Hacker News
Former Twitter Employees Charged with Spying for Saudi Arabia (washingtonpost.com)
712 points by grzm 15 days ago | 323 comments

The complaint [0] is both very interesting – particularly the details on how sloppy/non-existent Twitter's user-access-control was back in 2015 – and pretty funny, such as how one of the suspects tried to fake a digital document but didn't fake the timestamp, and the FBI noticed the receipt having a creation date the same day of their interview with him (pg 13).

According to one of the suspects' LinkedIn, he left Twitter in 2015, and then worked at Amazon for 3 years in marketing and social media. While I have little doubt Amazon's internal auditing and access control are better than Twitter's, it'd be nice to hear confirmation from Amazon that he didn't access any private user data.

[0] https://context-cdn.washingtonpost.com/notes/prod/default/do...

> such as how one of the suspects tried to fake a digital document but didn't fake the timestamp, and the FBI noticed the receipt having a creation date the same day of their interview with him (pg 13)

It's even better: he typed the fake invoice up in his bedroom while the FBI was in his house, after explicitly asking the FBI not to follow him in there. I can picture the agents looking at each other trying not to burst out laughing.

Is that really that unusual though? Can you think of a situation where not asking the FBI to not follow you around the house would be reasonable?

And why would the FBI assume he was typing the invoice? If you ask me for certain documents I actually possess, depending on the document I might be gone 10 to 15 minutes as well, or even outright say that I need to find it first, I'll bring it to <X>.

I mean, if the FBI drops by for a chat, encouraging them to stick to the living room is probably not unusual. But if you're being asked for a document present in your house that's going to take 10+ minutes to find, inviting the agents along or bringing the relevant folders/computer/whatever to where they are sounds pretty reasonable.

Not necessary, which is obvious from the agents agreeing to this request. But maybe a good way to forestall concerns like "what if they think I'm forging the document right now?"

I think the assumption is if they are "at your door" they probably know you don't have it.

It's funny that the Post failed to convey this information.

Also interesting is on pg 17 where they search through his Apple ID account (notes specifically).

This is the Saudi Arabian dude who has sued Twitter https://twitter.com/oamaz7

>While I have little doubt Amazon's internal auditing and access control are better than Twitter's.

You underestimate the power of stupidity of these people.

Tangent, but one of the most interesting things in the complaint -- to me -- was this language:

> Many Twitter users live in Saudi Arabia and some users of Saudi nationality or descent live outside of Saudi Arabia, including in the United States.

It's kind of surreal to use "Saudi" as the demonym for the people of Arabia. "Arab" would be normal. The language is Arabic, the country is Arabia, and those are both named after the people, the Arabs. The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.

>It's kind of surreal to use "Saudi" as the demonym for the people of Arabia

Huh? They use it as a name for "people from Saudi Arabia" and it's a very common use.

"some users of Saudi nationality or descent live outside of Saudi Arabia" --> people who are SA nationals/origin and live outside the country.

>The "Saudi" in the name of the country refers to the royal house, the House of Saud, and I would expect a "person of Saudi descent" to be Arabic royalty, not just any old Arab.

Saudi != Arab. If anything, Arab is a superset (and Saudis, if we talk about the nation state and not the ethnicity, are not all Arabs).

But the main point, is that the name Saud is commonly used for the nationals of Saudi Arabia, not just the royals.

Wikipedia: Saudis or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;

Arabia is a peninsula. Qataris, Yemenis and Emiratis among others would not appreciate Saudis attempting to appropriate Arabian to refer to those from Saudi Arabia.

And Arab refers to people from Morocco to Iraq so it’s equally unsuitable.

Exactly, imagine if people of the United States appropriated the name 'American'! I'm sure that every other country in the two Americas would be up in arms!

(It is a joke, laugh).

Some other countries actually use terms like United Statians or North Americans. And after traveling a bit makes the USA's use of 'America' seem arrogant or ignorant.

In Italian "statunitense" is used, but probably not as often as "americano".

Canadians might still not be pleased about 'North American'.

I'm guessing you haven't traveled much. American is a virtually ubiquitous term to describe someone from the United States worldwide, no matter which language you're speaking. Countries which have a problem with calling yourself American are a minority, and even then it's usually a small minority of the younger generation.

If you go anywhere within Latin America, you'll find quite quickly that "American" is used to describe someone from the continents, and it's considered very odd to introduce yourself as "American" to a local. You say you're Estadounidense, or "Soy de Estados Unidos" (From the United States).

It's actually a very charged topic in Latin America, as many latinos feel that the word they use to describe themselves has been stolen.

I’m sure every other country with America in its name would be.

Well, the complaint was about calling Arabs the people from Saudi Arabia.

It was a bit of sarcasm, as it is exactly comparable. Go look at a globe and tell me which other countries have “America” in their name ;)

There are other Arab countries. Most people know what is meant by "Saudi" even if it's technically not correct

It is technically correct, although not official.

Wikipedia: Saudis (Arabic: سعوديون‎ Suʿūdiyyūn) or Saudi Arabians are a nation composed mainly of Arab ethnic groups who are native to the Arabian Peninsula and live in the five historical Regions: Najd, Al-Hijaz, Asir, Tihama and Al-Ahsa;

I think they just mean expats, or dual citizens, or Saudi Citizens living in the US. I don't think they meant the Arab ethnicity.

Is anyone surprised considering the amount of Saudi money flooding around traditional and social media?

Now let's look into Israel and their spying/influence in traditional and social media.

It was amazing the amount of "news" and social media spam we got about Russia ( We were always at war with Eurasia ). It's amazing the amount of "news" and social media spam we are getting about China ( We were always at war with Eastasia ).

But one hardly ever hears a peep about Israel or Saudi Arabia. Considering what is happening to the Palestinians, Yemenis, etc, you would think you'd hear a lot more "news" about them. Especially about Saudi Arabia from the feminist/LGBT traditional media considering the Saudis probably treat women and the LGBT as badly as any nation on earth.

How come the "news" industry isn't going apeshit over more than half of the state and the US house of senate pushing unconstitutional anti-BDS laws?



A country founded on boycotts banning its corporations from boycotting a foreign country?

I can't stand these kind of takes that are based purely in anecdote. On what basis are you claiming we "hardly ever hear a peep about Israel or Saudi Arabia"? How do you even measure that?

> How do you even measure that?

All this sort of stuff is claimed under Manufacturing Consent. Chomsky's point is often why don't we hear about these other incidents .. because the news isn't balanced and the government is trying to fashion a narrative and they use the media to do this by selectively choosing what we hear and see.

One of the points of Manufacturing Consent is that it's not necessarily the government directly choosing a narrative (that sometimes does happen, especially through selective leaks) but that the news media itself and the people who end up doing editorial policy are largely aligned with the government to begin with.

It's not that they are aligned with the government, necessarily. Rather, they are aligned with large advertisers, and those tend to be powerful companies and conglomerates with global interests.

Essentially, if you're a media outlet, you'll try hard to not piss off the hand that is feeding you, and Chomsky's assertion is that this is how the media manufactures consent (for all the horrible things the government does to defend the interests of those advertisers abroad).

That is one aspect, but there is even more: in general, people who rise in positions of power, such as editorial positions on major media outlets, or political power, or capital, tend to have similar beliefs and interests. This is because of things like common education institution and social bonds.

Essentially, if your opinions are significantly different from those of most politicians (on the important topics), you're unlikely to rise up through the ranks in most major institutions.

Can you tell me a major news event that I haven't heard about?

For starters: "NSO (Israel) hacked Jamal Khashoggi's contact via WhatsApp & passed whereabouts of Khashoggi to Saudi Arabia which eventually led to his death." I've never heard of this news until I read this thread today, even though it was covered by NYT to some extent.

Not only negative news about some countries don't emerge in the Western society, but also positive news debunking the falsehoods and stereotypes about the "blamed" countries don't show up either: https://theintercept.com/2019/08/14/trump-iran-worst-lies

A major problem of our global society is that public perception is biased towards the "winners" and we learn the truth, if we are lucky, about their negative impact long after the damage was done. Example: the US invasion on Iraq was based on the false narrative about the weapons of mass destruction. Again, there were some news outlets that were telling the truth, but it was ignored.

You're probably up to date with the war in Syria but why not Yemen? Why is Syria vastly more newsworthy than Yemen? Because this is what the column inches suggest.

The Yemeni Civil War makes it appear as if there is very little involvement from the three global superpowers, while the Syrian standoff was worryingly similar to a cold war era proxy war. Also quite close to Europe, thus more important for our media and upcoming elections.

Though with the Syrian conflict dying down, I'd expect others like Yemen to get more attention by filling the "war" slot in media.

Not that I totally disagree with the gist of your comments, but the Syria situation seems much more relevant internationally, with Syria involving direct military actions of two world powers and a NATO member. Not to say that any of the atrocities are to be ignored...

Just as a non-anecdotal proof [0] that just because it's counter-intuitive doesn't mean it's not correct. Sometimes it's the most obvious absence of evidence that shouts the loudest. Looking at those planes there was absolutely no proof that some parts ever get hit and it would be crazy to even suggest that they do. Based on what evidence?

The US tends to come out with almost no bullet holes from SA and Israel but when one is found it's a howitzer. Every time something related to them really blows up you get to how deep they went and it becomes almost unbelievable to assume there were no signs whatsoever to the US and no reporting could have been done by the media.

WaPo has a vested interest in covering SA especially after Khashoggi and the Bezos blackmail incident. But the US and rest of the media are not as vocal as say when talking about anything related to China or Iran, where every piece of gossip is news, where every allegation becomes a sanction. The point to take from here is that "punishment fitting the crime" seems to be a very fluid concept also at country level and the questions to worry about are "Why are some getting a free pass? What are the strings?".

[0] https://www.motherjones.com/kevin-drum/2010/09/counterintuit...

The Communications Chief of Time Warner and former EVP at News Corporation writes speeches pro bono for the Prime Minister of Israel.



This is the opposite of the HN I encounter most days. It takes work to keep it that way, and off-hand sarcasm won't get you there.

Where is Israel coming here into your argument? Just because you don't like Israel and what they are doing doesn't mean you should treat them the same as Saudi Arabia and create a narrative around them together.

They're both prominent US allies; they're states with some religious identity fundamental to their existence; they're integrated into American civic society - Saudi money in the US economy, academic partnerships between US and Israeli universities; they disenfranchise their own citizens to varying degrees; they buy American weapons and count on American military support to maintain geopolitical relations.

Oh, and they both use the strength of their relationship with the US to make certain parts of the world unlivable for people they don't like.

False equivalency.

Israel is pretty much the only Democratic, liberal country in the Middle East, with Western level women's rights/empowerment, LGBTQ protections, legal protection for minorities, etc. And a land of massive innovation. US universities aren't partnering with Israel because it's politically convenient, but because Israeli universities breed world leading research in many areas. Which is why most high tech companies have an Israeli division, and which is also why Israel has one of the world's highest per capita entrepreneurship, patents and peer reviewed scientific publications.

Contrast that to Autocratic Saudi Arabia where women weren't allowed to drive, or move about in public without approved male company until a year or two, where the LGBTQ are punished by death, where every non Muslim is systemically discriminated with a religious tax [1], where critical Tweets about the establishment routinely land people in jail, where the actual law of the land [2] is a throwback to the middle ages, with almost no scientific or cultural output of significance!

[1]: https://en.m.wikipedia.org/wiki/Jizya

[2]: https://en.m.wikipedia.org/wiki/Legal_system_of_Saudi_Arabia...

You sure rushed it with minority rights.

It's like Apartheid era South Africa arguments again. A shining beacon of civilization among the barbarians, yada yada.

yes, that behavior is expected of a shit-tier country like Saudi Arabia. Is that how Israel wants to be regarded?

first-world countries should be held to higher standards of jurisprudence (among all things) than rando third-world nations. if you can't deliver justice, then really are you first-world at all?

do you really think Israel delivers appropriate due process to its occupied territories? Let alone actual representation?

iirc Israel just rolled over and occupied Jerusalem within the last couple years. The US rubber-stamped it, not sure that changes anything.

I think we all agree with you here. But none of it contradicts what the parent said

I think you're the one doing the false equivalency.

I'm not defending Saudi Arabia, which is indeed as backward as it gets, but in the case of Israel, if you want to talk about discrimination and human rights abuse, you cannot ignore (like you did) the way the indigenous population is treated, in what is effectively an apartheid state.

The real equivalency is that Saudi Arabia, Israel, the US, Russia, China, and - increasingly - the UK and other satellite states are now essentially extreme nationalist regimes with a far-right political slant and a fondness for various forms of violence.

The differences are more about superficial local colour than political dynamics, which are becoming depressingly consistent across the board.

It's becoming less and less surprising that there are high-level links between all of them which converge through the use of social media and other tools of influence.

Claiming Israel has a far right political stance is disingenuous. In terms of what? Geopolitical strategy? Economically they're definitely not on the right by any US standards.

He wrote "extreme nationalist regimes". I really hope that the Palestinian minority, which isn't really small and keeps growing, gets a say in Israeli politics after all these years of being totally sidelined by the majority. I don't see any other path to peace in that region.

twchjop 15 days ago [flagged]

NSO (Israel) hacked Jamal Khashoggi's contact via WhatsApp & passed whereabouts of Khashoggi to Saudi Arabia which eventually led to his death.

If we cannot hold Saudi for human rights violations & let the enabler like Israel go scot-free.

Is this true? Why nobody talks about this?

Apparently because it gets your post nuked, whatever it was

You can turn on show-dead in your profile and it is un-nuked.

I take serious issue with this. I completely agree that Saudi Arabia and Israel are significant national security and geopolitical issues that aren't being dealt with appropriately. The Israelis are spying on US politicians and others inside the US. It's crazy. And pointing out that the Israelis are doing so, and most likely also directly influencing politicians to treat Israel more favourably, is regarded solely as racism and "anti-Israeli" - as if Israel doesn't and isn't doing despicable things as well. They aren't above reproach, but they're absolutely treated like they are. Saudi Arabia is far worse, and they're treated the same way in US politics.

But this doesn't mean Russia and China aren't doing bad things. This doesn't mean that they aren't bad actors that don't need to be dealt with. This is whataboutism, and it detracts from issues instead of productively extending the conversation. If one problem is mentioned, people like you jump out of the woodworks exclaiming, "NO, that's PROPAGANDA! listen to my favourite problem to talk about instead!".

All of these countries. USA. Israel. Saudi Arabia. China. Russia. They're all bad in their own ways, doing bad shit for shitty reasons and they all need to be talked about. But just because one of them does something bad doesn't mean you can't talk about the other ones as well. It doesn't excuse any of them. That's just moral relativism and it's destroying public discourse.

I don't mind everyone spying on each other.

I do mind pretending it's not happening.

I do mind that any one who points out the emperor is naked is shouted down, labeled a kook, gets eviscerated.

>This is whataboutism, and it detracts from issues instead of productively extending the conversation

This is a self contradictory statement. Calling someone's argument "whataboutism" is itself a logical fallacy designed to prevent extension of the conversation into a larger context

It's been surprising to me to behold the hawkish rhetoric we get in the press re: Turkey and Iran lately. I don't believe it's coming from people who are genuinely concerned about the fate of the PKK

> Now let's look into Israel and their spying/influence in traditional and social media.


If it isn't used to defend the action (spying), establish it as justified and therefore clear the offender from guilt, the fallacy doesn't really apply.

The statement is bullshit on its own though.

> If it isn't used to defend the action

No, it's still a fallacy. Just because you feel the need to deflect attention towards your personal targets it doesn't mean your argument is sound.


Are you implying that the BDS movement is anti-semitic? That would be an extreme claim, which would require some kind of evidence. Being against Israel's actions towards Palestine, which is far and away the most important topic covered by the BDS movement, is in no way an anti-semitic sentiment.

What are you against?

Two state solutions have been offered multiple times. What you're really claiming is that Jews should evacuate the land that they're living on after fleeing consistent mass murders and persecutions throughout history. What you're really claiming is that Jews should either exit to countries that have empirically turned hostile to them over time or be unprosperous.

Two state solutions have been offered, agreed upon, and blocked by the US and Israel every time.

I am not in any way for citizens of Israel (Jewish or Arab or Christian or whatever else) evacuating the state. However, illegal Israeli colonies on what is universally agreed as Palestinian land are not acceptable. Opening fire on crowds throwing rubber wheels at a wall is not acceptable. Bombing civilian buildings in retaliation for terrorist activities is not acceptable. Blockading humanitarian efforts to deliver food, water, and building materials is not acceptable.

Every gram of Palestinian resistance is met with a kiloton of Israeli aggression, almost as official doctrine. This is not acceptable.

And all this from the only state in the world which illegally holds nuclear weapons without being a signatory of the non-proliferation agreement, but constantly threatens going to war against a different state for building civilian nuclear infrastructure (which is all the international inspectors have found in Iran for years).

Why do you immediately talk about a two-state solution? A single-state solution is also an alternative. And possibly the only viable one.

Is it possible to like Jewish people and strongly dislike the government of the state of Israel?

You just described about half the population of Israel

Whether the insertion was contrived or not, what would it have to do with anti-semitism of all things?

It’s a topic about espionage and exerting power and cash to silence critics, two subjects that Israel is globally known to excel at.

That has nothing to do with Judaism. Most people don’t claim it does.

> anti semetic

It's "antisemitic". And it doesn't mean what you think it does.

Don't like someone's narrative? Just call it racist/sexist/anti-semitic.

For shame.

Here's an actual news story about spying by Saudi Arabia. What motivates someone to turn it into a thread about Israel?

This is Hacker News. If there's a new story about Israel you want to draw to our attention, you can submit it just like everyone else.

I didn't know the Arab world has their own "wumao"s.

I think Saudi Arabia won largely from the Arab Spring, and that was powered by social media. I think they view it as an investment.

We don't need to look into Israeli or Saudi Arabian money in US politics. It's there and we like it there. Those two countries are the most stable in the region by a mile and are willing to compromise with US interests to maintain the (fragile) stability.

Like it or not, US interests are inextricably tied to those of the region. Don't believe me? Most scholars attribute Trump's election, at least in moderate part, to the massive influx of Syrian refugees to the many countries they went to. If we had done a better job stabilizing the region, perhaps Trump would have never even sniffed power.

These are the most stable countries in the region because they are the only countries in the region allowed to be stable. Iran is by almost any measure a better country to live in than Saudi Arabia, except that it does not do the bidding of the US, so it is getting illegal sanctions imposed upon it, almost officially recognized industrial sabotage, it is cut off from world banking etc.

Note: I'm not claiming Iran is some tortured paradise. It is still a brutal regime, with horrible regressive views and which is acting tyrannically towards its own population. It is much worse than Israel in that regard (though at least Iran is not waging a war of aggression on a neighbor satellite state, and defying UN resolutions and international law in doing so). But it is still significantly better than Saudi Arabia in almost everything to do with human rights.

If one of your country’s official slogans is “Death to OtherCountry”, and so OtherCountry keeps not liking you ... it’s not that weird?!?

It's the way of the world. The Palestinians were weak so they got bullied around and Israel was born. They remained weak and Israel continues. This is the way of the world. Strong eat the weak. Whether it's monopolizing tech companies or nation states. They can abuse their power. Once established, they can then rewrite history. Look how now Microsoft has become such a champion for open-source. Tomorrow the champion of privacy will be Facebook. Tomorrow the champion for human rights will be the Saudis and the Israelis.

This is how garbage spreads, without wisdom and foresight.

Israel could've been a much better product of creative thinking. Now it's an apartheid state with the indigenous kept in an open air prison that is regularly used for international weapons testing.... The unwise think in very short terms...and it comes back to bite them shortly after.

>> Tomorrow the champion for human rights will be the Saudis

I thought you were serious if not for the closing line... :)

I am serious but obviously sarcastic. Most of the world is oblivious to the savagery of the Saudi war against Yemen. One day the Saudis will champion some liberal cause and hire some PR campaign to make sure it's in headline news and placed smack middle of some Netflix movie. Poof!

> Look how now Microsoft has become such a champion for open-source.

to be fair, they didn't just doctor history, they actually changed their ways.

Let me know when telemetry in Windows can meaningfully be turned off fully, and permanently.

Everything else they've done is pretty much PR management.

I don't understand why you're being downvoted. Yes, there are valid technical reasons to use telemetry, but the tricks Microsoft is playing to get these data against the wishes of their users can't be considered fair.

It’s part of the campaign.

Am I out of the loop, what have Microsoft done to support open-source? Made Linux containers easy to use on Azure? Wrote a code editor so that they extend and extinguish developer mindshare and get them onto Azure? I'm being serious, what have MS actually done to claim they have supported open-source (and of course, open-source != free software)

They are one of the largest contributors to Linux, donate $500k annually to Linux Foundation (since 2016. Google joined in 2018), VS code, .net is open source to large degree, TypeScript is open source.

Here's a list of their open source projects.


(Microsoft may be the world's largest open source contributor


(Microsoft becomes 5th largest contributor to linux core https://www.ukfast.co.uk/microsoft-news/impressive-microsoft...)

The Linux kernel contributions link doesn't have a year, so I don't know if something changed. But the last time I checked this, they were "top" contributor for one quarter/some time because they basically dumped all of their HyperV support into the kernel and after that they disappeared from the kernel contributors lists almost completely. A quick google shows the latest Linux Kernel report by Linux Foundation from 2017[1] with the numbers, and they are not even there. It could be that some Microsoft employees are doing work on the kernel without attribution back to Microsoft, but generally speaking I think it's safe to say that the only contribution to the Linux Kernel from Microsoft was HyperV support quite some time ago.

Not saying that they didn't change their ways, but they are a long way from proving that this is not another EEE cycle. Not to even mention "breaking even" on the damage they did directly (and deliberately) to open source effort.

[1] - https://www.linuxfoundation.org/2017-linux-kernel-report-lan...

You ignored the 500k per year contribution to Linux, VS code, the ongoing effort to fully open source dot net, them dumping Edge for chromium, their contributions to chromium especially on efficiency for battery is non trivial.

Microsoft could open source Windows and people will still mention EEE. Impossible right? But, open sourcing dot net was inconceivable just a few years ago.

You're talking about EEE. In fact, the organization that's actively performing the EEE strategy is Google. It's quite easy to spot if one isn't blinded by fandom.

E.g. webkit -> blink, rss, bundling of apps on android prevent manufacturers from using forked android, chrome OS has only one browser - MS didn't even do this to get in trouble, AMP project, and then experimenting with removing urls from the search page.

So whatever floats your boat.

It's quite possible to be skeptical of both MS and Google (etc). It's not a one-or-the-other thing. :)

Having projects as OSS is just plain sensible as in the majority of cases it's a better development approach than the proprietary ones.

That MS has made some projects OSS is just recognition they needed to up their game or be left behind.

It in no way means they're suddenly "good guys" (etc).

When their actions are those of "good guys", then perhaps they could start to be viewed as such.

>It in no way means they're suddenly "good guys" (etc).

Irrelevant to the topic at hand

>Am I out of the loop, what have Microsoft done to support open-source?

That's what I responded to.

No worries. :)

They’ve stopped being an arch enemy and twirling their mustache so often.

I worked directly with Ahmad at Twitter on the international media team. All I can say is I now understand how the next door neighbor to a serial killer can say "but he always seemed like the nicest guy." He really was very nice to everybody, worked hard, and seemed genuine.

There were definitely tools available to all of us that allowed this type of access to personal data and more. Specifically a lot of the lists that were generated about who to follow suggestions were manually curated at the time and we could put whoever we wanted on the list. We were expected to put people that were relevant in our industry on those lists, but I think Ahmad actually got in trouble for putting himself on that list to build up his Twitter following.

At the time it was certainly a major initiative to rebuild the legacy systems to fix exactly this type of problem. There were strong mandates from the top of the company that were made abundantly clear to us that while they were fixing these things we were all under agreement and NDA to keep all of this data private. The systems were broken no question, but the message was clear. That just makes it even more disappointing to see what he did. He has a very young family at home that is now going to be totally broken.

> All I can say is I now understand how the next door neighbor to a serial killer

Hey, I get it, it's a little surprising and scary. But this is just a quick reminder that we do the whole innocent until proven guilty thing here in the US. He hasn't been convicted yet, just keep that in mind when thinking about your colleague.

Another thing to bear in mind is that people who commit espionage are often coerced into doing it by blackmail or threats. This is one of the primary reasons for background checks beyond simple criminal background checks: you want to make sure the people you trust don't have anything in their history that can be used to blackmail or otherwise coerce them.

In this case, the behavior of the former Twitter employee makes him appear unlikely to be innocent.

He tried to forge an invoice while an FBI agent was in his home:

“According to the complaint, Abouammo created a false receipt using his home computer during the interview to show a $100,000 payment received from Asaker to disguise the payments as media strategy work.”

It's crazy how they don't bother to launder the espionage salary. Just a hundred thousand from Saudi Arabia, nothing to see here.

Innocent until proven guilty is for the US courts though. Real life operates by a different principle -- use your eyes and don't f* up.

There are accusations that a teacher sexually molested somebody, but the investigations never went anywhere; do you hire that teacher? I don't think parents are about to blame you for not hiring that teacher.

> There are accusations that a teacher sexually molested somebody, but the investigations never went anywhere; do you hire that teacher? I don't think parents are about to blame you for not hiring that teacher.

That has bad externalities. In particular, you'd be creating perverse incentives for people to make accusations against those they dislike (or threaten to do so), a very asymmetric weapon that benefits liars more than anyone else.

I agree there are perverse incentives and an asymmetry to power, but I'm not the one creating things, I'm making an observation of the land.

That "you" was in the sense of "one", not in the sense of "threatofrain".

That particular confusion in the English language is probably responsible for a noticeable amount of drama in the world...

Yes, it does. So I guess you will be hiring that teacher and putting your own children in their class, right?

..yes? What's the problem with that?

So you think it's fine to not hire someone and possibly ruin their career and life based on unsubstantiated allegations?

What if you got falsely accused of sexual assault? Will you go "well that sucks" and start collecting food stamps for the rest of your life?

I'm pointing out an observation, I'm not sure how interesting it is to ask me to imagine what if I were accused of sexual assault.

But while we are imagining, imagine that you are a school administrator who has hired such a teacher, and then there is another accusation of sexual crime with the same teacher. You suspend the teacher while investigations are ongoing, and ultimately the investigations go nowhere.

From the perspective of others, who is at fault? Isn't it time to quit because as an organizational leader you've lost the confidence of the public, which now impairs your effectiveness? As an observer, that is the answer I observe to be true of the land.

And let's not forget... the justice system gets things wrong sometimes. It's not a proxy for your eyes.

But isn't that what in practice often happens when the name and/or image of the accused makes it into the news?

It is not at all fine that someone gets their life ruined by false accusations, but identifying the accused in media goes a long way towards it.

And then it is very easy to destroy someone's livelihood and future. Or blackmail someone: "raise my grade or I'll tell everyone you touched me". Then the poor teacher with some kind of integrity will never have a job as a teacher again.

People tend to care more about their kids than they do about teachers. A lot of people even support the death penalty, even though it obviously means innocents will also be executed at times. Justice and punishment is always a balance, where hopefully an optimum is found where the least people suffer.

Punishment as justice is medieval though and is not accepted in civilised societies.

... except in the movies.

I don't know of any society that has a justice system without a punitive aspect to it.

The difference is that the punishment isn't supposed to in some way make up for, or balance the crime. In a modern society the punishment is for deterrence and rehabilitation.

That's laudable, and what most people in the justice system probably work for. But go and talk to the people that system serves, i.e. the public, and I think you'll come out with a different understanding of what purposes punishment in the justice system serves.

Not to mince words, we've managed to humanize the justice system to a large extent, but by no means have we been able to remove the desire of the public to see criminals humiliated and deprived of their freedom, even lives, on tit-for-tat moral grounds. So, while the justice system in many 'civilized' countries does the best it can to be rational, in order to keep the public happy, it also needs to be seen to be sufficiently harsh on crime.

This is traditional spycraft and HUMINT. Targeted intelligence collection of persons of interest will always be a problem, but it's not a problem threatening the whole society as mass surveillance is.

Twitter (and Yahoo) deserve kudos for fighting back and being uncooperative. Twitter refused to join PRISM.

I’m surprised that anyone remembers Yahoo as being champions of privacy. Yahoo installed kernel modules on their servers to scan customer data at the request of the government, without even alerting their very own security team.


> He has a very young family at home that is now going to be totally broken.

Well maybe he shouldn't have spied for Saudi Arabia? I hope he enjoys federal prison.

First, he hasn't been convicted yet. Second, most civilians who do this kind of thing are coerced into it. "Do this thing for me or I'll kill your family. If you talk to the FBI, I'll kill your family."

If he doesn't get sent to prison, people who don't know the story and condemn him because of a headline will.

Yes. That is the whole point I am making. He knew it was wrong, and a lot of people suffer, including his innocent children. Not sure if you think I am defending what he is reported to have done, but I am not at all intending to do so.

Additionally I think it disappointing that Twitter curates this type of content at all. I was never a heavy user, but currently Twitter just hasn't any draw at all anymore.

Should anyone have access to the actual data at their company? I feel like this is an indication of maybe scrubbing the said data is a "must" before it goes into the hands of employees.

Then again, what type of side effects would that have on the quality of the products moving forward?

You can and should restrict the number of people with access to the data, but in a tech company there's always going to be a significant number of people with direct access to the raw data. Software engineers on an on-call rotation, full-time site reliability engineers, data analysts, maybe even some external contractors... maybe this isn't the case for Twitter, but many companies also have to put complete trust in their cloud provider or datacenter, which puts even more people in the loop.

Even if you follow best practices with access control, in the end you're always going to have a group of people who you need to trust with access to folks' personal data. Maybe the solution is better audit logging and even tighter access, but I'm not sure leaks of this nature are preventable.

"Software engineers on an on-call rotation...data analysts, maybe even some external contractors"

These groups usually get access through a bastion that anonymizes data and logs access. I remember that as a SWE at Google, I could run aggregated & anonymized statistics across query logs, but some info (eg. IPs, user logins) had been scrubbed before any of my code could get access to it, and for things that were more personal (eg. your GMail login) you could only get access to your own account.

There's nothing you can do about SREs who have root access on the box or the SWEs who need to implement & maintain the bastion servers, but that's presumably a more restricted, vetted, and trusted group.

> usually get access through a bastion that anonymizes data and logs access

I think this may be something that is unique to a certain size tech company that simply isn't the case at 99.99% of companies with user data in their possession.

It should be the case at Twitter though.

It hasn't been until recently. We are currently locking down all internal systems based on the minimum necessary accesses for various systems. We should have done this a lot sooner.

Good to hear it. Better late than never.

Even Google's policies aren't—or at least weren't—foolproof. In 2010 there was a major incident involving a Google SRE named David Barksdale: https://www.telegraph.co.uk/technology/google/8003925/Google...

Yeah, I was there when it happened (and it was a fairly big deal internally). He was an SRE with pretty high-level access. There's relatively little you can do for this kind of threat - the nature of their jobs usually requires that they have root on the box. (Though a sibling comment suggests that there's even more rigorous procedures now.)

The centralization of infrastructure has really changed the insider risk profile at that company. A decade ago it was common for a service to own their hardware and to have broad authority over those machines but not so much these days. Nobody wants to own their hardware, everything is uniform and it's easier to spot deviants that way.

Of course many of the changes around that time were in response to the breach by the Chinese government, not only in response to embarrassing privacy incidents. Later improvements came about because of things Snowden published.

Why would Google change because of the Snowden Leaks? They knew about it. They were handing over data to the NSA.

There was some spying by the NSA without their knowledge or consent. Network traffic between their internal networks wasn't encrypted, which enabled snooping.


IIRC they didn't know about the tap on their international cable and the leaks caused them to prioritize the encryption of traffic on their internal network. Not sure about anything else though.

It's the same for telcos, these days there is much stricter auditing and actual real security vetting - I know team leaders on some systems had to be PV (top secret in US terms)

I suspect that at some stage this might come for some FANG employees

Would it be smart for companies like google and twitter to publish how they vet people for these roles? That’s a seriously tremendous amount of power. I almost think it needs to be regulated like health info. I get that that would make it more expensive to handle this data at all, and would serve as a significant barrier to entry for startups ... but data breach after data breach is pushing me in the regulation direction.

Pretty much nobody at Google has that kind of access. You can be an SRE of just about anything at Google and never access user data. The "break-glass" means of emergency access is ridiculously booby-trapped. A person wanting to do this thing has to 1) badge into a special room, at which time both production security and privacy incident teams are notified, 2) use a special hardware security device that is used for no other purpose than to activate a VPN box with a hard-line into the production network. By the way if a random Googler just rolls up to a datacenter without a reason to be there, that also triggers privacy incident response, even though physical access to production storage is virtually useless due to all the encryption.

I would say it is much more likely that Google will accidentally lose the organizational ability to become root-in-prod, than it is that a person has done this thing without being noticed.

In short, insider risk cannot be mitigated with hiring practices. You need robust technical measures against insider risk.

Thanks for proving my point, I guess? I’d love to see a formal write up from google about these procedures. It would go a long way to increasing confidence in how they handle this data.

Even if you managed to get direct access to production through the special room's direct link, you'd still need a special kind of credentials to send RPCs to any service.

There was a video with some of the datacenter security measures, e.g. iris scanning (just to get yours in the DB required approvals from senior people). On the actual floor, to which very few have actual access, you need to badge both on your way in and out, individually. If you badge out without having badged in, the door won't open and an alarm will go off.

When did that start? Here's an account of someone working at Google accessing info to stalk teens.


That story dates from 2010.

Snowden's revelations (2013) were a major watershed. There'd been several measures taken since, based on what I heard on the outside, largely through discussions, mostly public, a few direct, with Google staff via G+.

Starting on, of all days, November 9th, 2016, I began regularly posting an image of Jewish shop windows shattered during Kristallnacht, asking whether Google were thinking of brownshirt-proofing their data. That generated responses including from G+'s architect (then in a role with user data safety & privacy), and the data security lead.

It wasn't until some time later that I realised I'd entirely accidentally picked the anniversary of the event for the post. Though the coincidence was useful.

My understanding was that numerous protections were in place by that time. I continue to have concerns.

> I began regularly posting an image of Jewish shop windows shattered during Kristallnacht

This is so incredibly cringey. You're actively building the panopticon and yet you think of yourselves as righteous warriors for justice.

I don't mean this to be a personal attack, but yours is such a revealing comment about the mindset of people inside these surveillance behemoths.

(See also: this "pledge" http://neveragain.tech/ to not build registries for targeting citizens...signed by a bunch of people who work at companies whose entire business is targeting citizens with ads)

What I would love to see is somebody at Facebook comparing their barriers against accessing user data with these from Google.

I’m actually inclined to think they have similar procedures, if only because we haven’t seen “whistle blower” stories in the news about folks reading texts and looking at other private user data. Maybe I’ve missed them, but because bashing Facebook is kind of a trend one would think there’d be an appetite for “I read illicit group texts for a year here’s what I saw AMA” stories.

If this happens, every incentive (of every party that is aware) is to not whistleblow, as it is a criminal offence for the snooper, and a PR disaster for the company.

> Pretty much nobody at Google has that kind of access.

OK, Google.

> Pretty much nobody at Google has that kind of access.

Sounds like you'd be surprised at what storage, and backup engineers have access to.

Tremendous amounts of ciphertext?

Because encryption keys are never backed up by the same system either?


> Would it be smart for companies like google and twitter to publish how they vet people for these roles?

I think much like anti-hacking and anti-fraud efforts, publishing information about how they vet candidates would just make it easier for attackers to figure out how to game the system.

Ironically, one of the vetting regimes that has the most publicly available information about it is the US government's security clearance system. https://ogc.osd.mil/doha/isp.html

> one of the vetting regimes that has the most publicly available information about it is the US government's

Why wouldn’t the information be public? It’s the same concept as crypto algos being published and peer-reviewed.

The same way defence industries do I would imagine for SF86 etc

"but in a tech company there's always going to be a significant number of people with direct access to the raw data"

This is absolutely not true. This number can and should be reduced to an absolute minimum number of people.

Sure, but it comes at a cost. Companies rarely push the limits of these kinds of policies because customers are not willing to pay for them.

Making the penalties for breaches far more severe would be a good place to start though.

Twitter is big enough to pay that cost. Easily.

The absolute minimum number of people may still be significant

Twitter has a lot of staff. Even 1% is a relatively large amount of people.

(Just as an FYI, the last time I checked that number was staggeringly skewed towards sales/marketing/evangelism teams rather than coders. Not that your point is diminished.)

Those people probably have more access to PII than staff engineers - that's who the data is for.

Hardly. They get the filtered data that SEs designed for them to get, probably on an account-by-account basis. It’s the raw data SEs have access to that we are mainly talking about here.

It doesn't need to be 1% of staff, it just needs to be a few dozen people (distributed geographically across the globe) who have root access.

Moreover, anyone seeking privileged access will percolate into such roles.

Maybe because tech companies tend to be careless with data. It isn’t NP-complete to track and monitor access to prod data, or prevent access to it entirely. It’s just that people don’t want to do it.

It is pretty damn hard to reliably operate a service that you can’t introspect or debug in any way. The real world is more creative than you; things will happen in production that you didn’t think of in your synthetic test fixtures.

That’s still no excuse. Maybe Bill has to access some customer data to troubleshoot. Fine, log it. Maybe Susan has to look at sensitive logs to fix a bug. Fine, log it. These aren’t new or unsolvable problems.

Who says there weren’t logs? They got caught.

Please back this up and define the terms used.

As in, define "tech companies" (name specific companies that do this and why you think that can be generalized to the entire industry) and define "careless" (it's a relative term so please say if it's less or more careless of other examples of organizations that manage similarly large amounts of data but that aren't "tech companies").

Because to me the opposite seems true. It's the non-tech companies (if you equate that to FAANG) that manage large amounts of data that tend to have a lot more data leaks (internal or external) than the tech companies.

> in a tech company there's always going to be a significant number of people with direct access to the raw data.


I've worked for a few large tech companies that handled very sensitive customer data, and they didn't allow unsanitized access to it by a significant number of people. Typically (on the dev side, anyway), there was a small designated team (less than 10 people) who were the only ones who had such access. Any dev work that absolutely required access to that data -- which was very rare -- was performed by that team.

It's not like this at smaller companies. It's anything goes.

I worked at one place that had the development network permanently VPN'd into prod. One day, a developer accidentally configured his local environment to connect to a production queue and database. It was like this for over a week.

A previous company didn't bother with the VPN. They had an AWS environment that predated VPC, so SSH and many other service ports were open to the office IP addresses. And several people's homes, for remote work.

> It's not like this at smaller companies. It's anything goes.

It depends on the company (as with large ones, apparently). I currently work for a small company, and it is no less diligent about this stuff than the major companies I've worked for.

Those large tech companies probably had a team or teams of people whose job is to look after the backups for production servers.

Backups generally have "god mode" access (best description) as they need to backup and restore not just filesystem data, but the audit log data as well.

Most (corp) places I worked, the developers and SysAdmins working on production servers gave little thought to the backup component apart from making sure the software installs and runs. ;)

You can significantly reduce these problems by decentralizing data and moving away from giant platforms that make such enticing targets for espionage.

No, even US people like police abuse license plate searches for personal reasons. It's not even a matter of nationality. If data is being collected and the only protection is a "policy," then it's being abused or will be.

There’s a difference between a policy that’s just enforced by an honour system and a policy that is enforced with strong access control, alarm bells, and a paper trail. It’s very possible to encode the sorts of policies that we need to protect peoples data into real restrictions that are strongly enforced. A police officer might need to do some routine queries, but they should probably have gone through vetting about people they are close to and not have access to their data. Additionally, there should be audits performed on a regular basis.

I think we're arguing semantics here. What I mean by policy is a de jure rule. I think you can have policy while not having any sort of de facto enforcement, and you can have de facto enforcement (encryption), even if you don't have a policy.

Policy is never useful because even if there is enforcement, there is never 100% perfect enforcement that beats out cryptographic enforcement, at which point policy is no longer needed.

For example Apple can state that your data is end-to-end encrypted and they have no access, and it would be redundant to also have such a policy saying they will not access your data—they can simply say they can't access your data which is a superset of any such policy.

I don't think it is semantics.

There are policies like "You are not allowed to access user data." and there are policies like, "All access, keystrokes, and applications that have access to user data are logged and those logs are tied to employee IDs. Further the logs are audited and there must be a form 505/2 on file for every access that details the need for the access, what was done with the data, and how the data was handled. If the auditors discover an access in the logs associated with your employee ID and there is no matching 505/2 on file, you will be subject to immediate termination and may be liable in civil and criminal court. Your signature below states that you understand these restrictions, you consent to monitoring of your behavior, and will abide by the policies."

Strong audit trails, logs that cannot be changed by being created in an immutable way, logged access at all terminals and entry points. Combined with a separate auditing group that reports through a different chain of command (like through to the general counsel or something) and you have a policy with teeth.
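The scheme described in the comment above, as an added example that is not part of any comment in the thread: a hash-chained access log whose latest hash is held by the separate auditing group, reconciled against justification records (the commenter's hypothetical "form 505/2"). The field names, employee IDs, resources and dates are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64  # "previous hash" of the very first entry


def entry_digest(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AccessLog:
    """Append-only access log; every entry commits to the one before it."""

    def __init__(self):
        self.entries = []

    def head(self):
        """Latest hash. The auditors keep a copy outside the logging system."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, employee_id, resource, ts):
        prev = self.head()
        record = {"employee_id": employee_id, "resource": resource, "ts": ts}
        self.entries.append(
            {"record": record, "prev": prev, "hash": entry_digest(prev, record)}
        )


def verify_chain(entries, anchored_head):
    """Return (ok, detail). Catches edited entries, broken links and truncation."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        expected = entry_digest(prev, entry["record"])
        if entry["prev"] != prev or entry["hash"] != expected:
            return (False, "entry %d altered or re-linked" % i)
        prev = entry["hash"]
    # A rewritten or shortened log can be internally consistent, so the final
    # hash must also equal the copy held by the independent auditing group.
    if prev != anchored_head:
        return (False, "head does not match the auditors' copy")
    return (True, "ok")


def unjustified(entries, justifications):
    """Access records with no justification on file for the same employee and
    resource whose validity window covers the access time."""
    flagged = []
    for entry in entries:
        rec = entry["record"]
        when = datetime.fromisoformat(rec["ts"])
        covered = any(
            j["employee_id"] == rec["employee_id"]
            and j["resource"] == rec["resource"]
            and datetime.fromisoformat(j["valid_from"]) <= when
            and when <= datetime.fromisoformat(j["valid_to"])
            for j in justifications
        )
        if not covered:
            flagged.append(rec)
    return flagged


def build_sample():
    """Constructed sample data: three accesses, one justification on file."""
    log = AccessLog()
    log.append("E1001", "user:4471/email", "2024-01-10T10:02:00+00:00")
    log.append("E2002", "user:9120/phone", "2024-01-10T11:15:00+00:00")
    log.append("E1001", "user:4471/email", "2024-01-12T09:00:00+00:00")
    justifications = [{
        "employee_id": "E1001",
        "resource": "user:4471/email",
        "valid_from": "2024-01-10T00:00:00+00:00",
        "valid_to": "2024-01-10T23:59:59+00:00",
        "reason": "constructed ticket reference",
    }]
    return log, justifications


if __name__ == "__main__":
    log, forms = build_sample()
    print(verify_chain(log.entries, log.head()))
    for rec in unjustified(log.entries, forms):
        print("no justification on file:", rec)
```

The chain only has teeth if the head hash is stored where the people being audited cannot write to it; otherwise anyone with write access can rebuild the whole chain after an edit.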

Still punishing after-the-fact is no substitution. If the reward is greater than the punishment then it renders the policy moot.

If I publish my crypto wallet private keys and enact a policy that anyone who tries to take the wallet contents will be beaten to death, and get everyone to agree to this policy, then it would be rendered moot when the person who steals the wallet uses it to hire personal body guards.

I don't disagree with this. The use of policies with enforcement is that it raises the risk to the employee so that raises the amount someone must spend to get them to take that risk.

Through contacts I've heard stories of practices at a wide range of establishments over the past 25-30 years. Practices have almost always severely lagged advice, and though specific leading firms or organisations might have strong data hygiene policies and practices, a great many other organisations do not.

Through roughly 2000, the principal saving grace was that disk storage was so expensive, and networking so slow, that large quantities of data were unlikely to be found online except in the case of very major organisations. Most financial firms would read data from tape for analysis or marketing programmes, as an example. A major credit card network might have a couple of, say, Sun Starfire class servers onto which a comprehensive union cardholder dataset might be assembled and accessed. One friend reported accessing their campus workstation to which a large national medical insurance database was being processed, from the New York Public Library over Telnet (though I believe they didn't actually log in, they did receive the prompt). E-commerce software vendors and systems stored credit card information, which was accessed. Numerous services and datasets fly around all kinds of organisations, with little protection, and were transmitted in unencrypted FTP sessions. Social networks in which NOC addresses were directly accessible from the office network (WiFi access, natch), with millions of members' data directly accessible.

There are many ways to get this wrong. Few to get it right. And most organisations lack the staff, capitalisation, or incentives to do the right thing.

Google are probably among the best. That leaves open the question of how good they are, and what their past practices have been, even in relatively recent years.

Or how they might behave should their advertising monopoly and revenues fail.

My first year at a community college I was doing work study that was part of my FAFSA. I was late getting in there and I had limited options, one was working in the cafeteria, the other was working for the very job placement center that was tasked with finding me a work study job.

I got very lucky here. The work study job in the job placement center was turning job listings that were faxed in into html to post on our fresh new website. Nobody at the time knew what HTML was.

A few years earlier I had bought a "Learn HTML in 24 hours book" and I made a Tony Hawk Pro Skater webpage that listed all the special moves. I used a lot of iframes and thought it was pretty good. CSS wasn't really a thing back then. iframes and tables got the job done.

But I got the job and they thought they got very lucky. I worked in this back room with a computer and a fax machine. Job listings would be faxed in. I would scan them and let the OCR software try, and then I would clean it up and add some <h> and <b> tags and then do my econ homework for the rest of my shift.

But as the digital stuff became more popular they hired another guy to be in the back room with me. Dude was a bit of a creep and a student came in looking for a part time job that would work around her classes. He kept on going on about how hot she was. A few weeks later he was talking about how he signed up for a few of the classes the hot girl was taking.

Every single student record was available on our computers. Names, address, phone numbers, class schedule, SSN, FAFSA data. It was madness.

And I was a lowly fax to html guy.

Someone has to scrub the data, though...

Agreed, data governance is important for any company to get right, but someone has to have DB access in order to manage it. When you factor in that so many companies derive revenue from the data they generate, then it gets harder.

If you’re Twitter, how can you build the services you need as an architect or data scientist without the actual data?

The scrubbers do not need raw DB access. All they need is a strictly audited web UI.

Very, very few people need root access and the ability to see all raw data. For example, at Google, this is a tiny number of senior SREs and that's it. Your average employees should be using audited UIs running through service accounts that have restricted permissions.

I’ve achieved this without so much hassle at a smallish/medium sized company (~60 engineers). A typical engineer had access to anonymized data, only a few had access to query raw data. All their queries were logged with justifications. They also wouldn’t query raw data as a matter of BaU (outside of some very rare situations), it was pretty much only ever done when making changes to the ETL pipelines.

The solution we had wasn’t particularly difficult to set up, and actually made life much easier for everybody, because we’d provided everybody with a very easy to use interface for the data they wanted (much better than the old school shelling into a DB to run your arbitrary SQL statements).

Any chance you'd be willing to share more about your setup, at least high-level?

We had a data warehouse where we sent pretty much all the data we had in the organisation, and redash in front of it to allow query access, reporting, etc...

Everything in the data warehouse was anonymized, and people only had access to the schemas they needed (though this was defined quite broadly). Anonymization was handled by our ETL pipeline. When we first set it up, the requirements were pretty simple and we just wrote a little java app to do it. This scaled pretty poorly, and the team ended up putting a proper ETL product in there. I can’t remember which one they used, but there’s a lot of perfectly decent products in that space (even some open source).

Someone needs to have access to the data...

that's not entirely true - it's possible for all the data of that nature to be in an audit-logged data store, and to require specific business cases for access to the data. So you can only see a user's private information if there's a specific bug you're working on, and even then the access is audited.

I mean, the data is still accessible, it's just not easy to get it willy-nilly without setting off alarms.

Someone needs to build and maintain the audit log software.

True, but you don't need access to production data to build an audit logger. And any commits to it should involve code review.

Backup/restore of audit data can make things complicated. eg the ability to overwrite incorrect/damaged audit data (etc)

So far, I've not yet come across a system where some level of direct admin access isn't needed for at least "last resort" situations. (obviously, only available to a very specific set of trusted people)

Who does the scrubbing if not Twitter employees?

If they didn't collect PII, there'd be nothing to leak.

I mean, we all know that it's insane to store plaintext passwords. So why is it necessary to store anything as plaintext?

You never want to be able to retrieve a password after hashing and storing it in a DB. You _do_ want to be able to retrieve text content after possibly encrypting and storing it, otherwise it's useless.

It's no more useless than a hashed password is.

Depending, of course, on how you want to use it.

One could arguably build chat apps and social media that retained no PII. In my opinion, providers retain PII primarily in order to monetize it.

But the problem is that it becomes toxic waste. And it always leaks, eventually. Putting users at risk, and damaging providers' reputations.

Consider the Tox P2P chat app. Each user device runs a Tor onion service. And chats involve only connections among them. Users need disclose no PII. And there's no need for central servers holding PII.

Regarding social media, consider all the "dark markets" that have run as Tor onion services. There's no reason why any sort of social media that you want couldn't be implemented similarly. Although there'd be central servers, there'd be no need for them to handle any PII. Indeed, the fact that "dark markets" handle PII is one of their main weaknesses.

And it's not even necessary to use Tor. One can achieve substantial privacy and anonymity using nested VPN chains, with far less risk of attracting unwanted attention.

I liked the access controls at PayPal. Access to data was a function of insider status with real financial consequences (ability to sell stock was restricted much more for higher level insiders), subject to strict controls and auditing, and required need-to-know periodic renewals. I used to think PayPal was fly by night but my work experience there really grew my trust in their access controls and made me much more likely to use them for payment.

The best way to protect dissidents would be not to ask unnecessary personal information like phone numbers. Sadly, it is difficult to find a messenger or web email service that doesn't require it.

It's hard to deduplicate spam users without an identifier that is at least slightly costly to get. There's no easy/practical way to do "charge $0.02 per signup".

If you get 10k new accounts in 5 minutes and they're all from some VoIP provider in a tiny corner of the second or third world, you have some data to work with there.

Could someone who downvoted explain their disagreement? There seems a kernel of truth here that more than a few of us could agree on.

I think I have attracted someone’s ire, that seems to happen to all or most of my comments within a short window after posting.

This happened to me for a while too. I think people that disagreed with you on a previous post are using bots to downvote you.

This would surprise me given the fairly high karma minimum to downvote.

Make a new account every time you reach the threshold, add it to the bot list.

Yeah, I thought of that, I was just thinking that surely someone able to create sufficient karma to do something like that would necessarily also be unlikely to be petty enough to bother.

Maybe I am too charitable.

You can gain karma fairly casually by just using the site, you get 1 karma per comment, so it's easy to make it a passive activity.

The site has also been around for over a decade, lots of opportunity to accumulate.

That and, everyone doesn't want you to have any way to uniquely identify them and contact them right up until the moment they forget their password.

Perhaps true. But the original cool thing about Twitter was that you could tweet just by texting the twitter number from your dumb phone. The service literally required your phone number, and made broadcast information happen in real-time before smartphones really were ubiquitous. Many messenger apps still use/link people through their numbers. While it is possible to not require numbers, and services like Facebook surely never needed it, there are times when providing phone numbers really reduces friction in communication.

"Reducing friction" is not worth costing people their lives or freedom.

> "Reducing friction" is not worth costing people their lives or freedom.

I mean, if you're a dissident in a country with a violent government, maybe don't use the service that requires personal information?

It seems a bit much to me to say no service ever should require people's phone numbers because somewhere, someone might make a bad decision and use the service when they shouldn't have.

That's like saying, "I mean, if you're a dissident in a country with a violent government, maybe don't use any service and keep your mouth shut because your freedom isn't as important as my VC money."

Maybe SV should try to innovate more instead of reverting to "Wow, sucks to live where you do; hold my craft beer" so much these days.

The internet was supposed to set people free. It's not working.

I had to command-f for "isp" and "comcast" because that's the stuff that should scare you. The kind of data someone can get and the ease with which they can get it while not even going through so much as a background check should scare you. We had internal tools, such as the aptly named Xray, which would give you a pretty detailed profile on someone, everything from the names of the devices attached to their wifi network, places that they used Xfinity Wifi, and even what they ordered on Pay-per-view. Going further down the rabbit hole, we had access to logging that could tell you what you passed into your voice remote, what channels you watched and for how long, and what you were downloading. To me, it is a matter of time until a tool like this is abused and you find out that some NFL star was watching scandalous pornography, or even worse, using the Xfinity wifi hotspots to get an idea on where someone was in the US.

This was talked about in the great PBS Frontline documentary about MBS: https://www.pbs.org/video/crown-prince-saudi-arabia-1jt2ey/

Interesting that MBS has ties to both Jack Dorsey and Jeff Bezos, CEOs of the companies where these spies were placed.

It's interesting to see how the phrasing of the headline makes this seem totally different. "Saudi Spies Managed To Infiltrate Twitter as Employees" reads very differently than "Former Twitter Employees Charged with Spying for Saudi Arabia".

It again raises my periodic wonder: how many spies, both for the USA, as well as the intel agencies of others, are employed in sensitive roles at Apple, Amazon, Microsoft, Google, and others? How many of them work on the cloud platforms? How many of them have access to HSMs and other internal systems that are used as trust roots?

Can we assume that any major platform provider's highest level keys haven't been stolen, perhaps without their own knowledge? It's safe to assume that if they were stolen by their own government's agents, they probably wouldn't tell anyone even if they found out (even if they weren't gag ordered, which they probably would be).

You can trust a company down to the ground but still necessarily realize that everyone who hires engineers is going to be vulnerable to this. AWS' GovCloud that only permits US citizens physical access to the facilities doesn't even totally solve the problem, it just (somewhat) reduces the risk, because even US citizens like bribes.

How do those titles sound different to you? Seems pretty similar to me.

Anyway, from the article it seems at least some of them were groomed after becoming Twitter employees, so it wouldn't be quite accurate.

Are they:

employees who happened to become spies


spies which happened to become employees

Seemed rather a weird coincidence that after leaving (or being fired from) Twitter, Ali was appointed the CEO of MBS's MiSK Foundation – which is essentially a mafia organization for his loyalists.

What other tech companies have in-house spies? NordVPN? Wikipedia? Facebook? Gmail?

It seems like there is an inverse relationship between sophistication and risk. If everything is full-custom then it may be quite easy to integrate auditing tools for who accessed user data. If an org uses mostly off-the-shelf software then it's pretty much impossible to audit e.g. who connected to what mysql server and ran which queries. So I'd be a lot more worried about a Twitter (fairly unsophisticated deployments of standard software stacks), moderately worried about Facebook (hacks upon the usual stack) and not very worried about Google (literally everything written in-house).

The data scientists at Facebook have pretty much free rein to pull down whatever data they feel they need and often do. As much as there's talk about how much of a no-no that is there, it doesn't seem like anyone is really looking.

You should be a lot more worried about Facebook.

This pretty much applied to US government warrantless wiretaps as well come to think of it. Unfettered access isn't so hot if you like your privacy.

That's a different problem though. The fact that Facebook employees access your private data is not because of insider risk being taken unseriously. It's because looking at and distributing your private data is a core function for that company. They don't consider it a flaw.

> who connected to what mysql server and ran which queries

I'm pretty sure that is not really a hard task.

It is quite common that sql servers run just with a few accounts. Helpful audit logs on critical systems have a high cost. So technically it is not hard but practically it is.

True but they can have systems which execute on the behalf of an authenticated user and pass that to the SQL server but the system in the middle would have logs of that query and by whom. Now, to be fair, there are usually holes that allow direct access as well.

I work in the public sector where we take these things fairly seriously, but it doesn’t really matter when the auditors are drowned in the vast amount of data.

We have 300 IT systems with 8000 users that take care of 700000 citizens. There is an ungodly amount of information on who accessed what and when. Data security, even post GDPR is a total illusion.

We’re working to build better access control, by indexing data and mapping user rights to job functions, but even then things are going to get lost in the audits.
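Added example, not part of the thread or any commenter's code: a sketch of the two ideas raised in the comments above, a middle tier that records which authenticated person asked for which record, and a mapping of job functions to data that reduces the audit trail to the entries an auditor should actually read. The role names, assignments, field names and log lines are all constructed assumptions.

```python
import json

# Hypothetical mapping of job functions to the record types they need (assumption).
ROLE_SCOPE = {"caseworker": {"case_file"}, "billing": {"invoice"}, "dba": set()}
# Hypothetical need-to-know assignments: which citizens each person handles.
ASSIGNMENTS = {"alice": {"c-1001", "c-1002"}, "bob": {"c-2001"}}

# Constructed audit lines written by the middle tier. The last line models
# direct access through a shared database account, with no person attached.
SAMPLE_LOG = """\
{"actor": "alice", "role": "caseworker", "record_type": "case_file", "subject": "c-1001"}
{"actor": "alice", "role": "caseworker", "record_type": "case_file", "subject": "c-2001"}
{"actor": "bob", "role": "billing", "record_type": "invoice", "subject": "c-2001"}
{"actor": "carol", "role": "dba", "record_type": "case_file", "subject": "c-1002"}
{"actor": null, "db_account": "app_rw", "record_type": "case_file", "subject": "c-1002"}
"""

def review(log_text, role_scope=ROLE_SCOPE, assignments=ASSIGNMENTS):
    """Return (reason, event) pairs for entries an auditor should look at."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            findings.append(("unparseable", line))  # never silently drop a line
            continue
        actor = ev.get("actor")
        if not actor:
            # Shared-account access: the log cannot tie the read to a person.
            findings.append(("unattributed", ev))
        elif ev.get("record_type") not in role_scope.get(ev.get("role"), set()):
            # The job function has no business reading this kind of record.
            findings.append(("outside_job_function", ev))
        elif ev.get("subject") not in assignments.get(actor, set()):
            # Right kind of record, but not a subject this person works on.
            findings.append(("no_need_to_know", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in review(SAMPLE_LOG):
        print(reason, ev)
```
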

> who connected to what mysql server and ran which queries.

Let’s say I’m a foreign spy who happens to be the company’s DBA. Audit logs don’t really help you there since it’s not particularly noteworthy that I was in the DB.

That's exactly my point. In a company like Twitter there is some person or probably many people who are "the dba" and accessing a mysql directly or even using tools to access the underlying storage is an event of no discernible consequence. By contrast in a Google-style stack there is no person who is "the DBA", making it far easier to audit. A Gmail admin might need to unwrap the encryption keys that protect your attachments to, for example, diagnose a message-of-death that is crashing their backends, but that event would be so rare as to be easily audited, and it would tie a specific actor to a specific victim. Also I would say a custom auditing stack is way more resilient to things like just deleting the logs off the server, restarting the server without auditing, and whatnot.

Yo...middleware is a thing.

Why would you think that MySQL is harder to get logs from than some custom in house database?

All of them. I imagine if you’re a high value target that can be blackmailed, some intelligence service knows all about you.

These guys weren't blackmailed. They were just bribed.

Worth reviewing: https://en.wikipedia.org/wiki/Motives_for_spying

> MICE: Money, Ideology, Compromise or [Extortion / Ego]

> RASCLS framework: Reciprocation, Authority, Scarcity, Commitment and Consistency, Liking, and Social Proof

See Also: https://en.wikipedia.org/wiki/Recruitment_of_spies

Thanks. I'm aware of those issues.

But in the three TFAs posted recently here, I didn't see anything about blackmail or extortion.

Are you talking about in house spies, or spies placed in companies by governments?

If the latter, then the answer is all of them.

Insider risk is not limited to "spies", there are lots of actors that may act against the best interests of the company in regards to how they access and use the data. There are procedures (basically layered security, auditing and monitoring) that can be followed to actively manage this. So yes, there may be "spies" at any one of those companies, or just people doing things they shouldn't do, but to me that's logical and not surprising in any way, any organization has to face this issue.

Since like 05 Google has had very high strictness on this kind of access but I'd still bet there are some SREs working as foreign agents

Any company that handles sensitive information, or information about a lot of people (even if not particularly sensitive) has to assume that they have at least one in-house spy of some sort. Partly to make sure they're not more vulnerable than they should be and partly because it's likely to be true.

I’d wager every single one of them.

If even 1 in 10000 people were spies...

Digital Ocean, Linode, OVH, Heroku, Cloudways, any cloud database provider, DockerHub, etc?

Every company that collaborates with the NSA (including Microsoft, Google, Facebook, Apple, and Dropbox) has in house spies. We don't like to think about it this way because the spies are on "our side".

If it's large and has access to data on lots of people you can bet there are spies.

Hell, Google has real time and historic GPS data for half of America. A government would have to be out of their mind not to go after such data.

This is a scary trend, it's bad enough that anytime I talk to someone online I question if they're a real person. Now we might be transitioning to an era where I can't trust my coworkers either.

So that mysterious Gitlab customer's demand to protect their data was... not unreasonable.

It was unreasonable.

1. You can build systems in a way that every access is strictly logged and audited.

2. Many companies like Facebook or Google employ engineers who could be possibly spying for Russia or China. But the systems and trust models are designed with this in mind.

Here we see unrestricted access to user data, not even sure there’s audit logging in place.

You can but most don't, even Twitter size, that's the lesson. And audit doesn't protect from leakage.

Please note, I'm not saying Gitlab response was appropriate, I totally agree with your second point. I'm saying the demand was genuine.

Google or Facebook employees in China do not have access to overseas data.

Gitlab doesn’t really serve China and has no need for support engineers within China.

Correct, they do not have overseas data (at least in China).

However, GitLab's restriction also prevented them from employees moving to China as well. Many companies employ people in Asia/Europe timezones as night-time on-call engineers and support.

Not to mention, the list (China, Russia) is a list of countries made up by GitLab, with no particular backing that's officially recognized by any particular government or organization, which makes the situation discriminatory.

I wonder if GitLab will add Saudi Arabia to their employee region block?

Saudi Arabia is a US ally, so family region block against them is unlikely. Even if it is a country that tolerates and promotes open slave trade (look up #maidsfortransfer on BBC).

A few comments about how a non-negligent company handles user data:

* They wouldn't respond to "emergency disclosure" requests from the Kingdom of Saudi Arabia about random users

* The average developer has zero access to user data besides names in crash logs and things that the developer has been explicitly copied on in the support system.

* Every command run on production servers by developers requires approval by someone above your org chart level (up to the executive level, when you just need someone at your level) and is logged forever.

* SREs who have to shell in to servers use Unix accounts that have no access to user data. Root access, which should hardly ever happen, requires org chart approval.

* Test environments use synthetic or anonymized data

* There is a separate team of dozens of highly paid people whose only job it is to identify, classify, and monitor access to user data. This is not even the same as the infosec team, who also would be looking for insider breaches.
