Pentagon contractor leaves social media spy archive wide open on AWS (arstechnica.com)
98 points by georgecmu 24 days ago | 37 comments

Strong as the weakest link...NSA with virtually unlimited budget brought to its knees:

"Inside the agency’s Maryland headquarters and its campuses around the country, N.S.A. employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s arsenal is still being replaced, curtailing operations. Morale has plunged, and experienced specialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the N.S.A.’s leaked tools.

“It’s a disaster on multiple levels,” Mr. Williams said. “It’s embarrassing that the people responsible for this have not been brought to justice.” https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.htm...

Revolving door.

Gee, wonder if eventually someone will come to the conclusion that the whole thing was not needed in the first place.

Unless, you know - there is some proven intel that this agency actually stopped a mass-terror attack on US soil; something that is supposed to be their main task.

But hey! So long as the military-industrial complex finds just another good-enough-for-public reason to spend more of tax-payers' money, then there is nothing to see here...

What we need is an agency patching zero days as it finds them. We need that agency to have double the budget of the agency that weaponizes them.

In theory it could be both. Most companies take a long time to patch bugs.

Surely this is wishful thinking. Can we build enough public outrage to make a difference?

Nothing changed after Snowden revelations, so the answer is absolutely no.

I was going to say something, but then I realized this already conformed to my world views

It is surprising that the Shadow Broker leaks are seemingly being so effective at the NSA questioning itself.

There is so much cognitive dissonance about the NSA's acumen. People view software engineers hired at Google and Facebook with so much regard, and the schools they come from with so much regard, while simultaneously putting the theoretical NSA engineers above even those guys without realizing the NSA hires from state schools in the Maryland, DC, VA area.

My main point here is that software engineering programs aren't better or worse at Ivy League vs Tier 3 universities, and aren't much of an indication of the prowess of the engineer.

The NSA's unlimited budget, loss leading tasks of finding exploits, and immunity to execute these exploits is the only thing that sets it apart.

School 'Tier' has close to zero relationship to engineering talent at the high end.* Effectively sifting through large numbers of applicants, training them, and most importantly retaining them is far more important. NSA is very good at retention and training while still attracting vast numbers of applicants resulting in a world class work force.

Google/Facebook/etc suffer as people want them on their resume more than they want to work for them which hurts retention. The upside is this forces them to pay very well, but the downside is the average team is surprisingly poor.

*AKA a randomly selected Stanford/etc. grad is likely better than a randomly selected Virginia Tech/etc. grad, but the best at each institution is a toss up. If you want a large talented workforce you can't be selective in terms of schools as there simply are not enough of them.

Secrecy + PR is a good way to make a project look good.

Indeed, technologically enabled sociopathic behaviors emanate from Silicon Valley. Only the best and brightest would be capable of being part of such a machine.

It’s not an understatement to say that the big tech companies have a soul, with the same principles of survival perpetuated against its very users who give them life in the first place.

SV sees government as competition — another threat — particularly the NSA, data collection being the common basis of their value propositions. Culturally engrained rebellion, disconnect from nationalistic pride — our culture in America is quite the mashup.

Given the quote "influence high risk youth" and the fact that they were critical of ISIS I'd guess these posts are copies of posts created by the company to influence online communities.

That's one aspect, I'm sure. But they probably archived entire threads. For context, at least.

This is just too funny :)

Do we know if anything here was private? "Scraped" suggests it's already public content, in which case I don't see much of a problem.

Assuming the content was already public, the leak is the knowledge of what was scraped.

The alleged-foolish focus of the NSA on offense is perhaps a bureaucratic corollary of successful attacks getting lots of attention and funding and promotions within the org; and successful defenses fading quietly into the void, except when they fail and collect blame.

> raising questions about the collection of data from people located in the US

Isn't this the big item here? If this is evidence the govt is spying on US citizens this should create significant legal ground for civil rights/constitution protection groups.

This isn't intrusive spying. Collecting publicly available data is fair game and legal. Commercial data aggregators have prevented us from having any data privacy laws. The government may as well take advantage of a good deal too.

Is the government freely allowed to break Facebook TOS in the way that got others in trouble (see https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventur...)?

> collected user information from Facebook and displayed it on their own website

I think that's an important distinction.

As opposed to letting anyone who bumped into the bucket see it?

Quick, someone make a copy.

This is what happens when you force the military to outsource core functions to fleece taxpayer money for your buddies.

For a long time, there's been a push to not let the military develop capabilities in-house, despite repeated contractor fuckups and huge overspends.

Can we just admit privatization is a failure?

It's literally destroying national security.

The military cannot pay the salaries that are required to keep qualified people of certain professions/specialties. Surgeons and hackers, but also some other things too. So they must outsource to the private sector. But they certainly can require the contractor to use military provided/mandated security oversight. Mandate and verify good security practices, not tick checkboxes.

Why can they not pay the going rate at least in the NSA?

Government job, government rules.

So change the rules

They're working on it. But those rules are there specifically to prevent overspending, are they not? If someone then ends up, or appears to end up, overpaid, you're going to have a different angry mob at the door. You have to be careful tearing that kind of thing out, to say the least.

As opposed to paying 3x the rate for some contractor from "Booz ma kindney" or the other usual suspects

Yes, as opposed to that. What I'm saying is that it's a hard problem. It's not one that's unique to government either; corporations have to decide when to outsource, too, with similar (but less dramatic) tradeoffs.

But unless you're insane outsource your core competencies and for TLAs you don't outsource your cleaners as the risk is too high.

How -- conceptually -- does the military being unable to afford the salary of person A get fixed by subcontracting to hire person A through corporation B?

That literally just makes person A cost more money.

When you pay the contractor, you pay all your buddies that run and administrate the company too. It is all a staggering money grab, what better job is there than federal contractor that works on stuff so secret that Congress doesn’t even really have oversight? That stuff is free money forever. Plus I think they do it to evade rules, there are different penalties for the government breaking rules and laws than for these secretive companies. Foobar secret LLC could totally just target Muslims if they actually did work and it wouldn’t have to be a constitutional issue if they were ever caught.

Privatization was mostly done under Clinton in response to the fact that federal workers were even less effective, often more expensive, and impossible to fire. Contractors aren't all wine and roses but before you knock them you need to carefully understand the alternative and why things are as they are.

.....eh, not exactly. While privatization was done under Clinton, he wasn't the first (at all, Carter ran on exactly that) and more importantly it wasn't done because of any perceived "effectiveness", it was an ideological pitch to Reagan democrats and that all but invisible voter "moderate republican but I'll vote for a Dem if they woo me". And the idea that somehow federal workers are more expensive than contractors is .... bizarre. It is very much the opposite.

> Can we just admit privatization is a failure?

The United States has the most advanced military in the world. Boeing and Lockheed are private.

I'm not an expert, maybe it's just a coincidence.

> core functions

We're not talking about outsourcing tangential features, we're talking about the outsourcing of waging war and core abilities of the military, e.g. the hired hackers at the NSA or outfits like Blackwater.

Privatization isn't about purchasing supplies through corporations outside of the government, but having corporations perform key features of the government.

Your example isn't really about that, so you're right -- you're not an expert, you're talking about the wrong thing.

> The United States has the most advanced military in the world.

It's not just that Silicon Valley and other tech is in the USA. It's the result of a massive spending program.


The United States spends more on national defense than the next eight countries combined.

The United States has historically devoted a larger share of its economy to defense than many of its key allies.
