
The NSA has clearly recruited employees from companies like Google, Facebook, Cisco, etc. to compromise and place vulnerabilities that the NSA can exploit. The fact that the NSA has decided that the legal channels to acquire data through warrants and actual investigations no longer apply must be stopped.

As an example, I have a small VoIP company. At one point, we were processing about a billion calls a week. A malicious employee could probably set up a trace and collect call records or record calls. I'd have no real defense against hiring someone that worked for the NSA.

An employee at a hosting company could do huge amounts of damage. Consider SSL certs can be issued just by checking email to prove "ownership". At some large ISPs/datacenters, it'd be "fairly easy" to intercept the confirmation email and get SSL issued in a company's name "legitimately" (that is, no bad effects to the CA and not traceable to the NSA).

Subverted employees are a huge threat and we should really consider that when looking at security in general.

Hey BugBrother, I don't know who is downvoting all your comments, but they seem within scope and inoffensive to me, so don't let the cowardly phibjobblers get to you.
