Comment by ferrouswheel
1 day ago
It's interesting how many comments these days are like, "well of course".
Back in the day hackernews had some fire and resistance.
Too many tech workers decided to rollover for the government and that's why we are in this mess now.
This isn't an argument about law, it's about designing secure systems. And lazy engineers build lazy key escrow the government can exploit.
> Back in the day hackernews had some fire and resistance.
Most of the comments are fire and resistance, but they commonly take ragebait and run with the assumptions built-in to clickbait headlines.
> Too many tech workers decided to rollover for the government and that's why we are in this mess now.
I take it you've never worked at a company when law enforcement comes knocking for data?
The internet tough guy fantasy where you boldly refuse to provide the data doesn't last very long when you realize that it just means you're going to be crushed by the law and they're getting the data anyway.
> I take it you've never worked at a company when law enforcement comes knocking for data?
The solution to that is to not have the data in the first place. You can't avoid the warrants for data if you collect it, so the next best thing is to not collect it in the first place.
"But I forgot my password! You need to fix this!"
The technology exists to trivially encrypt your data if you want to. That's not a product most people want, because the vast majority of people (1) will forget their password and don't want to lose their data, and (2) aren't particularly worried about the feds barging in and taking their laptop during a criminal investigation.
That's not what the idealists want, but that's the way the market works. When the state has a warrant, and you've got a backdoor, you're going to need to give the state the keys to the backdoor.
4 replies →
Yes, just hand over the encrypted data that you have no way of retrieving the keys for. "Have fun, officer."
Until the NSA knocks on your door and says encrypt it like this.
"Good" companies in the old days would ensure they don't have your data, so they don't have to give it to the police.
Plenty of companies would do that if they could. The problem is it has become illegal for them to do that now. KYC/AML laws form the financial arm of warrantless global mass surveillance.
6 replies →
If you design it so you don't have access to the data, what can they do? I'm sure there's some cryptographic way to avoid Microsoft having direct access to the keys here.
If you design it so you don't have access to the data, how do you make money?
Microsoft (and every other corporation) wants your data. They don't want to be a responsible custodian of your data, they want to sell it and use it for advertising and maintaining good relationships with governments around the world.
3 replies →
What are you talking about?
> I'm sure there's some cryptographic way to avoid Microsoft having direct access to the keys here.
FTA (3rd paragraph): don't default upload the keys to MSFT.
>If you design it so you don't have access to the data, what can they do?
You don't have access to your own data? If not, they can compel you to reveal testimony on who/what is the next step to accessing the data, and they chase that.
That's not the point. Microsoft shouldn't be silently taking your encryption key in the first place. The law doesn't compel them to do that.
It's not silent. It tells you when you set up BitLocker and it also allows you to recover the drive.
2 replies →
> Too many tech workers decided to rollover for the government and that's why we are in this mess now.
It has nothing to do with the state and has to do with getting the RSUs to pay the down payment for a house in a HCOL area in order to maybe have children before 40 and make the KPIs so you don't get stack-ranked into the bottom 30% and fired at big tech, or grinding 996 to make your investors richest and you rich-ish in the process if you're unlikely enough to exit in the upper decile with your idea. This doesn't include the contingent of people who fundamentally believe in the state, too.
Most people are activists only to the point of where it begins to impede on their comfort.
To be fair, house prices have a lot to do with the state.
My point was that it is not "[rolling over] for the government".
You are talking about Microslop. They have never been against government and in fact have always been anti consumer and in war with any hacker ethos.
There was no “back in the day” where big tech was on our side. Stop being a poser
> This isn't an argument about law, it's about designing secure systems
False. You can design truly end-to-end encrypted secure system and then the state comes at you and says that this is not allowed, period. [1]
[1] https://medium.com/@tahirbalarabe2/the-encryption-dilemma-wh...
Another one: https://www.theguardian.com/australia-news/2024/nov/05/sessi...
I'd love to see companies stop service in countries that request things like this, to put pressure on the governments to not be scumbags.
The engineers who developed this developed it to a spec so that microsoft demanded that allows them to get into the system at any time. There was nothing lazy about it. This would be easily found by anyone who has the impetus to encrypt their drive. Don't put things on your work laptop that you don't want Dom down in IT reading all of it or Phil the police forensics dick
The resistance is to switch to Linux.
it the natural results this site catter not just to tech nerds but one chasing venture capital money. its an inudustry that has never seen a dark patern it didn't like. we have gone from "don't be evil" to "be evil if makes the stonks go up"
yeah, every time someone says 'good, government must protect us from terrorists', they need to remember that sometimes
I don’t see that at all. Instead, I think tech workers, including the engineers and the product managers, are correctly prioritizing user convenience over resistance to government abuse. It’s honestly the right trade off to make. Most users worry about casual criminals, not governments. Say a criminal snatching your laptop and accessing your files that way. If you worry about governments you should already know what to do.
Look around you. At least in my company half the programmers are H-1B Indians. They're not going to resist anybody with the risk of getting deported back to India.
> Too many tech workers decided to rollover for the government
s/workers/Corporations/
A Corporation can't do anything without a worker's consent.
Your boss asks you to do something that is against your own principles. Do you quit that job on the spot?
I hope you put your money where your mouth is.
I actually understood that as in “of course . . . because Microsoft”
They rolled over to the money, not the government.
And too many tech workers decided to rollover for the big companies too. Accepting and advocating whatever they do. Even when it is tricky, can find the way to defend the big names, because they are big names, they know the way, they became big!
Unfortunately there's a loud contingent of incredibly proud idiots that post here as well that really like to pretend they know what they're doing.
The people going 'well of course' or 'this is for the user' drive me insane here because as said, there are secure ways you can build a key escrow system so that your data and systems are actually secure. From a secure design standpoint it feels more and more like we're living in Idiocracy as people argue insecure solutions are secure actually and perfectly acceptable.
It’s not about engineers being lazy, it’s about money.
Trying to resist building ethically questionable software usually means quitting or being fired from a job.
No this is lazy. Microsoft shouldn’t have access to your keys. If they do, anyone who hacks Microsoft (again) also has them.
I agree with you, but also think this is only true because we as an industry have been so completely corrupted by money at this point.
In the 90s and 00s people overwhelmingly built stuff in tech because they cared about what they were building. The money wasn't bad, but no one started coding for the money. And that mindset was so obvious when you looked at the products and cultures of companies like Google and Microsoft.
Today however people largely come into this industry and stay in it for the money. And increasingly tech products are reflecting the attitudes of those people.
> Back in the day hackernews had some fire and resistance
Hackernews is a public forum, and the people here change constantly. "Back in the day" there were mostly posts about LISP and startup equity. It's obviously not the same people here now.
> Too many tech workers decided to rollover for the government
Again, not the same group of people. In the 2000s "tech workers" might have mostly been Californians. Now they're mostly in India. Differing perspectives on government, to be sure.
> lazy engineers build lazy key escrow
Hey you should know this one, because it's something that HAS stayed constant since "back in the day": The engineers have absolutely no say in this whatsoever.
This is such a lazy take and ignores that this is the only system that has the property of not losing data when users forget their passwords and lose (or likely never write down) their recovery key.
That's it. That's the whole thing. Whatever "secure system" you build will not have this property and users will lose their data, be mad at you, and eventually you'll have to turn it off by default leaving everyone's data in plaintext. It's a compromise that improves security for people who previously left their disk unencrypted. It changes nothing for people who previously did their own key management.
You won't be able to turn the first group into the second group. That's HN's "Average Familiarity" fallacy. The fact that basically every 2FA system has a means of recovering your account by removing it should tell you that even technical people are shit at key management.
Yep... I've seen exactly this happen. People losing data/access by their own fault and yet being extremely mad at the OS developer or the company they have an account with. And, no, it does not matter if you tell them 100 times that they are responsible for not losing their own keys/passwords, they will still be furious that you set up your system in (from their perspective) such a shitty way that it's even possible for a permanent lockout to happen.
Saying "of course" doesn't mean we agree with it or fail to try to resist it. It's simply not surprising that this happened.
When you get high up in an org, choosing Microsoft is the equivalent of the old "nobody ever got fired for buying IBM". You are off-loading responsibility. If you ever get high up at a fortune 500 company, good luck trying to get off of behemoths like Microsoft.
It's why tech loves young engineers who just do what their told, of old engineers only as long as they can't say no. Once you dig into the system and see how all the pieces fit together, you can't ethically or morally continue to participate any longer. Learned that the hard way. In the middle of an attempt at midlife career change because of it to maybe free myself to write software that needs to be written instead of having to have a retained lawyer on hand to wrangle employment contract clauses to keep my work belonging to me.
> Too many tech workers decided to rollover for the government and that's why we are in this mess now.
It isn't really about the government. It's about a bunch of people trying to convince you that the locked-down proprietary closed source corporate crap that they use isn't in and of itself a security risk, no matter what the quality of the code that you've never seen is. Apple, Microsoft, Google etc. aren't your friends; no matter how brand loyal you are, they'll never care whether you're alive or dead.
FOSS isn't your friend either, but they're not asking you to trust them. Any exposure to these world spanning juggernaut military and intelligence contractor companies is a security hole. It's insane that people (thinking of Europeans now) get fired up to switch from this stuff because Trump but not because of course you should. Instead they're busy calling being suspicious of Microsoft old and hatred of Apple's customer corral stuck up and the desire to own your own machine fanatical and judgemental. Have you ever considered that you've been programmed to say and encourage dumb stuff that is completely against your own interests and supports the interests of the people who sell things to you?
You're convinced by the argument that people dumber than you have to be protected from their own machines (by corporations who have no interest in or obligation to protect them) - have you ever thought that people are saying the same thing about you? That you have to be protected from writing things you shouldn't write or talking to people you shouldn't be talking to? And the world isn't a meritocracy: the people on the top are inbred creeps. You've given up your freedom to dummies with marketing departments.
I used to be a principled freedom fighter. But others defected(thinking mostly about Apple users...). I promoted open source software, even dealing with the pains.
So now I just use whatever I want. Someone else can be a tech moralist.
The median user's threat model doesn't include the government, but does include data loss, forgetting the password, or a thief stealing your laptop. Microsoft struck the right balance.
I'm glad the knee-jerk absolutists are marginal, for one. A world run by you people would be much worse for anyone who isn't you.
The median user does not have a threat model.
Ask a non techy user:
* How do they backup their data/do they backup their data at all?
* Do they know 3-2-1 rule? Are they following it?
I bet 90% people will answer no to some of the questions.
And data backup is much more of an everyday topic compared to disk encryption.
A world one by "those" people would lead to a less abusive and exploitive world, our current world is one based on suffering if you aren't extremely wealthy. I think I know which world I would rather join.
Today the median users threat model absolutely includes the government! They are snatching people up left and right, including their electronics.
I don’t get how people like you trust the corporation or the government that much. If we were all more cognizant of security and privacy, it would be much harder for large orgs to break our society the way they are doing today.
The median user would be better off in a society where computers are not needed for daily life. The median user doesn't understand computers. In their life, computers only manfiest as a tool of control imposed by the people who understand computers over those that don't.
This is one such example.
This sort of utilitarian nitpicking over the convenience of a "median" user is like maximizing the happiness of a cow on a factory farm. The cow would be better off if it did not exist at all. It is a matter of freedom and dignity.