Today, Yahoo announced a hack of 1B accounts. They say they don't know who it is, but we can conclude it's not the US government because Yahoo is willing and legally able to publicly disclose it.
Previously, Yahoo willingly assisted an attacker in compromising 1B accounts. In this case, they did not disclose the attack publicly, or even to their own chief information security officer, because in that instance the attacker was the US government itself.
US intelligence activities are actively harmful to American commercial interests because they destroy trust, particularly from customers elsewhere in the world.
Or are Chinese companies doing some interesting walling-off?
I've had to explain to clients on numerous occasions why I enabled TLS between things in the same data center. Security requires layers and just because the data is on a network you own doesn't mean nobody can get in.
I get why somebody would argue this before but things like letsencrypt make it easy to manage the certificates for your internal hosts. I guess it gets more complex if you have your apps in containers that need their certificates managed etc. Even that shouldn't be this big a deal to make sure renewal is automated with some scripting or even managed properly with a backend CA like r509 ... Also the argument for performance no longer counts when the sales argument could be "we guarantee you e2e encrypted services etc" ...
Also Data Engineering jobs become a lot more complicated when suddenly certain data-points are no longer available for visualization on "BI-dashboards" consumed by wanna-be tech-savvy CxOs, so that too may be a factor.
See also crime, criminal
The "te with l" tip was for the original "'criminate" and not very clear.
I'd say if you believe there are any real checks or balances to the NSA's power you're naive.
This implies a potentially fatal assumption that IC agencies perform clandestine activities with prior notice to mission targets.
It's possible however that agency doesn't realise it's a clandestine operation by another US agency. Or they do, but now the operation is complete (this was three years ago) and they want a way of informing Yahoo about the breach without admitting who was behind it in the first place.
Did Yahoo Mail even use HTTPS? In that case a FISA warrant would just be an extra level of assurance that they got everything from that person's inbox (plus inboxes of 3 hops of everyone they ever emailed). Otherwise they were just an XKeyscore query, probably filtered by US geodata, away from getting whatever email they wanted (plus unlimited hops).
Otherwise they would collect any email ever sent unencrypted via submarine fiber wiretaps. Which feeds into XKeyscore.
> Turns out the data collection is not so limited. In testimony yesterday before the House Judiciary Committee, National Security Agency Deputy Director Chris Inglis said that the NSA’s probing of data in search of terrorist activity extended “two to three hops” away from suspected terrorists. Previously, NSA leaders had said surveillance was limited to only two “hops” from a suspect.
> Inglis said that the NSA looks at two to three hops from a suspect. To determine how many hops you are from Osama, for example, the NSA’s data analysis engine software constantly plows through information and builds a model of all the relationships between every phone number on record and every IP address. Other software robots query the graph to discover which “nodes”—phone numbers, IP addresses and email accounts—fall within three degrees of separation from an established suspect.
> If you have a direct relationship with a suspected terrorist or target (you’ve called them, you’ve emailed them, you’ve visited their website) that’s a “one hop” relationship; there’s a solid line connecting you to that person in the NSA’s relationship graph. If you talk with, e-mail, or visit the Facebook page or website of someone who’s got a one-hop relationship, you’re two hops away. Add one more person in between in the graph, and you’re three hops away.
> Under the NSA’s FISA requests, Google, Microsoft, and other Internet services companies can be compelled to hand over relevant data from their servers on any account that falls within the three-hop range and is flagged as belonging to a person of interest. If you’ve won this lottery, the NSA will get access to your e-mails on Gmail or Outlook.com as well as your chats and Web-stored contacts, your documents, your synced data from computers and mobile devices, your backups, and anything else that can be handed over—at least, so the documents Snowden leaked imply.
> Your raw Internet traffic will get more attention as well. Your IP address will be watched more carefully by deep packet inspection hardware at the NSA’s 'Net taps, and what you do online will get extra scrutiny.
I'm not sure if you're just a casual spectator, willfully spreading disinformation, or inclined to ignorance but the boogeyman dismissive posturing boat has long sailed. PRISM's only purpose is to fill in the gaps of passive collection by directly sourcing data, otherwise it comes in primarily from submarine wiretaps and the multitude of other various passive collection sources. Or associated five eyes programs.
And yes FISA warrants include 3 hops and if you know anything about the Internet you know that is a hell of a lot of data for a single warrant. And public data shows the FISA court only denies around 0.1% of warrant requests. Even rubber stamps have to pretend they are doing their job.
PRISM doesn't "fill in gaps." It is their main source of actionable intelligence according to the leaked slides, and it only contains the data of the person being watched, requested via court order, approved by the company, and then sent to the FBI.
> 50 U.S.C. § 1861 (b)(2)(C).
These call detail orders cannot last longer than 180 days. Additionally, in an application for call records “two hops” from target—call records from people in contact with the identified target—the government must base its request on “session-identifying information or a telephone calling card number identified by the specific selection term” used in its first request. In December of 2015, the FISC ruled that USA Freedom does not require the government to show that these “two hops” call records are relevant to an ongoing investigation.
The only development I've found has been that they promised to use 2 hops instead of 3. Which is good. But I'm not convinced the 2, previously 3, hops is limited to simply metadata.
Additionally this whole discussion of FISA warrants and limitations is strictly for Americans. They can collect full content and metadata of every foreign traffic they passively intercept.
The issue with metadata that was debated is primarily because they had unlimited warrantless access to American metadata since it's basically public data in their view. No one cared about non-Americans. The FISA orders are for granting analysts access to full content on Americans (most likely they already have most of this data, they just aren't allowed to query it without a warrant).
They don't need warrants to collect metadata.
Your "further proof" also shows that they don't ask for three hops. It says that in order to request call records (phone call metadata, not the communications themselves: https://en.wikipedia.org/wiki/Call_detail_record), the investigator must show that the user is two hops by communication from a target. They determine this from the full-take phone metadata collection program that ended last year (https://www.washingtonpost.com/world/national-security/nsas-...) despite being ruled legal by the courts (http://www.reuters.com/article/us-usa-court-surveillance-idU...). According to Snowden's leaked documents, analysts have neither the authority nor the tools to look at anybody's call records in that full-take data but are only able to query it in specific ways (e.g., list the anonymized numbers that are 3 hops away from a particular number). The government can then apply for a court order to request the call records for a particular number according to the rules you quoted.
> They can collect full content and metadata of every foreign traffic they passively intercept.
They can, but according to Snowden's leaks, they don't outside of a handful of hostile countries. The poster's friend is unlikely to live in one of those countries. This is not unique to the US -- Pretty much every country's laws allow the government to collect any data on foreigners.
> The issue with metadata that was debated is primarily because they had unlimited warrantless access to American metadata since it's basically public data in their view.
Also false, as I explained above. They have legal access to collect it, as I showed above, but the law allows them to query it in only a few restricted ways.
> The FISA orders are for granting analysts access to full content on Americans (most likely they already have most of this data, they just aren't allowed to query it without a warrant).
Completely wrong. FISA Section 702 orders can only be for non-Americans living outside of America. Data for a non-American living in the US cannot be requested, and data for an American living outside the US also cannot be requested. You're thinking of NSLs, which also must specify the particular user whose data is requested.
Unverifiable comments like this are harmful.
I think they actively harm US corporations because they fundamentally destroy trust of US citizens too.
Foreigners, especially foreign corporations, are the portion of the market whose buying decision is most sensitive towards these issues.
I agree, though, that this is a much smaller issue than the loss of foreign sales. Surveillance won't kill US iPhone usage, but it could probably destroy Cisco's foreign markets.
We already stand as the most powerful country on earth. It's a great testament to ineptitude in government that this is the current reality.
I honestly find this hard to believe because:
- When there is conflict in the world, countries always come to the US first for military intervention
- When there is a serious disaster of some kind, countries always expect us to send billions in aid (both militarily and financially) to help them
- When a country is trying to obtain nuclear weapons or weapons of mass destruction, they come to us to stop them
Essentially it comes down to everybody comes to the US first for everything. When that starts to change, maybe I would entertain the fact that we won't be the most powerful country. When so many countries and millions of people rely on us for so many things, our position as being a global leader won't change in the near future.
And quite honestly, I know there's large chunks of our population that would welcome some other countries stepping up and taking the lead instead of the US. It would certainly save us thousands of military personnel that have been lost over our involvement in questionable conflicts in the Middle East.
> I know there's large chunks of our population that would welcome some other countries stepping up
> It would certainly save us thousands of military personnel that have been lost
The US spends more on its military than the next 30+ countries combined of which only one is not a NATO ally.
We in Europe seem quite content with the situation. We get the fruits of the american sacrifice, but not the economic and cultural burden. We spend all that money on social issues in our little paradise. Then we either point our fingers at the US and naively assume our freedom & security comes from us being such darn nice people. Not realizing it is the United States who are walking the perimeter of our little paradise of moral superiority.
But outside of Europe, there are lots of countries who definitely want more power and standing in the world (China, Russia, India). And the economic imbalance from our history is wearing off.
So financially, the military budgets are going to look more similar. The West will only keep its dominance in terms of culture and values, if we (Europe) and the other NATO allies start contributing our fair share. As a side-bonus: this would give us more influence in the more questionable aspects of the US military strategy. But like the spoiled child of rich parents, I doubt we will figure that out in time. The US might end up in a situation not that different from Germany after WWI or WWII.
I'm not arguing it's fair. But I don't have to explain to an American that everyone always roots for the underdog. And the US hasn't been the underdog for a long long time.
I will be curious to see what happens once the US does have to share the military and economic influence you reference. Will we be happy to hand it off? It seems lately, our population has grown weary about waging constant proxy wars and getting involved in long standing regional and tribal disputes that go back thousands of years with no real end in sight.
I feel like there is the beginning of a vacuum and there are a lot of countries already queuing up to get a shot at that power and influence.
That is the way to bet, but it is also possible (though not very likely) that Yahoo disclosed this publicly before the relevant USG agency could get an NSL out.
I would assume, like most announcements, the reason that it's being announced is because the data is available out there and been seen in the wild.
The internet is already fucked up enough with governments and rogue corporations messing with its AS-adjacency topology in non-free ways at OSI layers 1-3, before you even get into stuff like writing backdoors at layer 4+ to pass all email to the NSA.
- Refuse to take action. They want engineering done, they can bloody well do it themselves. Don't type a single keystroke in the direction of helping them.
- Announce what is going on anonymously. Plenty of avenues for this.
- Announce what is going on, publicly. See if they do indeed want to take you to court.
- Take down the service. Much easier if the service is only a part of your company. Helps a lot if you don't retain the information they're looking for.
- Destroy records (this is by far the riskiest action here, above a simple public announcement).
- Delay. And delay more.
- Keep information outside the jurisdiction, possibly controlled by a third party who will not comply with orders.
- Misunderstand ("Is that a one, or an ell?")
Most of these will get you into trouble, a few won't. Most of these are really difficult roads.
I've given this some thought before. If I found a backdoor in a product, I would remove it with a tracking bug and a checkin, and send internal email about a really bad bug that I'd just fixed; the more internal people that know, the better. And if a VP showed up and berated me, I'd just tell them to fuck off, and quit if it came to that.
see also: https://www.schneier.com/blog/archives/2016/06/1944_cia_sabo...
"general interference with procedures"
Don't do it in an obtuse manner; let them know in advance that you will be sending it following the meeting, maybe even get them to suggest the wording of it if you aren't convinced of the security of internal mail.
It's easy for either side to forget the exact points raised during a conversation like that, so good for everyone to have a written record.
In the event that you are asked to do something illegal, it may be illegal or inadmissible to mention that you were ordered to do so by the government (Matrix-Churchill trial passim)
From my reading of the case law, the crux would be that right to counsel can only be invoked "at or after the time that judicial proceedings have been initiated against him, whether by formal charge, preliminary hearing, indictment, information, or arraignment."
Does an NSL constitute adversarial proceedings? Also, how does right to counsel work with other legal gag orders (e.g. if I'm cooperating to provide information on a criminal case but have been ordered not to inform the targets)?
That's actually exactly why we have counsellors.
The nature of such an order requires you to be able to tell the people who need to do it what it is that you need them to do, even if you can't tell them why.
Additionally, anybody with the power to veto such a change also must be provided with a good reason why they can't veto this one. Your legal counsel needs to understand why the change must happen, so he can respond appropriately to questions from pissed off developers and ensure that your company is complying with the letter of the demand (and no more).
- CEO gets a Letter. Does the CEO start learning Python/C++/PHP and Cisco configuration? Or does he tell a worker bee "Shhh! And read this Letter" ?
- Worker bee starts making changes to production code and systems. Suddenly he starts needing automated code reviews, and reconfiguration alerts go out when he frobs the firewalls. These changes are indistinguishable from an infiltrator with the worker-bee's credentials and ideally things are set up so that changes are generally shared around, a normal review process, to catch out-of-control worker bees.
- The build lab scripts are modified (by who?) to insert bad code. Oh, but the build checkers catch this ("Hey, we found a compiler bug!" / "Umm, no you didn't..."). Everybody starts handing around links to "Reflections on Trusting Trust".
- Things get even more exciting when the internal monitoring systems discover (say) equipment attached to the network that ain't supposed to be there. "Wot's all this then," says the network engineer, and he yanks the cables to the SkankSec-1000 that someone hot-wired into a rack. "Oh yeah, blue fiber is for NSA, green is for CIA, yellow is for GCHQ, and black is for Russians, what else?" He leaves it unplugged. Let's ignore the security camera footage in the datacenter, since this is a thought experiment.
In an environment with self-monitoring for health and intrusion detection, applying changes for user surveillance requires quite a lot of internal cooperation and communication. No wonder the Yahoo stuff looked like a Bad Guy who got in.
We can probably extend the internal defenses to alerting on odd access patterns to sensitive database rows, too . . .
I don't know how Yahoo is organized but if teams work in silos, without any visibility on other teams, it is probably not that hard to introduce changes that are undetected.
Access to critical data should be similarly protected.
These are relatively tame intrusion detection systems that you would have to make changes to in order to remain undetected. That should be really hard to hide.
(They, of course, are bound to not share it further.)
Edit: But seriously, I'd take the job loss in a heartbeat if my company was doing this crap.
I realize this stuff is easier said than done, but there's a lot of tough talk about the ethics of many things on HackerNews. How many people here work for companies like Yahoo or Facebook or many smaller shops that are legitimately harming people with these sorts of things?
This is why I've given it some thought. This is something that you probably need to spend a little time thinking about if you're in a similar situation, because things are not going to get better.
It's a personal decision. I can't tell you it's worthwhile to quit your job or risk legal action. But if you're responsible for the privacy and rights of millions of people, you should consider what your actions will be.
These are the legal actions of the United States government, executing the authority given to them by the people's elected representatives, and overseen by a judiciary duly selected according to the constitutional procedures. Their legal and democratic authority is unassailable.
Further, you don't know what motivated these actions. Is it intelligence about a specific threat? Has the government identified how a specific adversary operates? You could be impeding the investigation into a deadly plot. You have no way of knowing this.
This isn't a game. We have real enemies who would gladly kill all of us. We have processes as a society for deciding how we defend ourselves. If you don't like our current policies, then exercise your vote, exercise your right to speak and publish and assemble. But don't usurp the sovereignty of the people of this country.
We have warrants for that. Subpoena Yahoo for specific records. I'm not willing to trade the freedom of an entire country for a single investigation. This isn't an episode of 24 and there is no Jack Bauer.
The fourth amendment was sold as follows:
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
I'm not a constitutional lawyer. I'm sure the actual amendment can be interpreted to mean whatever George W and Co want it to mean. But that's not how it was sold, and this government is not legitimate as far as I'm concerned. Not as long as it runs dragnet surveillance over the American people. Snowden is a patriot and the U.S. gov't is betraying the public.
Ans: Tens of thousands of NSLs and other secret actions make it really improbable that a small set of refusals to cooperate will result in great harm. Or that the game the government is playing is really about "bad guys" most of the time.
"No really, this is about an actual bad guy this time!"
The government has lied repeatedly about this stuff. It has covered up the fact that it performs unlawful surveillance on its "sovereign people". If this is about a bad guy this time, rather than all the other times when it has been lies or cover-ups, then that's just too damned bad, isn't it? See also: The Boy Who Cried Wolf.
I have a fundamental disgust with arguments that attempt to appeal to blind loyalty. That "sovereignty of the people" you wrote about has been invoked too many times by scoundrels to be respected.
Sure, there are indeed bad guys who are trying to kill us. But that doesn't justify a wholesale surveillance state, or tens of thousands of NSLs, or secret courts. That's just stuff the powers-that-be want, and have used the bad guys as an excuse to get.
The judiciary is not meaningfully overseeing the parts of the state where law enforcement and national security intelligence mix. The FISC is a great example: it pisses off the agents and attorneys who have to deal with it, because it imposes an unholy amount of drag: they're trying to do their jobs, catch bad guys, etc.---and a FISC submission takes weeks of full-time work. But the FISC only exercises drag, not control. It can't steer---we see this because it never refuses a request. I suspect that's all one-sided proceedings can do, given the way we train our lawyers and judges. So it fails the needs of the citizens, and it doesn't protect liberty.
The FISC, and NSLs, will someday be looked at with the same light as Adams' Alien & Sedition Acts: as fundamental betrayals of the American promise by an executive too scared of what might go wrong to trust the country to go right.
Look, there's a lay assault on their legal and democratic authority: NSLs are not obviously a legitimate exercise of Federal authority. And for all that, if I were at the FBI and chasing a terrorist cell on American soil, I'd use one in an instant.
There are issues with FISC (like lack of transparency), but this specific point is unclear to me. Here are some possible scenarios where a low refusal rate wouldn't be a problem:
* The judge could informally tell the agent that the request needs to be amended before he'll grant it.
* FISC could publish clear guidelines on what is and is not allowed, so agents are never surprised and only submit legal requests.
* Agents only make requests in extraordinary circumstances, so every request comes with a lot of legwork and investigation done making it clear why it is necessary.
FISC is a court in name only. There is no oversight (I don't count the political appointees in the Senate as oversight), there are no checks and balances, there are no appeals. Calling it a court beggars the term.
Problem is, that's the excuse that's always going to be given by the intelligence community for even the most obviously unconstitutional intrusive privacy invading stuff, like the NSA's "opticnerve" program.
This is imho the untold truth about why most communist / socialist regimes failed: people at all levels of society started doing their work gradually worse and worse, pissed off and stressed out by the lack of freedom and constant interference from state organs, until everything collapsed, and people now live in better economies and freer because they've destroyed their previous systems. Yeah, most of the people who performed such "low level sabotage" will not even recognize to themselves that they did it. And yeah, bad governments were also helped to fail by external interference and external sabotage, but imho a "socialist regime where the people would truly believe in socialism/communism" could have worked out and had good economic performance, problem is that when "good economic performance" can only be had at too high of a cost of "individual personal freedom", people will start, even subconsciously motivated, without admitting even to themselves what they are doing, and with insect-like non-communicative coordination, to slowly and methodically weaken the system they live in from within, until it crumbles, even at the cost of their own lives sometimes.
This was America's secret weapon that helped "win the cold war" - people's inner "instinct for freedom or death" - thank god we all have it and a race of subhumans lacking it has not yet been engineered! It might also be the reason why so many Americans "voted for Trump", though this was probably engineered by some really smart "puppet masters" - the guy is clearly a "man of the establishment" despite its clown persona...
Of course, there is no "monument to the lazy and drunk soviet worker that helped take down communism". And there will be no monument for the Google employee that writes a subtle bug in the "government reporting module XYZ" :) Of course, if the gov doesn't abuse its power and asks for too much, that poor programmer might not be so "overwhelmed" by its duties so as to make stupid "mistakes" with dire consequences...
Probably one of the worse and most mentally damaging ways to enact social change. Now you have democracy, but also a society with 50% of the seniors infected with a toxic mentality that will stay with them until they die - once you do something over and over again it becomes a habit and a habit of subtle systemic and self sabotage is horrible. And some of it managed to pass it on to younger generations, hence extra laziness and crime. Almost like the fallout of a "mental nuclear war" that keeps lingering and "irradiating people's minds" long after the old problems disappeared.
I'm just remarking that in its slow and lives-wrecking way, this... works!
It's difficult to reconcile this idea of democratic sovereignty with the utter secrecy in which the operations under discussion are performed.
There absolutely should be mechanisms to challenge or appeal against any action of government, and when there isn't as seemed to be the case with NSLs that's a very good indication that the system is being grossly abused by government agencies.
You either missed the entire 'democratic legitimacy' part of my point, or don't actually know anything about the Nazis in the late 30s.
Yahoo may still be court ordered to implement it, just hopefully not with their best and brightest developers. I also have a theory that a lot of the recent terrible news coming out of Yahoo is due to staff complying with the letter of the legal order but not the entire thorough spirit of it, intentionally doing a quick, shoddy bug ridden job.
While I've never had to make such a choice, I can tell you that my personal attitude towards what I would and wouldn't do changed the day this restriction was removed.
The government wins by making it personal, by threatening prison and death for your obedience. It's not an abstract threat. It is directed to a specific person not a company or security team.
The people who comply can quit those companies but they don't. I'm not referring to the ones down the chain (e.g the security team who was unaware) but the ones who obeyed and pushed something they believed was wrong.
Whether it is public shaming or having a permanent stain on their reputation next time they go job hunting, we need a way to retaliate.
Right now, they can fuck us and get away with it and what's their excuse? "the government told me to do it. Just doing my job. I had no choice."
There are no societal consequences to cooperating with the government even when we believe it's wrong.
Create a climate of "snitches get stitches" and maybe they will think twice before selling out the lives of a billion people.
The same way these government officials hide behind patriotism when they mean blind obedience to my authority.
Committing crimes against people who defect is obviously not going to work. They'll just arrest you for it.
But suppose we create a certification. To get certified all you have to do is promise not to work on a specific list of things: Mass surveillance, backdoors, etc. To lose certification forever all you have to do is work on one of those things.
Then we can have companies offer to put it in their contracts with their international customers that they'll only hire employees and contractors with that certification. Any companies that aren't actually working on mass surveillance etc. are happy to do this because it gives their customers more confidence that they aren't, and if it becomes popular then any companies that don't will become suspicious and lose business.
Then all employees at all companies will have to think twice before working on such things, because it would mean giving up any possibility to work at any of the companies who won't hire such people, which with success will constitute most of the industry.
There, fixed that for you. That small detail is why your attractive idea wouldn't work in real life. How many years it took for the car industry scandal about tampering with emission tests to be revealed? And it only got to ruin the reputations of the few engineers involved in the forgery.
The same goes for theft and graft and murder. You don't get punished if you don't get caught. But you could get caught, and you don't know ahead of time whether you will or not.
I fear you may be making a potentially dangerous assumption about how engineering works in a compartmentalized environment. Engineers do not always know the purpose of the systems on which they work.
Once upon a time in Texas I spent several years working on a system to run a binary sample through a series of plugins that produced analysis of the binary sample. I was told that this was to help detect malware - and it could certainly do that.
Did I know that for certain? No. Were there other possible uses, such as to determine how detectable a given piece of experimental malware was? Yes. Did I have any way, shape, form, manner, or means of finding out what 100% of uses were? No.
A lot of software has more than one possible use.
If you want to change the government, there are far better ways than retaliating against citizens unwilling to risk life and limb for your ideology. I think you need to learn to direct your anger. Not everyone is in so privileged of a position to be taking your specific moral high ground over their own well being.
2/ In any case "the law" is only the result of a very imperfect process; it's not the word of God: it can be changed (it often is) and it doesn't have any special moral value. Your moral code is yours, it's dictated by your conscience and should not be taken whole from texts written by other people.
In the 20th century, many crimes have been committed by people following the law, and not just in Nazi Germany. French Jews were arrested and delivered to the German authorities by members of the French police who were simply following orders. The ones giving the orders have indeed been tried after the war, but not the ones following them; in fact they never had to suffer any consequence for their actions. But the truth is, had there been no cops willing to participate, there would have been no deportations.
"I'm just doing my job" or "I was just following orders" is NOT a valid excuse. It's a cop out (pun intended).
Let me guess, you believe all government actions are lawful. All lawful actions are righteous and justified. The only permissible way to change the system is through the system.
Did I get the gist of your morality?
In which case, keep voting and I'm sure you will see the changes you want reflected in legislation just so they can be ignored by secret courts and intelligence services.
In the real world, people respond to threats (e.g. prison). That's what the government uses. Why are we expected to behave differently?
It's an expression. How about "Losing your livelihood." It's a real thing for some people.
> Let me guess, you believe all government actions are lawful. All lawful actions are righteous and justified. The only permissible way to change the system is through the system. Did I get the gist of your morality?
You're way off on my morality. It's more centered on not causing harm to others, which is what you're suggesting people do, to others that don't fit your sense of morality.
> In which case, keep voting and I'm sure you will see the changes you want reflected in legislation just so they can be ignored by secret courts and intelligence services.
> In the real world, people respond to threats (e.g. prison). That's what the government uses. Why are we expected to behave differently?
Do you really think voting or threats are the only two methods to enact change? Neither work particularly well. What does work well is changing the opinion of the majority, and until you do that, you must question whether your minority opinion is actually the correct one, and provide reasons for others to change their opinion if you believe it to be so. Taking the low road and suggesting punishing people who aren't the cause will get you nothing but negative comments on hackernews.
In a capitalist system, where your alternatives are "work or starve", yes.
"I just did what the authority figure told me to" is one of the oldest excuses in the book.
The main connotation which invoked my response was equalling the resentment of following the law unilaterally to the mindset of a criminal organization.
"Privilege" doesn't enter into it. Everybody has the option to do the right thing, if they're willing to accept the consequences. Not everybody will of course, but there's nothing truly preventing one from doing so.
I didn't see anybody say that, so I'm not sure what your point is.
At the end of the day, sometimes doing "the right thing" has horrific consequences. Some people can and will accept that, some can't or won't. But the choice is always available.
Consider that the Founding Fathers of the US had "Give me Liberty or Give me Death" as a rallying cry, not "Give me Liberty, or erm, well no more than minor inconvenience". Sometimes you have to be willing to accept death, imprisonment, etc. for a cause you believe in. Look at Edward Snowden, who did what he thought to be "the right thing" even though he knew the most likely consequence involved death, imprisonment or torture (or some combination of all of the above).
You're taking an ideological stance on privacy, one I generally agree with, and forgetting the motivator behind the overreaching laws, which is quite simply to ATTEMPT to do something to make this country safer. Does it work? I don't think so, but a lot of people do. It's pretty hard to quantify since the data isn't open, and by its nature can't be.
It's a pretty severe jump from disagreeing with whether or not this system works, and what liberties can challenge the system, to pulling your Godwin card out.
While on topic, if they threaten you with prison if you don't do their bidding (with no due process, etc), doesn't that make them the terrorists (eg: they're using terror/fear to get people to do what they want).
Sometimes it's an active issue and at the end of the day someone must implement something terrible (knowingly or not -- direct a junior engineer to do some complex task with the expectation they'll leave behind security vulnerabilities, just as good as getting someone to intentionally leave an issue). Ethical engineers can and probably should quit -- who knows how much a required, dull ethics course would influence that though?
Other times at the end of the day it's just lack of engineers doing something -- typically due to management not signing off/budgeting. Ethical management won't even necessarily help here, the incentives don't change. Some sort of stronger corporate liability for negligence is needed, probably, but the problem is not generally the engineers -- engineers, with an ethics course or not, are typically the only people who care about these sorts of things in the first place! What's the largest dip in stock price due to a password leak? How about shady government collusion? Have any groups of shareholders demanded more care to avoid such issues at any company?
I'll wrap up with a joke: "It should be noted that no ethically-trained software engineer would ever consent to write a "DestroyBaghdad" procedure. Basic professional ethics would instead require him to write a "DestroyCity" procedure, to which "Baghdad" could be given as a parameter." --Nathaniel Borenstein
I think that was the moment I realized I made a $100,000 mistake.
Then again, it's not particularly surprising that a Jesuit institution would be strong on ethics. More institutions should take their lead, though.
Plenty of HN posts laud people for working for the government, the entity which engages in war crimes, torture, and mass surveillance.
There are still lots of people willing to join the TAO and the like, but the NSA has been pretty open about struggling to recruit top talent. Not all of that is ethical stuff, they lose people for reasons from salary to drug and felony screens, but some of it is.
Bear in mind that the NSA only needs good talent to compromise systems, not elite talent. They have some elite talent (Stuxnet anyone?), but their domestic work is largely hacking theater. After all, you don't have to cover your tracks like a private hacker if you can just ship out an NSL to bury the matter. Hell, some of their projects involved a lawyer, a bunch of analysts, and no internal talent - they can just ask for what they want.
It's a major part of the NSA, and generally considered to be where the bulk of the "serious hackers" work. The Equation Group is (probably) tied to TAO - they're the access group that was recently affected by the Shadow Brokers leak.
Bartweiss provided a better, short summary.
Ultimately, though, an ethics course isn't going to make people stand up for their ethics. A professional organization along the lines of the American Medical Association (at least in terms of political strength) that stands up for its members and censures those who behave unethically would do far more for strengthening engineering ethics collectively.
When there are few professional consequences for unethical behavior at the behest of your employer, taking an ethical stand is ineffective and quixotic. You will be fired and another engineer will likely complete the job.
I disagree. I've seen this in action where people who were CCIE-level senior network engineers at one of the five largest ISPs in Turkey quit and got new jobs elsewhere (outside of the country) rather than be an active participant in the autocratic government's messing about with internet censorship and null routing of IP blocks. These were not people who could just be replaced by advertising an open position.
The more junior staff members left behind had trouble with the government's diktat, with less clue and technical capability, and ultimately ended up implementing what was required in a less effective and shittier way than an unethical CCIE could have.
As morgante said below "If you can professionalize a certain set of ethics, you can make it impossible for your employer to find anyone to complete the job."
For example, capital punishment is increasingly hard to carry out because anesthesiologists refuse to participate and drug companies won't supply the drug.
Similarly for surveillance, if you're only able to implement crude solutions people will be disgusted. "So you're saying Yahoo was compromised because no good engineers wanted to work there due to government interference?" We don't know whether it's true, but the assumption is already damning.
It seems unlikely you know anyone you know supports the death penalty. The death penalty has almost universally been abolished despite public support for it. I say almost only because I am too lazy to check whether or not it was in fact universal. Norway was among the first countries to abolish the death penalty and they brought it back especially for Vidkun Quisling.
I'm not going to go looking through the Pew World Survey for attitudes to the death penalty but at a guess Sweden probably has the highest proportion of the population opposed. If you got less than 1,000 people volunteering for the firing squad for the kinds of crimes that get the death penalty in the USA I'd be very surprised.
Collective action like this demands doing a lot of work to make it difficult to get a job without being a member, and then works on limiting the influx of members: For instance, you'll find that the attempts of a professional developer association in Spain advertises how it'll increase the value of your college degree, and protect you from having to compete with intruders, like those with physics degrees, or that learned programming from an accelerator, or on their own. And professional organizations have to do this kind of thing, because otherwise they lack the power to get anything done.
So no matter how much I personally dislike mass surveillance, I'd not be caught dead supporting the creation of a professional organization. Instead of using force, how about growing the utility of our work so much, everyone knows they can change jobs the next day to a place that doesn't do mass surveillance? If enough great jobs exist, the awful can't retain talent. That's why developers in the US have far better working conditions than in my native Spain, where finding another job is not something you can do in a week.
As part of my former life, I had to take an Ethics course for my accounting license. It focused on topics like conflicts of interest. Even though many professional (licensed) accountants have taken the ethics course and passed an ethics exam, it doesn't mean that much. Ultimately, behaving ethically will come down to the individual's morals.
Well quitting a job as a concentration camp gas chamber constructor may merely slow down the operation a bit, but that could mean more lives saved until VE day arrives.
And yes I did just make that metaphor.
I actually really enjoyed the one I did, although it had just gone through a major rewrite to improve it a lot. And yet, I don't think I ever heard any of my peers mention the course with anything but contempt.
The description for the course:
TCH301 is designed to introduce students to essential concepts necessary to evaluate the ethical implications and potential impacts of the use of new technology within human society and culture. Students will explore modern ethical dilemmas in technology, looking at multiple aspects of how the introduction of technology redefines law and values.
It was and still is a required course to graduate with a degree from UAT.
Ethics is easily thrown out the window once some executives falsely proclaim that they are required by law to do what's best for shareholders. Since shareholders have a minimal voice outside large holders, it's easy for those executives to claim, "the shareholders want profits, period." Of course, they don't mention that executives want bonuses too.
An interesting thing about ethics when you study History. When asked how they could indiscriminately kill Jews during the Holocaust, Nazis usually claimed the first few times were difficult, but the acts became a matter of course; normal as anything else in their day. In that same war, the Soviets committed brutal atrocities of the German cities they conquered, as did the Japanese in China. Every country has committed heinous acts in their history. Once it starts, inhumanity can spread like wildfire.
We as developed world citizens believe we are civilized, and for the most part we are; but we are only a stone's throw away from being capable of casually committing what we would think of as atrocities as the norm.
Every once in a while I hear someone call for more people to have to sit in Platitude Class, and I can't figure out why.
I'm not sure that class is having the intended effect.
Why limit to CS or EE? Why not ... everybody?
I did take one for my Masters in Computer Science. I think it was required. Unfortunately, for some reason I didn't understand most of it. Don't know why. My suspicion is that they didn't know what they were talking about or it was just a class full of BS.
Source: I'm a former member of Yahoo's Paranoid team.
That would be a nice idea, but short living.
Say for an example, we had "free software." Now many say "open source." As long as we are having greed for money or power, nothing is going to change.
How do we make all the unregulated ways of learning how to code (e.g. coding bootcamps) include ethics in their curriculum?
The Moral Behavior of Ethicists and the Power of Reason, Joshua Rust, Eric Schwitzgebel
Professional ethicists behave no morally better, on average, than do other professors. At least that’s what we have found in a series of empirical studies that we will summarize below.
None of these answer practical issues like what happens when the law is bad or when one's livelihood is on the line. None of these give practical advice on how to fix a society where ethical behavior is not inherently incentivized.
Granted since it is taught to all engineering disciplines the material is quite broad, mostly focusing on topics like bribery and negligence, but it does also cover whistle blowing.
First Semester of our first year we got a dedicated ethics class.
Can you please explain how this works? I would like to understand.
Example: the Turkish government orders ISPs to null route IP blocks of things they disagree with (occasionally all of YouTube).
The only scenario where I think the question matters is if you do something really stupid that would get you fired if this was an actual exploited external access.
So, after someone under the gag realizes the situation, they get the company's lawyers in contact with the agency to see what to do. The agency would then gag the white hat.
IMO, that's a huge part of why NSL's are scary. You are in an absolute strangle-hold and are at the mercy of the agency for your every move.
If I remember correctly, people even had to argue for the ability to talk to a lawyer about receiving an NSL. So, the feds are really not messing around here and will do absolutely everything to ruin you if you don't cooperate fully. Any perceived resistance is crushed.
He doesn't live in the US. Once he realizes this is going on, he'll disclose.
Philosophical dilemmas are fun to talk about, but only as long as you take the premises as granted. People who carry swords tend not to waste time trying to disentangle knots that they can simply cut in half. Most "technical" solutions to "human" problems suffer this vulnerability.
Seems you're assuming the white hat hacker is from USA. I'm not so sure the NSA is going to be able to silence a white hat hacker from say Russia, or anywhere out of USA for that matter.
There are lots of carrots (e.g. job offer, lucrative contract) and whips (e.g. a threat to ruin his business or professional reputation) that a government agency can use to persuade someone, even a foreigner, to keep something a secret for a certain length of time.
This obviously won't work on someone who is under Putin's protection, for example, but then we're talking about cyberwar, not a lone white-hat.
I assumed it was a direct development in the other day's story re: the largest hacking to date for YHOO.
Personally, I missed this story when it was first posted, but regardless reposting now definitely adds an interesting additional perspective to the recent announcement, especially as we all wait for more information to be released about how the hack was executed and what the broader implications are. Combined, the two stories are more insightful than separate IMO.
Hm.. One more proof to avoid using non-free binary blobs in Linux kernel. Be safe. Use Debian GNU/Linux without non-free repo or any better one.
Marissa Mayer, if she approved this, should be deeply ashamed of herself.
Fixed that for you.
"Yesterday morning, Reuters dropped a news story revealing that Yahoo installed a backdoor on their own infrastructure in 2015 in compliance with a secret order from either the FBI or the NSA"
Edit: Looks like it's changed back now - great. For a brief period the title was set to "Surveillance, whistleblowing, and security engineering".
Our only solution is to go 100% open-source and 100% end-to-end encryption.
That's part of the beauty of open source - once the cat is out of the bag, there is no getting it back in.
But you do already see block-chain technology used by huge industries like for diamonds, and projects like ZeroNet are surprisingly user friendly and visually pleasing (though sadly most zites use a centralized identity authority.)
Usually a "backdoor" is something you would be aware of in your home. You know you have a door round the back. This is more like your landlord giving the keys to a stranger who comes and stares at you every night when you're sleeping and rifles through your drawers and cabinets.
I've spent 5 years now on this very topic and my conclusion is that the people just don't give a shit.
Seems to me people are getting used to accounts being hacked, it's not such a big deal any more, in fact it may be even an expectation.
And as for government NSA hacking, well that's just old news and a given isn't it?
I don't think people have stopped caring, they just feel helpless. This means that normal people may be willing to adopt new protocols (end-to-end encryption), something they wouldn't do if they were accepting of NSA spying.
Snowden leaks showed that they get billions of hits each month from the various submarine cables as well as direct access from telco backbone fiber stations in the US, Europe, Middle East, and elsewhere.
> As this map shows that almost 3 billion data elements from inside the United States were captured by the NSA over a 30-day period ending in March 2013, Snowden stated that this tool was collecting more information on Americans located within the United States than on Russians in Russia
In addition, the MUSCULAR program involved tapping the data links between data centers of Google and Yahoo.
So I'd say there is an 80-90% chance the NSA has a good chunk of his friends email. Closer to 95% if he was located outside of the US.
The only thing stopping them from getting the full content of each American's (plus 3 hops) passive data collection (besides 100% of metadata they get legally) is a FISA warrant. They have no restriction for foreigners.
Maybe you need to reread some of those slides because you clearly missed the big picture.
MUSCULAR provides similar filtering capability within Google's and Yahoo's networks, though not anymore because they encrypt all traffic. Again, only metadata. And again, the email envelope collection had already been shut down prior to the leaks according to the leaked documents. According to Snowden's leaks, the NSA is not allowed to keep communications from a US citizen or anybody even living inside the US without a court order, so no, his friend's emails don't reside with the US government.
News like this is no news to me :)
Somehow, _we_ need to get the upper hand over the surveillance monster the US is becoming.
I left Google and Facebook but me and the other 3000 people don't actually matter. You'll never get a non-negligible number of people to forsake their comfort zone for anything so trivial as rights, privacy, etc.
Kinda makes you think of "marks" in the carny sense (http://grammar.yourdictionary.com/slang/carny-slang.html)