There is an incredibly well produced podcast episode on these ex-NSA engineers working for the UAE that came out a couple of years ago. Check out Darknet Diaries Ep47: Project Raven [1].
Synopsis is that the UAE hires ex-NSA employees as "penetration testers" and when they enter the country for cybersecurity work, some are pulled aside to be briefed on an opportunity called "Project Raven" to assist Emirati intelligence with targeting, allegedly in the interest of counter-terrorism. The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns. Those who Jack interviewed decided to leave Project Raven when it became clear they were targeting dissidents, human rights activists, and later, Americans. As you might imagine, ex-NSA employees who target US citizens for a foreign government are breaking the law. I do wonder if it's these ex-Project Raven engineers that have led prosecutors down the road to where we are now.
+1 for Darknet Diaries. One of the best podcasts I've ever listened to. So simple, yet so gripping, and well told in a sweet spot between hard nerds and casual enthusiasts. I listened to all 100 episodes since discovering the show in July.
If you liked this check out You're Wrong About. Incredibly well researched and incredibly well presented - information packed and funny at the same time.
It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability.
From a purely pragmatic perspective of a UAE royal family member worried about domestic dissent I can see why they would do that, not that I agree with it in the slightest.
> It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability.
Presumably, the latter is less of a risk; they probably don't want NSO to know their business and there's going to be at least metadata leaking that points to what they're doing. Plus, presumably, there's always a chance NSO could play them off to a higher bidder?
I agree about UAE wanting to keep their cards close to the chest, but I think the choice between NSO/other third party hacking groups and developing in house is an AND statement, not OR. At the end of the day, developing adequate zero day chains that provide access akin to NSO's Pegasus is an extremely time and talent intensive endeavor, and having multiple options to procure those capabilities is the more likely solution.
The principal-agent problem. Whenever you hire an agent whose interests are not specifically aligned with yours, there's an existential problem ensuring your principal concerns are acted upon.
So yeah, you want your agents to have a principal stake, so having an NSA agent direct your staff brings more surety than some random third party like NSO doing your dirty work, even if it's just handing over software. We all know it matters the route your hardware and software comes from if you are involved in national security.
> we all know it matters the route your hardware and software comes from if you are involved in national security.
No security apparatus in the world has the capability to build and execute everything they want to on their own. Hardware and software is always procured from multiple sources.
> It sounds to me like the UAE made a decision to stop paying vast sums of money to the NSO group and started throwing money at trying to develop their own similar domestic capability
Running an intelligence service is a lot more than hacking a random phone once in a while. They buy lots of products from lots of vendors, develop some things in house, and hire a lot of talent from overseas.
It's weird that the agents suddenly discovered their morals. It's not like they didn't know who they'd be working for before being pulled to the side, apart from the fact that the NSA has been helping all sorts of totalitarian governments with information that could have been (and likely was) used against dissidents etc. It seems more like they pulled out because it was too blatantly illegal and risky and that was the motivation to leave Project Raven.
The moral of “chicken little” isn’t what you think it is. The key message is that bad authorities fail at listening and create perverse incentives towards misinformation, shirking their accountabilities with disastrous consequences.
People telling it to children are trying to silence their kids. They’re not focused on improving transparency, or on systemic outcomes, they just want to regulate individuals. So they are in fact the selfsame bad authorities.
The target of blame in the story is not the chicken.
Eh, pretty sure there's more than one moral there. No reason to ignore the "don't run off half-cocked spreading information you haven't confirmed or may not mean what you think" just because there's another lesson in there also.
This is the lie told by the failed managers of the community in which the chicken lived, hoping to shift the blame for their own poor attention to contingency planning onto a chicken.
If you have an early warning device with a high false positive rate, you don’t avoid catastrophe by ignoring the warning.
No, you don't ignore the warning to avoid a catastrophe, you ignore the warning to avoid alert fatigue, burnout and other bad effects.
If your only early warning device has a sufficiently high false positive rate, scrap it, or find another early warning device with a sufficiently different set of false positives and then require both of them to alert, before you pay attention.
In the Chicken Little story everybody except Chicken Little is eaten by the fox, do you mean the boy who cried wolf? Except oops, everybody dies in that one too.
Nobody listens to chicken little because he's overdramatic and hyperbolic, like most children who haven't had enough life experience to temper their reactions.
It's been a while since I saw the film, but that's what I remember. Regardless, even taking my comment less literally and more like "it feels like a children's show" would still be an accurate take.
> It's been a while since I saw the film, but that's what I remember.
Slightly OT, but you might want to clarify that you are talking about a film rather than the classical story.
If you haven't had the pleasure of reading it, it might be worthwhile to check it out; the version I read as a child had a surprisingly morbid ending for a children's book.
You don't have to see the film, it was a text fable for a couple thousand years before that. Plus, I'm skeptical that they all die at the end of a Disney movie version of the story.
And as with the Pied Piper, it’s the fault of bad management.
Only an asshole blames the chicken. You had a high sensitivity early warning device, and muted it because you couldn’t handle the false positive rate? That is not the fault of the device.
None of that is the fault of the chicken. The sky would’ve fallen on the idiots in charge anyway. They’re just trying to shift the blame. This is the true moral of that particular fable.
Also, don’t go around tempering children; “seen but not heard” is dark ages, Victorian values nightmare fuel.
In both of those stories the reason that happens is because the eponymous character loses all credibility by telling many lies; when they finally tell the truth no one believes them.
No, in the Foxy Woxy version everybody believes CL and accompanies them to warn the king. The problem comes when they believe that Foxy Woxy knows a shortcut. Point being: Chicken Little is a crappy analogy to use against doomsayers.
BwCW is a little better in the abstract, but still inapt for this.
> The thing is, only Emiratis have "hands on keyboard" while the US engineers sit beside them and guide them, which supposedly dodges any legal concerns.
I find it pretty hard to believe any judge would buy this.
Yet this would be very familiar to anyone with previous intelligence experience in the US. The person with hands on keyboard will change depending on if the mission is being conducted under Title 10 or Title 50 authority.
Does an instructor who trains someone who goes on to commit murder using the techniques they taught become legally culpable for the murder?
If your company offers some service - consulting to set up their infrastructure, or helping them navigate AWS - necessary to the running of the company, and that company goes on to commit a crime, are you at fault? They couldn't have done it without you, after all.
Legally, it depends. The term you're looking for is "criminal conspiracy". In US law this is, roughly, an agreement between two or more people to commit a crime, and at least one of the people commits an "overt act" in furtherance of the crime. In the case of these officers, and in your two hypotheticals, there is an overt act taking place. An overt act does not need to be illegal, it just has to be an action taken to assist in the planned crime. For instance, buying ski masks is perfectly legal, but if you bought ski masks in preparation for your bank robbery, that counts as an overt act. But is there an agreement to commit a crime? Generally speaking, in the company-offering-services example, if you did not know the other party was going to commit a crime, and a reasonable person in your position wouldn't think the other party was planning to commit a crime, you are not engaged in criminal conspiracy. There's tons of special cases and nuances here, but that's roughly what happens.
That's if they charge conspiracy in the first place.
The more general answer here is that the criminality of exploitation depends a lot on your state of mind (a property of law that something HN always has a hard time with). A professor teaching a class to an anonymous group of students is not at all the same thing, in criminal law, as that same professor standing behind foreign intelligence operatives coaching them on a targeted attack.
The confounder here is that there are statutes you can theoretically violate by providing some specific exploitation tools to foreign nationals.
The MIT professor, in an MIT classroom, is never going to be charged (same almost certainly goes for a consultant teaching an exploit class at Black Hat USA).
Let's say you are a gun instructor. You take your student out to the street, hand them a sniper rifle and point at their victim. You walk them through the process of pulling the trigger and how to make sure they get their target.
The judge isn't going to let that slide. In both cases, you are an accessory.
Technically I think both parties would be guilty of murder, but that's specific to murder charges. For instance, getaway drivers have been charged with murder because the robbers they transport shoot someone.
That is specifically "felony murder", which wouldn't apply here (though conspiracy might?). Felony murder is the idea that you are guilty of murder if someone dies as a result of you committing another felony (sometimes from a specific enumerated list).
If you are a direct participant in the murder you might just get charged with it (perhaps as a conspirator which I think often has roughly the same penalties).
You're probably right, but I think it also depends...
Is a professor at MIT teaching cyber security exploit development guilty of the same crime?
What about a consultant teaching how to use a particular tool or how to look for a particular family of exploits? (Potentially legally dodgy, depending on the client, but probably ok in a lot of grey areas)
What about a consultant which performs a passive audit of a target for a 3rd party? (Starting to get pretty dodgy, but probably depends both on the 3rd party and the target and the nature of the audit)
It's... probably not so cut-and-dry. Though I agree that it doesn't sound like a get-out-of-jail-free card.
I'm sure the intent of the MIT professor/consultant passing their knowledge on to others is to get ahead of the actual attackers and help prevent further crime(s against humanity), not to actively participate...
Oh no, that wasn't my intent at all. I was just saying that things in court can get pretty messy when you try to define things precisely with laws that don't directly address edge cases. That's why you see headlines about rulings that seem so counterintuitive and ridiculous upon first glance.
My one gripe, if it can be called a gripe, is that the episodes are more often than not hard to follow due to the complex topic/length.
Looking thru the feed, 8/10 of the recent casts I've listened to are only about 1/4 the way thru before I had to go into work, answer a call, etc. Then it's too hard to get back into, and two more eps have been released by the time I get another itch for DD.
Of course, real life is complicated and isn't a movie with a plot, and DD's format rewards knowledge and listening. More of a "doing dishes" podcast. Highly recommend!
Short-form security podcasts are a dime a dozen though, and they usually fail to gain traction because Sec is a nuanced technical/social topic that doesn’t get covered in 20 mins. DD is very popular, IMO, because it handles this well by longer episodes.
This has nothing to do with the post nor the comment you're replying to. There's no need to inject an unrelated political point into the top post's top comment; just make your own post about the subject so it can be discussed there.
I take your point but disagree that they are unrelated. They are different news items, so I’ll try and isolate my comments in that way. I just think that people working infosec should care a lot about the sanctity of law and the importance of judicial review. If we let the court of popular opinion reign supreme, hackers will always lose and the powers that be, the elite, will always maintain control. Just my opinion, which I will try and keep more narrowly focused in the future.
I think there should be a corollary to Godwin's law to call out any thread that is very much subtle in trying to showcase just how much Donald Trump has been wronged by 'the media'. Sadly there's a surprisingly high amount of these on hn.
More interesting to me is that one of the named persons, Daniel Gericke, is the CIO of ExpressVPN [1] which sold yesterday, the same day that the DoJ came to this prosecution agreement (!), for just under $1 billion. [2]
I no more trust VPN providers than I do online pdf converters. I wonder how many people submit their sensitive documents to these online services to convert their documents to pdf.
If the only way they know how to make their document into a PDF is an online converter and they need the document as a PDF, then that's what they're going to do. It really doesn't help that exporting documents as a PDF was an arcane process for a long time.
For a lot of people? Yes, this is not intuitive. If a user wants to "save a file" then why do they have to press the "print" button and select a "printer" that's not actually a printer?
Saving/exporting as a PDF should be something you select in the same menu as saving a file normally. Or at least something very close and obvious.
Also, back when a lot of people first used computers the option to print as pdf might not have been available for them.
I'm in the same boat. Though I actually do trust my VPN provider Mullvad. Highly talked about, based in Switzerland, and Mozilla also uses them for their VPN service.
Edit: Sorry. Not Switzerland. Sweden. For some reason thought Switzerland.
The mail service that handed over data of a customer to a foreign government and changed the privacy statement on their site is based there too IIRC. The name eludes me now; surely several readers can provide it.
> The mail service that handed over data of a customer to a foreign government
First, ProtonMail can only hand over meta-data, because data is encrypted.
Second, "ProtonMail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal code. We only comply with legally binding orders from Swiss authorities."
> and changed the privacy statement on their site
The privacy policy was not misleading if you read it carefully. It was not "changed" as in removing a lie from the statement. At best, it was clarified to ensure *everyone* would correctly understand it in the future. It is accessible at https://protonmail.com/privacy-policy
What may have been misleading was the marketing message on the homepage. If you pondered each word of the one-sentence marketing message, you could have guessed that the expression "by default" was there for a purpose. Companies do not add useless words for marketing, they do it to avoid false advertisement. However, this is not the same thing as the privacy policy. And ProtonMail stated that they would fix that: "we will be making updates to our website to better clarify ProtonMail’s obligations in cases of criminal prosecution".
Not a fiasco as they're required by law to keep IP logs. You can disable the logging of IP sessions in the PM dashboard, but you can't guarantee that PM will not keep logs, since their servers are all Public Internet Facing. The only way Protonmail is 100% zero knowledge is to be a 100% a dark-net/Tor service, which immediately turns off 99% of their users.
If you misled your users into thinking that this isn't something you would do, then as soon as shit hits the fan and the PR makes it impossible to keep the ruse going, it's a total fiasco for that business' marketing department.
It is even worse in Portuguese; there is only a two letter difference: Suécia (Sweden) vs Suíça (Switzerland) — or three letters depending on your perspective, but in Portuguese the c with cedilla is not considered to be a different letter from a plain c, and in this case both forms are pronounced the same. Therefore some level of confusion is understandable, even expected.
In English they are similar as well but spelling and pronunciation are different enough that there should be less confusion, at least on paper. Not sure why there is such confusion in practice.
Just yesterday or so I watched an "Alternative Countries"[1] video on YouTube where the most hilarious proposal -- took me a while to grok -- was Australia-Hungary.
___
[1]: Kind of a sub-genre of alternate history and/or history-simulation-game AI timelapse videos.
Using a public VPN anonymizes your traffic if you assume many other people are using the same VPN server. A MITM can easily see you're using the VPN but not easily what websites you're accessing. If the VPN provider is truthful about not keeping logs, it's hard to prove that you visited a particular website and not someone else using the VPN. A DO droplet does not provide the same thing. You can visit a website, the website can store your IP for months or years, then LE can subpoena DO for the person with that IP at a given time. Plus setting up a DO droplet VPN sounds like a PITA.
As for why to trust Mullvad in particular, you can't trust them completely but they list all their employees and their ownership structure publicly, they have a good track record, they have documentation which seems like it's written by people who know about security and their customers' potential threat models, and they don't have a suspiciously large advertising budget.
However, I wouldn't trust any VPN if you have to withstand targeted scrutiny from governments.
> Using a public VPN anonymizes your traffic if you assume many other people are using the same VPN server
Gotcha
> Plus setting up a DO droplet VPN sounds like a PITA
It's actually very easy using https://getoutline.org/ - can highly recommend it if you need a fixed IP. And you can buy DO droplets with cryptocurrency through Bithost
Because the threat model is different than the one you have in mind. VPN providers for 5$ a month will give you multiple proxies throughout the world. Spinning up 70 droplets in different regions is not a viable cost effective solution.
You can use Mullvad without supplying any personal information (not even an email address) and pay by literally sending them an envelope with cash in it. That's as good as it gets when it comes to preserving privacy.
The US has spent considerable time and money to add backdoors to any piece of software & hardware that exists out there. So, i'd imagine, VPNs to be high on the list because of their nature.
I would not trust VPNs for any kind of serious privacy, at least not the popular ones. Maybe some small niche VPNs can fly under the radar.
If VPNs really protected from anything they would be illegal. At best you can slightly avoid being targeted by advertisers.
I assume any system I use is compromised already.
There's always trust involved. You have to trust the DNS infrastructure, you have to trust your ISP, you have to trust the VPN provider. You don't have to trust them completely, but you have to trust them at least somewhat.
We take steps to reduce the amount of trust required, such as splitting that trust across many parties, so any one party hopefully can't betray us enough that it matters or that we don't notice, but there's still a lot of trust. For example, we use SSL certificates and certificate authorities that are known ahead of time to protect from problems on the network, but that requires you trust your OS and/or your browser, which is generally how you receive those certificate authorities. If I'm able to get my own CA on your system and trusted, and I can see your traffic, it doesn't matter whether you're using HTTPS connections.
A VPN provider might say they're not keeping logs, or that their servers are not beholden to a third party and traffic is not being analyzed, but ultimately all you have is their word on that. Ultimately, the only thing different between you connecting to the NSA and routing all your traffic (even if your traffic is mostly encrypted) through them so they can look at it and a VPN provider is that you trust the VPN provider when they say they aren't the NSA and they aren't looking at your traffic.
It’s worth mentioning that, if you listen to the podcast mentioned in this thread, DarkMatter, the hacking company, at some point ran a certificate authority that was recognized by browsers including Chrome and Firefox, until lately that news about them came out.
Oh, I don't, it's just also really hard to vet that stuff adequately as a single person, and also why HTTPS isn't always adequate.
There's DNS and root servers to consider as well (but that might be harder to hide with all the caching going on).
I almost edited my above comment a few minutes afterwards to append something like "and honestly, it would be pretty hard to convince me the NSA or some other group hasn't run one or more VPN providers in the past. The only question in my eye is whether it was a popular one or not."
And likewise, although I don’t trust Cloud service providers all that much… I’d sooner spin up my own VM and run strongSwan or WireGuard than use a VPN provider.
Wouldn't it just be a different type of vector in terms of being able to nail you though?
Since the VM company (unlike a VPN such as mullvad) makes zero promises with respect to keeping logs, if you visited badsite.com, then later the FBI raids badsite.com, sees a VM company IP address, subpoenas your VM company who says that your particular VM was leasing that specific IP at time XX:XX:XX, then you're done.
Further, mullvad gives you several relatively anonymous means of purchasing a VPN, whereas the vast majority of VM companies (digital ocean, linode) will require and store all manner of personally identifiable information about you.
Now you have to trust your VM provider, mostly US providers, that actually mention they collect some data and traffic to improve their services and comply with law.
Double hah, original headline: "Three Former U.S. Intelligence Community and Military Personnel Agree to Pay More Than $1.68 Million to Resolve Criminal Charges"
- That billion more than covers. Given the circumstances, the settlement is a bit paltry.
They get no jail time? They get to buy their way out?!
> “Hackers-for-hire and those who otherwise support such activities in violation of U.S. law should fully expect to be prosecuted for their criminal conduct.”
I know they lose their clearances and pay a bunch of money, but this seems like it merits a lot more punishment than that.
Well first, treason specifically is very narrowly defined in the US.
>Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort.
They didn't levy war against the US, or adhere to an enemy (because the UAE isn't one).
But in general, it's not illegal for US citizens to join foreign armies (if they aren't enemies). Lots of Jewish citizens, for example, serve in the IDF.
"According to the U.S. code, any citizen who "enlists or enters himself, or hires or retains another to enlist or enter himself, or to go beyond the jurisdiction of the United States with intent to be enlisted or entered in the service of any foreign prince, state, colony, district, or people as a soldier or as a marine or seaman … shall be fined under this title or imprisoned not more than three years, or both." But a court ruling from 1896 involving U.S. citizens who fought with Cuban revolutionaries against Spanish colonial rule interpreted this to mean that it was only illegal for citizens to be recruited for a foreign army in the United States, not to simply fight in one."
> Lots of Jewish citizens, for example, serve in the IDF.
How many is "Lots"?
Apparently the US doesn't keep records of this phenomenon that are easily accessible.
This article^ from 2017 says 1,000 Jewish Americans serve in the IDF.
Of the ~7,000,000 Jewish Americans, that's ~0.0143% of Jewish Americans serving in the IDF.
If 1,000 joined and served each year, and live to an average age of 70, doesn't that mean ~50,000 people? That would mean ~0.714% of Jewish Americans having served in the IDF.
People like to use the term treason a lot, but as it is defined under Article III, Section 3 of the US Constitution, their actions are not treasonous. If you can prove otherwise, I am all for it though!
Specifically, they were charged with:
Violations of U.S. export control, computer fraud and access device fraud laws. The Department filed the DPA today, along with a criminal information alleging that the defendants conspired to violate such laws.
I think they are losers, scumbags and unethical and I hope that no one who reads HN ever hires them and that they never work in any capacity that comes into contact with IT, Infosec or any other hi-tech industry.
How is going to work for more money a loserish activity? My understanding is that the US contractors underpay so being patriotic Americans they went to work for a better company.
Having a desire to increase your income is fine. For some, it is their primary motivation, for others it is a result of being recognized for producing valuable results. Each person has their own moral code; for some, even working for Google or Facebook falls outside of that code.
I have worked with various companies that have contracts with the US military and other agencies. I wouldn't say they underpay. I would actually say they pay pretty well, but once again, this has to align with whatever your personal values are. Some people are quite happy to work for a three letter acronym agency and couldn't ever conceive of working for a FAANG or a foreign entity.
I am sorry that a general perception of Americans might be that we are mercenary and will run after the highest paying opportunity. There are 300 million of us, and I would say that a majority of Americans are driven by values that don't include the theft of national intelligence assets or chasing after money no matter the consequence.
Why apologize for greatness, the entire ethos of America is that it’s the best place for the individual. That other countries choose to impoverish and restrict rights is nothing that require apology.
Is income really the only signifier of what makes an activity loserish to you? Not who they work for, the work they're doing, who it may target, the rules they may actively be choosing to break in the process, etc.?
Looking at the document it appears that they are working for the same nation state, they just cut out the red tape and a few layers of middlemen.
Most people in the software field feel the ITAR regulations as applied to code are ridiculous, including but not limited to the EFF. Most consider it to be an abridgment of their 1st amendment rights.
UAE is a US ally and so they likely do not want to put a chill on their relations.
"The United Arab Emirates has been described as the United States' best counter-terrorism ally in the Gulf by Richard A. Clarke, the U.S. national security advisor and counter-terrorism expert."
Treason has a pretty narrow definition, if you aren’t directly conspiring with a foreign power (and at that probably an enemy) against the US, it probably isn’t treason. People like to jump to that judgement, but it almost never happens.
It's not probably, title 18[0] is pretty clear that it's an enemy that matters. However, since the United States is at war with a noun, then that makes the definition of enemy very flexible.
It's really, historically no different than any soldier that chooses to fight in another country's war, and that is pretty common along history. Usually, they were only punished if the geopolitical scenery called for it.
Famously https://en.wikipedia.org/wiki/Karl_Llewellyn was in Paris when WWI broke out, but managed to reach Germany, and briefly fought alongside (without joining) the German Army.
NSO is an Israeli company, which means they need to follow Israeli export laws when it comes to weapons. All of NSO contracts will first go through the Israel Defense Ministry.
The US has a similar process, where companies that sell weapons to foreign governments need to get permission from the US DOD. In this case Marc, Ryan and Daniel did not go through the DOD and that is why they are being charged.
Pelosi said Trump will be 'fumigated out' if he refuses to leave the White House. How was that supposed to happen, if not for the military? Communication between Pelosi and military leaders was ongoing.
"House Speaker Nancy Pelosi said she spoke to Joint Chiefs of Staff Gen. Mark Milley about precautions that could block President Trump from “ordering a nuclear strike” or accessing launch codes and starting military hostilities"
He refused to concede the election like he was supposed to, and continued to question the validity of mail-in ballots and challenge the election results.
Probably not after he found out the military was going to fumigate him out.
Soldiers who spent years in the exploit-finding units of 8200 (Israeli NSA) can work for NSO and stay in Israel. But they can also leave the country and work for foreign entities. Sometimes without even knowing who their employer is
One famous case was "Dark Matter" a UAE company who set up offices in Cyprus and offered 8200 soldiers 7 figures (in USD) a year salaries to relocate, outside of the Israeli Government oversight - which NSO need to adhere to, and work for them
> The bureau’s dedication to justice is commendable... the most significant catalyst to bringing this issue to light was investigative journalism - the timely, technical information reported created the awareness and momentum to ensure justice
A lot of moral superiority there when based on how Stroud has talked about her own work with Project Raven [1], she was perfectly happy to help the UAE kidnap, torture, and disappear dissidents (including children), human rights activists, and journalists.
If you actually read OP's link, the charges seem to have nothing to do with the fact that these individuals once worked for the US gov. Instead, the US federal government seems to be asserting that knowledge of offensive security tools and practices in Cybersecurity consultancy is somehow ITAR restricted in the same way that a weapon blueprint would be. That strikes me as absolutely preposterous and I'm disappointed the defendants settled rather than pushed back on obvious federal overreach into the lives and careers of private persons.
There's a lot of stuff that's ITAR restricted. You can't be privy to classified information such as submarine prop design, or turbine blade design, and then branch off your own for other clients using said information.
Under ITAR you can't even sell your own submarine props to foreign countries, even if you were never exposed to classified designs, right? That's why ITAR originally applied to PGP.
"Prior to their departure, U.S. Company One repeatedly informed its employees, including the defendants, that the services they were providing constituted “defense services” under the ITAR, and that U.S. persons could not lawfully provide such services to U.A.E."
If the above was documented, I don't think "I didn't know" would have worked in court. Also, even if they had fought the ITAR charges, they were also accused of CFAA charges.
Settle now OR spend 20 years and millions of dollars fighting it and relying on judges who've never used a computer to understand complicated technical matters...
As a non-US person, could someone explain the legal construct of "paying $XXX to resolve criminal charges"? Doesn't "criminal" mean there must be some real punishment?
Eric Holder, the former attorney general, wrote a memo outlining the concepts around the time of the 2008 financial crisis, IIRC. The idea behind a deferred prosecution agreement is that extracting money and good behavior out of powerful/wealthy defendants is the best possible option when compared to the "collateral consequences" of fully prosecuting them.
Right. Let’s see how bad the “collateral consequences” actually are. Though, the result of inept or malfeasant prosecution could be the equivalent of formal immunity thereafter. I’d still like to take my chances.
Unfortunately it is. The collateral consequences discussed are oriented towards companies labeled too big to fail, but the construct is used to make it easier on prosecutors to attain a form of conviction in less economically impactful prosecutions as well.
The German legal system knows a similar concept in § 153a StPO. Basically, if a crime isn't considered particularly severe, and the prosecutor, the accused, and in some cases the judge all agree, the criminal charges are dropped in exchange for "stipulations" (typically restitution, paying a certain amount of money to the state or a nonprofit, working community service, anger management courses, ...), which means you're never found guilty, making it a great deal in most cases.
The idea is that less severe crimes can be handled without the full overhead and without excessive punishment. In practice, this can be 'a bit' controversial, e.g. when Bernie Ecclestone resolved his corruption charges this way by paying 100 million EUR. https://en.wikipedia.org/wiki/Bernie_Ecclestone#Bribery_accu...
Sure, it's a "financial penalty", technically. Plea deals are common in many jurisdictions, and the settlement imposes additional penalties. They're being punished.
You are right that a fine is a real penalty but that’s not the real problem. The problem is that someone who committed the same crime but has less money wouldn’t qualify for this option.
Is that true? I'm not a lawyer, but I know that in certain criminal plea agreements, such as in antitrust cases, the financial penalty can be paid over installments, the size of which is tied to the company's financial performance. See e.g.
> If the parties agree that the recommended fine needs to be paid in installments because of the defendant's inability to pay the entire amount immediately, the plea agreement will include the installment schedule and any interest terms.(58) The payment of a special assessment(59) and any recommendation on a term of probation(60) or expedited sentencing(61) for corporations, or requests by individual defendants to be placed in a specific correctional facility,(62) will also be addressed in the plea agreement.
And to get back to the original comment I replied to, this critique seems like it would apply to any financial punishment, not something that came down to a technical distinction between "fine" and "financial penalty".
Someone with no/low income will take eons to repay $1,685,000, even if made in installments. I doubt it would even be a serious option unless you were wealthy.
I think there have always been powerful people that feel this way, in all countries. The problem is thinking it's something new or unique to here, which leads one to think it can be solved if we just look for what changed to make them that way.
No. They've always been there, they've always acted this way. It's not a problem because of an increasing lack of patriotism, or a divided populace; it's just power and greed and people that see themselves as not beholden to any one state. Thinking it's something it's not will just lead to proposed solutions that don't actually do much to affect the problem. Any solution needs to be internalized and divorced from the idea that this is a recent problem that we can stop caring about once we "solve" it.
The more interesting story with that site is how many of those charts indicate whatever is going on with the data it's showing happened a decade after or a decade before the date in question, and people just blindly take it as evidence of something happening in 1971.
> The Nixon shock was a series of economic measures undertaken by United States President Richard Nixon in 1971, in response to increasing inflation, the most significant of which were wage and price freezes, surcharges on imports, and the unilateral cancellation of the direct international convertibility of the United States dollar to gold.
Back in my school days, we used to have lots of poems which would often go on to say that money is the biggest trouble of life, or that money is the biggest corrupter of people's minds, or that money is the root cause of all evil. Most of these poems were written before the 20th century. I would often disagree with these poems, naively thinking that one just had to have some sort of self-control when it comes to money. Now I know I was terribly wrong.
It's really saddening to see that the main objective of people is to own a Lamborghini, a mansion and live with some hoes, just like that "YouTuber guy".
I don't agree with the website, but I think I know where they are coming from.
The year 1971 was when the US dollar was made to float, instead of being backed by gold. [1]
I think that the website wants to have our monetary system change back to being backed by something that is a limited resource, and I bet Bitcoin fits the bill in their mind.
For better or worse I've started to think of 'elites' more as people that have differential outcomes in regards to the law. So in this case these people are 'elites' because they managed to stay out of prison for hacking US citizens and doing corporate espionage. A non-elite would be in prison for these actions, and there are lots of people who are in prison for hacking others.
Isn't your definition an example of a No True Scotsman fallacy?
Aren't you liable to wind up in situations where you find yourself saying "Ah-hah, now that person I thought was not one of the elite is now one of the elite because they didn't go to prison. Ah-hah, now that person I thought was one of the elite is not one of the elite, because they are going to prison."?
"For better or worse I've started to think of 'elites' more as people that have differential outcomes in regards to the law"
So it's not that elites don't go to prison, in this case they didn't, it's that they get extremely favorable outcomes as compared to the average population. Epstein is a good example of this. The first time he was convicted he spent a meager 1 year in prison in conditions that would never be afforded to the general public.
These hackers are another good example of this, they got a large fine but they're not spending any time in prison, and yet lots of people have gotten prison time for hacking.
Being elite is a lot different from being Scottish, in that there are only vague signals for being elite, and none of them are so easy to measure as being Scottish. I think it's safe to say that the vast majority of elites are wealthy, but I don't believe that all wealthy people are elites. There are people with a lot of localized power like mayors or state senators, but those people certainly aren't nationally elite. To my mind the clearest signal is when the system interacts with a person, how does the system behave, versus when it interacts with an average person. Now this is by no means a definition, just how I've started thinking about the question of who is elite.
I was being too indirect. Your framework doesn't have predictive value. 'This person had an extremely favorable outcome, therefore they are elite' is a retrospective judgment, it can't be used to form a hypothesis. It is unfalsifiable.
Whether someone is Scottish, or any "easy to measure" fact, has nothing to do with the No True Scotsman fallacy.
Elites across history have seen their countries as a resource to be mined long before the invention of the concept of a nation-state. This concept significantly predates nationalism.
What's unusual is that in the past few centuries, the rest of us have been explicitly conditioned to act in national interests.
It sounds like the three defendants are also cooperating with ongoing investigations; that would certainly play a role in the terms of the deal, if so.
I'm not making any assertion about DOJ corruption. I just thought they took this sort of behavior very seriously. (violating export controls, computer fraud and access device fraud)
I was discussing this case with a former DOJ attorney and he was saying that it's hard to know what exactly went into the calculation for penalties. Apparently cooperation with DOJ on future investigations can play a big role so idk what to think.
I really don't think deferred prosecution is warranted here; this should have been a plea deal. I'm ambivalent on whether or not these guys should serve jail time, but they deserve a criminal conviction and a criminal record.
One of these officers is CIO of ExpressVPN. Can you really trust a service with these ties, which also just sold to an ad agency? I personally would not.
While being federal agents they try to spread democracy with bombs. Once they leave, the pretence is dropped and they squash any organic calls for democracy and dissent with hacking.
Outraged when these countries are hacking individuals? Then also be outraged when you sell them F-35s.
> to obtain remote, unauthorized access to any of the tens of millions of smartphones and mobile devices utilizing a U.S. Company Two-provided operating system
U.S. Company Two provides a mobile operating system. Hmmm, now who could that be?
> In August 2017, U.S. Company Two updated the operating system for its smartphones and other mobile devices, limiting KARMA 2’s functionality.
I didn't find any meaningful security updates by Apple in August 2017: https://support.apple.com/en-us/HT201222 The only one listed on that page was about using HTTP to send analytics data, which I don't think is the one that disabled KARMA 2.
Looking at CVEs, my guess for KARMA 2 is CVE-2017-8248, patched in 10.3.3. Bit of a stretch, though. Looks like whatever was patched was never really publicized.
There's really no reason why they should be able to buy their way out of prison time. It's kind of a shame. Justice is supposed to be blind, including to financial assets of the perps.
What makes you think GrapheneOS is any better? Yeah, it's open source, but it must be looked at a lot less than any iPhone. Is security by "open but not as well examined" actually more secure?
I seriously doubt the developers of GrapheneOS have really done as much due diligence on their custom ROM as Apple has done on iOS. For one, Apple controls the whole stack down to the CPU. GrapheneOS is forced to rely on many external parties not to be hostile, from Google with their Android stack to the Linux base to whatever the SoC maker has put into their silicon.
[1] https://darknetdiaries.com/episode/47/