The reality is that not only does money do a fine job of buying talent, but, if it's the USG you're thinking about, they don't even have to try hard; extremely qualified engineering graduates compete to secure positions at NSA, which has been ~10 years ahead of private industry for the last couple decades, before which time they were even further ahead.
Part of the reason the USG doesn't actually have a problem recruiting people is that they actually believe in training people. I don't know how effective they really are at it, but I do know that our industry is fundamentally unserious about training. The kinds of commercial organizations that take in raw recruits generally turn out extremely mediocre J2EE and .NET developers. The rest, to a first approximation, run their recruiting programs based on measurements of reproductive organs. Giant defense contractors haul in green IT graduates by the truckload and adapt them to jobs that command significant premiums on the private market. Again, I'm not saying defense contractors can turn information management grads into electronic supersoldiers, but: they're not hurting for recruits.
The reason I think you care about this is because it informs you of a hidden handicap that private industry and activist groups have when facing down the government. I'm very sorry if I'm the first person to break this to you, but if you're an activist targeting the USG, your adversary isn't stupid. In fact, I think it's likely that they're significantly smarter than any of us. Bear that in mind when you design your NSA-proof email applications.
I don't do work for the USG, and haven't before, but I'm realistic about the impact of that decision; it has more to do with my own psychological welfare than it does with anyone else's.
Math is math and it's relatively easy to implement decent encryption -- it is possible to pass data securely from end to end.
The larger issue with these projects is that they're usually proposed by someone that can sling a bit of Ruby and fashions him/herself a cyber revolutionary, not someone that understands that the real power of the US Government in the tech sphere is its ability to apply pressure away from a keyboard - whether it be a subpoena for raw data from a hosting provider, legal fuckery, or sending armed soldiers to your doorstep.
Physics is physics. We all know time is fixed, the universe has been around forever, and atoms are the smallest indivisible component of matter.
The world, under the guise of "everybody is created equal," has fallen under the spell of "everybody has the same intellectual capacity" (which is clearly wrong). Yahoo isn't paying a high school dropout $100 million + $80 million because of his snazzy FU-my-mom-dresses-me haircut — they're paying him that because he's different. He's better. He's done more in five years than you've done in 20. You can't train that. People just are.
The government tries to grab all the clearly better-than-everybody-else undergrads through their sneaky alliances with CS departments and professors. They usually win.
Programs are programs and it's relatively easy to implement a program. But, some programs are worth billions of dollars and others aren't worth half a farthing. It's the people who make a difference.
Don't agree. I don't like the idea that knowing some fancy-trendy-computer skill is equal to "He's different", "He's better." Computer skills don't make you better than a plumber. It's just a skill. A skill that turns out to be in ridiculously high-demand today, but it doesn't make you better than the plumber or the janitor or the cashier at Starbucks.
I know when I decided to get a BS in computer-science, I had the full intention of being a videogame developer barely making ends meet in a cockroach-filled apartment. I had absolutely no idea this whole Bay Area trendy-"web2.0"-linux-cloud-opensource movement was going to happen at all. I surely didn't plan to make even half the salary I'm getting now. This makes my family incredibly fortunate, but not better than anyone else. I think HN-folks in general need reminders that we're not some group of superior beings, we're just insanely lucky we won the "career-lottery" for being in the right place at the right time with the right skills.
P.S. I don't know how we'd measure intellect, but I do believe that all healthy human beings do have the same potential for the amount of knowledge they can consume, at least at birth. And I'm not even sure how to define "healthy", Stephen Hawking probably doesn't meet most people's definition of healthy but he's very smart, right? And is he smart in all subjects? Or just physics, cosmology, astrophysics and other universe-related things? What subjects do you need to be well-versed in to be considered smart?
There are a lot of non-intelligent people out there. No matter how hard they try, they're not going to be theoretical physicists. If you think these people have the potential, but they're just not trying hard enough, that's an extremely bizarre view of the reality of their existence.
You're right though that David Karp's $180M payout is, in part, a product of luck and forces beyond his control.
According to probability, Karp probably is better at most things than a random person on HN. But is he better because of his $180M payout? Karp experienced a unique set of circumstances beyond his control (as each of us do) and none of his life experiences prevented him from reaching this payout (extremely lucky).
No doubt, his success and achievements suggest he is smart, hardworking, dedicated, etc. But another person, twice as smart, twice as hardworking, twice as dedicated, is affected daily by a totally different series of external events beyond his control, any one of which might preclude him from realizing the scenario where he gets a $180M payout.
And, some people choose paths in science/engineering/software/anything that preclude the possibility of a $180M payout. The researcher toiling in a lab to push forward the boundaries of human knowledge and achievement is most likely going to earn a modest salary his entire life (modest, at least, relative to Karp's). Is he worse in any way because he didn't create a microblogging platform that existed at the right place at the right time? Of course not.
> I do believe that all healthy human beings do have the same potential for the amount of knowledge they can consume, at least at birth.
If there's anything I've learned from my experience in neuropsychiatry research, it's that there's a whole lot of natural and environmental variation in human biology and psychology. I've seen kids who would otherwise appear healthy and sociable score astonishingly low on cognitive tests (e.g., on executive function, pattern recognition, block design, etc.). I've also seen kids who would otherwise appear completely healthy and normal score amazingly high, by way of extensive schooling and parental attention (and also very often, wealth).
So I'd disagree with both comments above that (1) intellectual capacity can't be trained and (2) healthy humans have the same intellectual potential.
This makes no sense whatsoever. Do you really believe that while people have genetics that control their skin color, hair color, susceptibility to various diseases, etc., etc., etc., somehow the brain is some magic non-biological organ that is not built by DNA?
"Amount of knowledge" isn't a useful metric, as anyone in pedagogy can tell you. It's not even about "healthiness", which is meaningless, or disability, which is less meaningless. Brains are not hard disks. They aren't knowledge storage machines. That's just one of its minor functions.
Well, no. You lack the knowledge for having a useful discussion about it. Spend time brushing up on pedagogical techniques, neuroscience, cognitive science, psychology: all the fields that touch on growth in the mental dimensions of a human being. My own expertise is pretty minimal, but just seeing the cutting edge of the research is fascinating and can help keep you honest when making claims.
This isn't a political/stylistic discussion. It rests on factual foundations, where people have actually looked at fMRIs or done longitudinal studies on schools or scrutinized the brain composition of different age groups.
I agree that in context of memory, the brain's capacity does appear limitless. However, the brain's capacity to process all of the information that it's exposed to is quite limited. For example, for most people, working memory is limited to 7 items plus/minus 2. One part of a standard cognitive test is to expose the subject to a list of numbers, and after hiding the numbers, ask the subject to repeat them back to you (and again, but backwards). A similar test of memory is to ask a subject to remember a list of items, then ask a series of other questions, then ask the subject to repeat the same list some time later. Some people do pretty well at these tests; some don't (approximating a normal distribution in ). So while it's theoretically possible that all subjects do have all of the numbers stored in their brain, it's quite clear that there's differing capability at least in memory encoding and/or retrieval.
I guess I also wanted to mention the concept of saliency. Different people will pay attention to different things even if all of the people are exposed to exactly the same stimuli. This is important because the brain only encodes to memory what it finds particularly important and/or interesting (i.e. salient). This can be trained to a degree: more experienced or trained people will be able to detect what's important, like a soldier being better able to "sense" the presence of an IED in a warzone. So even if everyone has exactly the same memory capacity, there'd still be variation in how well the brain itself decides to use that capacity.
OT technical note.
The reason you do not see a "reply" link is because you viewed the comment within X minutes of its posting. HN disables the reply link for that period. However, if you click on the permalink (the "link" text), you will still get a usable text box for replying.
My strategy is generally to do this, but sometimes I actually just refresh to pick up any new contextual comments.
This discussion is pretty difficult in that there are things we can't define. I don't even know if we're all talking about the same thing when we say "knowledge" and we can't define "healthy", and the term "capacity" for the human brain is assuming we all believe the human brain really does have a limit. I can only assume there is some kind of limit in the same way I assume if I traveled in a straight line forever I'd eventually reach the end of the universe. It's just incomprehensibly large and nothing we do in a lifetime, currently 100 years or so, will reach that limit.
Do you have anything to back this up other than the old rumor that NSA (specifically their crypto) was ahead of private industry by 10 years, something even Bill Binney said is probably not accurate any more? And mind you, this old "10 year ahead" phrase was always specific about crypto, nothing else.
> In fact, I think it's likely that they're significantly smarter than any of us. Bear that in mind when you design your NSA-proof email applications.
I wouldn't bet on it. NSA and many other government agencies are full of incompetent or barely adequate people. Just look at our intelligence failures regarding terrorism and in both wars the last 10 years. NSA has a huge budget with billions of dollars to throw at their problems, so they get stuff done, sure, but smarter than private industry? Nah.
If you want to be wishful about this point, I won't stop you.
The thing that the average HN reader doesn't realize is how much responsibility is on the shoulders of those who choose to spend their time in service to the country (this could be for any country). I couldn't imagine the comments that I've seen about blacklisting former government workers and publicly shaming service men and women coming from anyone who has carried this kind of responsibility.
My sidelining aside, you're definitely correct about TAO people being very skilled. I would have definitely loved to join their ranks. They wanted to swap a couple bodies to trade for me, but my division head wouldn't let me go =\
If you believe government service has any value at all, you should also be willing to blacklist/ostracize when someone continues to support a corrupt/evil part of government. If I saw someone's resume from LAPD Rampart during certain years, I'd be quite suspect. Various foreign militaries. I'm suspect of CIA in the 1990s due to incompetence, not so much evil, DEA ~ever (which is lulzy because a lot of USG people at FBI and in LEOs in general moved from counterdrug to CT post-9/11), and while I think NSA pre-Snowden was quite defensible (and, indeed, honorable), I could imagine someone joining NSA today being viewed differently in a few years than someone who joined before.
I think the 'activists' that were derided are also working hard in the interest of the country. As for blacklisting and shaming former servicemen, see the aforementioned Bill Binney, and Thomas Drake, former NSA workers who dedicated decades of their lives to their country, and were blacklisted and prosecuted by their own government for daring to blow the whistle about violations of the constitution and Americans' privacy rights.
The problem with the NSA's programs isn't that they lack technical controls; it's that they're allowed to supervise their own collection efforts and build their own controls in the first place.
The notion that Binney is a staunch opponent of PRISM-style surveillance is revisionist.
That's plainly false. His system was specifically designed to throw out private data, that is, never to store it. There is no data to view if it's not stored. See his 29C3 technical talk where he goes over it.
> The notion that Binney is a staunch opponent of PRISM-style surveillance is revisionist.
This ignores nearly everything Binney has actually said when asked about why he came forward to blow the whistle on NSA's spying activities. Also, see above.
Pilot tests of ThinThread proved almost too successful, according to a former intelligence expert who analyzed it. “It was nearly perfect,” the official says. “But it processed such a large amount of data that it picked up more Americans than the other systems.” Though ThinThread was intended to intercept foreign communications, it continued documenting signals when a trail crossed into the U.S. This was a big problem: federal law forbade the monitoring of domestic communications without a court warrant. And a warrant couldn’t be issued without probable cause and a known suspect. In order to comply with the law, Binney installed privacy controls and added an “anonymizing feature,” so that all American communications would be encrypted until a warrant was issued. The system would indicate when a pattern looked suspicious enough to justify a warrant.
But this was before 9/11, and the N.S.A.’s lawyers deemed ThinThread too invasive of Americans’ privacy. In addition, concerns were raised about whether the system would function on a huge scale, although preliminary tests had suggested that it would. In the fall of 2000, [General Michael Hayden, the director of the N.S.A.,] decided not to use ThinThread, largely because of his legal advisers’ concerns… .
I'm sure it discarded some things, but the basic technical control that ThinThread appeared to have that Trailblazer (and PRISM) lacked is cryptographic authorization controls.
That's what Binney and Drake have said all along.
Such as? Bill Binney, having actually been one of the top mathematicians at NSA for 30 years, carries more weight than you do, unless you want to share specifics that back up the regurgitation of the "10 year ahead" phrase.
TAO, the shift to attacking IP networks, the shift to active attacks on commercial technologies (vs. spending years to defeat a decade-long-lifecycle foreign comm or cryptosystem), etc. mostly happened after they'd left.
Hell, fundamental understanding of NSA's superior technological capabilities is as old as DES.
1) From what I've seen, at least on the military side, the "training people" concept was actually one of the things they've sacrificed over the past decade or so (and even in the late 1990s) -- it's still obviously done in areas where it's "inherently military or governmental" like flying fighter aircraft, but contractorization has caused the government sphere to revert to more like the commercial world -- fewer people genuinely trained to a good standard from scratch. There's both a higher bar for entry, and a lower output quality.
It might be totally different in the civilian government world stateside, but somehow I doubt it.
The only government jobs which seem to successfully recruit and build skills are government offense jobs (NSA TAO, etc.). Judging by results, on the defense side, they're doing a horrible job of recruiting and using their recruits. From what I've seen of DHS and USCYBERCOM recruiting, it's no better than the commercial world. USCYBERCOM has the benefit of the entire incoming recruit stream of the military, but they've been fairly slow even to train tech/operator level people. That the military is taking that big a role on civilian defense is a sign that DHS/etc. haven't been very successful recruiting for defense.
2) "10 years ahead of private industry" -- not really, since there's essentially a fusion of the contractor space and government. If BAH were somehow vastly more effective than commercial companies, you'd expect them to go into profitable civilian work as well, but only an abject fucking moron would hire any of the defense contractors to do anything if not required to do so by the government (government work is NOT more profitable than the best commercial work, so a competent firm would be motivated to do both). The flow goes the other way; Palantir came from the commercial world back into the government world.
Underestimating one's adversary is always a bad idea, but overestimating them is also bad (if it causes you to give up). The fundamental issue is that a large number of people don't consider USG to be their adversary, and for the most part, it isn't -- congress has abjectly failed in its oversight role, and programs have gotten far too big (in budget and scope), infringing rights (mainly theoretically, still), but a lot of people believe there's both a proper defense role for the military, and that the threats are growing/changing and require IT security.
Remember, even if you love the USG/NSA mission, they have three big handicaps: secrecy, bureaucracy, and security (i.e. being US citizen only). Think about how fucked up a tech company would be if it got to the scale of Microsoft or Google but without being able to hire non-citizens, have people enter/leave freely, hire anyone with at all a shady background, interact much with the outside world, etc. Then add politicians and political appointees, plus 1-2 year stint military, into key roles. From everything I've heard, NSA dealt with that in ancient times (pre-1990s) pretty well, by having career NSA people run things for other career NSA people, but they ended up in a rat-hole of focusing on the PSTN/leased line and under-exploiting the Internet. There were three main eras: the real cold war where everything was mission-driven by the soviets, the "lost years" between the end of the cold war and 9/11, and the new agency post-9/11 focused on commercial systems and "terrorists". CIA had the same challenge...a spy v spy mission, then counterdrug/etc. insanity, and then became basically global assassins and jailers.
I agree with you that the USG is contractorizing infosec --- though note that this makes it even easier for them to recruit --- and that contractorization degrades their capabilities.
I disagree with you on offensive security. I also think you should be aware that the contractor resources the offensive side has don't entirely overlap the defensive stuff; there are better contractors available for the offensive stuff.
And all this goes out the window when it comes to pure signals intelligence and cryptography, where we're not even close.
I assume offensive is focused almost exclusively within NSA and maybe a few elements of DOE/DHS (I'd be utterly terrified if every random OIG office within the government had an offensive security team, like they do have SWAT teams now...) It's also probably a case where they can have a huge lead because (for legal reasons, as well as market reasons) there's limited demand in the commercial world for "full contact" offensive security -- just pentesters and the like, or actual criminal activity, or for the lulz.
The other thing is resources other than ideas. Even I could come up with ideas like "oh, so we need to intercept all the traffic? Let's put fiber splitters at the MAEs and IXes and such.", but having the resources to subsidize facilities, work with carriers, etc. is entirely different.
This is an interesting comment because I would have thought that defense and offense would be fairly symmetrical. Is the asymmetry due to lack of interest in defense? Is it because it's easier to break things than to keep them from breaking? E.g. it's much easier to teach someone to shoot well than it is to teach someone to heal a bullet wound.
It's different when you're designing/implementing security for a new system which is very limited in scope (e.g. I would have loved to have been on the PAL design team for nuclear weapons) and very important/high profile. If you're doing anything else, it's much more a conventional IT job.
In the commercial world, it's kind of like how bitcoin (being disruptive, even if relatively undeveloped and toylike) is super popular, and is exciting, while no one is really super-enthusiastic about implementing x9.9898908098, ACH, etc.
I actually had no idea about there being different contractors on the offense side, since my contact has been really with the defense/customer side (which is shared with most of DOD). It's somewhat reassuring, as I wouldn't actually trust the "defense" people I've met with the level of information and access NSA obviously has.
Not to mention not hiring anyone who smokes marijuana. That would eliminate like 60% of the best CS grads I know.
FBI and other LEOs had a much more serious antidrug screening than DOD or IC.
Oh the patrony!
Maybe the NSA is different but from my experience, the big contractors that do programming for government programs are exactly the same. Lockheed Martin, General Dynamics, etc- they have lots of mediocre .NET and J2EE devs.
Those types of developers you can attract with money. But the truly bright and intelligent people just aren't interested.
Notice something? The folks who get paid (criminals and state workers) are more sophisticated.
Bullshit. They're a pack of morons.
Unfortunately, they're a pack of morons with guns. Not that they have to resort to force. Frequently, they'll just use the legal system to beat you into submission.
Remember, while you have to pay your lawyer, they do not. Their legal funds are, for all intents and purposes, unlimited.
And yet, the U.S. government developed effective new defense and energy technologies during this time.
There are reasons to work for the government that are attractive to top tech talent: access to information and tools that no one in private enterprise has; gigantic budgets, with no demand for profitability; a great mission: protecting the American people.
And if the issue is privacy, there are objections to be made at most top tech companies now as well--most of their product development treads on or over the privacy line of their customers.
I'm not advocating for defense work BTW, just expressing skepticism that the Snowden affair will substantially harm the government's ability to attract tech talent.
It probably will scare off the most innovative, forward thinking hackers...but they've never been a crowd that works for the government anyway. Too slow and bureaucratic.
Robert Oppenheimer, the "Father of the Atomic Bomb," lost his security clearance and his position on the Atomic Energy Commission for voicing concerns and refusing to directly help build the hydrogen bomb in the 50s. He argued it was against the United States' best interests to develop it, because the USSR had no cities large enough to use it on, while the United States did. The United States also had plenty of large atomic bombs with pretty high yield already that were much cheaper to build. Thus, when the Soviets eventually created their own, they would be ones with a reason to have it, while we wasted tons of money giving it to them that could have been spent elsewhere.
Just for reference:
http://www.imdb.com/title/tt0078037/ Great miniseries on Oppenheimer done by the BBC, if one can find it.
And I won't go into the two-faced nature of removing organic search terms from Google analytics but allowing the PPC customers access to that data.
if I were Matt Cutts I'd sleep happier working for the NSA than Google at the moment
I think most people now understand and have well-embraced the idea of "if you don't pay for a product you are the product." Given the relative odds of being injured or killed by a terrorist attack, it's debatable if any utility is gained from giving up your privacy to government.
If you're passionate about tech, then there are some very interesting projects to work on in government.
Rocket scientists want to build rockets. Roboticists want to build robots. Hackers want to hack. They've gotten good at what they do by subordinating other concerns to their driving interests. So, why would they be put off by something that doesn't seem to directly affect them or their loved-ones?
EDIT> Regarding the furor over heavy-handed prosecution of tech-assisted offences: that only matters if you choose the wrong side. I.e. Work on this cool stuff, stay in line, and you'll never have a problem with the law. Not a hard sell.
1. What is a "top" hacker? Someone who has hacked the most systems? Hacked the most secure system? Created the most cleverest exploit?
2. How do you know that it's actually the "top" hackers who are refusing to work with the USG? Because quite conceivably, there are great hackers who are already working at the USG and aren't revealing themselves or quitting in protest. The hackers you have now speaking out may indeed be refusing to work for the USG, but your article is then based on a self-selecting sample.
3. Is being a "top" hacker an immutable thing? If top mercenaries said they'd never join the Navy SEALS, does that mean the SEALs are screwed? Only if you forget that they have no shortage of young men who are pruned and groomed to being elite fighters.
As for the "with the government" vs the "for the government" rebuttals: surveillance and research contractors haven't stopped working with the USG either.
I like money, I like job security, I like playing for a winner, I like being on the bleeding edge.
Were I a crypto guy, I would snatch up a vacated-on-principle spot at the NSA in a heartbeat.
Apart from the fact that it vaguely sounds discriminatory, I don't see what you could achieve on a practical level.
The flip is also true: you're not necessarily contributing to state surveillance just because you work "for the NSA". Two easy examples are SELinux and the various NSA Guides to Securing <OS_of_choice>.
The "Top Hackers" certainly still will work for the government... Why do you think so many are in DC?
Now, I'd have a really hard time doing anything more contractory than selling totally standardized COTS products to the USG, even something non-threatening like a better teleconferencing system, until/unless there is re-established effective elected oversight (i.e. congress, as a whole, and not just 15 committee members with little interest, expertise, or competence) over these programs. Not really holding my breath on that.
I honestly hope they would do that but I lost hope in such a thing happening a long time ago.
Just dangle some money in front of them and they're just average suckers like the rest of humanity.
(It was bad enough that they had to pass laws to consider Vietnam-era veterans a "protected class" for discrimination. From everything I've read and heard about the post Vietnam military, especially the Army, it was even worse (at least until the 1980s, and really until Gulf War I in a lot of ways).)
It is illegal for a citizen to hack other persons' and organizations' computers and take their data.
It is allowed for the government to hack other persons' computers and steal their data. The government now has professional teams of hackers doing just that.
Thus the same laws do not apply for citizens as the government, thus the government thinks they are above the law.
It is almost the same as the government would have teams that steal credit cards and make drugs.
We are walking towards an Internet 3.0 which will be heavily encrypted, anonymized and reinvented by hackers. Imagine encrypted mesh sockets. ifconfig anoninet up
Peer2Peer dns and trust authorities.
Not to mention the banks the government are protecting and the central banks, which purposely steal people's money through inflation. The Fed is privately owned by the banks they are as Federal as Federal Express not at all. The creature from Jekyll island.
With also Binney, Drake, Snowden, with the Justice Dept's Eric Holder and Carmen Ortiz prosecuting with trumped-up draconian charges, and that we also know the intel/security agencies spokespeople with an eagle logo are consistent prevaricators, it is clearly recklessly dangerous to become directly involved with these federally sanctioned criminals.
At least factor that in, while negotiating your compensation.
Besides that though there has been quite a bit of growth in nationalistic sentiment in the hacker community for some time. It seems that it's been present in non-US/EU parts of the culture for quite some time, but I've noticed in recent years it becoming a bigger and more accepted part of US circles. Joking about popping boxes in .cn, seeing the whole country as an enemy, etc. It was a lot quieter on those topics in Vegas this year, but it was certainly a very present part of the dialogue 2010/11, etc.
not work for the government, but for the democrats. will hackers work for democrats in the next presidential election? if it's disappointment with obama, will switching to clinton be enough? and will we see a move to 'blame obama' near the end of his term to help clinton?
"Some security experts remain supportive of the government. NSA Director Keith Alexander's talk at the Black Hat conference was well received on Wednesday, despite a few hecklers.
"...Alexander took a conciliatory tone during his Black Hat speech, defending the NSA but saying he looked forward to a discussion about how it could do things better."
The article portrays Black Hat as the more "professional" conference, as opposed to Def Con.
I don't think GEN Alexander's PSD would have allowed him to attend Defcon this year. (not that his life would have been in danger, but enough violent/etc. heckling that people probably would have gotten hurt, which would be horrible press.)
* Surrounded by cables that couldn't connect
Is there an option in Creative Commons or GPL to exclude government use?