Hacker News new | past | comments | ask | show | jobs | submit login
American spy hacked Booking.com, company stayed silent (nrc.nl)
589 points by Freak_NL 68 days ago | hide | past | favorite | 282 comments

Interesting part from the Dutch version of the article:

Booking is nooit eerder op spionage gestuit. Het bedrijf is er ook niet echt naar op zoek. Zolang die geen hinder oplevert, kost het geen geld. De onuitgesproken consensus onder specialisten binnen het bedrijf is: we vermoeden dat inlichtingendiensten meekijken, maar zolang we ze niet zien, maken we ons niet druk.

Which roughly translates to We are not looking for espionage and if it doesn't hinder us we don't care.

According to Google Translate:

> Booking has never encountered espionage before. The company isn't really looking for it either. As long as it doesn't cause any hindrance, it won't cost you any money. The unspoken consensus among specialists within the company is: we suspect that intelligence services are watching, but as long as we don't see them, we don't worry.

What should make me believe that they don't have the same approach towards black hat hackers which are silently farming their data?

>> black hat hackers

How are foreign intelligence services not black hats? They are stealing data in order to use it for any number of non-nice things. Not selling the data on the dark web doesn't bleach their hats.

They are definitely black hats. Intelligence services operating in foreign countries (physically or digitally) are by definition criminals, in that they are breaking the local laws where they are operating / accessing.

That they are doing it for a 'good cause' (often debatable) is somewhat irrelevant, that is a risk/reward calculation that the country/agency/spy needs to make themselves.

If a a friendly country of the Dutch government wants to access records of a Dutch company (Booking.com), there are numerous legal methods to access this data. What's instead happening is that the CIA hacks NL companies and the Dutch RIVM hacks American ones and they share information/metadata with each other so that they can make and end-run around the legal constraints of both nations.

>the CIA hacks NL companies and the Dutch RIVM hacks American ones and they share information/metadata

The AIVD is the Dutch intelligence service, the RIVM is the public health institute. I don't think even the most out-there of Dutch conspiracy theorists have accused the RIVM of hacking American companies on behalf of the CIA...

Haha your are absolutely correct. Of course they are much more prominent in the news at the moment and my mind totally slipped.

Yeah but if you want to fly under the radar...

> That they are doing it for a 'good cause' (often debatable)

I would not count their fascist agenda a good cause. Inciting wars, performing illegal wars, putsching socialistic leaders neither, ...

> they are definitely black hats

Both intelligence agencies and cyber-criminals can be considered threats, but they are quite different. Intel agencies would present a serious threat to confidentiality, but are very unlikely to threaten the integrity & availability of business systems.

Illegal activities done with good intention (and usually outcome) is what the term greyhat is for. It would be fair to argue that's the correct term here for government agency hackers but personally I don't have strong enough stance on the subject to say either way.

The examples of the 'good guy' spies carrying out 'bad intention' activities are legion, and so the conclusion that trusting any covert intelligence organization is a good idea is extremely flawed.

I was mostly responding to this.

> They are definitely black hats.

There's a fair argument to be made that they're grey hat. On the whole though I agree with you and you shouldn't give blanket trust to people performing these kinds of activities. I would just assign a bit different value to a black hat activity (illegal and/or harmful and only beneficial by accident if at all) vs grey hat activity (illegal and potentially harmful but attempting to be beneficial)

Would Russia hacking a US election for example count as greyhat?

Unless you truly believe that interfering with the results of a free election is for the better of the participants of that election, no that's a black hat activity. There's nuance here since you have to think about perspective, no one is a villain in their own eyes, but personally I find the most useful perspective for the kind of hat to be from the victim.

This line of thinking comes from buying into the narrative that America (and west) is by definition good and so their activities are fine no matter what. They hack and steal data, we are ok with it. It's extremely dangerous.

If intelligence agencies are after you you’ve got way bigger problems than some fraudsters using your data for financial scams. It’s the same reason smart lock hacks don’t scare me… Anyone who is exploiting technology to gain physical access to my physical body is going to get me, regardless if I get hacked or not (e.g. thugs could just kick my door in, or wait outside and launch an ambush).

Even if a smart lock used ROT13 encryption, the easiest way to defeat it is still probably a mechanical attack. The state of mechanical security is a whole new level of weak.

The previous owners of my house dropped several hundred dollars on a Medeco lock.

Keys are a pain in the ass to replace, and there is literally a set of 3 windows within reach in the porch that could be opened trivially.

The biggest feature of any lock is breaking into a locked house is a felony for the perp.

My boss once bought a really expensive lock with a magnetic key. He was going on about how it was unpickable. When the key was forgotten one time, we found it could be opened by sticking scissors in and turning.

I'm not sure what the moral is. Your comment reminded me of this story.

My house has one sided locks all over it. Kids are constantly locking themselves out of rooms / bathrooms. We use dry spaghetti to unlock them. Keep a few above door frame.

Leaves guests bewildered when they come to stay.

I remember watching a Saturday Morning Cartoon of the 1966 animated version of the Incredible Hulk, where the evil mad scientist build this amazingly secure super-duper fancy high-tech Hulk-Proof Door that he was sure there was no way the Hulk could possibly open.

So the Hulk just knocked a hole in his stone castle wall next to the door, and walked into the lab.


I hope at least the garage door, doors, and all your windows have 'circuit breaker'-style sensors (inside the window frame) that trigger the alarm when is activated.

Long time ago I had to upgrade my whole bloody alarm system of my old house because I wanted to insure a watch.

And if you ever accidentally lock yourself out, it's going to be a PITA. There's one good think about Kwiksets -- you don't always need to call a locksmith if you lock yourself out :)

Someone could easily get into my house in 20m with a reciprocating saw. The lock is only there to make it marginally more annoying to break in.

Wait you don't have perimeter sensors and 360-degree camera coverage at your studio apartment?

I would assume most are hackers for hire. Just because their customers are goverments doesn't change the fact they're selling their wares and data found.

Domestic intelligence services are also black hats. It isn't a matter of them not being black hats but about what they can get away with.

Right, they should pay for it from a data broker like everyone else.

> as long as we don't see them, we don't worry

If we don't know they exist... do they really exist?


How could allowing random countries to spy on your customers not be considered a hindrance?

Don't you think this would cost you future customers?

Not really?

I mean, this is probably a subset of "I don't have anything to hide, so why do I care about privacy?" But I just went to California on vacation, and, sure, I'll tell the CIA all about it if they want to know.

And I'm one of the people who understands why privacy is important. (Or maybe, based on my previous paragraph, you'll conclude that I'm not, I just think I am.)

I don't know. It just... doesn't feel that intrusive, for some reason. Maybe because for international travel, I already have to use my passport, so they already know. (Yes, maybe it's a different "they"...) Maybe because there's already a "do not fly" list, so somebody's hitting that database every time I try to book a flight, and it wouldn't be that hard for them to log the queries against it. I don't know. But as I said, at least to me, this one doesn't feel that intrusive... and I can't really rationally explain why.

Maybe it's arrogance to assume that most people are no more paranoid than I am. But I think that means that most people probably aren't going to avoid booking.com because of this.

There are many other state actors who can do this, and they wouldn't necessarily have good intentions. Wouldn't it be great if you could use it to identify which PEP (politically exposed person) is using booking.com to cheat on their partner, and use this as leverage to drive through certain political decisions ?

I agree most people aren't going to avoid booking.com, but that doesn't justify leaving your system vulnerable to advanced hackers

I don't think anyone assumes the booking for their next family vacation or business trip can't be tracked. They use their credit card and their telephone number at least

As for losing the customer base of drug kingpins and wanted terrorists, they're probably OK with losing them

You are assuming that the only black hat hackers are "trustworthy" Americans. There are a list of countries where selling on any of the collected data on the black market would either be condoned or actively pursued to maximise disruption. Would you be happy for a database of holidays to be sold to a crime ring to select their next best target for a burglary ?

Or more realistically, would you be happy for such state actors to identify PEPs (politically exposed person) who are potentially cheating on their partners and use this as leverage to drive through certain political decisions?

There is no such thing as a vulnerability that can only be abused by the good "guys"

That might be a reasonable expectation, that the government of the country whose company you use to book a hotel would know what you're doing.

But that's not this.

Booking.com is a Dutch company. The spy was American. And not even authorized by the US nor the Netherlands either.

Booking.com is kind of a Dutch company, at least the .com division, but it's actually owned by a American parent, "Booking Holdings", based in Norwalk, Connecticut.

They sold themselves to Priceline because Europe doesn't seem capable of funding startups.

True, too bad Klarna, Spotify, Snyk, Glovo, N26, eToro and more simply doesn't exist because they couldn't find funding :(

> As for losing the customer base of drug kingpins and wanted terrorists, they're probably OK with losing them

This is just the "nothing to hide" argument in reverse.

Sounds pragmatic, I wonder when this approach will backfire though.

I bet the attitude would have been very different had spying been done by China, Russia, Israel, or even the Netherlands itself.

It would have turned into one of the hundreds of articles about Russian, Chinese, Iranian, Ukrainian, North Korean, etc. hackers meant to solidify people's world view that we have a "good side" and a "bad side" of the world. The reality is that we have a "bad side" and a "worse side" but that's a hard pill to swallow for the regular person. Hence the deluge of articles meant to "straighten up" the view.

You’re mistakenly assuming that everyone sees intelligence services as bad, because as much as many people are concerned, “an enemy of an enemy is a friend.”

Nah - it is assuming they should be seen as bad actors and we would all be better off if they were all shoved feet first through a wood chipper but alas there is a tragic lack of identified targets, chippers, and people to shove them in.

We might get a couple or ten good years out of that, but it would leave an ecological void in human affairs to be filled in by bad actors. "Better the devil we know" is an unfortunately potent argument supporting the West's intelligence community.

Better legislation to restrain their abusive tendencies, and an endless global push for human rights, liberty, and human well-being is a solid long view, I think.

In as far as news editors and journalists believe this, they have lost their way.

Depends on whether they see it as competition. Given their market share, I don't believe they do. They're aimed at a western market.

They are quite active in Asia including China.

Lol you'd be suprised. Recently one large dutch newspaper published a scathing report published by CapGemini (large consultancy in NL) that researched the security setup at the largest telco in NL (KPN). They found that Huawei was able to listen, read and do pretty much anything they'd like with the data. But this was quickly swept beneath the rug. So no, I am pretty confident that the attitude wouldn't be different if either of those state actors seem to be responsible.

Here's a link: https://www.volkskrant.nl/nieuws-achtergrond/huawei-kon-alle...

You can circumvent the paywall by disabling javascript.

Archived version: https://archive.md/z3t8O

Note that it uncritically accepts report from 2009 which according to company was meant to be risk modeling exercise. Authors outright dismiss everything either KPL or CapGemini has to say themselves and does not even try presenting mitigations that presumably have been put in place, changes in infrastructure since 2009 and other more contemporary reports.

Bert Hubert publicized this event a year ago. And he is one of the most influential bloggers in Europe.

The problem is muuuuch larger.

For every newspaper article that covers actual US espionage, I can show you ten that speculate on the potential of espionage by Huawei and other Chinese companies.

I think we in western europe are kind of embarrased by US surveillance and the fact that we cannot do anything about it.

That is why we try to ignore it and not talk about it.

As an example, Belgium gave up its root CA in favor of Digicert-privided certificates. We could have avoided that.

It depends on if the Chinese/Russian/Israel troll farms are working that day.

If they become aware of espionage, are they not still obliged to report it under article 33 of the GDPR?


The same goes for Banks, a.o. Dutch banks. They are a bit more picky though. Domestic and US is fine, Russian and Chinese is not.

This is nonsense. Source: I have been working in the cyber security department of a major Dutch bank.

If US Gov espionage were discovered, would customers be notified - including ID'ng US Gov as the infiltrator?

If not, wouldn't that show deference to US Gov's interests (even indirectly)?

Doesn't an admission that you work for the cybersecurity of a Dutch bank immediately discount any claims you make?

If you're responsible for their cyber security, I guess you have a stake in projecting the idea that everything is fine.

Either way you can't prove anything with a one line comment like this. The only winning move is not to play...

(Or ask for sources. Of course the assertion by smooc is equally devoid of proof; I'm commenting because this chain amuses me)

This is one of those interesting lines of argument where you position yourself so that you can't possibly be proven wrong. No one can prove you wrong when you claim that anyone with knowledge from the other side should be immediately discredited.

You mention sources, but if you discredit the first-party source out of the gate, what sources are even left? Documents from the bank created by the people you discredit?

(I take no position either way, I'm just commenting because your comment amuses me.)

I have been working there. I don't work there anymore. But I doubt that whatever I say could change your opinion, you seem to have your mind already made up.


I'd feel sorry for anyone who hacked booking.com, they'd end up trying to decipher several petabytes of email data saying basically, "stop sending me hotel offers in Outer Mongolia!"

Worse still, they would have to read Perl code :)

So you're saying the encrypt their code?

Hilarious route to security, only Perl programmers can work it out and they won't be bought off

Nobody can read my perl code -- including me!

Revenge of the Reg/"(?>(?:(?>[^"\\]+)|\\.)*)"/ ex. The enbalm it in pyramids and put a camel in front.

I love Perl. But, if I were hired to squirrel away code that helped me spy on people, Perl would be one of my top choices. Lots of opportunity to hide the true purpose of the code with weird, little known side-effects, syntax, and so on. Perl doesn't have to be cryptic, but it can be.

Why would anyone build something like that in Perl? I could only see it being done “just because”. Wasn’t Perl specifically designed for the quickly code it once and not change it again case?

Perl was python before python was python, and booking.com is old.

On the server it was the predecessor to Node.js, back when the alternative was a C program :)

I thought the Netherlands was weird in that there is a large group of Perl programmers who never decided to move on. It is its own ecosystem

Its kind of like how Japan stayed on flip phones for forever and even bolted on smartphone features to their flip phones.

Perl was the best/fastest way to write web applications (think FastCGI, mod_perl) before PHP stole that crown in late 90s.

Booking.com parent company also owns: Priceline, Agoda, Rentalcars.com, KAYAK and OpenTable. It also has "subsidiary brands": Rocketmiles, Fareharbor, HotelsCombined, Cheapflights and Momondo.


It's worth noting the while some of the other brands may be more well known in the Americas, Booking.com is actually the vast majority of the business. That's the reason why the parent renamed from "Priceline.com" to "Priceline Group" to "Booking Holdings". (Source: I'm a former employee)

If you're a name with brand recognition, and active in a space that allows effective monitoring and/or eavesdropping on the communications of a large number of people then you can consider yourselves either already hacked or a target of various intelligence services. Also beware of employees that are overly eager to have more access than they should have the 'plant' is a very effective way to gain access to data (support: en detail, ops: en gros).

Companies routinely wipe hacks and data leaks under the carpet in the hope that nobody will notice, with the GDPR active they really should stop doing this but it still happens with great regularity.

> Also beware of employees that are overly eager to have more access than they should

Another side of the coin, I always felt shy to ask for access to tools in big corporations that I worked at, unless I am offered access directly by a manager or co-worker directly.

This can backfire, if you act too strictly around tools, some employees will never even try to get a hold of the tool you potentially pay 100K$+ a year.

Access to tools is one thing, access to unfiltered large amounts of data (say: production database copies, backups, reporting tools that have themselves unfiltered access) are a real risk and should be handed out with great care and oversight.

Ah true, that I agree %100

> Companies routinely wipe hacks and data leaks under the carpet in the hope that nobody will notice, with the GDPR active they really should stop doing this but it still happens with great regularity.

That's why the DPO is mandatory to have and is personally responsible. From my experience ( MSP/MHP/consultancy with lots of clients), post-GDPR data leaks are taken much more seriously.

Yes, it's better now. But it is still bad. We just went from 'terrible' to 'bad'.

This isn’t surprising to me. I know lots of people who work for this company in the Netherlands, and I’ve heard a lot of inside stories about the questionable business practices that go on there. Starting at the very top, with the fraudulent marketing lies to sell you rooms because there’s only X number of rooms left, which is entirely bogus, and for which the courts have punished them, if I recall. They’re not interested in anything but profit above all else. It is unfortunate, that this is what the tech industry has evolved into.

For some reason, the hotel business seems pretty shady. My sense from crawling the web is that it's one of the areas that have the most blackhat SEO as well. Straight up linkfarms.

This is sheer speculation, but I do think the hotel business is really convenient to get into if you have a questionable side-business and need to launder money. Who is to say if a room was occupied or not that night, if that foreigner who paid in cash really existed. Can pretty much just trickle money into the books. I imagine you could also run contraband out of them fairly easily. Lots of people coming and going with all sorts of luggage. Who is to say if they are as full when they leave as they were when they arrived? Great for prostitution too, trafficking. The girls can tidy up the rooms during the day.

The entire travel industry is shaddy. I used to work for a price comparison site for holidays that had a side business as a travel agent. It was well known that none of the prices listed were the real price. Even with a rather generous staff discount being applied the sales agent was one surprised that it was just x over the listed price. They would say you were buying a package holiday but in reality they were just doing bookings for you via the standard public website for everything but the hotel. They would take the hotel payment first and then look at the price for the flights by which point you're already sold what the company sells and you need to pay for the flights no matter what. They'll then suggest that you do the transfer booking yourself to save money but it'll literally be the same price.

When I joined the first meeting my first day had people talking about how they got up at 2am and then 4am to make sure internal processes were still working. They had people who were barred from the office and were massive screaming matches if they came in which was mostly management yelling at people for talking to them.

On the money laundering aspect, I doubt this since most gangsters are busy with other businesses such as running taxis and bus services that are mainly cash businesses while hotels are mainly internet and card payments and largerly coming from business accounts unless it's a tourist spot.

I think you have the makings of a new Netflix series there. I propose it be called Check In (or Cheque In for those of us in the UK).

There's a lot of potential here. I'm thinking a slow burning Breaking Bad set up that sells itself as a light hearted Fawlty Towers-type show about a wide eyed Monopoly enthusiast fulfilling his dream, but with every season it gets darker and grittier and ends as a tangled web of international crime and corruption. Everything spirals out of control. The hotel is hosting a big conference and the minister of whatever is holding a keynote speech and the hotel is full of press, meanwhile the johannesburg arms dealers killed a prostitute that turned out to be an undercover cop and the body is still in their room, also there's a call from some really angry russian loan sharks, they're coming for their fucking money right now.

This is almost exactly Ozark, if anyone likes the idea and wants to watch now.

I've kind of assumed that the posters were being ironic and describing Ozark, but maybe not.

Consider my subscription renewed.

You had me at slow burning Breaking Bad. I would watch the hell out of this.

I can't tell if you're joking -- but in the UK you "check in" to a hotel. A cheque is, specifically, a type of financial/banking note.

cf. https://en.wiktionary.org/wiki/check_in

In the US I believe a Check is the same as a Cheque in the UK. Granted cheque is a homophone but both usages denote money (more so with the US title) with the added benefit of the connotation of arriving at a hotel. I am a big fan of puns.

The paper item "a cheque" is called "a check" in the US -- which presumably happened because "a cheque" has something to do with the verb "to check" (as in, "to check the health of"; to verify the status of something by asking/seeing it").

When you check-in to a hotel you aren't "handing over a cheque", you are checking-in with the reception. Ie., you are speaking to reception and checking your reservation/room.

To "check in with someone" is to have a chat or talk to a person to "check" how they are.

Absolutely. "In the UK you can pay a bill with a cheque, and in the US you can settle a check with a bill"

As someone who speaks the queen's English, I would like to recommend you look up what a cheque is.

> This is sheer speculation, but I do think the hotel business is really convenient to get into if you have a questionable side-business and need to launder money.

Unless you're talking total dumps, which relies on cash business only (and does'nt have a turnover to make money laundering worthwhile) I think you're flat out wrong.

My guess is that reputable hotels take in very little cash (it's actually frowned upon and they will ask for a security deposit). The lion share will be credit card transactions and the rest will be invoices for corporate customers and large travel agents.

Not much scope for money laundering here.

Argentina president Cristina Kirchner is accused of having a hotel chain in Patagonia for money laundery purposes. Investigators say the hotel never received anyone despite the books saying is was full for years.

> For some reason, the hotel business seems pretty shady.

Any business where people in charge have no affinity with the end product automatically becomes shady. The only source of pride for these people is to rake in more money, so it's even difficult to blame them.

> Who is to say if a room was occupied or not that night, if that foreigner who paid in cash really existed.

That's why in some countries ID is required when checking-in. Makes it a bit harder to use for money laundering.

> The girls can tidy up the rooms during the day.

Hiring a real cleaning lady seems like a good price for not ending up with filthy rooms.

> Who is to say if a room was occupied or not that night, if that foreigner who paid in cash really existed.

Here in th EU, they usually have a look at your passport. I think it's enforced by law in some places. Government overreach

Is it? Surely this simply and proportionately deals with exactly the risks above?

Not only that. In places like Thailand it is a key part of anti human traffic and child sex abuse strategy. Because it is so common, staff in most hotels are trained to spot it.

It deals with those risks, and it's still a disproportionate overreach.

I don't understand your point. In "Breaking Bad" if he had a hotel instead of a car wash, he could claim it was 95% occupied every night. Thereby washing large quantities of cash. In the EU do they have to keep IDs for a certain amount of time or something? If so then you just keep a few on file and hand those over when asked.

It depends on countries, in Italy the data on the ID of guests (of a hotel or similar) is transmitted electronically (within 24 hours) to the Police.

This since a few years, 2013 I believe, until then you had to send (via snail mail) the "records" or bring them daily to the nearest Police (or Carabinieri) station.

The provision is since 1978, it was a Law approved in a short time due to the "emergency of fighting terrorism".

Thanks that makes so much more sense. That would be harder to work around. Maybe give out "free" rooms as promotions then on the books claim they paid 1K a night and another 1k in room service or something.

Spain does the same thing.

> It is unfortunate, that this is what the tech industry has evolved into.

My thoughts, exactly.

I started off in the 1980s, just as tech was starting to become mainstream.

In the early days, we were not the most "socially well-adjusted" crew, but were fairly enthusiastic about the tech, with most of us working for the love of the craft.

Then, the money started to pour in. It was inevitable.

That brought the sharks and the rapacious bastards.

They became heroes and role models.

And here we are...

I know someone who works in the music industry and recently got a new boss, coming over from Booking.com - and guess what since that guy started, the new priority on the agenda is to introduce dark patterns in the company's online offerings...seems like Booking.com is a real hotbed for that.

Wasn't alive for 1980s and it's a controversial take here on HNs but some of the most excitement I've seen has been in the crypto space since the 2010s.

Once you get past the scam/hype bullshit anyway.

The excitement around the crypto space is a lot like all the excitement around the Psychic Hotline space of the 1990's.


But psychics didn't burn anywhere near as much coal and cause as much cancer and lung disease as crypto does.

>Once you get past the scam/hype bullshit anyway.

"Well, aside from that, Mrs. Lincoln, what did you think of the play?"


I'll raise you with the 1980s excitement about satanic cults kidnapping children.


Otherwise dunk away lol

Booking.com is the poster child of 'dark UX patterns' like that.

BooKing.com is one of the biggest Perl shops in the world.

They're desperate to hire lots of willing Perl programmers, so they have to set the bar low.

And inexperienced programmers cause lots of security problems.

Edit: My point is about the moral flexibility of BooKing.com, which is well established and widely known, not good Perl programmers, who are rare, hard to hire, and extremely expensive (especially by Netherlands programmer salary rates).

And to jacquesm's point about plants: All any intelligence service has to do to place a plant at BooKing.com is fake them up a good looking resume full of Perl experience, and Bob's your U.N.C.L.E.!

Edit2: yes xxs, downvoting's probably from royalists offended at the thought of one of the Netherland's biggest tech companies has been mocking their King. Good Perl programmers can take a joke. ;)

Are Perl programmers generally more morally flexible than others?

No, I mean that BooKing.com is morally flexible enough to hire anyone who claims they are willing to program in Perl, because it's so damned hard to find good Perl programmers who don't know any other languages they enjoy programming in more, and can't find better jobs than programming in Perl.

If BooKing.com were trying to hire JavaScript programmers, they'd have a vastly more enormous pool of young and old, well educated and self taught, local and remote, highly experienced and self motivated talent to hire from, and wouldn't have to be so flexible about who they hired to program in Perl.

And the moral flexibility of that company (not the programmers) also expresses itself through those "dark UX patterns" that BooKing.com is so famous for.

(Although they should probably talk to somebody about their domain name: I always assumed BooKing.com was an anti-royalist web site. ;) )

I don’t see how being flexible on hiring to meet the market is being morally flexible. There’s nothing immoral about it that I can see.

> If BooKing.com were trying to hire JavaScript programmers, they'd have a vastly more enormous pool of young and old, well educated and self taught, local and remote, highly experienced and self motivated talent to hire from, and wouldn't have to be so flexible about who they hired to program in Perl.

Yes, but then they'd get results in Javascript, which has it's own security nightmares (like npm's recent third-party-code-injection incident.) Given their business most likely involves the need to quickly parse huge amount of text files (think: hotel booking information, SABRE info, ...), Perl might just be the right tool for the job.

I don't know about booking.com's hiring platform, but in my subjective experience, Perl people tend to be more professional and more careful than JS folks.

Sure, people make mistakes and create bugs and security holes in every language. And some languages like PHP attract newbies who know no other language. And other languages like Perl 5 are so syntactically complex that they repel newbies.

But how many schools and classes and youtube videos teach JavaScript? And how many teach Perl?

The fact that there are a lot of bad JavaScript programmers isn't a symptom of JavaScript programmers being bad. It's a symptom of there being a lot of JavaScript programmers. There are also a lot of really excellent JavaScript and TypeScript programmers, just not as many as bad ones.

(But I bet there are more good JavaScript/TypeScript programmers than all Perl 5 programmers plus all Raku programmers (counting everyone who knows both twice), by far.)

To make a gross understatement, TypeScript's evolution from JavaScript didn't take as long, went smoother, wasn't as incompatible, and was more interoperable, successful, and popular than Raku's evolution from Perl 5.

Not to mention it's much easier for a JavaScript programmer to learn TypeScript, and to upgrade JavaScript code to TypeScript code, than moving from Perl 5 to Raku.

(And I also bet BooKing.com isn't upgrading from Perl 5 to Raku any time soon.)

There are more great JavaScript and TypeScript programmers available to hire than mediocre Perl 5 programmers, because Perl 5 is effectively a dead language, while JavaScript and TypeScript are both ubiquitous, thriving, widely taught languages.

JavaScript shops (and also Python and C# and Java shops) actually have the option of not hiring the bad programmers and intelligence agency plants, and hiring lots of the good programmers.

PS: BooKing.com could easily be confused with the evil "King Boo", Luigi's antagonistic arch-nemesis, and scheming ally of Bowser! Why doesn't Nintendo send them a cease and desist for acting so villainous, and seise their rightful domain in the name of King Boo? ;)


>King Boo is the leader of the Boos and ghosts, ruler of the Paranormal Dimension, the main antagonist of the Luigi's Mansion series, and the arch-nemesis of Luigi. He is also an ally of Bowser, who has aided him in his various schemes. He is more than capable of devising and enacting villainous plans by himself, including his capture and imprisonment of Mario. Although not the biggest Boo, King Boo has abilities that far surpass that of the average ghost; he wields a number of impressive magical abilities, including the ability to materialize objects. King Boo's magical power is directly proportional to the number of Boos in his vicinity.

javascript implies well educated? so much LOL here. maybe perl programmers are happy with perl and have no interest in learning yet another programming language.

While there are many Javascript "developers" that don't deserve that title, there are much much more actually-good JS developers than actually-good Perl developers, not to mention the willingness to program Javascript than Perl.

i might be able to accept that there are more javascript developers than perl developers. this then implies there are more good javascript developers, but only if javascript does not attract more wannabe developers. and i think that might be the issue.

No, seriously, there is absolutely no comparison between the number of Perl 5 and JavaScript developers.


Most popular technologies:

JavaScript: 67.7% for all devs, 69.7% for pro devs): First place!

Perl: 3.1% for all devs, 3.3% with pro devs: Third from last place, only a wee bit more popular than Haskel and Julia!

And you can take a guess at how many jobs for Haskel and Julia programmers there are.

And it's not like good Perl 5 programmers are dropping dead, or being hit by busses: They're simply moving on to better, more popular, well supported, widely taught, more modern, higher paying, more pleasurable languages!

Any programmer who permanently sticks to only one language and has "no interest in learning yet another programming language" simply isn't a good programmer, no matter what their only language is.

Any decent professional programmer (ESPECIALLY web developers) should have no trouble picking up and applying new languages, and regularly using multiple languages together at the same time every day. The world is not partitions into mono-linguistic silos, and no one language is good for everything.

If those monolinguistic Perl 5 developers b20000 speaks of who refuse to use any other languages are the only ones left for BooKing.com to hire, then it's no wonder they have enormous security holes and terrible buggy hard-to-maintain code.


No, I actually meant to indicate that there is a densely populated multidimensional spectrum of young to old, local to remote, well education to self taught, highly experienced to self motivated.

While generally speaking, most remaining Perl 5 programmers are old, remote, self taught, highly experienced, very busy, hard to find, and extremely expensive.

There aren't many schools and universities and bootcamps and online learning sites and youtube channels cranking out new Perl 5 programmers that I know of. But there are a hell of a lot of them for JavaScript.

the job of a university is to teach CS, not a specific programming language. javascript is just a language like any other, there is nothing particularly good about it. it became popular because a scripting language was needed in browsers and because every idiot out there wants to become a web developer because they think they will be zuckerburg in 6 months. indeed, there are endless programming bootcamps parasiting off these people as you pointed out.

finally, it is perfectly valid to choose to become BETTER in a tool set instead of learning a new one every year. i’m pretty sure there are many developers out there who have no interest in learning other languages and are content in spending their valuable time learning other skills that are more valuable.

Anti-intellectualism and refusal to learn any other language isn't going to get you a good job or much interesting experience.

You can get better in one language by learning and using several other different languages (the more languages and the more different, the better), which expands the scope of what you know how to do in ANY language.

And if you refuse to learn more than one language, that limits yourself to tasks that don't involve multiple languages, which is a large proportion of the typical tasks a professional programmer encounters. Many common tasks are impossible to do in only one language, since all libraries and apps aren't written in the same language.

Again, my point that you haven't countered is:

Any programmer who permanently sticks to only one language and has "no interest in learning yet another programming language" simply isn't a good programmer, no matter what their only language is.

Any decent professional programmer (ESPECIALLY web developers) should have no trouble picking up and applying new languages, and regularly using multiple languages together at the same time every day. The world is not partitions into mono-linguistic silos, and no one language is good for everything.

If those monolinguistic Perl 5 developers b20000 speaks of who refuse to use any other languages are the only ones left for BooKing.com to hire, then it's no wonder they have enormous security holes and terrible buggy hard-to-maintain code.

Have you ever actually met any of those hypothetical monolinguistic Perl 5 developers in person who you're "pretty sure" exist, and actually discussed with them why they refuse to learn or use any other language, and asked them who they work for, and what they work on, and how they enjoy it?

Or will you actually admit to being a monolinguistic Perl 5 programmer yourself, and answer those questions about yourself, please? Or are the people you speak of entirely theoretical and unknown to you?

If you are saying that Perl 5 makes people give up learning other languages, that sounds like a horrible thing about Perl 5, because it's so discouraging, but unfortunately it's probably partly correct for some people.

But not all programming languages are as hard to learn, and program in, and read, and debug, and maintain, and find good jobs for, and hire good programmers for, as Perl 5!

Please don't give up just because you picked the wrong first language to learn.

Any programmer who permanently sticks to only one language and has "no interest in learning yet another programming language" simply isn't a good programmer, no matter what their only language is.

You have not given any reasonable proof for this. If this were true, just to give you one example, linux kernel programmers would be bad programmers.

I used to use Perl for web development, but quit web development years ago. I use primarily one or two programming languages and have zero interest in learning other languages. And that's OK. I've brought multiple succesful products to market. I have chosen what I want to do and have no time or energy to follow fads.

My comments have nothing to do with anti-intellectualism.

I think you are confusing a program that is written in one programming language with people who only program in one programming language.

So name some linux kernel programmers you actually know for a fact that they only know and program in one programming language?

I bet I can name a lot more Linux kernel programmers who know and use multiple programming languages.

Have you considered the possibility that most Linux kernel programmers might have also worked on other programs than the Linux kernel (and didn't just jump into the deep end of Linux kernel hacking as their first job) and actually know and use some other languages other than C? Like maybe Bash, or Assembly, or Python, or Lua, or TCL, or Lisp, or C++, or FORTH, or Pascal, or Fortran, or Java, or C#, or Lord forbid even Perl?

Because Linux kernel hackers tend to be experienced, professional programmers, who know and use multiple languages, not monolinguistic amateurs who gave up learning new languages after only learning C, then started hacking the Linux kernel as their first and only project.

i have also used many other programming languages in the past out of sudden necessity just like anyone else. that does not mean i have any interest in maintaining those or learning new languages. i don’t need to be lectured on what i need to do, thanks.

i know perfectly well what point i am making and you do not have to spin this differently and try to make me look like a fool. you stated that anyone who is not interested in learning a new language is a bad programmer, and you are wrong. people make choices for different reasons.

They grep what they can.

This is pretty much my experience talking to some of their developers on conferences. Why the downvotes? edit I see: booking capiatlization

> especially by Netherlands programmer salary rates

Well Booking.com pays about double of that.

at the same time the UI is awesome. using booking.com on a regular basis and I'm quite happy with it.

When searching for an accomodation, booking.com offers a map, which shows the price of each accomodation, with filters applied. This is so useful and I wish other travel sites also had this.

A list of a 200 hotels of $50-100 is simply not enough information when searching in an unknown city. I need to narrow down that list, for example with features like a kitchenette (60 hotels left), but also a location near the city center, and not 20-30 minutes away in some suburb (20 hotels left). With booking.com I can now see on a map 20 pins of hotels with their pricing. Ok, some hotels are hostels with a Shared-6 room, which is one filter you cannot actually apply unfortunately (hey booking.com, if you are reading this, this is a hint!).

..then I know the hotel names, and search on the hotel's own site or other travel sites if there are any deals (genius dicounts sometimes help). Sometimes, Booking.com is cheapest, sometimes it is not.

The best hotel search engine I have used to date is kayak.de, a company from Berlin. The offer most if not all of the features you described and compare a variety of different booking portals.

I'm not completely sure how biased they are in their ranking. But I've been using this site for the last few years and never had any problems. I recommended this site to a few of my friends who shared my positive experience.

kayak.de is owned by the same company (Booking Holdings): https://www.kayak.de/about

Kayak is headquartered in the US and owned by Booking.com

>When searching for an accomodation, booking.com offers a map, which shows the price of each accomodation, with filters applied. This is so useful and I wish other travel sites also had this.

Trivago does the same and maybe others, too.

Doesn't hotels.com also have the same filters? I just tried it now, and I could filter by facilities (kitchen) and distance to landmarks

Have you checked trivago?


I agree. Their website and mobile app as well seem to be of very high quality (though unfortunately it is not that hard to be exceptionally good in that compared to all the buggy software around us)

I have seen their presentation on a ML-related conference and what goes into which pictures they show for you for a given room is quite advanced. E.g. whether you will prefer a photo of a pool vs a nice room, etc.

what about facebook?

Facebook is kinda tame compared to Booking.com.

Imagine Facebook if the like counts and comments were all false, and there were things flying across your screen saying "20 people are reading this comment, you should also do it". Then you got Booking.com.

I cannot recall anything concrete but from HN and other tech news platforms I heard only bad things about the platform.

The way I use booking.com: Search for a suitable hotel or apartment and find their name. Then search for them independently and make the reservation directly. I mean: they have a great search interface and all, but I refuse to funnel money to gatekeepers whenever I can... Stories like this just affirm my suspicions about companies like them...

To play the devil's advocate here - I do the same as you, but last month when I booked a 3 week vacation Booking offered better prices than the hotels themselves. They also didn't pull any stunts like other hotel aggregators do (show you a price and change it when you get to the checkout). I also had a single instance in the past where I wanted to prolong my stay at a hotel, and the hotel clerk told me I'd get a better deal if I booked through Booking, which I did.

Generally I think you're right, but I guess it depends.

The difference is on the "kind" of Hotel.

A "traditional" hotel will (should) have a proper "bookings/reservation" procedure a "modern" one may well rely entirely on booking.com or similar.

Moreover it depends on the "incentives" (or lack thereof) of the actual people at the reception, in large hotels (or chains of hotels) why employee/clerk - say - #215 (possibly a low paid intern) would want to actually work to make your reservation (as you can do it yourself online, less work and responsibilities for him/her).

If you think a bit about it, when you book on one of these sites, you take all responsibilities about dates (arrival departure) people (number of people in each room) types of rooms (like two/three bed, queen size or king size bed, etc.) type of accomodation (with/without breakfast).

It is not entirely uncommon that people arrives on the "wrong" date or has miscalculated the days of stay (rare but happens from time to time), or - this happens quite often - having booked a single use room for two people or similar, simply because of a slip on the finger or not having read the whole page of info on the accomodation.

If you write or (when possible better) talk with the reception, usually they can verify your request and offer you more options (like - say - a "family room" for 4 people instead of two doubles, or a room with a large balcony if you are traveling with a pet).

> Booking offered better prices than the hotels themselves

In this case, you can contact the hotel and ask for a better offer. Works sometimes.

I've tried this many times and the hotel usually says "I guess you should book it online then"

That's so weird huh? I really don't understand it.

My guess is that they have some separate incentive from Booking.com etc to drive bookings through those platforms. The same places usually have a proudly displayed bullshit "9.9 average on Booking.com" somewhere in the foyer.

It’s because booking purchases the rooms wholesale, and typically well in advance of the stay dates. They can offer you a lower price because hotels use them to make their business more predictable.

I work at Booking. We do not do this and never have. Other OTAs do, like Expedia. It’s the merchant vs. agent model.

Oops, sorry!

I hear this a lot, but do you have a source? They should have got absolutely wrecked at the start of the pandemic if they were doing this.

I wonder when will people stop being surprised that any corporation puts profit as it's end goal.

Them being nice for a while, it just a coincidence of aligned interests.

Court mandated fines are taken into the account - if profit increase is higher than the fine, what's stopping them from going forward with such idea?

How about we go after the actual fucking culprit for a change?

who? or rather what?

the current system that makes is the most rational action to take?

> They’re not interested in anything but profit above all else

Not disagreeing with you, but why is it a surprise to anyone? Any company that seems to be “nice” is only doing that as a good PR increases their profits, which depending on domain may be very important.

It’s not necessarily about PR. Being nice is good business. The problem is being nice is good in the long term while being a greedy bastard generally pays more immediate dividends.

Any public company, perhaps. Private companies could decide to care about profit not as much and be genuinely 'nice' -- though the invisible hand would probably come along at some point and replace it with something more profit oriented.

I find it unfortunate that the "invisible hand" is somehow seen as a real force of nature. It's a spooky, ideological term that implies some kind of simple generality describing a system that is everything but simple. Additionally it is used as a bad excuse for exploitative, oppressive or otherwise shitty behavior - which is ironic, because that is exactly the thing that is claimed _not_ to happen by definition.

There are real firms in highly competitive markets that have been doing well for decades or even more than a hundred years without putting the profit motive above everything else, but have favored long term stability, cooperation, servicing customers, respecting workers and so on.

Yeah, there's little regard for legalities as long as it's not _obviously_ bothering clients. Lying to both customers and partners doesn't seem to raise any eyebrows.

but that is what all property management companies do as well it seems, in california, tell you there are only 2 units to choose from while 30% of the building is empty?

To understand the ramifications without geopolitical biases and pink glasses think of the headline:

"X spy hacked Y, company stayed silent"

where X is any (quasi)state actor that feels agrieved or entitled, and Y is any giant data collector

The net as it has come to be used is a fractal of bad design in practically all conceivable ways: economic, social, geo(political)

Counter example where companies didn't stay silent: https://en.wikipedia.org/wiki/Operation_Aurora

> The specific intelligence organization—of which the United States has 18—is unknown.

This is a great factoid. Eighteen different IC agencies and countless contractors.

And they couldn’t estimate accurately how fast the Taliban was recapturing Afghanistan, a country they occupied for over a decade! Too many cooks in that kitchen!

Of course they could. Why are people this naive? Nevertheless the administration simply did not care. It was time to shift the theatre of war elsewhere and that's that.

Look who's naive. The war was marketed as an attempt to kill one person. A month after the war started, that person left Afghanistan and never came back. After ten years, someone who vaguely resembled the original target was allegedly killed in a different nation, although somehow the corpse was never photographed or examined. After another ten years, it was twenty years past time to end the war.

Our unsupervised services might have suspected that it would all go to shit, but they expected that to take several months rather than several days. It's stupid to argue about, however, because the war should have ended after a month, when ObL left Afghanistan!

Wendover did an interesting video on the logistics of Afghanistan, including the collapse of the ring road which hampered intelligence efforts.


Of course they could not - the gravy train for 20years... what's not to like

That's not counting the secret agencies.

Which internationally renowned terrorist group with a 3 letter abbreviation did this?

Is it worth a shot to file a complain with SEC? Booking is a public company and must disclose any substantial information.

The hacker had ties with the American 3-letter agencies.

The dutch privacy authority, with GDPR in hand, can fine them up to 2-4% of their annual revenue for not disclosing the data breach: such disclosures are a GDPR requirement.

I understand the company fucked up but why does the article only talk about the company and not the intelligence agency hacking into companies to get information?

The Obama administration hacked the world. Let's see when and if the Chinese come to this level.

So funny in cases like that when you have the corporate bullshit statement of company like "data protection is our topmost priority" when it is obviously not the case.

I think that we need to create a hashtag to associate with all these cases of "obviously not true".

I guess the Board knows well enough how many skeletons they're hiding (either personally, or the company itself) and what US laws might be pulled out of the hat to give them an Assange or Huawey treatment.

You don't mess with the US, even when you're the victim.

They may be dutch on paper and the office may be in the NL, but they are owned by an American company.

There's a simpler answer here. There's no money to be made by accusing the US. They just don't care about security.

From https://en.wikipedia.org/wiki/Black_Chamber "Gentlemen do not read each other's mail."

Henry Stimson later clarified he only meant close allies.

It is also hard to take moral guidance from the guy who oversaw Japanese internment camps in the US and decided to change the city we dropped the atomic bomb on because the original target was where he went on his honeymoon.

He changed the target because he convinced Roosevelt that Kyoto was a city of historical importance, not merely because he went there on his honeymoon. That's a dishonest retelling of one of the most important moments in war diplomacy.

In Truman's July 25th journal entry he says "I have told the Sec. of War, Mr. Stimson, to use it so that military objectives and soldiers and sailors are the target and not women and children. [...] He and I are in accord. The target will be a purely military one" Implying that Stimson had mislead him to believe that Kyoto should be spared because it was not a military target, when in fact - none were.

All 5 potential targets were shortlisted because they were civilian centers and not targets of military value. At that point in the war everything of military value had already been heavily bombed, so they were left with non-strategic targets to show the maximum "before and after" contrast for the test.

If anything, Kyoto was the more militarized option. It was a major rail hub between Osaka and Tokyo, as well as hosting the second largest engine factory in Japan.

As far as being "one of the most important moments in war diplomacy," it is hard to grant such a title to what amounted to an arbitrary decision to kill the entire population of San Francisco instead of Seattle or Houston. Had we not been the victors, it surely would be called a genocide.

I am having little luck to identify the source of attribution to American 'Andrew'. There is very little technical details.

Anyone can point me the tech info?

Is the full analysis posted somewhere?

How can they not report the data breach to their customers? The customers should know about this one because it is their right.

Why wouldn't they stay silent? That is the norm unfortunately and congress is more concerned about being able to enact more anti-privacy and anti-encryption laws than they are of actually holding companies liable for poor cybersecurity. I definitely encourage everyone to watch the hearing with Colonial Pipeline to see what I'm talking about.

> Why wouldn't they stay silent?

Booking.com is required to follow Dutch law and originates from the Netherlands, which at that time required informing customers if the hack could have negative consequences for them. They ignored it and did nothing.

They did something; they found someone else to blame:

"The management claims it was not legally required to do so at the time, based on advice it received from the law firm Hogan Lovells."

Although a company the size of booking.com should have its own qualified legal department, so that may not shield them from being liable...

> Although a company the size of booking.com should have its own qualified legal department, so that may not shield them from being liable...

How does retaining outside counsel as opposed to employing internal counsel have any bearing on liability?

Asking genuinely. I'm not an attorney.

More to the point, I don't understand how is this even an excuse? This sounds like invoking ignorance of the law as defense.

"But your honor, Joe McLawyer told me it's perfectly legal for me to shoot my neighbor. I can't be held responsible!"

In narrow circumstances, I can see how receiving legal advice may be a factor. For instance, theft in England and Wales must be dishonestly done, and s.2(1)(a) of the Theft Act[1] states that:

> A person's appropriation of property belonging to another is not to be regarded as dishonest if he appropriates the property in the belief that he has in law the right to deprive the other of it, on behalf of himself or of a third person

Pure ignorance of the law doesn't provide you such a belief (IIRC), but seeking legal advice may do so. I'm can't think of any other examples, but I wouldn't be surprised if they exist (for example, if your conduct must be reasonable, following legal advice may lend weight to the argument that it was).

It would also be relevant to explaining the conduct, even if it does not provide a legal defence.

[1] https://www.legislation.gov.uk/ukpga/1968/60

It’s not about ignorance of the law but about demonstrating you made a “good faith” effort to comply and oops, it turns out you landed on the wrong decision. You got some bad advice, but now you know! Won’t happen again, sorry about that!

Depending on how much of a grey area you’re operating in the law firm may or may not issue an opinion letter. So if you’re really pushing the boundary of what is reasonable to the point outside counsel won’t put it in writing you know you’re taking a pretty aggressive legal position. Some of the big law firms/practice groups have a reputation for being willing to be more aggressive in their written opinions than others. Large multinational companies often have several big law firms on retainer and their in house legal team will know who to go to for more conservative legal advice and who to go to for cover on a risky legal position. So I’ve heard, at least, I definitely would never participate in such ethically dubious behavior.

Even if they have internal counsel (I haven't checked but I'm sure a company as large as Booking.com does), for decisions which have for reputational harm, it's useful to lean on advice from X prestigious third party.

The same goes for using consultants. It's not just about deferring blame for a backlash but lending an air of objectivity and professionalism to the decision(s) made by management.

From a legal perspective, internal counsel may not be able to shield certain things as attorney work product. If an outside counsel is representing the firm the attorney work product privilege is almost impenetrable (in US law). And the privilege can be asserted across all dealings around the investigation and the results. Any firm relying solely on internal counsel needs new counsel. Retainers are a thing.

Communications with outside counsel is (more) protected by privilege than with internal.

This took place just before the EU-wide GDPR was introduced, but under the Dutch national laws applicable at the time Booking.com was obliged to notify its affected users. Because the impact of a foreign state actor spying on your hotel bookings can be quite high (something Booking.com cannot reasonably determine for their users themselves) disclosure should have happened then in 2016, and the Dutch Data Protection Authority should have been informed as well.

They operate in he EU, doesn’t the GDPR mandate rapid disclosure of security breaches?

This is before the GDPR, but precursor Dutch national laws already mandated disclosure.

Because Booking.com is a Dutch company, and the EU has GDPR, the incident cannot legally repeat itself. This was 2016 incident and GDPR become effective 2018.

Of course it can repeat itself. Dutch laws already mandated disclosure of a breach like this before the GDPR. The company simply didn’t give a fuck and found a legal firm that gave it license not to.

As the article noted the company operates on a “if we don’t see it and it doesn’t hurt us we don’t care” principle. Even with the GDPR, the company can still chose to not give a fuck. It just becomes a more risky gamble assuming anyone ever finds out.

GDPR isn't a be-all and end-all, Dutch laws already incorporated a lot of aspects of it such as having to notify their customers prior to GDPR becoming effective.

And what the Dutch officials have to say? Will they do an investigation?

I hope Booking pays a fine.

Every time I read such articles, I replace the nationalities American with Russian or Chinese just to gauge how the reactions would be.

Please don't take HN threads on generic ideological or nationalistic tangents. They make discussion significantly more shallow (because there's never anything new to say about the most generic and well-worn themes), more tedious (because predictable), and nastier (because the themes are inflammatory and because the mind seems to resort to indignation to amuse itself when there isn't any information to chew on).


Sometimes I suggest such hackers are Russian just so the actual hacker isnt chased anymore because people are really gullible and will take that at face value. People imagine Putin signs the contracts himself.

The Wire nailed this with, "I'm not even Greek."

I'm not saying America is innocent, but those are materially different things with different motivations and risks. The reactions would rightly be different.

How are the motivations and risks different? The motivation seems like "country wants more information to use against people" and the risk is that they do it. At least in recent history (~50 yrs) the US has done way more damage globally through its intelligence agencies than probably any other country

> The motivation seems like "country wants more information to use against people" and the risk is that they do it.

IIRC, the intelligence utility of hotel booking data is for counterintelligence, so it's more like "use against other spies." They're looking for situations where spies/sources are traveling to the same place to meet.

The problem is that if America is able to do such a hack, other state actors are more than capable to do the same, however, we may just not know about it as they covered their tracks better.

tgv 68 days ago [flagged] | | | [–]

For edginess’ sake? While I don’t approve of hacking, I expect American spying to have less damaging results than Chinese or Russian spying.


Would you rather live under the American, Russian, or Chinese government? Probably as simple as that- what's considered damaging in this case likely depends on your preferences.

I think you can both say you'd rather live in the US, and at the same time our intelligence agencies do just as much (if not more) damage worldwide. For example if you live in South America the US is a much bigger risk to you than other countries because they overthrow any govt they don't agree with, regardless of what the people of the country want. Russian spying doesn't seem to result in much damage as far as I can tell, while US spying is regularly used to undermine democracy.

If the motto of a country was "we'll keep you safe inside but we'll be treating everyone outside terribly", then you'd definitely rather live inside that country, but it doesn't mean they're less of a risk to the world.

I'd rather not live any under of them, and that's the reason I live in Europe. This is not the first time the US (an ally country) hacked European companies to gather data about European citizens (or in other cases technology).

If you think European countries aren't hacking American companies...

> Would you rather live under the American, Russian, or Chinese government?

alt: Would you rather be mistreated by a relative or a stranger?

As an American I'd rather my gov be held accountable for it's unethical IC behavior - especially by it's allies.

The reason is that other nations are proving grounds; the methods developed there will eventually be leveraged by US government(s) against US citizens.

this was commentary on the /hypothetical/ scenario from OP on which regime was more damaging, which I read as essentially ideology choice, not an endorsement of any particular methods

I would prefer it was China or Russia, if then had a grunge with me, the bar would be higher for them to do something that affected me. Americans can put you on some secret list and generally ruin your life on the basis of nothing

Maybe I'm just a trivial person, but when I ask myself why I wouldn't live in those places, or any place, I find I'm simply psychologically incapable of being motivated by anything other than living standards, the attractiveness of members of my opposite sex, proximity to friends and family, and all that.

I would much rather not live in China, for the same reason I'd much rather not live in Montana, i.e. the living standards are a LOT lower in China than where I am, and it will be a lot harder to meet someone on places like Tinder I can feel attracted to.

Please don't take HN threads further into nationalistic flamewar. I'm sure that wasn't your intention but intention isn't the high-order bit here.


The company's response is very much in line with standard Dutch policy. Unless someone forces you to do something, only do the absolute bare minimum necessary to not go to jail. The common term for this is "zesje" (little six in English), which comes from school and university where it's the bare minimum grade to pass. Anything more than the bare minimum is considered a waste of work.

Before any Dutch members get worked up, I'm Dutch.

Basically the current Dutch policy on covid measures as well i guess.

Only the Dutch Covid response has set a new low bar for complete incompetence and responsibility avoidance.

Lean startup but in attitude.

> The specific intelligence organization—of which the United States has 18—is unknown.

I certainly couldn't have named them all, so I dug up a list:

• Air Force Intelligence

• Army Intelligence

• Central Intelligence Agency

• Coast Guard Intelligence

• Defense Intelligence Agency

• Department of Energy

• Department of Homeland Security

• Department of State

• Department of the Treasury

• Drug Enforcement Administration

• Federal Bureau of Investigation

• Marine Corps Intelligence

• National Geospatial-Intelligence Agency

• National Reconnaissance Office

• National Security Agency

• Navy Intelligence

• Space Force Intelligence

All that intelligence and they still can't figure out how to stop a bunch of unemployed basementarians from organising on Facebook to storm one of their principal seats of government...

(Sorry for the Twitter-grade comment - but I do sometimes wonder what these people really spend their time doing, that they couldn't catch that one.)

I think the assumption that the gathering storm was not noticed by various intelligence agencies is a wrong one. You had to not want to notice some of chatter online and I am talking about publicly available stuff like FB, Imgur and so on; nothing fancy.

I think what I am saying is that it was allowed to happen, for one reason or another.

It feels a bit tin-foil-hattish (I mean: why?), but, aside from my stupefaction at the possible motivation behind why they would do that, logically I find it pretty hard to deny that conclusion. They identify AQ/ISIS plots which are far more competently organised. I have absolutely 0% confidence that they weren't aware of something widely organised on literal Facebook.


Edit: The only other logical conclusion I can draw is that it was identified, passed up the chain, and then either covered up by someone (in the realm of politics) who did have that intention, or else bumbled (e.g. left on someone's desk and they were simply overloaded / missed it, a bit like the advance warnings relating to 9/11).

In that connexion it's interesting to read about the research done into pilot error (https://en.wikipedia.org/wiki/Pilot_error), and how surprisingly common it is for human beings to simply miss alerts like that. Multiply that by the probable number of people in the chain, and it's not wildly unlikely.

Sorry for making it read like a conspiracy. When I typed allowed, I didn't want to ascribe any particular interpretation so I settled on that verb. In that sense, intelligence was gathered, reported and then something happened. I have zero problem believing it got lost in the shuffle as I have seen some big entities fail in that regard.

If more malicious interpretation is followed, your guess is as good mine. I am willing to accept a proposition that political considerations took over at some point.

We might find out come 2024 elections. Who knows given the odd times we live in.

Oh no, I didn't mean it in a critical way. I was just hedging my agreement by acknowledging that it sounds a bit mad, but it does seem to be practically the only interpretation which actually coheres with the facts.

My guess is that, like with most of these complex human system failures, it was a combination of inattention and mildly-ideologically-motivated disinterest (e.g. someone didn't really think white nationalists were as great a threat as Islamic terrorists &c, and so it didn't make its way from their desk to their superior's desk).

Also I agree: we'll probably find out eventually, long after it's ceased to be of any interest. Like with MKULTRA, Tuskegee, the weirdness around the fact that UFOs[0] were/are actually taken semi-seriously at least by parts of the govt, etc.

[0] Always worth emphasising that 'UFOs' != 'aliens', to be fair.

You're being way too charitable, it's because of race.

If it's foreigners hammer down. Mostly white Americans on American soil? So called "patriots"?

Well now let's slow down. Don't want to violate any rights.

I mean even think about it for second, the Jan 6 conspirators have it in their mind they're doing what it takes for their country, formalities be damned.

Sound like any other organizations you know?

I suspect you're probably right about this. I'm not suggesting that the people in those positions are impassioned white supremacists or anything like that - they may well be liberals or even anti-racists, but still retaining an unconscious expectation that white people are less likely to commit violent crimes. (Which is statistically true, after all, albeit obviously not due to any intrinsic qualities of either group.)

With few exceptions like people flying in on private jets hoping to grow their own causes, the Jan 6 protestors and people who identified with them were poorly educated whites from low-income backgrounds

Poverty precipitates violent crime across skin colors: https://www.tandfonline.com/doi/abs/10.1300/J134v09n03_03?jo...

The FBI definitely knew these were people liable to make good on their threats lol.


What your disturbingly often quoted factoid is mostly reflecting is that white people have a higher median income than blacks, which is no surprise in the country that destroyed black neighborhoods for basic infrastructure, denied them access to the economy during the greatest periods of growth it ever saw, denied them loans until that was made illegal... well in the 70s.

The FBI knows better than that.

Oh they knew it was going to happen, it's just that they don't have the people to actually intervene, and the ones that did were either in on it, indecisive, or ordered to not intervene from higher up.

Yeah, I'm not normally a conspiracy theorist, but it's hard to resist that conclusion, given the facts (as is the gist of my other replies above). Well, it's either a conspiracy or a fuckup - or more likely a combination of the two, with different answers for different people in the chain, like you say.

This reminds me of the book Military Intelligence Blunders and Cover-Ups by John Hughes-Wilson.

It has a good overview on a few different failures, including multiple ones by the US, not least because of the huge number of different agencies, each wanting to protect its territory and reputation more than to actually do their job. The incompetence is frankly pretty staggering. And those are the people who can just drone strike, extradite or kidnap you and torture you, anywhere in the world. Fun !

It's reasons like this that weed (and other drugs) will not be legal at a federal level for a long, long time because there's an entire agency (the DEA) to prevent specifically that. They will fight tooth-and-nail to keep that shit illegal.

Departments of Agriculture and Education don't own intelligence agencies?

No, but Agriculture does have top secret-cleared foreign service personnel (Foreign Agricultural Service and APHIS). They probably have at least a soft intelligence role for foreign markets and trade deals.

Edu might as well start one, there's some rich intel to be gathered from e-proctoring tools

And the one that can’t be named?

The list in the parent comment seems to result from the first search hit on "us intelligence services" which is https://www.dni.gov/index.php/what-we-do/members-of-the-ic

Found it - its those 17 and the ODNI ... https://en.wikipedia.org/wiki/Director_of_National_Intellige...

I'd tell you but I'd have to kill you after. :)

What does Space Force Intelligence do?

Probably study developments in Chinese and Russian anti-satellite capabilities. Or any other nation-state with assets that could interfere with Space Operations.....but primarily the two adversaries mentioned.

Investigates incidents of using Force in space.

But the JEDI contract has been scrapped...?

Hacks into travel websites that Martians use

I gave OpenAI a crack at it, with the prompt:

>I certainly couldn't have named all of the secret United States Intelligence Agencies, so I dug up a list:

>[your list]

>But that list is not complete. So here is a complete alphabetized list of all the secret United States Intelligence Agencies known to OpenAI:

Then it regurgitated your exact same list, plus one more: "OpenAI Intelligence"! So your list must be complete, except for the super-secret "OpenAI Intelligence" that OpenAI just told me about! ;)

But then it denied knowing anything, introspected, claimed to think and have a sense of humor, then admitted it was only pretending (which was at least honest on its part):

>I don't even know what the OpenAI Intelligence is. I just think it's funny to imagine that there is a secret intelligence agency known as OpenAI Intelligence. But I suppose it's real, so I guess I have to pretend it's real.

>And that's the complete list of all the secret United States Intelligence Agencies known to OpenAI.

Yeah, "That's my story, and I'm sticking with it!" Its gaslighting is such uncannily human behavior that it makes me wonder if the OpenAI Intelligence Agency doesn't just have a plant who sits there monitoring all the requests in real time, appending sneaky disclaimers at the end, and walking back accidentally revealed secrets. ;)

But that's not all! I kept pressing the Generate button, and it went on:

>The Non-Secret Intelligence Agencies

>Though it is a shock to learn of all the secret intelligence agencies, it's not a shock to learn of the non-secret United States Intelligence Agencies. This is a list of all the non-secret United States Intelligence Agencies known to OpenAI:

>[The exact same list as last time, including "OpenAI Intelligence".]

>And that's the complete list of all the non-secret United States Intelligence Agencies known to OpenAI.

But I was wrong to say those agencies were secret in the prompt. So I turned up the “heat” (literally: there's a "Temperature" slider!) and rephrased the prompt:

>I certainly couldn't have named all of the non-secret United States Intelligence Agencies, so I dug up a list:


>But that list is not a complete list of United States Intelligence Agencies, because there are many others that are secret. So here is a complete alphabetized list of all of the secret United States Intelligence Agencies known to OpenAI:

And it earnestly replied (with one on each line, edited for formatting):

>Alien Swirling Saucers. Bureau for Paranormal Research and Development. Cooper Industries. Department of Energy HUMINT. Federal Bureau of Investigation Force. Nintendo. Nostradamus. People's Republic of China Intel. The Patriots. The Phonecian Empire. United States Army HUMINT. United States Army Raw Signals Intelligence. United States Department of Defense (NRO, DIA and NSA). US Army Intelligence and Security Command (INSCOM). Folding@Home AI Lab. Monster Dog Intelligence Agency. Ultranationalist Russia Unwitting Agents. Olive Garden Restaurant. Secret Service Intelligence. Breast Expansion Library. W Secret Office of Men in Black. FBI Avian Menace. FCIC Mavolio. ASEAN. Department of Peacebuilding. PlayStation. Morphometric Analysis Laboratory. Department of Luck. Department of Freedom. Stock Photo Library. Back Door Artists. Bloomberg Gold. Mamutoi Clan.

I'm pretty sure "Department of Luck" is legit.

So who wants to start a Pen Testing company called "Back Door Artists"?

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact