Legal about some of the clauses they
got very uncomfortable, and tried to avoid making a big deal out of them,
saying it was "standard" and "at this site, they had never taken anyone to
court based on it".

I didn't sign, and hence they could no longer offer me the job. Oh well, their
loss, they would have to do without the value I could provide to their
business.

------
Rickasaurus
Was this talk recorded?

