Comment by mkr-hn

12 years ago

Google might have an easier time recruiting edge producing developers than the NSA after the leaks.

I used to work in the antivirus industry, and, as I recall, anything that even hinted at a history of hacking or virus-writing would lead to instant dismissal and black-listing (from pretty much the entire computer security industry). I imagine that the same prohibition would now apply to former government employees also.

The sad fact of the matter is that we cannot trust individuals that have ever worked with these agencies, nor with the private contractors that supply them. The risk of insider attacks is too high. Equally, we cannot trust companies that employ those individuals.

If silicon valley is to recover the confidence of its customers, it must go through the painful and heart-rending exercise of dismissing all employees with any connection whatsoever to government espionage. Many innocent people will lose their jobs, and will face the prospect of being excluded from high-tech employment in the private sector, but I cannot see any other way of regaining trust in our fundamental infrastructure.

  • Why would the anti-virus industry refuse to hire people that had developed viruses? Aren't those the people that think like virus writers and could write better antivirus software? Same with the hacking half of that. Those are the people that best know how to secure systems.

    Wouldn't it be the people that used to be blackhat and have transitioned to gray or white-hat hacking that would be the best people to provide their services for pen-testing/anti-virus writing/etc?

    Is the probability of a so-called ex-virus-writer writing exploits into the system higher than for someone else?

    Is their knowledge worth the chance?

    • Anti-virus endpoint software is essentially (and necessarily) a rootkit. Businesses installing antivirus software are placing an incredible amount of trust in the antivirus vendor.

      Without trust, the antivirus vendor has no business whatsoever. As a result, they are (or jolly well should be) ultra-careful to earn that trust. This includes subjecting their employees to a certain degree of vetting.

      In the age of cloud computing, the same relationship dynamics are observed between businesses and the cloud vendors to whom they entrust their data.

      See? There it is again: Trust.

      Important stuff.

    • Because of their underlying lack of ethics. You need to have ethical hackers that are interested in the wellbeing/security of a community/society. Even if they know the systems from both perspectives, if they even have a moral deficiency, what's to stop them from committing insider attacks/writing exploits of the system? You cannot trust that type of person unless you know for certain that they have abandoned their prior convictions and truly follow white hat hacking, and knowing for certain is hard to do.

      4 replies →

  • > ... instant dismissal and black-listing (from pretty much the entire computer security industry)

    I'm not sure where you got that from. A large percentage of the security industry is made up of people who got their start as blackhats.

  • I'm not sure if any security company would gain much by avoiding former government employees - you'd decline Abe Honest because he had worked in government earlier, but any Joe Infiltrator from NSA could come to your interview with CV, online profile + references/contacts claiming that he's worked in, say, Microsoft for 20 years.

I imagine anyone with a line on their resume that says "NSA - Software Developer - 2009:Present" is going to have a hard time finding a new job at many companies (although certainly not all).

  • Breaking: most people, even most people in the tech community, don't look on the NSA with that level of contempt, if any at all.

    This is unfortunate--in a just world everyone doing this would be imprisoned for many years and have all their ill-gotten gains stripped from them--but a real fact. And the typical NSA software developer is certainly highly qualified and very, very smart. Going purely by business concerns, if you have a need for someone with the skill set that'd come from working for the NSA, you can't afford to pass them up just because they worked with the NSA.

    You can also be sure that, even if the NSA were disbanded fully and all its employees hated so much that they could not get domestic employment anywhere, many international actors would be extremely excited to pay top dollar for their talent. And by top dollar, we're not talking piddling six figure salaries.

    • Agreed. Skills would be irrelevant. A brain dump alone would be worth hundreds of millions. That is the scariest thing about all of this. Every time I hear someone bash on Snowden about how he was a dropout, etc., etc., I just think "ok, so you gave this guy who you say is an irresponsible idiot the ability to blackmail anyone who has a google search history?"

  • When the NSA sends people out to infiltrate companies, they won't write "NSA" on their resume. For the rest of former NSA employees, a lot of them will have resumes that say: Palantir, Booz Allen Hamilton, etc.

  • I suspect that anyone who has been a software developer at the NSA (or FBI) for five years has robust job security. Government employees have some extensive benefits, and these guys get to play with some serious hardware. If they like working there, I would be surprised if they were unable to keep doing so for a Long Time in the future.

    Now, if they decided they wanted out, well ... good luck with that in the manner you describe. I suspect that it won't be too hard, though. They deal with "Big Data" problems at a scale that few do, so being an NSA engineer likely is bound to be a similarly prestigious resume line as working for Google. Aside from the working for an evil entity part, that is, but some employers will not care as much about that.

  • On the flip side of that, maybe you do want ex-NSA staff with the inside knowledge so you can protect yourself against their tactics. Isn't that the same reasoning for hiring ex-black hat hackers?

    • If someone is willing to divulge inside knowledge of his last employer you have to assume that in the future he will be willing to divulge your inside knowledge.

      3 replies →

    • I am pretty sure someone would be considered a traitor if they told their new company how the NSA was doing things, just look at what they are calling Snowden.

      1 reply →

  • I would expect Google and similarly enormous companies to have a process in place to keep rogue agents from inserting backdoors and malicious code.

    • You have to trust your developers. You can do audits, but the problem is intractably difficult. Developers have a TREMENDOUS amount of power. Trust is absolutely, utterly, irreconcilably fundamental to the job. If you cannot trust your developers, you are screwed every which way to Sunday. If your developers are compromised, you have to assume that your whole business is compromised.

    • While this is another angle, I was referring to the fact that many people will see these engineers as immoral and spineless. I know that I would not hire the person who drew that smiley face or any of their accomplices.

      1 reply →