According to one of the suspects' LinkedIn, he left Twitter in 2015, and then worked at Amazon for 3 years in marketing and social media. While I have little doubt Amazon's internal auditing and access control are better than Twitter's, it'd be nice to hear confirmation from Amazon that he didn't access any private user data.
It's even better: he typed the fake invoice up in his bedroom while the FBI was in his house, after explicitly asking the FBI not to follow him in there. I can picture the agents looking at each other trying not to burst out laughing.
And why would the FBI assume he was typing the invoice? If you ask me for certain documents I actually possess, depending on the document I might be gone 10 to 15 minutes as well, or even outright say that I need to find it first, I'll bring it to <X>.
Not necessary, which is obvious from the agents agreeing to this request. But maybe a good way to forestall concerns like "what if they think I'm forging the document right now?"
You underestimate the power of stupidity of these people.
> Many Twitter users live in Saudi Arabia and some users of Saudi nationality or descent live outside of Saudi Arabia, including in the United States.
It's kind of surreal to use "Saudi" as the demonym for the people of Arabia. "Arab" would be normal. The language is Arabic, the country is Arabia, and those are both named after the people, the Arabs. The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.
Huh? They use it as a name for "people from Saudi Arabia" and it's a very common use.
"some users of Saudi nationality or descent live outside of Saudi Arabia" --> people who are SA nationals/origin and live outside the country.
> The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.
Saudi != Arab. If anything, Arab is a superset (and Saudis, if we talk about the nation state and not the ethnicity, are not all Arabs).
But the main point is that the name Saud is commonly used for the nationals of Saudi Arabia, not just the royals.
Saudis or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;
And Arab refers to people from Morocco to Iraq so it’s equally unsuitable.
(It is a joke, laugh).
Canadians might still not be pleased about 'North American'.
It's actually a very charged topic in Latin America, as many Latinos feel that the word they use to describe themselves has been stolen.
Saudis (Arabic: سعوديون Suʿūdiyyūn) or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;
Now let's look into Israel and their spying/influence in traditional and social media.
It was amazing the amount of "news" and social media spam we got about Russia (We were always at war with Eurasia). It's amazing the amount of "news" and social media spam we are getting about China (We were always at war with Eastasia).
But one hardly ever hears a peep about Israel or Saudi Arabia. Considering what is happening to the Palestinians, Yemenis, etc, you would think you'd hear a lot more "news" about them. Especially about Saudi Arabia from the feminist/LGBT traditional media considering the Saudis probably treat women and the LGBT as badly as any nation on earth.
How come the "news" industry isn't going apeshit over more than half of the state and the US house of senate pushing unconstitutional anti-BDS laws?
A country founded on boycotts banning its corporations from boycotting a foreign country?
All this sort of stuff is claimed under Manufacturing Consent. Chomsky's point is often why don't we hear about these other incidents ... because the news isn't balanced and the government is trying to fashion a narrative and they use the media to do this by selectively choosing what we hear and see.
Essentially, if you're a media outlet, you'll try hard to not piss off the hand that is feeding you, and Chomsky's assertion is that this is how the media manufactures consent (for all the horrible things the government does to defend the interests of those advertisers abroad).
Essentially, if your opinions are significantly different from those of most politicians (on the important topics), you're unlikely to rise up through the ranks in most major institutions.
Not only does negative news about some countries not emerge in Western society, but positive news debunking the falsehoods and stereotypes about the "blamed" countries doesn't show up either:
A major problem of our global society is that public perception is biased towards the "winners" and we learn the truth, if we are lucky, about their negative impact long after the damage was done. Example: the US invasion of Iraq was based on the false narrative about the weapons of mass destruction. Again, there were some news outlets that were telling the truth, but it was ignored.
Though with the Syrian conflict dying down, I'd expect others like Yemen to get more attention by filling the "war" slot in media.
The US tends to come out with almost no bullet holes from SA and Israel but when one is found it's a howitzer. Every time something related to them really blows up you get to how deep they went and it becomes almost unbelievable to assume there were no signs whatsoever to the US and no reporting could have been done by the media.
WaPo has a vested interest in covering SA especially after Khashoggi and the Bezos blackmail incident. But the US and rest of the media are not as vocal as say when talking about anything related to China or Iran, where every piece of gossip is news, where every allegation becomes a sanction. The point to take from here is that "punishment fitting the crime" seems to be a very fluid concept also at country level and the questions to worry about are "Why are some getting a free pass? What are the strings?".
Oh, and they both use the strength of their relationship with the US to make certain parts of the world unlivable for people they don't like.
Israel is pretty much the only Democratic, liberal country in the Middle East, with Western level women's rights/empowerment, LGBTQ protections, legal protection for minorities, etc. And a land of massive innovation. US universities aren't partnering with Israel because it's politically convenient, but because Israeli universities breed world leading research in many areas. Which is why most high tech companies have an Israeli division, and which is also why Israel has one of the world's highest per capita entrepreneurship, patents and peer reviewed scientific publications.
Contrast that to Autocratic Saudi Arabia where women weren't allowed to drive, or move about in public without approved male company until a year or two ago, where the LGBTQ are punished by death, where every non Muslim is systemically discriminated against with a religious tax, where critical Tweets about the establishment routinely land people in jail, where the actual law of the land is a throwback to the middle ages, with almost no scientific or cultural output of significance!
It's like Apartheid era South Africa arguments again. A shining beacon of civilization among the barbarians, yada yada.
first-world countries should be held to higher standards of jurisprudence (among all things) than rando third-world nations. if you can't deliver justice, then really are you first-world at all?
do you really think Israel delivers appropriate due process to its occupied territories? Let alone actual representation?
iirc Israel just rolled over and occupied Jerusalem within the last couple years. The US rubber-stamped it, not sure that changes anything.
I'm not defending Saudi Arabia, which is indeed as backward as it gets, but in the case of Israel, if you want to talk about discrimination and human rights abuse, you cannot ignore (like you did) the way the indigenous population is treated, in what is effectively an apartheid state.
The differences are more about superficial local colour than political dynamics, which are becoming depressingly consistent across the board.
It's becoming less and less surprising that there are high-level links between all of them which converge through the use of social media and other tools of influence.
If we cannot hold Saudi for human rights violations & let the enabler like Israel go scot-free.
But this doesn't mean Russia and China aren't doing bad things. This doesn't mean that they aren't bad actors that don't need to be dealt with. This is whataboutism, and it detracts from issues instead of productively extending the conversation. If one problem is mentioned, people like you jump out of the woodworks exclaiming, "NO, that's PROPAGANDA! listen to my favourite problem to talk about instead!".
All of these countries. USA. Israel. Saudi Arabia. China. Russia. They're all bad in their own ways, doing bad shit for shitty reasons and they all need to be talked about. But just because one of them does something bad doesn't mean you can't talk about the other ones as well. It doesn't excuse any of them. That's just moral relativism and it's destroying public discourse.
I do mind pretending it's not happening.
I do mind that anyone who points out the emperor is naked is shouted down, labeled a kook, gets eviscerated.
This is a self contradictory statement. Calling someone's argument "whataboutism" is itself a logical fallacy designed to prevent extension of the conversation into a larger context.
The statement is bullshit on its own though.
No, it's still a fallacy. Just because you feel the need to deflect attention towards your personal targets it doesn't mean your argument is sound.
Two state solutions have been offered multiple times. What you're really claiming is that Jews should evacuate the land that they're living on after fleeing consistent mass murders and persecutions throughout history. What you're really claiming is that Jews should either exit to countries that have empirically turned hostile to them over time or be unprosperous.
I am not in any way for citizens of Israel (Jewish or Arab or Christian or whatever else) evacuating the state. However, illegal Israeli colonies on what is universally agreed as Palestinian land are not acceptable. Opening fire on crowds throwing rubber wheels at a wall is not acceptable. Bombing civilian buildings in retaliation for terrorist activities is not acceptable. Blockading humanitarian efforts to deliver food, water, and building materials is not acceptable.
Every gram of Palestinian resistance is met with a kiloton of Israeli aggression, almost as official doctrine. This is not acceptable.
And all this from the only state in the world which illegally holds nuclear weapons without being a signatory of the non-proliferation agreement, but constantly threatens going to war against a different state for building civilian nuclear infrastructure (which is all the international inspectors have found in Iran for years).
That has nothing to do with Judaism. Most people don’t claim it does.
It's "antisemitic". And it doesn't mean what you think it does.
This is Hacker News. If there's a new story about Israel you want to draw to our attention, you can submit it just like everyone else.
Like it or not, US interests are inextricably tied to those of the region. Don't believe me? Most scholars attribute Trump's election, at least in moderate part, to the massive influx of Syrian refugees to the many countries they went to. If we had done a better job stabilizing the region, perhaps Trump would have never even sniffed power.
Note: I'm not claiming Iran is some tortured paradise. It is still a brutal regime, with horrible regressive views and which is acting tyrannically towards its own population. It is much worse than Israel in that regard (though at least Iran is not waging a war of aggression on a neighbor satellite state, and defying UN resolutions and international law in doing so). But it is still significantly better than Saudi Arabia in almost everything to do with human rights.
Israel could've been a much better product of creative thinking. Now it's an apartheid state with the indigenous kept in an open air prison that is regularly used for international weapons testing.... The unwise think in very short terms...and it comes back to bite them shortly after.
I thought you were serious if not for the closing line... :)
to be fair, they didn't just doctor history, they actually changed their ways.
Everything else they've done is pretty much PR management.
Here's a list of their open source projects.
(Microsoft may be the world's largest open source contributor
(Microsoft becomes 5th largest contributor to linux core
Not saying that they didn't change their ways, but they are a long way from proving that this is not another EEE cycle. Not to even mention "breaking even" on the damage they did directly (and deliberately) to open source effort.
 - https://www.linuxfoundation.org/2017-linux-kernel-report-lan...
Microsoft could open source Windows and people will still mention EEE. Impossible right? But, open sourcing dot net was inconceivable just a few years ago.
You're talking about EEE. In fact, the organization that's actively performing the EEE strategy is Google. It's quite easy to spot if one isn't blinded by fandom.
E.g. webkit -> blink, rss, bundling of apps on android prevent manufacturers from using forked android, chrome OS has only one browser - MS didn't even do this to get in trouble, AMP project, and then experimenting with removing urls from the search page.
So whatever floats your boat.
That MS has made some projects OSS is just recognition they needed to up their game or be left behind.
It in no way means they're suddenly "good guys" (etc).
When their actions are those of "good guys", then perhaps they could start to be viewed as such.
> Am I out of the loop, what have Microsoft done to support open-source?
That's what I responded to.
There were definitely tools available to all of us that allowed this type of access to personal data and more. Specifically a lot of the lists that were generated about who to follow suggestions were manually curated at the time and we could put whoever we wanted on the list. We were expected to put people that were relevant in our industry on those lists, but I think Ahmed actually got in trouble for putting himself on that list to build up his Twitter following.
At the time it was certainly a major initiative to rebuild the legacy systems to fix exactly this type of problem. There were strong mandates from the top of the company that were made abundantly clear to us that while they were fixing these things we were all under agreement and NDA to keep all of this data private. The systems were broken no question, but the message was clear. That just makes it even more disappointing to see what he did. He has a very young family at home that is now going to be totally broken.
Hey, I get it, it's a little surprising and scary. But this is just a quick reminder that we do the whole innocent until proven guilty thing here in the US. He hasn't been convicted yet, just keep that in mind when thinking about your colleague.
He tried to forge an invoice while an FBI agent was in his home:
“According to the complaint, Abouammo created a false receipt using his home computer during the interview to show a $100,000 payment received from Asaker to disguise the payments as media strategy work.”
There are accusations that a teacher sexually molested somebody, but the investigations never went anywhere; do you hire that teacher? I don't think parents are about to blame you for not hiring that teacher.
That has bad externalities. In particular, you'd be creating perverse incentives for people to make accusations against those they dislike (or threaten to do so), a very asymmetric weapon that benefits liars more than anyone else.
That particular confusion in the English language is probably responsible for a noticeable amount of drama in the world...
What if you got falsely accused of sexual assault? Will you go "well that sucks" and start collecting food stamps for the rest of your life?
But while we are imagining, imagine that you are a school administrator who has hired such a teacher, and then there is another accusation of sexual crime with the same teacher. You suspend the teacher while investigations are ongoing, and ultimately the investigations go nowhere.
From the perspective of others, who is at fault? Isn't it time to quit because as an organizational leader you've lost the confidence of the public, which now impairs your effectiveness? As an observer, that is the answer I observe to be true of the land.
And let's not forget... the justice system gets things wrong sometimes. It's not a proxy for your eyes.
It is not at all fine that someone gets their life ruined by false accusations, but identifying the accused in media goes a long way towards it.
Not to mince words, we've managed to humanize the justice system to a large extent, but by no means have we been able to remove the desire of the public to see criminals humiliated and deprived of their freedom, even lives, on tit-for-tat moral grounds. So, while the justice system in many 'civilized' countries does the best it can to be rational, in order to keep the public happy, it also needs to be seen to be sufficiently harsh on crime.
Twitter (and Yahoo) deserve kudos for fighting back and being uncooperative. Twitter refused to join PRISM.
Well maybe he shouldn't have spied for Saudi Arabia? I hope he enjoys federal prison.
If he doesn't get sent to prison, people who don't know the story and condemn him because of a headline will.
Then again, what type of side effects would that have on the quality of the products moving forward?
Even if you follow best practices with access control, in the end you're always going to have a group of people who you need to trust with access to folks' personal data. Maybe the solution is better audit logging and even tighter access, but I'm not sure leaks of this nature are preventable.
These groups usually get access through a bastion that anonymizes data and logs access. I remember that as a SWE at Google, I could run aggregated & anonymized statistics across query logs, but some info (eg. IPs, user logins) had been scrubbed before any of my code could get access to it, and for things that were more personal (eg. your GMail login) you could only get access to your own account.
There's nothing you can do about SREs who have root access on the box or the SWEs who need to implement & maintain the bastion servers, but that's presumably a more restricted, vetted, and trusted group.
I think this may be something that is unique to a certain size tech company that simply isn't the case at 99.99% of companies with user data in their possession.
Of course many of the changes around that time were in response to the breach by the Chinese government, not only in response to embarrassing privacy incidents. Later improvements came about because of things Snowden published.
I suspect that at some stage this might come for some FANG employees
I would say it is much more likely that Google will accidentally lose the organizational ability to become root-in-prod, than it is that a person has done this thing without being noticed.
In short, insider risk cannot be mitigated with hiring practices. You need robust technical measures against insider risk.
There was a video with some of the datacenter security measures, e.g. iris scanning (just to get yours in the DB required approvals from senior people). On the actual floor, to which very few have actual access, you need to badge both on your way in and out, individually. If you badge out without having badged in, the door won't open and an alarm will go off.
Snowden's revelations (2013) were a major watershed. There'd been several measures taken since, based on what I heard on the outside, largely through discussions, mostly public, a few direct, with Google staff via G+.
Starting on, of all days, November 9th, 2016, I began regularly posting an image of Jewish shop windows shattered during Kristallnacht, asking whether Google were thinking of brownshirt-proofing their data. That generated responses including from G+'s architect (then in a role with user data safety & privacy), and the data security lead.
It wasn't until some time later that I realised I'd entirely accidentally picked the anniversary of the event for the post. Though the coincidence was useful.
My understanding was that numerous protections were in place by that time. I continue to have concerns.
This is so incredibly cringey. You're actively building the panopticon and yet you think of yourselves as righteous warriors for justice.
I don't mean this to be a personal attack, but yours is such a revealing comment about the mindset of people inside these surveillance behemoths.
(See also: this "pledge" http://neveragain.tech/ to not build registries for targeting citizens...signed by a bunch of people who work at companies whose entire business is targeting citizens with ads)
Sounds like you'd be surprised at what storage, and backup engineers have access to.
I think much like anti-hacking and anti-fraud efforts, publishing information about how they vet candidates would just make it easier for attackers to figure out how to game the system.
Why wouldn’t the information be public? It’s the same concept as crypto algos being published and peer-reviewed.
This is absolutely not true. This number can and should be reduced to an absolute minimum number of people.
As in, define "tech companies" (name specific companies that do this and why you think that can be generalized to the entire industry) and define "careless" (it's a relative term so please say if it's less or more careless of other examples of organizations that manage similarly large amounts of data but that aren't "tech companies").
Because to me the opposite seems true. It's the non-tech companies (if you equate that to FAANG) that manage large amounts of data that tend to have a lot more data leaks (internal or external) than the tech companies.
I've worked for a few large tech companies that handled very sensitive customer data, and they didn't allow unsanitized access to it by a significant number of people. Typically (on the dev side, anyway), there was a small designated team (less than 10 people) who were the only ones who had such access. Any dev work that absolutely required access to that data -- which was very rare -- was performed by that team.
I worked at one place that had the development network permanently VPN'd into prod. One day, a developer accidentally configured his local environment to connect to a production queue and database. It was like this for over a week.
A previous company didn't bother with the VPN. They had an AWS environment that predated VPC, so SSH and many other service ports were open to the office IP addresses. And several people's homes, for remote work.
It depends on the company (as with large ones, apparently). I currently work for a small company, and it is no less diligent about this stuff than the major companies I've worked for.
Backups generally have "god mode" access (best description) as they need to backup and restore not just filesystem data, but the audit log data as well.
Most (corp) places I worked, the developers and SysAdmins working on production servers gave little thought to the backup component apart from making sure the software installs and runs. ;)
Policy is never useful because even if there is enforcement, there is never 100% perfect enforcement that beats out cryptographic enforcement, at which point policy is no longer needed.
For example Apple can state that your data is end-to-end encrypted and they have no access, and it would be redundant to also have such a policy saying they will not access your data—they can simply say they can't access your data which is a superset of any such policy.
There are policies like "You are not allowed to access user data." and there are policies like, "All access, keystrokes, and applications that have access to user data are logged and those logs are tied to employee IDs. Further the logs are audited and there must be a form 505/2 on file for every access that details the need for the access, what was done with the data, and how the data was handled. If the auditors discover an access in the logs associated with your employee ID and there is no matching 505/2 on file, you will be subject to immediate termination and may be liable in civil and criminal court. Your signature below states that you understand these restrictions, you consent to monitoring of your behavior, and will abide by the policies."
Strong audit trails, logs that cannot be changed by being created in an immutable way, logged access at all terminals and entry points. Combined with a separate auditing group that reports through a different chain of command (like through to the general counsel or something) and you have a policy with teeth.
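An added example, not part of the thread or any commenter's code: a Python sketch of the control described in the comment above, a hash-chained access log that an auditor verifies and then reconciles against filed justifications. The record fields, the `SAMPLE_JUSTIFICATIONS` set standing in for the "form 505/2" filings, the employee and resource IDs, and the sample entries are all constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as "previous hash" of the first entry


def _digest(prev_hash, record):
    """Hash the previous entry's hash together with this record's canonical JSON."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(log, employee_id, resource, action, ts):
    """Append an access record whose hash commits to everything logged before it."""
    record = {"employee_id": employee_id, "resource": resource,
              "action": action, "ts": ts}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"record": record, "prev": prev_hash,
                "hash": _digest(prev_hash, record)})
    return log[-1]


def verify_chain(log, expected_head=None):
    """Return the index of the first entry that fails verification, or None.

    expected_head is the latest hash the auditing group recorded out of band.
    Without it, deleting entries from the tail of the log would go unnoticed,
    because a truncated chain is still internally consistent.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return None


def unjustified_accesses(log, justifications):
    """List logged accesses that have no matching filed justification.

    justifications is a set of (employee_id, resource) pairs, one per filed
    form. Reconciliation only means something after verify_chain has passed.
    """
    return [e["record"] for e in log
            if (e["record"]["employee_id"], e["record"]["resource"]) not in justifications]


# Constructed sample data: two accesses with a form on file, one without.
SAMPLE_JUSTIFICATIONS = {("e-1001", "user:4411"), ("e-1003", "user:4411")}


def build_sample_log():
    log = []
    append_entry(log, "e-1001", "user:4411", "read_profile", "2019-11-06T10:00:00Z")
    append_entry(log, "e-1002", "user:9920", "read_email", "2019-11-06T10:05:00Z")
    append_entry(log, "e-1003", "user:4411", "read_profile", "2019-11-06T10:09:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]  # in practice held by the separate auditing group
    print("chain intact:", verify_chain(log, head) is None)
    for rec in unjustified_accesses(log, SAMPLE_JUSTIFICATIONS):
        print("no justification on file:", rec["employee_id"], rec["resource"])

    # Rewriting who made an access breaks the chain at that entry.
    log[1]["record"]["employee_id"] = "e-1001"
    print("first bad entry after edit:", verify_chain(log, head))
```

The chain only shows that the log was altered; keeping the head hash with the separate auditing group is what stops someone with write access to the log from recomputing the whole chain.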
If I publish my crypto wallet private keys and enact a policy that anyone who tries to take the wallet contents will be beaten to death, and get everyone to agree to this policy, then it would be rendered moot when the person who steals the wallet uses it to hire personal bodyguards.
Through roughly 2000, the principal saving grace was that disk storage was so expensive, and networking so slow, that large quantities of data were unlikely to be found online except in the case of very major organisations. Most financial firms would read data from tape for analysis or marketing programmes, as an example. A major credit card network might have a couple of, say, Sun Starfire class servers onto which a comprehensive union cardholder dataset might be assembled and accessed. One friend reported accessing their campus workstation to which a large national medical insurance database was being processed, from the New York Public Library over Telnet (though I believe they didn't actually log in, they did receive the prompt). E-commerce software vendors and systems stored credit card information, which was accessed. Numerous services and datasets fly around all kinds of organisations, with little protection, and were transmitted in unencrypted FTP sessions. Social networks in which NOC addresses were directly accessible from the office network (WiFi access, natch), with millions of members' data directly accessible.
There are many ways to get this wrong. Few to get it right. And most organisations lack the staff, capitalisation, or incentives to do the right thing.
Google are probably among the best. That leaves open the question of how good they are, and what their past practices have been, even in relatively recent years.
Or how they might behave should their advertising monopoly and revenues fail.
I got very lucky here. The work study job in the job placement center was turning job listings that were faxed in into html to post on our fresh new website. Nobody at the time knew what HTML was.
A few years earlier I had bought a "Learn HTML in 24 hours book" and I made a Tony Hawk Pro Skater webpage that listed all the special moves. I used a lot of iframes and thought it was pretty good. CSS wasn't really a thing back then. iframes and tables got the job done.
But I got the job and they thought they got very lucky. I worked in this back room with a computer and a fax machine. Job listings would be faxed in. I would scan them and let the OCR software try, and then I would clean it up and add some <h> and <b> tags and then do my econ homework for the rest of my shift.
But as the digital stuff became more popular they hired another guy to be in the back room with me. Dude was a bit of a creep and a student came in looking for a part time job that would work around her classes. He kept on going on about how hot she was. A few weeks later he was talking about how he signed up for a few of the classes the hot girl was taking.
Every single student record was available on our computers. Names, address, phone numbers, class schedule, SSN, FAFSA data. It was madness.
And I was a lowly fax to html guy.
Agreed, data governance is important for any company to get right, but someone has to have DB access in order to manage it. When you factor in that so many companies derive revenue from the data they generate, then it gets harder.
If you’re Twitter, how can you build the services you need as an architect or data scientist without the actual data?
Very, very few people need root access and the ability to see all raw data. For example, at Google, this is a tiny number of senior SREs and that's it. Your average employees should be using audited UIs running through service accounts that have restricted permissions.
The solution we had wasn’t particularly difficult to set up, and actually made life much easier for everybody, because we’d provided everybody with a very easy to use interface for the data they wanted (much better than the old school shelling into a DB to run your arbitrary SQL statements).
Everything in the data warehouse was anonymized, and people only had access to the schemas they needed (though this was defined quite broadly). Anonymization was handled by our ETL pipeline. When we first set it up, the requirements were pretty simple and we just wrote a little Java app to do it. This scaled pretty poorly, and the team ended up putting a proper ETL product in there. I can’t remember which one they used, but there’s a lot of perfectly decent products in that space (even some open source).
I mean, the data is still accessible, it's just not easy to get it willy-nilly without setting off alarms.
So far, I've not yet come across a system where some level of direct admin access isn't needed for at least "last resort" situations. (obviously, only available to a very specific set of trusted people)
I mean, we all know that it's insane to store plaintext passwords. So why is it necessary to store anything as plaintext?
Depending, of course, on how you want to use it.
One could arguably build chat apps and social media that retained no PII. In my opinion, providers retain PII primarily in order to monetize it.
But the problem is that it becomes toxic waste. And it always leaks, eventually. Putting users at risk, and damaging providers' reputations.
Consider the Tox P2P chat app. Each user device runs a Tor onion service. And chats involve only connections among them. Users need disclose no PII. And there's no need for central servers holding PII.
Regarding social media, consider all the "dark markets" that have run as Tor onion services. There's no reason why any sort of social media that you want couldn't be implemented similarly. Although there'd be central servers, there'd be no need for them to handle any PII. Indeed, the fact that "dark markets" handle PII is one of their main weaknesses.
And it's not even necessary to use Tor. One can achieve substantial privacy and anonymity using nested VPN chains, with far less risk of attracting unwanted attention.
If you get 10k new accounts in 5 minutes and they're all from some VoIP provider in a tiny corner of the second or third world, you have some data to work with there.
Maybe I am too charitable.
The site has also been around for over a decade, lots of opportunity to accumulate.
I mean, if you're a dissident in a country with a violent government, maybe don't use the service that requires personal information?
It seems a bit much to me to say no service ever should require people's phone numbers because somewhere, someone might make a bad decision and use the service when they shouldn't have.
Maybe SV should try to innovate more instead of reverting to "Wow, sucks to live where you do; hold my craft beer" so much these days.
The internet was supposed to set people free. It's not working.
It again raises my periodic wonder: how many spies, both for the USA, as well as the intel agencies of others, are employed in sensitive roles at Apple, Amazon, Microsoft, Google, and others? How many of them work on the cloud platforms? How many of them have access to HSMs and other internal systems that are used as trust roots?
Can we assume that any major platform provider's highest level keys haven't been stolen, perhaps without their own knowledge? It's safe to assume that if they were stolen by their own government's agents, they probably wouldn't tell anyone even if they found out (even if they weren't gag ordered, which they probably would be).
You can trust a company down to the ground but still necessarily realize that everyone who hires engineers is going to be vulnerable to this. AWS' GovCloud that only permits US citizens physical access to the facilities doesn't even totally solve the problem, it just (somewhat) reduces the risk, because even US citizens like bribes.
Anyway, from the article it seems at least some of them were groomed after becoming Twitter employees, so it wouldn't be quite accurate.
employees who happened to become spies
spies who happened to become employees
You should be a lot more worried about Facebook.
This pretty much applied to US government warrantless wiretaps as well come to think of it. Unfettered access isn't so hot if you like your privacy.
I'm pretty sure that is not really a hard task.
We have 300 IT systems with 8000 users that take care of 700000 citizens. There is an ungodly amount of information on who accessed what and when. Data security, even post-GDPR, is a total illusion.
We’re working to build better access control, by indexing data and mapping user rights to job functions, but even then things are going to get lost in the audits.
Let’s say I’m a foreign spy who happens to be the company’s DBA. Audit logs don’t really help you there since it’s not particularly noteworthy that I was in the DB.
> MICE: Money, Ideology, Compromise or [Extortion / Ego]
> RASCLS framework: Reciprocation, Authority, Scarcity, Commitment and Consistency, Liking, and Social Proof
See Also: https://en.wikipedia.org/wiki/Recruitment_of_spies
But in the three TFAs posted recently here, I didn't see anything about blackmail or extortion.
If the latter, then the answer is all of them.
Hell, Google has real time and historic GPS data for half of America. A government would have to be out of their mind not to go after such data.
1. You can build systems in a way that every access is strictly logged and audited.
2. Many companies like Facebook or Google employ engineers who could possibly be spying for Russia or China. But the systems and trust models are designed with this in mind.
Here we see unrestricted access to user data, not even sure there’s audit logging in place.
Please note, I'm not saying GitLab's response was appropriate, I totally agree with your second point. I'm saying the demand was genuine.
GitLab doesn’t really serve China and has no need for support engineers within China.
However, GitLab's restriction also prevented employees from moving to China as well. Many companies employ people in Asia/Europe timezones as night-time on-call engineers and support.
Not to mention, the list (China, Russia) is a list of countries made up by GitLab, with no particular backing that's officially recognized by any particular government or organization, which makes the situation discriminatory.
* They wouldn't respond to "emergency disclosure" requests from the Kingdom of Saudi Arabia about random users
* The average developer has zero access to user data besides names in crash logs and things that the developer has been explicitly copied on in the support system.
* Every command run on production servers by developers requires approval by someone above your org chart level (up to the executive level, when you just need someone at your level) and is logged forever.
* SREs who have to shell in to servers use Unix accounts that have no access to user data. Root access, which should hardly ever happen, requires org chart approval.
* Test environments use synthetic or anonymized data
* There is a separate team of dozens of highly paid people whose only job is to identify, classify, and monitor access to user data. This is not even the same as the infosec team, who also would be looking for insider breaches.