231 comments

[ 0.24 ms ] story [ 256 ms ] thread
(comment deleted)
This article seems to be saying that it's reasonable to expect that google should avoid reporting or fixing security vulnerabilities being actively exploited by the US government, and this isn't something that should make other counties consider Google to be working as an agent for the US government and therefore deserving of being blocked or sanctioned.

By the same token should we we also consider it reasonable for companies Huawei to avoid fixing security vulnerabilities being exploited by governments like China and not consider them to be deserving of having importation of their products blocked on this basis?

I don't think other countries would necessarily want to use google products if they are intentionally leaving security vulnerabilities open, so maybe it is better that all companies fix all security vulnerabilities they find?

It should be fair and equal. It's either everybody acts on behalf of their country of origin or everybody fixes all problems they find.

"Country A can do it, but B can't because A is X and B is Y" is not an acceptable solution IMHO.

No, I don't think that's practical.

Standards like transparency, rule of law and a clear separation between corporations and the government should be uphold completely independent from the fact that this isn't done exactly as rigorous everywhere on the planet.

It's a relatively new (and IMO flawed) idea that western democracies should corrupt themselves just because non-democracies exist.

I think it's rooted in insecurity over the long term superiority of democratic institutions. This might lead to western democracy being perceived as something you do not because it's strengthening the country but because you want people to enjoy it as a luxury as long as the country can afford it.

I think that's wrong and will surely be out of fashion as soon as more prominent autocratic regimes fail to deliver as consistently as they currently do.

> relatively new ... idea

The ghost of Henry Stimson would disagree.

It's not 'corrupt' to spy on other nations and it's not 'corrupt' to facilitate it.

It's not rooted in 'insecurity of the belief in a style of government' it's rooted in basic security measures. Western nations spy on other nations as a matter of national security policy much like they invest in early-warning satellites.

The 'corruption' stems from the type of authority that drives the activity, their motivations, and what they do with the power.

When spying on and manipulating other countries takes priority over protecting everyone including yourselves, that is indeed corrupt or twisted or whatever word you want to use.

Fixing a software bug or vulnerability is unequivocally good, and the sooner the better, regardless of who thinks they need that bug to make their global manipulations a little easier. The realpolitik BS is just too easy of an excuse for any monstrosity, and the blowback is always worse than the immediate problem.

It's not 'unequivocal' though - we don't have enough information to say that. You have to know what the vulnerability is, how it's exploited and what the consequences are.

While I don't doubt that in reality, erring on the side of closing it is probably the right thing to do, the fact is we don't know.

If the vulnerability is being used to thwart a rogue entity from developing nuclear weapons, the balance of facts may be on the other side. At very least, Google should have worked with agencies on getting it closed down.

If they were using it to make a drug bust, when then who cares, shut it down.

> If the vulnerability is being used to thwart a rogue entity from developing nuclear weapons, the balance of facts may be on the other side. At very least, Google should have worked with agencies on getting it closed down.

The rogue entities on this planet already have nuclear weapons (and no, I am not talking of North Korea). A widely overlooked fact is that the nuclear non-proliferation treaty obliges the nations with nuclear weapons to get rid of them[0]. This part of the treaty has never been uphold.

[0] https://en.wikipedia.org/wiki/Treaty_on_the_Non-Proliferatio...

This is a misrepresentation.

There are no 'rogue entities' with nukes outside of N. Korea unless you consider Pakistan to be 'rogue', or, their benefactors, Saudi Arabia who undoubtedly have access to the tech the moment they need it to be ... but they are not 'rogue', or rather, the action would be widely condemned but a different story altogether.

Iran, would be a 'rogue nation' trying to get nukes, which they have signalled they are trying to do.

A wayward state or quasi-independent province in the Caucuses, the M/E or Africa would be that as well. Or of course some legit terrorist group.

And it would have nothing really to do with non-proliferation obviously.

If the US was trying to thwart Iran from getting nuclear weapons through some back door, then it frankly would be in Google's best interests to help.

The notion that large corporate entities can exist in a geopolitical context and yet somehow ignore it at the same time is nonsensical. Once you are 'Google Scale' your piece is on the table and you have to play.

Edit: to put another way - Google's very existence is protected and enabled by the US Economic and Geopolitical situation in a tangible way. It's not abstract at that level, like it would be for a small company.

Remember how we thought of US Army in Iraq as 'Exxon's Army'?

Well it's 'Google's Army' now ...

To be clear, by "X" you mean "amoral" and "y" you mean "moral"?

I think it not only acceptable but incumbent to hold yourself to a higher standard of behavior than the lowest common denominator. "An eye for an eye will make the whole world blind."

(There's also a practical reason: China is much more effective at their approach than the US is, being much more experienced at it and also having stifled internal debate about it. If the US gives up its claim of being a morally superior employer than China, why would anyone skilled want to keep working for what will inevitably be the losing team?)

> To be clear, by "X" you mean "amoral" and "y" you mean "moral"?

It can be anything. It's intentionally X & Y, not X & !X or a more concrete word. Put whatever you fancy. Democratic, White, Sunny, Oreo...

I don't take sides or make a suggestion. I do not suggest that we should go to the lowest denominator but, we shall aim for much higher. OTOH, entropy loves lowest common denominator and drives everything down. Lowest prices in cost of quality. Chaos for minimizing energy, etc. We're trying to reverse natural chaos in many areas and it's worth it IMHO, btw.

For the same reason there are no country names in my comment. Fill the ones you want. My comment implies nothing. It's the readers' bias which puts USA/Russia/China/Moral/Ethical/Democratic/Totalitarian.

I see a lot of polarization in the world and everyone is claiming to be the good guys. We can improve when we accept that we're only guys and work upwards from there.

Your comment is in reply to a comment about China, which is why I referenced China. (But if you wish to say your point is abstract, then my comment also applies equally well in any direction - I don't think China should use the US's misdeeds, which are plentiful, as justification for their misdeeds either!)

I am unconvinced that abandoning the attempt to be the good guys will lead people to be good. I believe it will only allow people to be bad guys without feeling bad about it. While claims to be moral have of course been used by many bad guys through history, the correct response is to argue convincingly that they're immoral, not to give up the idea that morality is a worthwhile standard.

Or, in other words, I believe morality is qualitatively different from any of those other categories you list. If a store chooses to sell Chips Ahoy instead of Oreos, that's just a question of taste; if a store chooses to sell cookies filled with razor blades and arsenic instead of Oreos, that's a different matter entirely, and we are not obligated to accept it because we've accepted that stores can sell Chips Ahoy.

The comment wasn't about China when I first wrote it. It expanded a lot in 1-2 edits. In all honesty, I didn't plant any implicit meaning into my comment.

I'm not suggesting abandoning the intention of being the good guy. Instead, I suggest to stop using it as a shield or plausibility cover for misdeeds. Instead I suggest the viewpoint of "Hey, we're trying to be good, but we fail sometimes. Let's accept it and collectively try to construct a better good, which is fair and equal to everyone, as much as possible." I think this is workable and can be iterated upon to make a better world (I know it's very hard, but it's not impossible).

Morality and ethics is universal. They're hugely important values to build upon, but interpreting them according to one's desires or in a subjective light, without empathy, makes them hollow. Again, a lot of misdeeds can be conducted by abusing these very important values.

I deliberately don't give any examples, because the examples may derail the conversation and take the spotlight to the examples themselves. All possible examples and evaluation of them is left to the reader, as a multi-faceted mental exercise.

Hope this clears my intentions a bit.

All right, that's fair - I think that approach leads to something like like, country A should not do morally-questionable action M, nor should country B, and if country A chooses to do it anyway, this shouldn't justify country B saying "Well why can't we" - country B should stick to its position and criticize country A. I'd agree with that.

(I originally read your comment as saying that it is unfair for country B to be enjoined from action M if country A is engaging in it, and I think other commenters did too. I do absolutely agree with the goal of collectively constructing a better good in a fair and equal way, holding everyone to that standard, and expecting that people will fail but it's worth trying to meet that standard nonetheless.)

It should be fair and equal, and countries that do not agree to the fair and equal rules, they should be excluded from free trade.
Shall we start with ones which insist that fair and equal means what they choose to mean instead of what they mean universally?
"What they mean universally" is actually a harder thing to peg down than one might assume, which is one of the reasons we still have separate countries in the first place.
It's also why the "rules based international order" is not much more than PR for violent hegemony.
I don't think I understand what you mean. Is the European Union a rules-based international order? It doesn't seem to be a violent hegemony from the outside looking in.
EU happily bombed seasteading projects.

Also Somalia originally wanted to split in multiple countries and NATO interventions happened to prevent that and force them to remain only one country, and remain in Civil war

> EU happily bombed seasteading projects

How the EU member states act towards parties outside the EU seems a bit beside the main point: that the EU itself actually is about international rules and not a cover for violent actions between the various member states.

>How the EU member states act towards parties outside the EU seems a bit beside the main point[...]

It isn't beside the point. It is contradictory to your narrative. Big difference.

The EU isn't about international rules - members of the EU don't care at all about international rules. It's simply a covenant between countries that can be willingly entered and left.

The "rules based international order", on the other hand, is not voluntary. If the US decides that you are in breach, then it will be rectified with hard power. It's simply an abstraction for hegemony, and you don't get a choice to parcipate or not, the choice is made for you by the hegemon (which also happens to be its enforcer).

The EU is not the rules based international order, it's a supranational entity.

The "rules based international order" is supposedly the body of international laws and customs as well as their enforcement internationally, and is what the US uses to justify their hegemony, placing them as the guarantor of this order - while themselves violently breaching it.

It's also called the "US-led international order" or the "liberal international order". Put simply, it's the US and its allies enforcing a set of rules internationally with violence or the threat of violence (or economic sanctions)

See: https://en.m.wikipedia.org/wiki/Liberal_international_order

Yes, especially them (assuming you're talking about the US here)
You think -any- country is fair and equal when it comes to spying and their intelligence agencies? It's strictly limited by technical capabilities and nothing else. You're living in dreamworld if you think all countries aren't doing it.
The exact same logic applies to nuclear weapons. How many lives have they saved by being a credible deterrent over the decades? Every country should be allowed to possess them, or else none should. I'm not even sure if the latter is desirable (it'll lead to millions of deaths in conventional warfare), but it doesn't matter, since it is completely impossible (the tech exists, so it will be used, invariably). We're left with only one logical option.
Then let's declassify all nuclear weapon designs and allow everyone to build a lot of them.

Furthermore, let's create economic programs to build a baseline nuclear arsenal in every country. That'll prevent a lot of wars.

Some countries will object to that. Why?

Isn't everlasting peace much better?

Edit: Do I need to point out that I'm not writing these comments in support of war, but with a desire to spark a thoughtful conversation?

MAD works because both sides have something to lose. If you give a nuke to Osama bin Laden, he uses it.

At the same time, I feel like there's still something there. Having nuclear weapons makes existing states much more resistant to opposition. Other states can't topple them in the traditional way because of MAD.

But neither can local freedom fighters -- suppose pro-democracy forces took three major cities in China and started using them as an industrial base to wage a conventional war against the regime. The US and anyone else couldn't really help them the way France did the nascent American Revolution, because of MAD. And if they actually started winning regardless, couldn't the dying regime nuke the rebel cities?

If we don't want people to live under permanent authoritarianism, maybe we still need something to level the playing field.

Though it doesn't necessarily have to be nukes; establishing uncensorable distributed communications comes to mind as an anti-authoritarian power. The fact that Western countries aren't spending billions to comprehensively subvert the Great Firewall is a significant strategic failure.

> The fact that Western countries aren't spending billions to comprehensively subvert the Great Firewall is a significant strategic failure.

I have strong opinions in this matter.

The GFW is only possible because of metadata leaks that Western countries are exploiting too, for security and surveillance, or whatever.

Suppose Western countries start investing billions in subverting the Golden Shield, our own infrastructure and economy would suffer too.

A very naive but simple example:

I tried to train https://github.com/Kkevsterrr/geneva against a CheckPoint and a Fortinet ... It's not been fun for those "next gen firewalls", and CheckPoint is a NASDAQ-100, Fortinet an S&P 500.

the problem with nukes everywhere is one is going to get stolen or sold and used.
The nuclear question work entirely against your argument, and illustrates the naivte of the 'everyone or nobody' concept as totally unworkable.

'Nukes bring peace' mostly only if they are in the hands of a few major, stable powers, otherwise, nuclear proliferation probably is very bad.

These kinds of moral absolutions, i.e. projecting 'rights' into nations etc. (either we all have the right or nobody does) are pragmatically irrational.

Every nation is different, in a different set of circumstances, there's always some degree of moral relativism, but there's some degree of objectivity as well.

We have to balance the forces to figure out what to do in a complex world, and the rules may not always be so cut and dry.

(comment deleted)
No, that’s not logical at all. When ISIS creates its own state in some fragment of Syria, I don’t want them to have nukes because unlike Russia or Israel, they don’t really care if they get destroyed thus MAD as a deterrent doesn’t work.
Do you think the Chinese Communist Government is morally equivalent to the US government?
You can have "good democratic" country on a block and "bad authoritarian". If the good one commits murder it is still a fucking murder and hiding under "we are the good guys" umbrella is not going to help the cause. You either behave accordingly to standard or forget calling yourself "good guys". The fact that country X treats its own citizens better then country Y is irrelevant here.
From the viewpoint of which country and under which definition of morality?
Yeah, moral relativism isn't really a thing.
Yours. Hence, "Do you think..."
Yes, they are equivalent. The USG is somewhat nicer inside of its borders if you're not poor or exposed to crime, but is directly or closely responsible for over ten million deaths abroad, and nothing China has done in living memory abroad comes close to that amount of death, while domestically it is responsible for a lot of death but still maintained a death rate due to economic matters lower to similar countries. Morally, they are more or less equivalent.

Of course, this doesn't matter, neither of them care about being good guys, they just want to appear that way to accumulate power.

>>The USG is somewhat nicer inside of its borders if you're not poor or exposed to crime, but is directly or closely responsible for over ten million deaths abroad, and nothing China has done in living memory abroad comes close to that amount of death,

LOL. You obviously have never heard of the Cultural Revolution:

"Mao launched more than a dozen campaigns during his rule, which began when he founded Communist China in 1949 and ended with his death in 1976. Some are well known while others, such as a bloody campaign to "purify class ranks" in the late 1960s, which involved army units, have received little publicity.

While most scholars are reluctant to estimate a total number of "unnatural deaths" in China under Mao, evidence shows he was in some way responsible for at least 40 million deaths and perhaps 80 million or more. This includes deaths he was directly responsible for and deaths resulting from disastrous policies he refused to change."

Around 500k to 2 million people died during the Cultural revolution.

As far as the Great Leap Forwards, despite causing a great amount of death and suffering, life expectancy still increased during that period and the death rate in China during any 5 year period of Mao's reign was lower than countries that were comparable when he took power (India, Bangladesh, etc...).

All in all, the amount of death and suffering inside of China's borders during Mao wasn't any higher than it would have been if China had been ruled by a liberal democratic state. The reason for this is that by far the worst killer in those economic conditions is lack of access to healthcare bar none, and despite causing a famine, the improvements to access to basic healthcare as well as infrastructure during the Mao area more than compensated.

But that's if your only metric is death rate - in which case, yes, China did better than its peers. If you have a different metric that also considers freedom and rights and so on as I suspect you did, then one can't come to a conclusion so easily, so I err on the side of pessimism.

That said, if you only consider unnatural deaths and chalk up deaths due to poverty as natural, you will always find a bias against countries with higher state involvement because you'd be able to state that their poverty deaths due to state involvement are unnatural while those in market economies are purely natural, that's why it's important to consider only raw death rates between two cases with similar start points and conditions.

[0] https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4331212/

[1] https://www.wolframalpha.com/share/clip?f=d41d8cd98f00b204e9...

(comment deleted)
no, that's terrible, and also stupid. It's terrible because bad behaviour by one actor isn't an excuse to act in the same way. My neighbour steals thus I'm going to steal is morally bankrupt.

Secondly, from the point of view of the US it's also stupid. The US enjoys influence in the world because it propagates a rule-based order, not because it exploits everyone it can get its hands on. That would rapidly lead to a breakdown of trust and in this case result in every country trying to displace American technology from its markets. Which the EU say, could theoretically do.

> no, that's terrible, and also stupid...

Please read my other comments below (discussion with geofft). This is not the idea I suggest. In fact, it's the exact opposite.

> Secondly, from the point of view of the US it's also stupid.

My comment contains no countries and/or adjectives intentionally. It's neither about US or adjectives attached to US. I'm talking at a meta sense.

Again, please see my comments down the thread. This is not what I tried to say.

The core of the whole discussion is here [0].

[0]: https://news.ycombinator.com/item?id=26592112

It really feels like we're heading into or at least towards a new Cold War, with the U.S. and allies on one side and anyone they consider to be a threat on the other.

Both 'sides' will (and really already are) marshal private sector tech, media and social media companies.

non-aligned countries would do best to develop their own tech and media infrastructure because they won't be able to trust anything else.

I think slide into a Cold War could be slowed down by people working in those companies having and enforcing ethical and professional standards. In a case like this one it would mean blocking any hacking attempts that you can, irrespective of where they come from.

For social media companies it would mean devising rules about what content you will and won't allow and enforcing those standards whether the posters are from Russia, Arizona or Afghanistan.

> non-aligned countries would do best to develop their own tech and media infrastructure because they won't be able to trust anything else.

Better than "their own" -- develop free and open source software that will do it even in the participating countries. Which their people can trust because they can see and modify the code, rather than having to trust you, a foreign power.

That subverts the domestic propaganda machine there by allowing the people of the participating nations to talk directly to one another without being intermediated by a partisan spreading propaganda and imposing censorship.

Yeah that's an interesting idea.

There are a couple of issues with it though.

Let's think about Signal, Twitter, Facebook and Tor.

The US government is putting increasing pressure on social media companies like Twitter and Facebook to shape their content.

US government funded open source projects like Signal and Tor allow for the spread of US shaped social media in countries that want to limit it.

So the propaganda machine thrives , it's just that it's the US one.

(note I like and use Signal and Tor, an against censorship in China. This is just one aspect of a set of complex relationships. Etc etc)

We've been in an electronic / cyber cold war for 20 years+. The fact that it's leaked out more is related to the continued growth and dependence on the internet as a whole.

This isn't going to happen, it's already happening and there are plenty of public examples of it.

Not reporting vulnerabilities used by a friendly government is a backdoor backdoor.
TFA - "democratic" hacking is good: "How one treats intelligence activity or law enforcement activity driven under democratic oversight within a lawfully elected representative government is very different from that of an authoritarian regime."
The CIA has a history of spying on Congress[0], overthrowing democratic governments [1], among a long list of nefarious activities I would not consider proper "democratic hacking." [2]

How is obligating big tech to cooperate with Western intelligence agencies a positive move for democracies?

[0] https://www.theatlantic.com/politics/archive/2014/12/a-brief... [1] https://en.wikipedia.org/wiki/1953_Iranian_coup_d%27état [2] https://en.wikipedia.org/wiki/List_of_CIA_controversies

I'm quite skeptical of the viewpoint in this article - just answering the question from the parent comment of "would China be justified in exploiting Huawei?"

The distinction that this article makes is that our clandestine operations have "democratic oversight." To be clear, I think the author would say that they are attempting journalistic neutrality, but they're giving considerable space to the argument that democratic clandestine services deserve a different standard.

It doesn't say "US government", it says "the hackers in question were working for a US ally", which makes it even more complex.

It was likely if it was counterterrorism this is about a Middle-Eastern ally, such Israel or Saudi Arabia?

Neither of these are always US allies, only sometimes.

I think you made a jump there. This could equally be one of the other in the Five Eyes group e.g. Canada, Uk, Australia, NZ.
Denmark, the Netherlands, France, and Germany are also all well equipped for this sort of thing and are as close of allies as you can get outside Five Eyes (DK/NL especially).

The Dutch were the ones who originally warned of interference in the 2016 election IIRC and had access to Cozy Bear for a while before that.

Well and for all the "legal oversight" much of the five eyes operations seems to have been designed around economic advantages, circumventing the rules about spying on your own citizens (it's not us who is doing the spying, it's the Australians). So I'm not sure if it being a five eyes operation makes it better or worse.
There's no "jump". The poster simply raised one hypothetical to consider. "Could be anyone", right?
More likely domestic counter terrorisms under FVEY. I don't know about Google, FB has called out Israeli and Saudi influence before. I imagine only Anglo countries gets default hush hush privileges.
Anyone who doesn't realize that the US government can rifle through Google's data on a whim (aka secret warrant via Patriot Act) is an idiot. That said they aren't direct intelligence agency like a lot of Chinese corporations. The US government doesn't have real time access to every bit of data that google has, but they are only one rubber stamp away from it. If you keep data on google encrypt it before you upload it.
"How one treats intelligence activity or law enforcement activity driven under democratic oversight within a lawfully elected representative government is very different from that of an authoritarian regime.”

From a systems security standpoint, no. This is the same kind of idealistic naivety that causes the FBI to advocate for weak encryption, or senators to call for "security only breakable by us, because we're the good guys".

From my viewpoint the oversight given to the intelligence agencies is handled by intelligence friendly members of Congress. They don’t seem to let critical people into the committees and if they do they are minor players.

Even still, Clapper felt compelled to lie to their faces. How many others have done the same?

While this is absolutely correct, it is also true that the world we live in is not the clean world of Boolean algebra.

The same security flaw that lets “baddies” pwn us, also lets us pwn baddies. The same indefatigable crypto that keeps us safe and makes online anything possible, also lets people conspire in secret to overthrow governments — heck, I remember reading the idea of onion routing that led to TOR was a U.S. military project to help anti-government activists in China, and even if that was just an urban legend, one team’s goodies are another team’s baddies.

I don’t have any good solutions here.

This is security vs security, and my weak fleshy hardware is vulnerable to exploding things owing to a lack of backup solutions, therefore if my options were perfect security for my body or for my data, right now I would choose my body, even though loss of data has the potential to be catastrophic.

That said, if it were up to me, police investigations would involve a lot more remote sensing tech instead of hacking… but I say that knowing even that isn’t a no-downside option, and I know that I am unaware of the full implications of police having the budget and power to spy on targets of their choice.

(I’m also in favour of radical decriminalisation of just about everything that can be decriminalised, because I think omniscient surveillance is unavoidable and I don’t want criminals using it to automate blackmail).

> I don’t have any good solutions here.

The solution is for state actors to move their resources from offense to defense. Imagine half of the NSA budget going into auditing software, both closed source and open source. (They already do that, but AFAIK nowhere near half.)

There is a quite clear and simple line here: the people breaking security for any purpose other than fixing security problems are the "baddies", and the people defending systems are the "goodies".

If some intelligence service decides they want to covertly exploit security issues, they have made their choice to be "baddies" and should be treated as such.

(Coincidentally, this narrative of "XYZ got hacked by ABC hackers, bad ABC!" needs to change to "XYZ got hacked, bad IT sec at XYZ!" - it's your choice to plug your shit into the internet, and your responsibility to make sure you don't get 0wned.)

> XYZ got hacked, bad IT sec at XYZ

In this particular case I can't follow this part of the reasoning. It was a counterterrorism operation using sophisticated exploit chains.

Would you clarify what's the bad IT sec? "nobody should use a browser"? https://1.bp.blogspot.com/-37hyk7hERGk/YFDuISGgCNI/AAAAAAAAa...

I was trying to make an independent point with that "coincidentally ...", sorry if that was a bit unclear. In this case, the takeaway would be "we still don't know how to make secure browsers even though we're trying our darndest." But also, that exploit chain is limited to a single machine; there's still some opportunity to limit damages on a larger scale.
That's a bit extreme, but I find it worrying how the general public seems to have accepted that software just has bugs. Like it's this self conscious thing and nobody is at fault. Prisoners don't get released although they served their sentence? Software fault. People pay more tax thab they should? Software bug! Let's just shrug im confusion about that silly software problems that nobody os possibly responsible for.
Most people understand computers in the same way I “understand” law, the armed forces, and medicine: via Hollywood.

This naturally leads to a chronic gap between the state of reality and belief about the state of reality.

Only playing defense won't work for nation states due to similar thought processes of mutually assured destruction. If you're enemy has a bigger and scarier gun, it puts you at a disadvantage in geo politics.

Also, I'm not sure the clear line is that clear. There will almost always be a tipping point for people for this type of scenario. If the hacking operation that was exposed would have prevented an attack that kills 1 person, was it still OK to expose? 100 people? 10,000? It's almost impossible to know what the exposure cost will be but if people die due to it and it becomes known, some people will rethink what the "right" thing to do was.

This type of stuff seems like it should be decided by elected representatives and not by some team of coders that work for some for profit company. It seems possible to me that the decision they made was based purely on what was best for Google.

I think we as tech workers need to acknowledge and understand the viewpoints contrary to ours and try to compromise with those on the other side. This type of issue is complex and I think we really need to acknowledge that there is no easy "right" solution to something like this. Blind idealism on both sides of the issue won't be good for either side or for society in general. We as tech workers are not infallible and we don't deserve to dictate rules to society just because we know how to write code.

> [...] mutually assured destruction [...]

But that's exactly what this is not. Every big and scary gun the enemy might have is also a big and scary vulnerability that you could fix. While it's infeasible to have "perfect" security, you can absolutely make the enemy's offensive tools useless.

It's especially bad since when working offensively, you're incentivized to not fix issues. That might be OK for black hats & nations with "questionable" ethics, but how is this a thing in any democratic country? When state agencies are sitting on exploits and purposely not working to get them fixed, that's IMHO a kind of treason on your own country. It's leaving entry points open for others to find. And anything you can find, they can find too.

> Also, I'm not sure the clear line is that clear. [...] prevented an attack that kills 1 person, was it still OK to expose? 100 people? 10,000? [...]

The line is clear, because that attack that the "goodie" western hackers couldn't execute, and possibly resulted in deaths, might as well be an attack that the "baddie" hackers couldn't execute, resulting in people surviving.

Systems are generally designed such that working correctly is the intended best state (even for weapons support systems.) More work going towards keeping systems within their design parameters (i.e. not hacked) should be the best way to save lives. Even if we're talking about some terrorist building a computerized IED, there are likely systems whose correct functioning can help save lives - maybe some chemical detectors at an airport, or first responder management systems, etc.

It's also the only line that can be drawn on an objective standard. Regardless of whether you're the USA, EU, China, or North Korea - "systems functioning correctly to their design" is an universal standard. Do you think North Korea cares about any life that isn't their bonzo supreme leader?

> While it's infeasible to have "perfect" security, you can absolutely make the enemy's offensive tools useless.

This seems contradictory. If its not possible to have perfect security, how are you supposed to make your enemy's offensive tools useless?

> It's especially bad since when working offensively, you're incentivized to not fix issues. That might be OK for black hats & nations with "questionable" ethics, but how is this a thing in any democratic country? When state agencies are sitting on exploits and purposely not working to get them fixed, that's IMHO a kind of treason on your own country. It's leaving entry points open for others to find. And anything you can find, they can find too.

Yes, it is an extremely gray area that is tough to find an easy answer to. Whatever ideals you want to stick to, the fact is the other side more likely than not will not play by your ideal/"right" rules. It seems like China and Russia have no plans on slowing down pilfering intellectual property and causing chaos in the US. Is it really a good idea for the US to throw down all offensive cyber weapons for some ideal? That would only encourage China and Russia to act worse knowing that they don't have to worry about repercussions from their actions.

> The line is clear, because that attack that the "goodie" western hackers couldn't execute, and possibly resulted in deaths, might as well be an attack that the "baddie" hackers couldn't execute, resulting in people surviving.

In this case, the article was about google exposing a hacking operation of a government that was trying to prevent terrorism. If the terrorists are able to kill people due to this government operation being shutdown are you saying that it was better for google to have exposed it just because security flaws are bad and should be fixed? It isn't possible to know for sure which side is "right" in this situation. If the operation would have prevented deaths with no collateral deaths on the other side, how can anyone say that preventing some bits on computers being moved in unexpected ways is better than having people die?

> Even if we're talking about some terrorist building a computerized IED, there are likely systems whose correct functioning can help save lives - maybe some chemical detectors at an airport, or first responder management systems, etc.

> It's also the only line that can be drawn on an objective standard. Regardless of whether you're the USA, EU, China, or North Korea - "systems functioning correctly to their design" is an universal standard.

Clean, well designed and secure systems are nice and all but I don't a large majority of non-tech workers will agree that this standard trumps every other consideration when it comes to a functioning society. It doesn't seem fair that some tech workers like clean design and they deserve to dictate what is right and wrong in society.

I thought about replying in more depth, but your last line is just... weird.

> Clean, well designed and secure systems are nice and all but I don't a large majority of non-tech workers will agree that this standard trumps every other consideration when it comes to a functioning society. It doesn't seem fair that some tech workers like clean design and they deserve to dictate what is right and wrong in society.

I didn't say "clean". I said "functioning correctly to their design". I'm willing to wager a "large majority of non-tech workers" would agree that things are preferably working rather than broken.

Twisting a statement like that is very much in the domain of Eristic Dialectic. Please try to reduce your usage of such tools.

You make some really good points. Encryption advocates aren’t just pursuing some vague ideal though. The case they’re making is just that deliberately weakening encryption for one party weakens it for everyone.

In these discussions we should also distinguish between attacks by nation states and those by non state actors. It seems the argument for weakening encryption is mostly to catch or prevent illegal activities by non state actors who likely lack the sophistication to understand weak encryption fully. State actors would almost certainly know and avoid using weak encryption.

But it gets more interesting. Law enforcement is a perennial cat and mouse game. You catch today’s criminals harnessing weak encryption, the next generation of baddies will get smarter. The end result is weak encryption for everyone, without really helping society except to maybe catch the “current generation of baddies”. Advocates for strong encryption point out that this is an extremely short term and stupid thinking that destroys the protection offered by cryptography without really giving us all that much anyway.

Yes, I completely agree that weakening encryption is an incredibly slippery slope. I don't know what the right answer is. I just know that a lot of people would not be happy with a government that did not do everything in their power to prevent horrible acts from happening. There are bad people in this world that would not think twice about murdering thousands of innocent men, women, and children. To have the government immediately report any vulnerabilities that they find instead of using those findings to do good for their citizens will be a hard pill for most of the population to swallow. It will absolutely have negative consequences when they don't report those vulnerabilities immediately though. For a government to do perfectly well for its population, it would need to stay on the cutting edge of technology and ensure its population has the best security while at the same time staying able to exploit the security of their adversaries. But that would be incredibly hard to do.

On the completely secure systems end of the spectrum, bad people will take advantage of that complete security. You wouldn't have to worry about having your identity stolen, but I don't know how we would prevent bad actors like organized criminals or terrorists from taking advantage of those completely anonymous and secure tools. I'm also not too sure what living in an authoritarian regime with complete security would look like. Maybe dissidents would still have tools to fight the regime or maybe the regime would be better at controlling the population and squashing dissent.

> people would not be happy with a government that did not do everything in their power to prevent horrible acts from happening

I personally don't want government to do everything. Security is a trade-off and I wish more people understood this.

Yea, i think the tradeoff between liberty and privacy with security and safety is a tough decision to make and is why this hasn't been fixed with a law. Can one have both liberty/privacy and security/safety? A father living in a war zone would gladly give up privacy for not having to worry about whether or not he will outlive his children. I think a father living in a stasi-like regime may also be willing to make a similar tradeoff so that their children had the potential for a happy life. There are monsters on the fringes of the internet that do stuff like child exploitation and sex trafficking. There are also monsters across the world that want to hurt our society. Whether or not it was our fault in the first place is debatable but there are people who's job it is to prevent them from harming us. I can see the point of those that are tasked with finding those monsters. They are not ludite simpletons, they experience the horrors that some people can commit and want to prevent those horrors. I don't want to live in an orwellian state and I'm not sure the right answer is to create tools and policies that would allow for something like that to grow. But at the same time is it ok to just sacrifice a tiny portion of our society and allow some horror to be more easily committed to that tiny minority? I don't know how we find the least bad compromise or what something like that might even look like.
I really don't think the issue is complex. The whole what if 1 person dies, 100 people, 10,000 is a red herring. Also whom should we trust with saying this many people would do if it gets exposed the IC? Just look at the NSA list of how FISA protects the US [1], that's the justification for the biggest spying operation in human history aimed not only at foreign agents but also allied governments, their own citizens etc..

It's funny that it's being used as an argument for why 702 is good, because considering the scale of the operation it's almost laughable. Even more, how many of those points would have been exposed by old fashioned spying.

[1] https://www.nsa.gov/News-Features/Feature-Stories/Article-Vi...

Have you ever played a purely defensive game of chess? Not a perfect analogy, of course, yet a good demonstration that your opponent will eventually get in. You only have to make one mistake and you have nothing to counter with.

In that context (chess) the final evaluation reveals a well executed attack is superior to a defensive stance. I suspect the same is true of espionage and war. In other words, stop them before they have the opportunity to get to your king.

Another hypothetical: Imagine a future event when, for whatever reason, a band of twenty criminals is intent on breaking into one hundred homes in your neighborhood. The twist is: You can’t call the police for help. Which decision would lead to securing these homes: Each family stays in their home to defend it or one hundred neighbors join forces to repel them?

Not an urban legend, TOR was built in part by the US Navy and is still funded by the US government today (https://www.torproject.org/about/sponsors/)
That part is well known, I think the speculative part is its purpose in helping Chinese dissidents.
They never specified Chinese dissidents, but they did intend for it to get used by dissidents. And journalists.
The same security flaw that lets “baddies” pwn us, also lets us pwn baddies. The same indefatigable crypto that keeps us safe and makes online anything possible, also lets people conspire in secret to overthrow governments

On a more personal scale, think about jailbreaks/rooting, DRM, "trusted" computing, and all that other user-hostile stuff. The same crypto is also being used to enslave users and enforce monopolies, in which case the security flaws are a way to regain freedom and control. Leaked information is invaluable for the third-party repair industry. Who's the authoritarian one now...?

The world is definitely not black and white. IMHO, governments being afraid of strong crypto and viewing it as a (defensive) weapon are prescient. Why this fact isn't realised by more of the general population is indeed a real issue.

That’s security vs liberty, not security vs security, and governments (well, the UK at least) don’t seem to listen to security vs liberty arguments.

In principle a government can just demand businesses provide users with a “liberty” button that changes the root of all trust in the system. Even if technical reasons mean that button has to be pressed in the factory and its state is read-only forevermore, it is an option. Still secure, more liberal; if it is rootable regardless of this, I’d say it isn’t secure, because if a user can break in a hacker probably can too.

For a lot of countries in the world, "the baddies" are the USA Gov. Here is a big list of countries that suffered under USA intervention: https://en.wikipedia.org/wiki/United_States_involvement_in_r...

A lot of them were democracies.

n.b. for fellow readers: link is Wikipedia article called "United States involvement in regime change" - OP's implication every country involved is worse off for it is the usual surface-level analysis that's easy to make context-free, decades later, from the West - ex. I'm rather proud for the US being involved in regime change in most of these cases, and OP is too
So, which ones were better off?
Japan, Germany, Italy, France, Belgium...alas that's all I can remember from the one screenful I grabbed! I continue to believe it was a mistake to breezily link to Wikipedia and conflate those experiences with genuine harm :)
Easy to cherry pick WW2, which is pretty different from CIA secret ops overthrowing democracies and installing fascist dictators.
Agreed!

It is rather unfair to describe me as cherry-picking, however: every comment I've made firmly notes that posting an extremely broad Wikipedia article was flippant and dismissive of _actual_ atrocities. Asking for examples of the article being overly broad, then dismissing the examples as cherry-picking, is blinkered.

Ask some of us from victim countries. You'll find no one praising the interventions the US made for the profit of its ruling class.
Conflating your experience as one of the countries on that list, deeply, genuinely, hurt, with others such as Nazi Germany, genocidal Japan, etc. does an extreme disservice to your experience. You don't need to defend a lazy link to a Wikipedia article to defend your story :)
Putting s smiley at the end of that patronising paragraph reveals a lot about you and your motives.
Does dismissing the humanity of the person you're engaging with, based solely on a smiley, reveal anything about your motives?

Historically, HN avoids this kind of personality-focused commenting, particularly when it involves telling other people what they're thinking.

I, among others sympathetic to your care for other people and the impact of US regime change, would appreciate it if you would try the same. If you feel comparing, say, atrocities in Vietnam like My Lai to defeating Nazi Germany is justified, you're free to make that argument, and I won't try to divine your motives or politics in doing so.

You don't need to make up reasons to other me for holding there's a huge gap between US regime change in Germany and Vietnam, and that it is at best lazy and at worst erasure to do so. On HN, the quality of moderation & discussion is such that it can move at a more principled pace than Twitter.

Even that list is not exhaustive as it excludes indirect involvement. For example it mentions Operation Condor in Latin America but excludes other countries affected by it (e.g. there is no mention of the US involvement in Argentina’s Dirty War of the 76: https://en.wikipedia.org/wiki/Dirty_War)
While this is accurate it doesn't do anything to address to actual point being made.
Name a country whose government isn't "the baddies" to other people and countries?
(comment deleted)
> The same security flaw that lets “baddies” pwn us,

You're an American; that makes you the baddies. Whether it's Syria, Libya, Yemen, Iraq, Afghanistan ... Laos, Cambodia, Vietnam..., American troops have run roughshod over the rest of the world for generations.

America is not in charge of the world. It would be a better world if Americans remembered this.

> also lets people conspire in secret to overthrow governments

About that:

http://content.time.com/time/covers/0,16641,19960715,00.html

https://en.wikipedia.org/wiki/1973_Chilean_coup_d%27%C3%A9ta...

> You're an American

Not so, but like I said: one team’s goodies are another team’s baddies.

I think you are correct in that we need to pwn baddies.

But after reading the article i can infer that was not the intent here. Based on the article, it seems like the exploits were found because they (exploits) :

"caught the attention of cybersecurity experts thanks to their scale, sophistication, and speed. "

Notice the word 'scale' in there.

This ops seemed to not be targeting a bunch of guys in a mudhut putting together IEDs.

This was something scalable. With the potential to ensnare hundreds maybe even thousands of people...

Your last point is a very big deal. I don't believe people fully comprehend how awful the world will be when extortion is global and commonplace. If criminals are not already making extensive use of facial recognition and cellular tracking, they soon will be. It wont be long before there's enough dirt on political candidates that governments will be mired in problems that remain rare today.

We restrict law enforcement from using tools like Clearview for many legitimate reasons but there is no such restriction on crime that often involves the same reasons. Even something innocuous such as being in the vicinity of a certain area at a certain time coupled with better deep fakes will create headlines or fabricate evidence to sideline business deals.

I suspect we will be forced to move towards a world where people increasingly get a free pass for past behaviour and many crimes will simply have to be decriminalized for society to function. We are beginning to see push back for many whose careers have been ruined by so little as an errant comment and I expect change to spread from that.

> also lets people conspire in secret to overthrow governments

The USA was founded on this principle, and the framers felt it important enough to enshrine in the 1st and 4th amendment. Some could argue the possibility of citizen overthrow helped keep corruption in check for the first 200 years (but probably no longer).

I don't think this property is an absolute (in all cases) bad property.

> I don’t have any good solutions here.

There shouldn't be any. There is no good or moral way to perfectly control a human population. Anything of the sort inherently degrades the human condition because it requires complete submission to authority. Since humans are corruptible, authorities are also corruptible. Therefore, it is vital that crime and insurrection never become impossible even if only to preserve the threat against authority.

So, what exploit did they find, and who was spying on whom?
Also: "But while protecting customers from attack is important, some argue that counter-terrorism operations are different, with potentially life and death consequences that go beyond day-to-day internet security."

Which is great in theory, but raises the question of how you identify friend or foe. Since they do it indirectly by "hallmarks" of the organization, all a skilled adversary has to do is camouflage their code to look like it's from a friendly, and then enjoy flying under the radar.

I think that line was actually a lot worse than that, in particular:

>"with potentially life and death consequences that go beyond day-to-day internet security."

So this is setting up "counter-terrorism" as some sort of special thing far beyond "day-to-day internet security". But the whole problem is that day-to-day internet security absolutely can involve life-safety issues. Lots of vital infrastructure SCADA is on the internet and ludicrously exploitable. Internet monitoring is now used for all sorts of medical scenarios as well. Even in business settings like hospitals we've seen ransomware and the like cause major damage, but lots of individuals make use of internet devices to empower their ability to have the elderly stay at home longer for example, monitoring for falls or other issues. And even with "just" finance, if someone's small business is destroyed and everyone laid off, that can cause plenty of dangerous ripples.

If anything, I'd say terrorism is near the bottom of my list of threats to my own life and those close to me, right along lightning strikes. Sure, they do happen, and taking some basic transparent precautions is reasonable. But it gets lots of attention precisely because it's rare. Like, the entire point of it is right there in the name, to terrorize people into doing damage to themselves that the attacker could never manage alone. Terrorism is an expression of weakness, not strength.

Makes sense, even though not easy to ear for everyone, especially the last part: is it "an expression of weakness" that took my son from me? Terrorism is an expression of mercilessness, aggressiveness, bloodlustness, anything but "weakness", please, there is no place for weakness in terrorism.
FYI, the author’s LinkedIn profile [0] in case you’re curious how qualified he is.

Am I the only one who doesn’t see anything here that tells you why he should be working for MIT Review writing about cyber security?

[0] https://www.linkedin.com/in/howelloneill

Good catch. He's been a journalist for a few years, but surely the most important year was spent at "Aspen Institute". Nobody can figure out whether it's a pro-war think tank or a PPP loan scam, but they get lots of money from dictatorial "Western allies" (i.e., MbS). It must have been there that he learned to write a whole article littered with "western operations" without once writing "Israel" or "8200".
The US government would not hesitate to shut down Google inc., take over the company, or throw the entire executive team into prison if the company actively interfered with counterterrorist operations.

Google should thread carefully here.

The US wouldn't hesitate to come after and make an example of individual developers or small companies.

But Google? Our intelligence agencies are already relatively unpopular (if you can trust the polls) [1]. I'm not sure that the US government could attack Google like that without serious consequences from the public.

[1]: https://www.pewresearch.org/politics/2018/02/14/majorities-e...

@tremon, not only that but the definition of "democracy" is being increasingly stretched by modern politicians. For example many will have something to say about the Trump definition of "democracy" that we saw only just recently in the US. Others might have something to say about the Johnson definition of "democracy" in the UK. Others might not exactly consider Israel a democracy given the way they treat the Palestinians on their doorstep.

People are often all to quick to jump on "democratic country" as if its a simple definition of a country that is beyond reproach. The trouble is that modern politicians spoil that rose-tinted view.

Historic politicians spoiled it as well. Modern ones are by no means short of company.
Yes, especially how do you differentiate?

Also who says a lawfully elected representative government might not:

- act unlawfully, to undermine democracy to make sure they will stay in power.

- act unlawfully for other reasons, there are many such examples in history

- the CCP is also a lawfully elected representative government, because they make the laws so that they are. So you probably mean not "lawfully" but something like "properly"? Also I for example would say a lawfully/properly elected representative government requires that all people can vote and there is real choice about who to vote for. Guess which country has neither? (USA,it removes voting rights from citizens under certain situations and as a winner-takes-all de-facto 2 party system has no real, i.e. no democratic choice when voting. And that is ignoring the fact that the citizens votes can be overuled by a small group of propel, even if they normally don't do so).

Any perspective is usually purely idealistic and strongly influenced by the environment you were educated in. We tend to consider the theoretical aspects of democracy as the golden standard but ignore the practicalities of the implementation.

So as we take the idealistic approach, any hacking campaign lead by Western intelligence agencies or any initiative to weaken encryption are for most people "pure" in intentions, they're anti-terrorism, they're fighting pedophiles. But any enemy doing the same, China, Russia, NK, Iran, etc. are engaging in terrorism, authoritarianism. It's always very black and white because that's how people are educated.

The absolutely overwhelming majority of people are able to go about their lives every day never questioning how they can hold such dissonant opinions in their head simply because they were told "it's ok when we do it, it's bad when they do it".

And as you can see even the "democratic" approach has a chilling effect. The suggestion most people take away from a cursory parsing of the title or article is that Google acted irresponsibly. Imagine the day this point of view becomes prevalent fueled by the typical political campaign populism. Imagine people and companies being put off from touching the topic out of fear that they're branded irresponsible and unwittingly hindering anti-terrorism efforts because they're disclosing problems of general interest.

Also, with the revelations of Snowden you have to question the 'democratic oversight' part. We have no idea what our governments are up to and whether this is also being used to spy on us.
I'd also like to add that the whole notion of there existing "telltale signs" and fingerprinting to discern between good-guy Western governments and bad-guy Ze Russianz!11! is total BS. Unless Google is in the loop, it's completely unreasonable to expect them to know who is who -- and no, it's not reasonable to expect them to ask before they act.
I believe there are a lot of details we in the public won't get to know here, but in general Google isn't in the business of choosing to eff up police activity or allied espionage. The whole thing smells to me like either miscommunication or a situation where Google had additional data that made them decide to override the interests of the task force.
Obeying the law is not naivety. Protecting your customers is not naivety. Pass legislation through both houses of the US enforcing such privileged "Government Right to Hack" first before claiming any morality. Of-course that will likely lead to economic collapse as no-one (allies or enemies) will trust US software or services.
This is one of the best comments I've read in a long time on HN.
Good. Such vulnerabilities should always be reported and fixed, no matter who is abusing them. And it's even better if it wrecks a government operation, they shouldn't even be using these, they should always be reporting them to the software vendor.

I hope this doesn't discourage Google's threat analysis team, and others, from doing the same in the future.

The justification for not intervening is weak too - after all, we only have this article's word for it that the targets were 'terrorists'. They may well just have been freedom fighters, like Nelson Mandela was.

This new trend of "sign up to my newsletter to open a link" is infuriating.
Disable JS. Been manually whitelisting sites for 2 weeks now, rarely encounter a site I use often that breaks.
I would but that breaks many sites I frequent, but even if I can use (yet another) browser for this, it's just an annoying hassle.
> I would but that breaks many sites I frequent

That's what a whitelist is for.

Takes 2 clicks to whitelist a site permanently from ublock origin
> “The oversight is baked into Western operations at the technical, tradecraft, and procedure level,” they added.

At least for Germany this is patently untrue. Our parliament is stonewalled regularly and they get away with it. And even in the US, the congress is being lied to with no repercussions.

What's even worse about this is that intelligence agencies are highly suspect of outsourcing surveillance that would be illegal for them to conduct (e.g. because it's on their own citizens on their home soil) to allied intelligence agencies, thereby circumventing judicial oversight and local laws.
I dunno, I feel like "the only thing that can stop a bad guy with a buffer overflow is a good guy with a buffer overflow" makes even less sense than the original form of that.

Secure systems that do what they say they'll do help everyone. The idea that there's some sort of obligation to keep security vulnerabilities around so that the bad guys can get pwned feels as vile as saying that there's an obligation to keep medical knowledge secret lest enemy soldiers learn how to take care of their health.

This is a lot of words to say that Google found and caused the patching of security exploits in consumer devices such as Safari, iPhones and Android phones.

And the users of the exploits were a state actor that was friendly to the USA.

Which is effectively saying that wanting vulnerable software is a patriotic thing.

Especially calling it a "counter terrorism" operation. Where did the author of the article get that information from?

It seems like a hit piece.

The article quoted anonymous and named intelligence officials. Not a stretch to see where they’re getting their info from.
This is probably an intentional story.

The spooks reached out to reporters with approval.

I find it is unlikely information as sensitive as means and methods, with no seaming whistleblower spying on the people type motivation, would be disclosed by leakers without approval.

Strategic leaks like this are done all the time.

Though I guess there is precedent of releasing post-mortem facts like in the charges of the alleged vault 7 leaker.

It's an interesting tactic. I think a lot of people in the tech community are a bit skeptical of the NSA, CIA, etc. I wonder if the publicist's notion here is to gain some ground in public sentiment by pitting the intelligence apparatus against a yet more hated enemy -- big tech.
I don’t hold Google in high regard and actively avoid using their products but this article has raised my opinion of them ever so slightly. I’m pleasantly surprised to see they aren’t (yet) completely in bed with the “counter terrorism”-justifies-all thinking that seems to be prevalent among western governments and their surveillance tactics.
> I’m pleasantly surprised to see they aren’t (yet) completely in bed with the “counter terrorism”.

I think it would leak!

At least having seen Google from the inside, I don't think Google can keep a nefarious secret.

Most conservatives I know put three letter agencies on a pedestal and loathe big tech. I remembering being baffled by the previous apple iphone fiasco. They we adamant that apple should have backdoors in everyone's phone so the fbi could catch anonymous bad people while at the same time espousing how they don't trust apple. It was baffling.
Important to notice that political parties aren't a person. The people saying those things were neocons, and they've mostly switched parties now. Witness the liars from the CIA who used to appear on Fox now appearing on MSNBC or CNN instead. Meanwhile arch-neocon Liz Cheney, who presumably hasn't switched parties because a Democrat would lose in Wyoming, is facing a primary challenger from within the GOP.
Liz knows she has a long future in public life, without ever having to win an election again. There will always be a place for a previously-elected legacy reptile in the bureaucracy, as she gradually takes over her father's client book. She'll never have a problem getting Senate confirmation, no matter where they decide to stick her.
Funny... I'd expect conservatives to believe in less arbitrary government interference, not more.
"Conservatives" have pretended to be "libertarians" for so long that neither term really has a meaning anymore (in USA). Those who actually value freedom are anarchists. ISTM "conservatives" were always happy to oppress unfortunates, and likewise happy to enlist the help of the state in doing so. They invented police and FBI for that purpose.
Yes, that's why they used the active voice with counterterrorist operation. It's essentially the same debate of enhanced interrogations and the ticking time bomb.

A lot of the time it's mentally ill people like this: https://en.wikipedia.org/wiki/Liberty_City_Seven

They want you to picture Osama in these cases, when usually it's a bunch of buffoons.

It seems like the article didn't have a problem with patching the flaws, but rather publicizing their operation and outing the government hackers.
"counter terrorism" is the information/military agencies "why doesn't someone think of the children".

They were just annoyed that their OPSEC failed to protect their exploits.

There is a happy medium here: stop using the government to jail non-violent offenders.

If someone orders a drink with too much sugar, doesn't want to pay a 38% tax rate, or put solar cells in their yard without permission, wants to smoke a certain plant, just let them.

We spend extensive police resources jailing these people. If we use a society agreed to just leave people alone for stuff that doesn't matter, when the government is conducting an operation like this it'd be a little easier to let it go as there is no target for abuse.

Right now we're training in the opposite direction where everything that upsets someone needs a law and needs to be illegal.

"Counterterrorism" implies to me that the targets were not under the jurisdiction of the United States, and therefore could not have been jailed for ordering a drink with too much sugar (not that anyone in the US could, either, but let's pretend they could).
Yet. Nobody has been jailed for too much sugar yet.
Where does this idea that all law is enforced by police come from? Why is it so prevalent on HN?
Because it is: it's either enforced by the police, or by some other group that will fall back to calling the police if you don't go along with their enforcement.
That's unequivocally false.

For example: there are many legal concepts which are not a crime to disobey (and therefore there is no criminal reason for police to be involved) and/or it is not in the jurisdiction of any police force.

Possibly that's true in the US, but it's completely false in many other parts of the world.

In England there's a bunch of stuff that has no police involvement. Debt or tenancy are the two biggest areas.

If there’s no force behind the law then it’s just a suggestion
Not all legal constructs are practical, possible, or necessary to be enforced. And even for those that are enforced, not all necessarily need to be enforced by physical force.
> orders a drink with too much sugar, doesn't want to pay a 38% tax rate, or put solar cells in their yard without permission, wants to smoke a certain plant, just let them.

I would walk back here and say one of these is not like the other insofaras 'let them be' and the wider effects on society.

I think you should read up on the differences between civil law and criminal law.
> But while protecting customers from attack is important, some argue that counter-terrorism operations are different, with potentially life and death consequences that go beyond day-to-day internet security.

Maybe they shouldn't base life or death consequences on something as capricious as the existence of an undetected 0-day. It's not just Google, what about other security companies, independent white-hats, etc?

The alternative is basically saying, "you shouldn't/can't improve software security, coz terrorism", which not only feels super unethical, but also likely a 1st amendment violation.

> “The oversight is baked into Western operations at the technical, tradecraft, and procedure level,” they added.

So what the NSA has been doing (even after exposure by Snowden) has had "oversight baked in"? Who are we kidding?

This posturing, pretending that " the west is better than everybody else", is downright naive and idiotic. No organisation is pure of heart, moral, or ethics, and none have crystalline motives.

Blind exceptionalism is required to get by in the West. I can't see good reasons for it, Hollywood plays the fiddle.
(comment deleted)
You don't launch an exploit like one launches an attack. You can only ever share an exploit. As such, the more patriotic thing to do is to defend yourself and plug the holes.
Authoritarian 0-day bad!! Democracy 0-day A-OK, no problem!!
To me, this is not a difficult decision or a debate.

Allowing vulnerabilities to remain open/undisclosed because your government approves of them... for one thing, they aren't only useable by your government/allies, you don't know who else knows about them.

Our government's approach of finding security vulnerabilities and keeping them for their own use (instead of responsibly reporting them to get fixed) puts all our security in danger. There isn't much we can do about that (except, well, try to use our "democracy" to get the government to behave differently).

But in USA at least, private citizens can't generally be compelled to cooperate.

If engineers at a private company find a vulnerability, it should be responsibly dealt with to fix it. No matter who else knows about it or may be taking advantage of it.

I think it is unethical for a software engineer to do or go along with anything else.

The article cites that it raised alarms inside Google. I'm trying to imagine the furor that would be unleashed if Google told its employees that they weren't allowed to fix a security bug on order of the US government. There would have been massive pushback.
Yeah, it's weird that this is even a question from an employee perception perspective. I'm extraordinarily sympathetic to US intelligence agencies by our industry's standards, and even I would see that as a red line.
>weren't allowed to fix a security bug on order of the US government

What would happen? "Order of the US gov't" makes it sounds like serious legal ramifications would be handed out if violations were to occur. First, what would this look like? The CEO gets arrested? CTO? We've already seen that doesn't happen. The dev that pushed the change to fix the bug gets arrested, the PM in charge? Sanctions? Fines? All of this would have to have some legal standing in a court somewhere, otherwise, the offenders would have to be moved to some black site to prevent them from using any/all means to defend themselves.

In otherwords, it seems sort of like an empty threat and bluffing to someone not dealing with the stress of that particular moment.

Former Qwest CEO says refusal to comply with NSA spying landed him in jail: https://www.rt.com/usa/qwest-ceo-nsa-jail-604/

NSLs are alive and real: https://en.wikipedia.org/wiki/National_security_letter

"Former Qwest CEO Joseph Nacchio, who spent over four years in prison for insider trading, now says his conviction was based on his company’s refusal to cooperate with NSA requests to spy on its customers."

"Nacchio believes his conviction was in retaliation for his refusal to play ball with legally dubious NSA spying requests."

So, was he in jail for insider trading or violating an NSL? There's a difference between being convicted for violating a gov't order and someone pissed off at you to dig up dirt to put you in jail for something you did do. Lot's of people in jail believe they are in jail for the wrong reasons. Don't confuse my arguments as being in support of NSA systemic invasion of privacy. Just saying sometimes guilty people try to shift blame.

I understand the concept of NSLs. What I was really trying to get at is the fact that in all of the corporate shenanigans that have ocurred in recent times, no indivduals gets punished for actually doing the thing that was bad. The evilCorps get some fines levied or something similarly slap on the wrist level, but that's it.

It's a fair criticism that we can't really know the truth on.

If a nation state wants to railroad you—a single person—with the resources of the NSA/CIA at their disposal, how are you going to defend yourself? You could live off the grid like Crazy Ted, but that's an extreme reaction that most won't take, let alone a ceo of a major corporation.

The government is made of people just like you and me. Couldn't you see some folks in the national security state thinking a person was standing in the way of keeping America safe? Collateral damage but necessary.

I'm not saying it's good or should be allowed, but I can empathize with the mindset of that individual. Same thing happens with prosecutors/detectives when they get tunnel vision over a person that later is exonerated. They deal with bad people so often they become jaded by human nature and everything looks like a nail for their hammer.

2011: "New Evidence Adds Doubt to FBI’s Case Against Anthrax Suspect": https://www.propublica.org/article/new-evidence-disputes-cas...

Personally, I have zero doubts that if NSA/CIA types felt slighted by Qwest's (or anyone's) refusal to assimilate, that someone would attempt to railroad those that were to blame. That's only because of the hindsight of all of the revelations between then and now. That's just standard MO for anyone in power to clear the roadblocks.
rt.com is not a reliable source for US security news.
I think the article was advocating more for not disclosing the vulnerabilities and silently patching them. So the vuln goes away but no fingers are pointed.

Which is also a silly argument; enough security researchers will watch the updates/patches and immediately spot the vulnerabilities, then accuse Google of brushing it under the carpet and being in bed with govt.

Not patching is not doable.

Patching silently is not doable.

Vendors should do what google did. All of them.

It was a long and meandering article that seemed to be fishing around for every possibly related controversy it could find (and it worked, look at all the people talking about the article).

But Google's blog post weren't just about the vulnerabilities so much as the hacking operation, which had exploited multiple different vulnerabilities. As for publicizing the operation itself, which was the real controversial decision, they went halfway on it, by holding back key details.

https://googleprojectzero.blogspot.com/2021/01/introducing-i...

> This is far from the first time a Western cybersecurity team has caught hackers from allied countries. Some companies, however, have a quiet policy of not publicly exposing such hacking operations if both the security team and the hackers are considered friendly—for example if they are members of the “Five Eyes” intelligence alliance, which is made up of the United States, United Kingdom, Canada, Australia, and New Zealand. Several members of Google’s security teams are veterans of Western intelligence agencies, and some have conducted hacking campaigns for these governments.

> In some cases, security companies will clean up so-called “friendly” malware but avoid going public with it.

Ah, this explains why if you follow security-related news, it feels like U.S. or “Western” countries never conduct offensive operations ever.

Is the C++ programming language the ultimate back door? Did the NSA or whoever encourage it specifically because of its unsafety and prevalence of security flaws? Are any of the C++ standards committee members sock puppets for the NSA to water down any proposals to evolve the language towards safe defaults?

That’s a bit too conspiracy-minded; it’s almost certainly just an accident of history. It’s certainly convenient for black-hat and national security types though.

How long until some congressperson finds out about Rust, though, and decides it’s a threat to national security since software written in Rust has many fewer security vulnerabilities.

Google can neither truly verify an origin, nor do they have (or should they have!) the moral authority to determine an origin to be "good" or "bad". A security breach is a security breach and needs to be shut down on sight. I would've done the same in Google's techie's position.
So, what espionage operation it was, by whom, and against whom?
I think this is a net positive in the long run. Google has every right to publicly disclose and fix vulnerabilities. And while I support governments need to to perform counter intelligence, if this keeps happening hopefully it will cause them to start being more selective in who and what they target with these type of campaigns. If random google security guy visiting a site is being targeted with these payloads it's obviously not differentiating enough.
> There are certain hallmarks in Western operations that are not present in other entities… you can see it translate down into the code

Can someone help me understand why this is a good thing? By the arguments presented by other commenters, it seems to me that a) these hallmarks can be duplicated by someone else and b) by only running operations with said hallmarks, the intelligence agencies might miss other vulnerabilities.

It's good because they can choose to omit the hallmarks if they wish to hinder attribution, or they can take on the hallmarks of an enemy nation state to point the finger elsewhere/create false flags.
If "they" can include or omit "hallmarks", so can any other "nation state" operatives. In other words, this whole idea is complete bullshit, as it seemed to be when I first read it?
Google is the top of the new world order! Bravo!
Even though I've been skeptical about Google's "Project Zero" thing ever since they used it to attack a competitor[1], this seems like more of a fuck up by the intelligence agency than by Google.

Even if Google is legally obligated to ignore cyber attacks by allied nations, who's to say that they are even capable of accurately attribution?

1: https://www.zdnet.com/article/fortnite-epic-games-ceo-rails-...

A fundamental question I haven't seen addressed: if Google' security/threat analysis/whatever team can find evidence of "counterterrorism" 0days in the wild, what's to stop "terrorists" to find those 0days used in the wild as well and reuse them ? Or simply non-allied states that would use them against allied targets ?
"They took matters into their own hands . . . ".

Dissension in the ranks ? Treason ?