Hacker News new | past | comments | ask | show | jobs | submit login
NSA revelations could hurt collaboration with 'betrayed' hackers (reuters.com)
171 points by Chirael on Aug 9, 2013 | hide | past | web | favorite | 104 comments



The most dangerous and stupid meme percolating in pop tech culture is that the people engaged with tech culture have a unique claim to computer science, electrical engineering, cryptography, information security, and privacy technology. The Slashdot diaspora genuinely believes that most of the world's computer engineering talent reads their comments.

The reality is that not only does money do a fine job of buying talent, but, if it's the USG you're thinking about, they don't even have to try hard; extremely qualified engineering graduates compete to secure positions at NSA, which has been ~10 years ahead of private industry for the last couple decades, before which time they were even further ahead.

Part of the reason the USG doesn't actually have a problem recruiting people is that actually believe in training people. I don't know how effective they really are at it, but I do know that our industry is fundamentally unserious about training. The kinds of commercial organizations that take in raw recruits generally turn out extremely mediocre J2EE and .NET developers. The rest, to a first approximation, run their recruiting programs based on measurements of reproductive organs. Giant defense contractors haul in green IT graduates by the truckload and adapt them to jobs that command significant premiums on the private market. Again, I'm not saying defense contractors can turn information management grads into electronic supersoldiers, but: they're not hurting for recruits.

The reason I think you care about this is because it informs you of a hidden handicap that private industry and activist groups have when facing down the government. I'm very sorry if I'm the first person to break this to you, but if you're an activist targeting the USG, your adversary isn't stupid. In fact, I think it's likely that they're significantly smarter than any of us. Bear that in mind when you design your NSA-proof email applications.

I don't do work for the USG, and haven't before, but I'm realistic about the impact of that decision; it has more to do with my own psychological welfare than it does with anyone else's.


>In fact, I think it's likely that they're significantly smarter than any of us. Bear that in mind when you design your NSA-proof email applications.

Math is math and it's relatively easy to implement decent encryption -- it is possible to pass data securely from end to end.

The larger issue with these projects is that they're usually proposed by someone that can sling a bit of Ruby and fashions him/herself a cyber revolutionary, not someone that understands that the real power of the US Government in the tech sphere is its ability to apply pressure away from a keyboard - whether it be a subpoena for raw data from a hosting provider, legal fuckery, or sending armed soldiers to your doorstep.


Math is math

Physics is physics. We all know time is fixed, the universe has been around forever, and atoms are the smallest indivisible component of matter.

The world, under the guise of "everybody is created equal," has fallen under the spell of "everybody has the same intellectual capacity" (which is clearly wrong). Yahoo isn't paying a high school dropout $100 million + $80 million because of his snazzy FU-my-mom-dresses-me haircut — they're paying him that because he's different. He's better. He's done more in five years than you've done in 20. You can't train that. People just are.

The government tries to grab all the clearly better-than-everybody-else undergrads through their sneaky alliances with CS departments and professors. They usually win.

Programs are programs and it's relatively easy to implement a program. But, some programs are worth billions of dollars and others aren't worth half a farthing. It's the people who make a difference.


> The world, under the guise of "everybody is created equal," has fallen under the spell of "everybody has the same intellectual capacity" (which is clearly wrong). Yahoo isn't paying a high school dropout $100 million + $80 million because of his snazzy FU-my-mom-dresses-me haircut — they're paying him that because he's different. He's better. He's done more in five years than you've done in 20. You can't train that. People just are.

Don't agree. I don't like the idea that knowing some fancy-trendy-computer skill is equal to "He's different", "He's better.". Computer skills don't make you better than a plumber. It's just a skill. A skill that turns out to be in ridiculously high-demand today, but it doesn't make you better than the plumber or the janitor or the cashier at Starbucks. I know when I decided to get a BS in computer-science, I had the full intention of being a videogame developer barely making ends meet in a cockroach-filled apartment. I had absolutely no idea this whole Bay Area trendy-"web2.0"-linux-cloud-opensource movement was going to happen at all. I surely didn't plan to make even half the salary I'm getting now. This make my family incredibly fortunate, but not better than anyone else. I think HN-folks in general need reminders that we're not some group of superior beings, we're just insanely lucky we won the "career-lottery" for being in the right place at the right time with the right skills.

P.S. I don't know how we'd measure intellect, but I do believe that all healthy human beings do have the same potential for the amount of knowledge they can consume, at least at birth. And I'm not even sure how to define "healthy", Stephen Hawking probably doesn't meet most people's definition of healthy but he's very smart, right? And is he smart in all subjects? Or just physics, cosmology, astrophysics and other universe-related things? What subjects do you need to be well-versed in to be considered smart?


I do believe that all healthy human beings do have the same potential for the amount of knowledge they can consume

Nope.

There are a lot of non-intelligent people out there. No matter how hard they try, they're not going to be theoretical physicists. If you think these people have the potential, but they're just not trying hard enough, that's an extremely bizarre view of the reality of their existence.

You're right though that David Karp's $180M payout is, in part, a product of luck and forces beyond his control.

According to probability, Karp probably is better at most things than a random person on HN. But is he better because of his $180M payout? Karp experienced a unique set of circumstances beyond his control (as each of us do) and none of his life experiences prevented him from reaching this payout (extremely lucky).

No doubt, his success and achievements suggest he is smart, hardworking, dedicated, etc. But another person, twice as smart, twice as hardworking, twice as dedicated, is affected daily by a totally different series of external events beyond his control, any one of which might preclude him from realizing the scenario where he gets a $180M payout.

And, some people choose paths in science/engineering/software/anything that preclude the possibility of a $180M payout. The researcher toiling in a lab to push forward the boundaries of human knowledge and achievement is most likely going to earn a modest salary his entire life (modest, at least, relative to Karp's). Is he worse in any way because he didn't create a microblogging platform that existed at the right place at the right time? Of course not.


>> He's done more in five years than you've done in 20. You can't train that. People just are.

> I do believe that all healthy human beings do have the same potential for the amount of knowledge they can consume, at least at birth.

If there's anything I've learned from my experience in neuropsychiatry research, it's that there's a whole lot of natural and environmental variation in human biology and psychology. I've seen kids who would otherwise appear healthy and sociable score astonishingly low on cognitive tests (e.g., on executive function, pattern recognition, block design, etc.). I've also seen kids who would otherwise appear completely healthy and normal score amazingly high, by way of extensive schooling and parental attention (and also very often, wealth).

So I'd disagree with both comments above that (1) intellectual capacity can't be trained and (2) healthy humans have the same intellectual potential.


> I do believe that all healthy human beings do have the same potential for the amount of knowledge they can consume, at least at birth

This makes no sense whatsoever. Do you really believe that while people have genetics that control their skin color, hair color, susceptibility to various diseases, etc., etc., etc., somehow the brain is some magic non-biological organ that is not built by DNA?


Ok, let me put it another way. If there is a variation for the amount of knowledge the brain can consume from human to human, assuming they're "healthy", it's gonna be something like Infinity x 99, infinity x 8, Infinity / 2. Whatever it is, it'll be a limit that's way beyond what a human being could ever reach in a lifetime.


Optimism is good, but at this point, you're driving past believing in the intrinsic awesome of human beings into the territory of magical thinking.

"Amount of knowledge" isn't a useful metric, as anyone in pedagogy can tell you. It's not even about "healthiness", which is meaningless, or disability, which is less meaningless. Brains are not hard disks. They aren't knowledge storage machines. That's just one of its minor functions.


You're completely right. This discussion is almost impossible since, for the human brain, I can't define "knowledge", "capacity", "limit", "intellect". I mean really, what does it mean for a human brain to reach capacity anyway? What function is it not able to do once it reaches that point? What does it mean to be smart or intellectual? Do we all agree that Stephen Hawking is those things? Why? I don't know and I can't even begin to debate it, I'm not smart enough. ;)


> I don't know and I can't even begin to debate it, I'm not smart enough.

Well, no. You lack the knowledge for having a useful discussion about it. Spend time brushing up on pedagogical techniques, neuroscience, cognitive science, psychology: all the fields that touch on growth in the mental dimensions of a human being. My own expertise is pretty minimal, but just seeing the cutting edge of the research is fascinating and can help keep you honest when making claims.

This isn't a political/stylistic discussion. It rests on factual foundations, where people have actually looked at fMRIs or done longitudinal studies on schools or scrutinized the brain composition of different age groups.


Science doesn't fully understand the human brain so I cannot agree that intelligence can be fully measured by any scientific means today. We have some tests, but the value of them is debated.


So you don't believe that there's a spectrum of disability? You're either intellectually disabled to the point of not being able to dress yourself... or you're a potential Einstein - nothing in between?


It doesn't seem like I can reply to smtddr's sibling comment here (probably nested too deep?). So here's my two cents:

I agree that in context of memory, the brain's capacity does appear limitless. However, the brain's capacity to process all of the information that it's exposed to is quite limited. For example, for most people, working memory is limited to 7 items plus/minus 2. One part of a standard cognitive test is to expose the subject to a list of numbers, and after hiding the numbers, ask the subject to repeat them back to you (and again, but backwards). A similar test of memory is to ask a subject to remember a list of items, then ask a series of other questions, then ask the subject to repeat the same list some time later. Some people do pretty well at these tests; some don't (approximating a normal distribution in ). So while it's theoretically possible that all subjects do have all of the numbers stored in their brain, it's quite clear that there's differing capability at least in memory encoding and/or retrieval.

I guess I also wanted to mention the concept of saliency. Different people will pay attention to different things even if all of the people are exposed to exactly the same stimuli. This is important because the brain only encodes to memory what it finds particularly important and/or interesting (i.e. salient). This can be trained to a degree: more experienced or trained people will be able to detect what's important, like a soldier being better able to "sense" the presence of an IED in a warzone. So even if everyone has exactly the same memory capacity, there'd still be variation in how well the brain itself decides to use that capacity.


> It doesn't seem like I can reply to smtddr's sibling comment here (probably nested too deep?).

OT technical note.

The reason you do not see a "reply" link is because you viewed the comment within X minutes of its posting. HN disables the reply link for that period. However, if you click on the permalink (the "link" text), you will still get a usable text box for replying.

My strategy is generally to do this, but sometimes I actually just refresh to pick up any new contextual comments.


I can't define what it means to be "Einstein". I can only say that "capacity for knowledge" in a "healthy" human brain is well beyond what it could ever be exposed to in a lifetime. Note that when I say "capacity", I thinking in terms of a computer harddrive(which is questionable). No "healthy" human being can fill up their brain within a lifetime.

This discussion is pretty difficult in that there are things we can't define. I don't even know if we're all talking about the same thing when we say "knowledge" and we can't define "healthy", and the term "capacity" for the human brain is assuming we all believe the human brain really does have a limit. I can only assume there is some kind of limit in the same way I assume if I traveled in a straight line forever I'd eventually reach the end of the universe. It's just imcomprehendably large and nothing we do in a lifetime, currently 100 years or so, will reach that limit.


You make it seem like crypto is a solved domain. Implementation of crypto is incredibly difficult to do right even when the underlying "math" is provably secure.


Heh.


yeah right if your Bruce it is :-)



> NSA, which has been ~10 years ahead of private industry for the last couple decades, before which time they were even further ahead.

Do you have anything to back this up other than the old rumor that NSA (specifically their crypto) was ahead of private industry by 10 years, something even Bill Binney said is probably not accurate any more. And mind you, this old "10 year ahead" phrase was always specific about crypto, nothing else.

> In fact, I think it's likely that they're significantly smarter than any of us. Bear that in mind when you design your NSA-proof email applications.

I wouldn't bet on it. NSA and many other government agencies are full of incompetent or barely adequate people. Just look at our intelligence failures regarding terrorism and in both wars the last 10 years. NSA has a huge budget with billions of dollars to throw at their problems, so they get stuff done, sure, but smarter than private industry? Nah.


Yes, I do have things to back it up. No, I'm not simply referring to cryptography. NSA is a very large organization; Bill Binney's say-so doesn't mean a whole lot to me. Look at the kinds of people that "graduate" from NSA TAO, and note that that's the program they let us know about.

If you want to be wishful about this point, I won't stop you.


All of the truly remarkable intelligences I met, I met at NSA. There are certainly people that aren't (as with any organization), but the NSA is probably the only meritocracy in the USG. The pipeline for advancement is one of either taking a technical route or a management route. This means that you can reach the highest levels of the organization and pay grades simply by being good at what you do in an analytical sense or a leadership sense.

The thing that the average HN reader doesn't realize is how much responsibility is on the shoulders of those who choose to spend their time in service to the country (this could be for any country). I couldn't imagine the comments that I've seen about blacklisting former government workers and publicly shaming service men and women coming from anyone who has carried this kind of responsibility.

My sidelining aside, you're definitely correct about TAO people being very skilled. I would have definitely loved to join their ranks. They wanted to swap a couple bodies to trade for me, but my division head wouldn't let me go =\


I've met some genuinely sub-par-for-anywhere NSA people as well, though, although in the various letters which correspond to internal sysadmin support and the like.

If you believe government service has any value at all, you should also be willing to blacklist/ostracize when someone continues to support a corrupt/evil part of government. If I saw someone's resume from LAPD Rampart during certain years, I'd be quite suspect. Various foreign militaries. I'm suspect of CIA in the 1990s due to incompetence, not so much evil, DEA ~ever (which is lulzy because a lot of USG people at FBI and in LEOs in general moved from counterdrug to CT post-9/11), and while I think NSA pre-Snowden was quite defensible (and, indeed, honorable), I could imagine someone joining NSA today being viewed differently in a few years than someone who joined before.


> I couldn't imagine the comments that I've seen about blacklisting former government workers and publicly shaming service men and women coming from anyone who has carried this kind of responsibility.

I think the 'activists' that were derided are also working hard in the interest of the country. As for blacklisting and shaming former servicemen, see the aforementioned Bill Binney, and Thomas Drake, former NSA workers who dedicated decades of their lives to their country, and were blacklisted and prosecuted by their own government for daring to blow the whistle about violations of the constitution and Americans' privacy rights.


Bill Binney's complaint about the NSA was that they were wasting money on a system that did a poorer job of handling US-centric SIGINT. He was not himself opposed to collecting intelligence on US citizens; his own "ThinThread" system was designed to do exactly that, but with better technical controls over who could view the data.

The problem with the NSA's programs isn't that they lack technical controls; it's that they're allowed to supervise their own collection efforts and build their own controls in the first place.

The notion that Binney is a staunch opponent of PRISM-style surveillance is revisionist.


> his own "ThinThread" system was designed to do exactly that, but with better technical controls over who could view the data.

That's plainly false. His system was specifically designed to throw-out private data, that is, never to store it. There is no data to view if it's not stored. See his 29C3 technical talk where he goes over it. [1]

>The notion that Binney is a staunch opponent of PRISM-style surveillance is revisionist.

This ignores nearly everything Binney has actually said when asked about why he came forward to blow the whistle on NSA's spying activities. Also, see above.

[1] https://www.youtube.com/watch?v=XDM3MqHln8U


New Yorker:

Pilot tests of ThinThread proved almost too successful, according to a former intelligence expert who analyzed it. “It was nearly perfect,” the official says. “But it processed such a large amount of data that it picked up more Americans than the other systems.” Though ThinThread was intended to intercept foreign communications, it continued documenting signals when a trail crossed into the U.S. This was a big problem: federal law forbade the monitoring of domestic communications without a court warrant. And a warrant couldn’t be issued without probable cause and a known suspect. In order to comply with the law, Binney installed privacy controls and added an “anonymizing feature,” so that all American communications would be encrypted until a warrant was issued. The system would indicate when a pattern looked suspicious enough to justify a warrant.

But this was before 9/11, and the N.S.A.’s lawyers deemed ThinThread too invasive of Americans’ privacy. In addition, concerns were raised about whether the system would function on a huge scale, although preliminary tests had suggested that it would. In the fall of 2000, [General Michael Hayden, the director of the N.S.A.,] decided not to use ThinThread, largely because of his legal advisers’ concerns… .

I'm sure it discarded some things, but the basic technical control that ThinThread appeared to have that Trailblazer (and PRISM) lacked is cryptographic authorization controls.


The New Yorker's Mayer is paraphrasing an anonymous source, which she then counter-points in the very next sentence of the article with a quote from NSA historian Matthew Aid, who says: “The resistance to ThinThread was just standard bureaucratic politics. ThinThread was small, cost-effective, easy to understand, and protected the identity of Americans.” [1]

That's what Binney and Drake have said all along.

[1] http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_...


I think if you read my comments you'll find that I'm not denying that ThinThread had a goal of protecting the identity of Americans. The problem is that the collections programs underpinning PRISM and XKEYSCORE also have that goal. The problem isn't the technology.


> Yes, I do have things to back it up.

Such as? Bill Binney, having actually been one of the top mathematicians at NSA for 30 years, carries more weight than you do, unless you want to share specifics that back up the regurgitation of the "10 year ahead" phrase.


Binney and Wiebe left NSA at what I think was the low point of the agency, after losing political battles internally and getting marginalized.

TAO, the shift to attacking IP networks, the shift to active attacks on commercial technologies (vs. spending years to defeat a decade-long-lifecycle foreign comm or cryptosystem), etc. mostly happened after they'd left.


Cryptographers understand this fact more than most; what we know of crypto is often rediscoveries of secret stuff, years late, kind of like how open-source "big data" software is a clone of whatever Google was doing 5-10 years ago.


I love how tech activists behave as if they're just now discovering that NSA has far-reaching technical capabilities. As I recall, something like 1/5th of Applied Cryptography is dedicated to teaching people how powerful NSA is. When NIST standardized DSA, they had to try to document the process by which the groups were generated, because half the cryptography world just basically assumed as an article of faith that anything NIST standardized must be backdoored.

Hell, fundamental understanding of NSA's superior technological capabilities is as old as DES.


Generally I'd agree except for two points.

1) From what I've seen, at least on the military side, the "training people" concept was actually one of the things they've sacrificed over the past decade or so (and even in the late 1990s) -- it's still obviously done in areas where it's "inherently military or governmental" like flying fighter aircraft, but contractorization has caused the government sphere to revert to more like the commercial world -- fewer people genuinely trained to a good standard from scratch. There's both a higher bar for entry, and a lower output quality.

It might be totally different in the civilian government world stateside, but somehow I doubt it.

The only government jobs which seem to successfully recruit and build skills are government offense jobs (NSA TAO, etc.). Judging by results, on the defense side, they're doing a horrible job of recruiting and using their recruits. From that I've seen of DHS and USCYBERCOM recruiting, it's no better than the commercial world. USCYBERCOM has the benefit of the entire incoming recruit stream of the military, but they've been fairly slow even to train tech/operator level people. That the military is taking that big a role on civilian defense is a sign that DHS/etc. haven't been very successful recruiting for defense.

2) "10 years ahead of private industry" -- not really, since there's essentially a fusion of the contractor space and government. If BAH were somehow vastly more effective than commercial companies, you'd expect them to go into profitable civilian work as well, but only an abject fucking moron would hire any of the defense contractors to do anything if not required to do so by the government (government work is NOT more profitable than the best commercial work, so a competent firm would be motivated to do both). The flow goes the other way; Palantir came from the commercial world back into the government world.

Underestimating one's adversary is always a bad idea, but overestimating them is also bad (if it causes you to give up). The fundamental issue is that a large number of people don't consider USG to be their adversary, and for the most part, it isn't -- congress has abjectly failed in its oversight role, and programs have gotten far too big (in budget and scope), infringing rights (mainly theoretically, still), but a lot of people believe there's both a proper defense role for the military, and that the threats are growing/changing and require IT security.

Remember, even if you love the USG/NSA mission, they have three big handicaps: secrecy, bureaucracy, and security (i.e. being US citizen only). Think about how fucked up a tech company would be if it got to the scale of Microsoft or Google but without being able to hire non-citizens, have people enter/leave freely, hire anyone with at all a shady background, interact much with the outside world, etc. Then add politicians and political appointees, plus 1-2 year stint military, into key roles. From everything I've heard, NSA dealt with that in ancient times (pre-1990s) pretty well, by having career NSA people run things for other career NSA people, but they ended up in a rat-hole of focusing on the PSTN/leased line and under-exploiting the Internet. There were three main eras: the real cold war where everything was mission-driven by the soviets, the "lost years" between the end of the cold war and 9/11, and the new agency post-9/11 focused on commercial systems and "terrorists". CIA had the same challenge...a spy v spy mission, then counterdrug/etc. insanity, and then became basically global assassins and jailers.


I agree with you regarding defense. I do not think any part of the USG is truly competent at defending their own systems.

I agree with you that the USG is contractorizing infosec --- though note that this makes it even easier for them to recruit --- and that contractorization degrades their capabilities.

I disagree with you on offensive security. I also think you should be aware that the contractor resources the offensive side has don't entirely overlap the defensive stuff; there are better contractors available for the offensive stuff.

And all this goes out the window when it comes to pure signals intelligence and cryptography, where we're not even close.


Absolutely on the sigint/elint/etc and traffic analysis side, they are probably decades ahead (mainly because no one else actually cares. Pretty much the closest competition is people trying to meet FCC B regulations and amateur radio people. It's not even a race. There's CR and maybe a couple others beating the drum on side channel emissions and the commercial market seems to not care.)

I assume offensive is focused almost exclusively within NSA and maybe a few elements of DOE/DHS (I'd be utterly terrified if every random OIG office within the government had an offensive security team, like they do have SWAT teams now...) It's also probably a case where they can have a huge lead because (for legal reasons, as well as market reasons) there's limited demand in the commercial world for "full contact" offensive security -- just pentesters and the like, or actual criminal activity, or for the lulz.

The other thing is resources other than ideas. Even I could come up with ideas like "oh, so we need to intercept all the traffic? Let's put fiber splitters at the MAEs and IXes and such.", but having the resources to subsidize facilities, work with carriers, etc. is entirely different.


>I also think you should be aware that the contractor resources the offensive side has don't entirely overlap the defensive stuff; there are better contractors available for the offensive stuff.

This is an interesting comment because I would have thought that defense and offense would be fairly symmetrical. Is the asymmetry due to lack of interest in defense? Is it because it's easier to break things then to keep them from breaking? E.g. it's much easier to teach someone to shoot well than it is to teach someone to heal a bullet wound.


The government is a particularly painful place to do defense, but even in the commercial world, defense is pain and generally doesn't attract people who are as "awesome" as offense. It tends to be more a conventional IT function, just implementing standards on existing stuff, mainly policy, etc. (NSA/DOD uses totally conventional computers for almost all of its work, so it's really "how to secure large Windows networks")

It's different when you're designing/implementing security for a new system which is very limited in scope (e.g. I would have loved to have been on the PAL design team for nuclear weapons) and very important/high profile. If you're doing anything else, it's much more a conventional IT job.

In the commercial world, it's kind of like how bitcoin (being disruptive, even if relatively undeveloped and toylike) is super popular, and is exciting, while no one is really super-enthusiastic about implementing x9.9898908098, ACH, etc.

I actually had no idea about there being different contractors on the offense side, since my contact has been really with the defense/customer side (which is shared with most of DOD). It's somewhat reassuring, as I wouldn't actually trust the "defense" people I've met with the level of information and access NSA obviously has.


> Think about how fucked up a tech company would be if it got to the scale of Microsoft or Google but without being able to hire non-citizens, have people enter/leave freely, hire anyone with at all a shady background, interact much with the outside world, etc.

Not to mention not hiring anyone who smokes marijuana. That would eliminate like 60% of the best CS grads I know.


It's the "CS grads you know" thing that is the problem. There's plenty of Venn overlap between hardcore CS and ROTC, too. They're just not the people we hang out with.


FWIW, NSA doesn't hire people who "smoke" marijuana, but probably doesn't have a huge problem now (extrapolating from the past) with people who "smoked" marijuana. It's probably below "has a foreign spouse" on their rejection criteria, provided it was "a college thing".

FBI and other LEOs had a much more serious antidrug screening than DOD or IC.


Bear that in mind when you design your NSA-proof email applications.

Oh the patrony!


Sorry about that; you're right.


"The kinds of commercial organizations that take in raw recruits generally turn out extremely mediocre J2EE and .NET developers"

Maybe the NSA is different but from my experience, the big contractors that do programming for government programs are exactly the same. Lockheed Martin, General Dynamics, etc- they have lots of mediocre .NET and J2EE devs.

Those types of developers you can attract with money. But the truly bright and intelligent people just aren't interested.


"I don't do work for the USG". Talk about burying the lede. So where did you get this knowledge about the awesomeness of Government training? I DO work for a contractor, one that hires from the same market as everyone else, with lower salaries. We're not all morons, but I was unaware we were turning substandard hires into geniuses. I must have missed the training program.


In the terms of the hacker sophistication, hactivists tend to rank lowest, below criminal organizations, and then nation states at the top.

Notice something? The folks who get paid (criminals and state workers) are more sophisticated.


> In fact, I think it's likely that they're significantly smarter than any of us.

Bullshit. They're a pack of morons.

Unfortunately, they're a pack of morons with guns. Not that they have to resort to force. Frequently, they'll just use the legal system to beat you into submission.

Remember, while you have to pay your lawyer, they do not. Their legal funds are, for all intents and purposes, unlimited.


That's not actually a rebuttal, but if it makes you feel better...


This is wishful thinking.


There have always been reasons to object to working in national defense. During the Cold War quite a few physicists and engineers chose not to go into defense work because they did not want to feel like they were hastening nuclear Armageddon.

And yet, the U.S. government developed effective new defense and energy technologies during this time.

There are reasons to work for the government that are attractive to top tech talent: access to information and tools that no one in private enterprise has; gigantic budgets, with no demand for profitability; a great mission: protecting the American people.

And if the issue is privacy, there are objections to made at most top tech companies now as well--most of their product development treads on or over the privacy line of their customers.

I'm not advocating for defense work BTW, just expressing skepticism that the Snowden affair will substantially harm the government's ability to attract tech talent.

It probably will scare off the most innovative, forward thinking hackers...but they've never been a crowd that works for the government anyway. Too slow and bureaucratic.


> "There have always been reasons to object to working in national defense. During the Cold War quite a few physicists and engineers chose not to go into defense work because they did not want to feel like they were hastening nuclear Armageddon."

Robert Oppenheimer, the "Father of the Atomic Bomb," lost his security clearance and his position on the Atomic Energy Commission for voicing concerns and refusing to directly help build the hydrogen bomb in the 50s. He argued it was against the United States' best interests to develop it, because the USSR had no cities large enough to use it on, while the United States did. The United States also had plenty of large atomic bombs with pretty high yield already that were much cheaper to build. Thus, when the Soviets eventually created their own, they would be ones with a reason to have it, while we wasted tons of money giving it to them that could have been spent elsewhere.

Just for reference:

http://en.wikipedia.org/wiki/Robert_Openheimer#Atomic_Energy...

http://www.imdb.com/title/tt0078037/ Great miniseries on Oppenheimer done by the BBC, if one can find it.


I also highly recommend reading the book, American Prometheus.

http://www.amazon.com/American-Prometheus-Triumph-Tragedy-Op...


I'll have to pick it up. I've always considered Oppenheimer one of the most interesting people to have lived. He was very charismatic, winning over scientist and bureaucrat alike and a compromiser when necessary, but yet would not compromise when it came to the issue of the hydrogen bomb at the height of "McCarthyism". Too bad he's mostly forgotten in present day history.


He was interesting. It's a shame how much he was ostracized by the very same people who used him to get to the atomic bomb. The book does his life and his life's work justice. It's an extremely interesting and well written account.


Yes to play devils advocate working for Google on say algo updates means you are responsible for people losing their jobs.

And I wont go into two faced nature of removing organic search terms from Google analytics but allowing the PPC customers access to that data.

if I where Matt Cutts id sleep happier working for the NSA than Google at the moment


> most of their product development treads on or over the privacy line of their customers.

I think most people now understand and have well-embraced the idea of "if you don't pay for a product you are the product." Given the relative odds of being injured or killed by a terrorist attack, it's debatable if any utility is gained from giving up your privacy to government.


If by "most people", you mean "most HN readers", then I agree. But if you actually mean "most people", then I'd say that issue is probably not even on their radar.


I'm not convinced. People are very good at cognitive dissonance.

If you're passionate about tech, then there are some very interesting projects to work on in government.

Rocket scientists want to build rockets. Roboticists want to build robots. Hackers want to hack. They've gotten good at what they do by subordinating other concerns to their driving interests. So, why would they be put off by something that doesn't seem to directly affect them or their loved-ones?

EDIT> Regarding the furor over heavy-handed prosecution of tech-assisted offences: that only matter if you choose the wrong side. I.e. Work on this cool stuff, stay in line, and you'll never have a problem with the law. Not a hard sell.


Even before seeing that the submission was from techdirt, the headline itself contains the type of assertion that is highly questionable on its face.

1. What is a "top" hacker? Someone who has hacked the most systems? Hacked the most secure system? Created the most cleverest exploit?

2. How do you know that it's actually the "top" hackers who are refusing to work with the USG? Because quite conceivably, there are great hackers who are already working at the USG and aren't revealing themselves or quitting in protest. The hackers you have now speaking out may indeed be refusing to work for the USG, but your article is then based on a self-selecting sample.

3. Is being a "top" hacker an immutable thing? If top mercenaries said they'd never join the Navy SEALS, does that mean the SEALs are screwed? Only if you forget that they have no shortage of young men who are pruned and groomed to being elite fighters.


I'd love if we could add techdirt to the auto kill submission list. That would help cut down on the inflammatory noise articles being submitted without much substance.


Contrary to the article's inflammatory title, software engineers haven't quit their jobs at the USG en masse.

As for the "with the government" vs the "for the government" rebuttals: surveillance and research contractors haven't stopped working with the USG either.


I don't think there will be droves of people leaving because of recent scandals. But it sure will make it harder to answer a smart college grad who asks "Why should I work for the NSA?" when he/she has options at private tech companies.


The answer is easy.

I like money, I like job security, I like playing for a winner, I like being on the bleeding edge.

Were I crypto guy, I would snatch up a vacated-on-principle spot at the NSA in a heartbeat.


I guess at least you know your price.


I'm sure it will be a consideration, but I wonder how MUCH of a consideration it really will end up being. The loudest voices against the government in the current debate seem unlikely to be people who would work for the government under most circumstances anyway. At the end of the day, the NSA will always be a secret government intelligence gathering organization, 3 descriptors that seem at odds with a big part of the hacker community to begin with.


Except... They aren't only recruiting "smart college grads" they're recruiting smart college Freshmen etc. I know several people who did internships with the NSA/DoD starting their freshmen year. And I can tell you at that point there is still the shiny, "I work for the NSA! This is so cool!" feeling.


If their friends, condemned their actions i.e. working for a bunch of incompetent, paranoid spooks, their job outlook would change as well.


How would their friends know you you are working for the NSA? Shurly you sign the official secrets act (the US version of it) at the interview stage and have an agreed cover story for your referees.


I believe they let you tell people who ask since being evasive would raise more suspicion.


Thats why you have a cover story allegedly :-)


NSA has both overt and covert employees.


i agree with this statement. i don't think that anyone was saying they would quit the government en masse. i actually got the impression that they were talking about freelancers and such, but i could be wrong.


They just write stories like this so it will make it to HN and drives traffic. Nothing has changed. There are just more people running on that gerbil wheel on HN.


Doesn't really present much evidence that this is happening so far, but I wouldn't be surprised if the continuing revelations push more and more hackers in this direction, especially at the margins. The possibility of such a "self-correcting" measure to the surveillance state, even without legislative reform, is one reason to be optimistic (though it would be naive to put too much hope in that alone)


I dont know about your second point, but I definitely agree the link quotes another article that says something "might" happen. While I hope that the intelligencia of america wake the hell up and stop cooperating, this article is a crock of shit.


We really need to out and shame any engineer or contracting agency working for the NSA. If they can't hire anyone they can't spy on anyone.


Once you have done this outing and shaming, what do you expect to do? Burn the engineer or contracting agency at the center of the town hall? Have a fifties style whisper campaign where you refuse to go to their cocktail party?

Apart from the fact that it vaguely sounds discriminatory, I don't see what you could achieve on a practical level.


A de-facto blacklist where having the NSA on your resumé is as desirable as having NAMBLA?


What happens when the people you're trying to shame simply do not care about your opinion, or the opinions of anyone else?


The same thing as if you had done nothing.


Assuming sane people would respond to this criticism by leaving, what would be left with? As with any institution, perhaps it is better to have sane people working there, trying to change it from the inside.


It's worth pointing out that you don't need to work "for the NSA" to be contributing to state surveillance. If someone is hired straight out of college to work for any type of cloud services provider with revenues over a billion, it's probably safe to say that they your prospective employer has enough market reach to have attracted the attention of state surveillance programs. Of course, by law, your prospective employer would be required to lie to you about involvement.


> It's worth pointing out that you don't need to work "for the NSA" to be contributing to state surveillance.

The flip is also true: you're not necessarily contributing to state surveillance just because you work "for the NSA". Two easy examples are SELinux and the various NSA Guides to Securing <OS_of_choice>.


I always assumed SELinux was backdoored. I am still waiting on the proof that I am wrong.


Wow, awful. If you got to a InfoSec/Hacker Con the people there either work for Govt Contractors, Used to work for the Govt, or work at small companies (that get paid by the govt).

The "Top Hackers" certainly still will work for the government.....Why do you think so many are in DC


I'm certainly not a TAO offensive security type, but maybe I'm somewhat representative of median people in the security space. I was certainly more than willing to work for USG at one point, but the "crypto wars" of the 1990s (as well as the end of the cold war and lack of a mission) convinced me not to go to NSA then (I was going to do ROTC -> NSA). Post-9/11, I fully supported both the USG infosec mission and the use of sigint/etc. to go after specific foreign terrorist groups, and worked as a defense contractor with what that entails (although doing nothing so glamorous as NSA/TAO/etc., but at least not running a helpdesk for ITT either. I envied INSCOM/ISA so much.).

Now, I'd have a really hard time doing anything more contractory than selling totally standardized COTS products to the USG, even something non-threatening like a better teleconferencing system, until/unless there is re-established effective elected oversight (i.e. congress, as a whole, and not just 15 committee members with little interest, expertise, or competence) over these programs. Not really holding my breath on that.


This would all sound nice and all but where's the proof? Just hackers saying they will refuse government contracts doesn't mean anything.

I honestly hope they would do that but I lost hope in such a thing happening a long time ago.

Just dangle some money in front of the and they're just average suckers like the rest of humanity.


We do have a pretty clear historical precedent. In the late Vietnam era and immediately after, the prestige of the military, and thus the quality of recruits and soldiers in the US military was basically at its lowest point ever (at least since we started having a big standing military with WW2). I mean, really bad. I'm not sure how much of this was due to "evil babykillers" meme about Vietnam, or the stink of failure from losing our first (and unpopular) war, or what, but it's conceivable the same kind of thing could affect NSA recruiting. The post-Snowden fiasco is about 5% of the way toward doing that, though -- until we see evidence of actual people that "we" "care about" seriously harmed, it won't get much closer than we are now.

(It was bad enough that they had to pass laws to consider Vietnam-era veterans a "protected class" for discrimination. From everything I've read and heard about the post Vietnam military, especially the Army, it was even worse (at least until the 1980s, and really until Gulf War I in a lot of ways.)


The state are purposely allowed to break laws the citizens are not allowed to break.

It is illegal for a citizen to hack other persons and organizations computers and take their data. It is allowed for the government to hack other persons computers and steal their data. The government now has professional teams of hackers doing just that.

Thus the same laws does not apply for citizens as the government, thus the government thinks they are above the law.

It is almost the same as the government would have teams that steal credit cards and make drugs.

We are walking towards a Internet 3.0 which be heavily encrytped anonymized and reinvented by hackers. Imagine encrypted mesh sockets. ifconfig anoninet up Peer2Peer dns and trust authorities.

Not to mention the banks the government are protecting and the central banks, which purposely steals peoples money through inflation. The Fed is privately owned by the banks they are as Federal as Federal express not at all. The creature from Jekyll island.


"Closest to home for many hackers are the government's aggressive prosecutions under the Computer Fraud and Abuse Act, which has been used against Internet activist Aaron Swartz, who committed suicide in January, and U.S. soldier Bradley Manning, who leaked classified files to anti-secrecy website WikiLeaks."

With also Binney, Drake, Snowden, with the Justice Dept's Eric Holder and Carmen Ortiz prosecuting with trump upped draconian charges, and that we also know the intel/security agencies spokespeople with an eagle logo are consistent prevaricators, it is clearly recklessly dangerous to become directly involved with these federally sanctioned criminals. At least factor that in, while negotiating your compensation.


This is sadly far from true. There is plenty of talent to be bought for the right amount of money and plenty of talented people who can divorce morality from their job.

Besides that though there have been quite a bit of growth in nationalistic sentiment in the hacker community for some time. It seems that its been present in non-US/EU parts of the culture for quite some time, but I've noticed in recent years it becoming a bigger and more accepted part of US circles. Joking about popping boxes in .cn, seeing the whole country as an enemy, etc. It was a lot quieter on those topics in Vegas this year, but it was certainly a very present part of the dialogue 2010/11, etc.


one related thing that i have been wondering about: it's been argued that the internet-based voter support was key in getting obama elected. will that same team - or similar people - be willing to work next time round?

not work for the government, but for the democrats. will hackers work for democrats in the next presidential election? if it's disappointment with obama, will switching to clinton be enough? and will we see a move to 'blame obama' near the end of his term to help clinton?


It seems to me like a great way for the government to really start keeping close tabs on you would be to have any sort of tech job for them and quit -- especially after Snowden.


Interesting paragraph from the Reuters article:

"Some security experts remain supportive of the government. NSA Director Keith Alexander's talk at the Black Hat conference was well received on Wednesday, despite a few hecklers.

"...Alexander took a conciliatory tone during his Black Hat speech, defending the NSA but saying he looked forward to a discussion about how it could do things better."

The article portrays Black Hat as the more "professional" conference, as opposed to Def Con.


Mostly because DC20 happened a year ago, before Snowden.

I don't think GEN Alexander's PSD would have allowed him to attend Defcon this year. (not that his life would have been in danger, but enough violent/etc. heckling that people probably would have gotten hurt, which would be horrible press.)


"An illustration picture shows the logo of the U.S. National Security Agency on the display of an iPhone * in Berlin, June 7, 2013. Credit: Reuters/Pawel Kopczynski"

* Surrounded by cables that couldn't connect


tptacek what is your sourcing on this? I have spoken with people at engineering schools-- including those with close ties with the NSA, where NSA goes for hiring-- and they say the NSA is hurting. A recently retired (as in that month) fed at DefCon said straight up we are seriously behind you guys and cant keep up because of bureaucracy.


"it's significant that the NSA's massive XKeyscore program runs on a Linux cluster."

Is there an option in Creative Commons or GPL to exclude government use?


No, and at least on the GPL, this is by principle. Free software, as proposed by the FSF, is agnostic to these issues by design.


Such an exclusion would be incompatible with the GPL. There are other licenses that do have such an exclusion.


If they modified GPL code, maybe they can be sued to release changes.


The only action possible against the federal government for copyright violation is an action in the Court of Federal Claims to recover money damages. [1]

[1] http://www.law.cornell.edu/uscode/text/28/1498


No, and that is one of the reason GPLs in an immoral license.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: