88 comments

[ 3.1 ms ] story [ 137 ms ] thread
Have to appreciete the direct honest approach:

"It's true that you must be a U.S. citizen, and you'll need a security clearance that requires a background investigation and polygraph. But ... If you have a few, shall we say, indiscretions in your past, don't be alarmed. You shouldn't automatically assume you won't be hired. If you're really interested, you owe it to yourself to give it a shot."

Indeed. That has to be a first from a US government agency.
I think its great though that the NSA is acknowledging the resource that DEFCON is though.
Kind of a no-brainer, when you're trying to circumvent your population's security and break its encryption, to attempt to buy off people with related skills.
From what I learned and searched for (sorry, no references), in general the important thing for a security background check for government agencies is not that you have shady business in your past - but that you're willing to be totally transparent to your (governmental) employer. Was in the past a heavy consumer of weed/was part of a cult/always attending protests against federal government policies? No problem, just tell us that on the forms/interview BEFORE we find it out for ourselves (and they will find it, because you'll give them permission to).

Transparency and trust is the most important thing here, not your history (in the non-extreme cases).

So willing applicants, don't let your history prevent you from trying.

EDIT: to clarify, the main reason it's being done is because one of the main actual real-life-no-movies-plot threat for such agencies is that someone will find something in your past they don't know about and will blackmail you for confidential information. It's ALL in their interest not to disclose your past shady activities as that will deter recruits from being frank with them, supplying blackmail potential to adversaries. Judge on your own, but if you were my friend I would advice you not to be afraid to fully comply with the screenings as you'll just do harm to you and your country.

Doesn't this approach seem kind of backwards though?

For example, weed. If they want to prevent enemies from blackmailing their employees for past weed use. They should come out and say we don't care how much weed you smoke, we're not going to drug test you now or ever, we just don't care what you do in your free time.

The fact that they polygraph & question you to find the exact # of times you have done drugs in the past opens the door to blackmail situations.

Polygraphs are not perfect, I'm sure some people that work for the NSA claimed no drug use on the application when that was not the case or claimed to have done it a handful of times when they really did it a lot more. Now an enemy could blackmail those people because they would be afraid of losing their jobs if the truth came out.

I don't know the specifics about the NSA (or about any other agency), but the whole "don't care much about past, caring about trust and transparency" is pretty standard security model in western governmental agencies. Notice that CURRENT illegal activities can be a source of blackmail - if I'd work for the NSA and run over someone with my car I wouldn't expect a three letter agency to come and make the charges disappear (and that's a good thing of course, we don't want an above-the-law military class).

As I said, I don't know the specifics of the NSA (maybe they do or do not care about future light drug use) but I would expect them not wanting you to continue any illegal activities, to a reasonable degree (continue stealing the office toilet paper if it gives you kicks).

Unless you're some sort of a world-level genius they would probably also shy away from evident extreme sociopathic behavior. From a reasonable human resources angle, not just security. Most of us wouldn't want to work with someone who released a worm that specifically targets thesis drafts for example.

ANOTHER EDIT: I really think the #1 concern for applicable defcon recruits is "computer crimes", not drug use. Found/tested exploits? Use bittorrent? Cracked WinRAR (and hopefully something else that is more than simply changing a je to jne)? don't be afraid to send a CV and be honest. That is all.

> They should come out and say we don't care how much weed you smoke, we're not going to drug test you now or ever, we just don't care what you do in your free time.

The threat is that a foreign nation will take over a DEA field office and blackmail you. "We can overlook the pot this time if you cooperate and wear this wire. Don't cooperate and we'll do an asset forfeiture on your house and report your kids to CPS for being homeless." In a few months you'll be doing dead drops for a Chinese handler and thinking you are doing the right thing for family and country.

It is not about drugs but the abject corruption of the War on Drugs.

Polygraph interviews are not anout ferreting out all secrets, they are about finding how hard it is to get secrets out of you.

That's exactly correct. I'll been through the Single Scope process and it was brutal. Remembering what I had for breakfast yesterday is hard enough let alone remembering a coworker from 10 years ago. My clearance took over a year, of course I lived in various East Asian countries for 6 of the past 10 years, so it made it far more interesting.

Discovery of a "Potential to coercion" is the main objective of a poly. If it's all on the table, there'd not much that can be used against you.

(comment deleted)
and polygraph

Are they still serious about doing the polygraph dance? Even after all these years with questionable results and even the Supreme Court rejecting it as neutral evidence. I guess they are starting pretty early in making employees believe into made-up Security Theater mechanisms.

The polygraph isn't about lie detection. If you can't beat an NSA poly, they wouldn't want you. The poly isn't about finding 'truth' inasmuch as it's about your abilities to pass it. I can't speak to the NSA specifically, but in other agencies, the poly is a screening tool. Even if you're lying but can beat the poly, then you have proven that you can maintain while under extreme pressure. Intel agency polys are seriously stressful. Often 3 days long, sometimes administered in a generic northern Virginia chain hotel room with constant badgering. The goal is to maintain physiological control under mental duress. Polys are worthless as lie detectors, but they are a good test of mental toughness (or sociopathic skills.) the easy part is just to tell the truth. Unless there's something in your immediate past that's a disqualifier, usually within the previous 12 months, then there's nothing to fear.

If you're easily rattled, even if telling the truth, the poly weeds that out.

The polygraph to me is about the ability to lie without being detected. Psychopaths pass them with flying colors.

You tout that as a "good thing" -- you've proven you can tell lies, come join our team.

What kind of people do you end up with in the end then? -- yes people who are tough, but also psychopaths, people who can lie well and can then easily turn on you and sell that $150M spying project to someone else for $50k.

Polygraphs are passable by non-psychopaths. Its a broken test that is useless and not scientifically verified.
That's actually not true, as far as I know. If they can't get an actual emotional reaction out of you there's no way you're passing.
I suppose someone with a bullshit threshold high enough to take a polygraph would do better in a government agency than someone who wouldn't.
It's more about your ability to withstand interrogation if you're captured.
I seriously doubt that the nsa is worried about hiring mathematicians with psychological control under mental duress. That's more like cia agent training.
As mentioned the polygraph bluntly measures lying-ability (to a lesser degree) and measures mental stress-management, which in this line of work is very mandatory.
Polygraphs measure your ability to clench your rectum (www.youtube.com/watch?v=bScv6kfxRyE).
Having some experience of this I know that background is crucial, as is current circumstance. Both need to show beyond doubt that you're trustworthy.

What that means is that if you've been convicted of something you should point that out. If it's serious, like assault, you're out. If it's not serious, like exceeding the speed limit, and you didn't mention it, you're out.

Current circumstances are about trying to uncover anything that might be used as leverage against you. So having excessive debt means you're out. Being gay is absolutely ok, but keeping it a secret from your parents is not.

All techniques, from completing the application form to polygraph and interviews are about finding the chinks.

It seems financial problems is the top reason for clearance denials. The other major one as you pointed out is falsifying information (lying or hiding stuff).
> If it's serious, like assault, you're out.

i've seen some examples that suggest it might not be as cut-and-dry as that. i don't have the url handy, but some time ago someone in one of this discussions linked to a publicly-accessible record of clearance decisions. the one that jumped out at me had a guy who'd been a drug addict and involved in dealing in the past--he was clean now and fully informed them about it during the screening, and was approved.

> polygraph

WTF?

What security expert would want to work at a place that takes seriously crackpot bullshit like polygraphs?

Some people are saying the polygraph is to prove you are trustworthy, others are saying it's to test your ability to lie. These two notions appear to contradict each other, though.
Have to appreciete the direct honest approach

You know, they are only referring to smoking pot once or twice, right? Admit to running a small botnet or monitoring GSM calls and I'm sure your 2nd interview will be with the FBI .. not for a job.

This whole NSA/DEFCON relationship smells funny. I've lost a lot of respect for DEFCON.

Yeah, the fact that DEFCON brought in an NSA director to keynote is pretty vile. By helping legitimize the NSA and allowing it to openly recruit hackers DEFCON is doing their part to help compromise the privacy and infosec of American citizens.
> Admit to running a small botnet or monitoring GSM calls and I'm sure your 2nd interview will be with the FBI .. not for a job.

I just assumed that they're trying to lure blackhats into submitting incriminating resumes.

I bet it'll work too.

Many of the leaders of DEFCON work for the government. I've come to suspect that it's 'pwned' and is now revealing its form as a recruiting tool.
Many of the leaders of DEFCON work for the government

I can confirm this. Though, to be realistic, I haven't encountered any conference or local 2600-type meeting that hadn't been pwned by government representatives. What I haven't seen is the active promotion of the very agencies that are working hard to put meeting attendees in jail.

I can't believe this shit flies here.
A few NSA reps should hang around HN, if they are not already, to respond to any questions and partake in the discussion on this thread.
A few NSA reps should hang around HN

Please don't give them any ideas. I mean, I imagine they monitor this site already anyway, but why encourage them?

What would be really cool, would be if pg could determine if an incoming request was from the NSA, and redirect any such requests to youporn.com or something.

Now sure how you'd detect the NSA requests though. I doubt they publish which netblocks they snoop from, and I doubt their browser UA string says "NSABrowser 1.0 (Mozilla 4.0/Compatible)" or anything.

How do you know that they're not doing that already? Always and forever assume that you're being watched by somebody, somewhere.

Even if it's just Ceiling Cat.

Embrace, extend, extinguish
Embrace, extend, extinguish

But is the NSA EEE'ing the Hacker community, or is it the other way around?

<!-- OK. You found the Easter egg, but don't think you're clever just 'cause you identified an HTML comment. There's more to find if you take a closer look. And if you really want to prove yourself, apply for a job and show us what you can really do. -->
Then if you zoom in on bottom of the background (http://www.nsa.gov/careers/dc20/images/Back.jpg) in the light blue swoosh there is a message: "GNXR N PYBFRE YBBX NG ANGVBANY FRPHEVGL NG AFN"

Which is ROT13 for "TAKE A CLOSER LOOK AT NATIONAL SECURITY AT NSA"

Nothing there, I'm afraid.

That is, unless they're intercepting Google searches for the decoded phrase, in which case, hello! Feel free to check out my resume, which you can find in my Documents folder, and I look forward to hearing from you shortly.

I can confirm it's there, look closer.
Oh, I saw the ROT13 text; I was saying there's no real easter egg there, just a dead-end tagline.
Wow, ROT13 and HTML. I'm impressed with the NSA ...
"No need to send us your CV, we already have it"
There was joke among mathematicians at US universities for a while about how if you want to work for the NSA, pick up the phone, call your mother and ask to be employed at the NSA.
My old research advisor told me a story about a conversation he had with an NSA rep who seemed to know an eerie amount about his work. When he pointed this out to her, she insisted they had spoken previously. He's pretty positive they never did.
It was more of a one-sided conversation I guess ;-)
Impressive, who would have thought a government agency could have signs of imagination and even <gasp> fun!
Appalling.
Why? Because you don't agree with what they do?
Because its all doublespeak, protect and serve, while attacking and exploiting, just word games, trying to spin the NSA in to a good light. The Defcon talk by the NSA head guy was pretty much the same, doublespeak all the way. In the UK we have GHCQ trying to do the same things their advert was a little more interactive http://www.canyoucrackit.co.uk/
Unprofessional Keith B Alexander goes out of uniform to preach government spy jobs to innovators. Makes me doubt if the DSMs and DSSM on his class A's are fake too. Why not wear the MOH on your class A's Keith? You do not have to worry about being out of uniform.
And if you think it's ok to use national security means to spy on foreign companies to rig the economic competition and if you think a human being from another country has less rights to privacy than one with a US passport, apply.
Right. Because China and France would never do that. One of the primary purposes of French Intelligence is industrial espionage. Before you make ignorant statements about the NSA how about getting some facts?

Also, if those 'human beings' are trying to blow up Americans, then I don't care about their rights. I have a right for my kid to not get killed while traveling on the subway. I have a right to not have bombs blowing up while out at a nightclub. Is the NSA perfect? Of course not, but it's a dangerous imperfect world. When people stop blowing shit up in the name of their deity, then I'll gladly revise my opinion of the relevance for the NSA.

Where's your outrage over Syrian and Iranian Intelligence and their tactics? How about North Korean intelligence and their wholesale kidnapping of hundreds of Japanese citizens? How about the Chinese and their operations in the US? It's a popular sport to pick on the US from the safety of an armchair, but it's quite another to address the reasons the NSA and CIA do what they do. I'm not defending all of the actions of those agencies, but I will certainly defend their mission and goals.

The fact that you can even safely criticize the NSA and feel secure that you won't be arrested is a testament to the freedoms the NSA helps preserve. Spend ten minutes in China and start posting messages about their MSS and see how long your comment stays up (and how long before you get a visit from a local Public Security Bureau officer.)

Where's your outrage over Syrian and Iranian Intelligence and their tactics?

Your entire rant is irrelevant. Independently of how much you dislike foreign agencies, working for the NSA might also pose ethical problems.

Murder is unethical, but when you're at war..
False dichotomy. You're only comparing it to the worst examples. Let's assume that the NSA doesn't spy on Americans, and what they say about only collecting data on foreigners is accurate (haha).

Why do the Swiss have no privacy rights? Australians? Canadians? What makes any of their average citizens not worthy of respecting? They don't "export terror" or have large scale state-sponsored abuses.

"Where's your outrage over Syrian and Iranian Intelligence and their tactics?"

Even though this isn't addressed at me, my response would be: Where it belongs, in conversations with Syrian and Iranian intelligence officials.

For all we know, they excuse what they do with what the US is doing. There was the cold war, then that ended, and without missing a beat military budgets kept growing. Now there's Al Quaeda (former resistance fighters against the Soviet Union, whee), and China. There's always something. It's propaganda 101, and they do the same. The game isn't "nation X against nation Y", it's elites in all nations against their populations.

"I'm not defending all of the actions of those agencies, but I will certainly defend their mission and goals."

But we ARE talking about their actual actions, instead of their espoused goals, so how is that relevant? We get it, it's not nice for drones to see free people... then just look elsewhere, because we aren't going away.

>The fact that you can even safely criticize the NSA and feel secure that you won't be arrested is a testament to the freedoms the NSA helps preserve

The NSA going against the Constitution and conducting mass domestic surveillance is a funny way of "preserving freedom".

By offering uncritical support of institutions that undermine freedom you are working against freedom and helping the US continue to move in the direction of China.

I love their CSS naming convention.

    #maincontent {
   	width:941px;
	margin:0px auto;
	}

    #maincontentleft {
	width:228px;
	margin:0px auto;
	text-align:left;
	float:left;
	 
	}		

    #maincontentright {
        background-image : url(images/tableGrad.png);
	width:699px;
	margin:0px auto;
	text-align:left;
	 
	float:right;
	color:#ffffff;
	}	

    #maincontentright1 { /* a lowercase L or a number one ? */
        padding:15px;
	}


In their careers page (http://www.nsa.gov/careers/), there is a comment that reads: <!--do not remove the extra close a tag, needed to fix an error in ia/academic_outreach/nat_cae/cae_r_program_criteria.shtml-->

I thought they would be using template inheretance for such a big site.

For a government hiring req, this is shockingly well written.
One of this really interesting things I've discovered over the last year is that the government is really heterogeneous; extraordinary competence exists in many places. When you think about it, it makes perfect sense. There are talented hackers working on the kernel instead of Wall Street for ideological reasons. It not that great of a leap to imagine that there are also talented hackers (and people who are talented at recruiting) who ideology causes them to work in government.
Or the government is just the last place left where you can count on a stable paycheck, and lots of engineers like to optimize for that instead of for the possibility of striking it rich.

It used to be, anyway.

What about Google, Microsoft, IBM, etc?
You mean the IBM that almost disintegrated in the 90s, and that now employs an entirely different workforce than it did then because their core business has completely changed? And IMO Microsoft is being driving into the ground, it certainly won't be known as a stable employer within 20 years. We'll see what happens with Google, I guess.
It's certainly a choice

Less variance or more variance. But I think it really doesn't pay off (unless it's for high level jobs, think NASA, DOE, etc)

That's actually why I do government consulting. I would make more money working for twitter, but IMO my skills are much better utilized working for the government.
I know at least one HN reader doing crypto work at the NSA. I'm sure there are others, and they know their audience.
"Help us monitor the communications of private citizens all over the world, even if they use encryption!"

( Need I remind you of this? http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/ )

Hey it's challenging work! Just like devising new algorithms for helping Wall Street rape the world's economies!

It's exactly what a true hacker wants and needs. Tinker with your favourite programming languages and tools! Go crazy with mathematics! Help us rape the little folks!

That's just nonsense. Where's your outrage over the stuff the Syrians, Iranians and North Koreans. You can bury your head in the sands of outrage, but meanwhile, people are working hard to maintain your freedom to enjoy your conspiracy theories. Wall Street isn't raping world economies. That's just anti-capitalist nonsense. "The most important single central fact about a free market is that no exchange takes place unless both parties benefit."
I was offered a nice contracting job at a USAF base. All I had to do was run a single large Oracle server (Sun Enterprise 10000). I asked "what does the system do?" The recruiter told me the database handled the parts ordering system for foreign countries that need to order replacement parts for F-15 fighters that the US ships to them.

I turned down the position for ethical reasons. Somehow, I'm not comfortable knowing that I helped facilitate the export of US weapons systems to foreign countries that history has shown us are likely to use them to bomb their own people, or innocent people in their neighboring countries. The fact that most of these F-15s end up in middle eastern countries seems to be standard operating procedure for the US government. Then, later, when the next dictator they propped up starts bombing innocent civilians, the politicians will act outraged "who knew that by supplying weapons systems to a dictator he would ever turn them on innocent people?"

Sorry, but I don't want the blood of innocents on my hands. Working at the NSA might not directly be as damaging, but you better believe that people will die indirectly because of something you helped work on. Do you want that guilt on your conscience?

I don't understand the moral intuition here: why is working on that Oracle server morally wrong, but not paying taxes to the country which bombs those innocent civilians?
It's a realistic choice.

One can usually choose not to work in a military-related occupation and probably not face any major repercussions. However, if one chooses not to pay taxes, one may soon find oneself without the ability to earn an income of any sort, for starters.

Everyone has limits to what they feel they can do in protest.

I've been in a similar situation, and I think it's about risk. It's relatively easy to decline a job, you're not going to jail for turning down a gig. Not paying taxes will get you some serious jail time though. So morally, yeah, both actions are enabling the same results, but one is easier to commit to.
Also, not paying taxes has less prospect of leading by example. The sheer majority will attack you for not paying your "fair" share, as they internalize their rulers' plans as their own to feel a sense of purpose.
There's some justification for that, though. If you don't pay your portion, then that's less funding for the things that are common good, as well as common bad.

I don't particularly think it's all that great that childless homeowners pay school taxes on their property, but I accept the reasoning for it.

That's a false dichotomy as not all of the taxes you pay go toward national defense. He sees a closer connection to actively (and willingly) working on systems that could be used to oppress people in other places than the 50-someodd percent of his Federal taxes finding their way into National Defense spending (which, by all accounts, he probably wouldn't pay if he had the choice).

Even if that wasn't the case, the argument can simply be "why contribute even more to the military war machine than I already have to," which isn't at all an unjust argument.

This argument also presumes there's no barrier to simply changing residency of country, when in fact, it can be very difficult to get a visa, let alone a job, for a militarily neutral country like Switzerland.

I can't choose not to pay taxes. I can choose not to spend 8 hours a day assisting in the delivery of weapons systems.
(comment deleted)
Sure bombing innocent civilians is bad, but for me it would be enough to simply say I won't run a large Oracle server for ethical reasons.
What about all the lives your work might save? What if you figure out how to crack the encryption of a network of evil doers so that the next bombing of civilians is prevented?
Have the foreign operations of the US government in the last ten years saved or ended a larger number of lives?
How could we possibly know, given that most of the operations are I assume clandestine and we'll never hear about them, positive or negative?

For some anecdotal evidence, I worked with a guy who was a colonel in the Army reserve. He was called up a few years ago to head up a base in Africa. His mission? To bring food and water to the citizens there. The army was doing this because they had to fight off the warlords who would try and steal the aid that was being provided.

So sure, you hear about a whole bunch of things the government is doing that is evil, and I'll be the first to stand with you and agree, but there is a lot of good being done too.

Imagine if the NSA had intercepted the plans for 9/11 and been allowed to stop it. 3000+ lives would have been saved, and you would have never ever heard about it.

And that has happened on numerous occasions. The number of Hezbollah fronts that have been stopped in just Houston alone saved a large number of lives by disrupting financing mechanisms that facilitate illicit materiél aquisitions. But the tin foil hat crowd would prefer to fixate on missteps. There was plenty of bad stuff the US (and Brits) did in WWII, but cracking Enigma codes saved potentially millions of lives. I don't know who would argue that working on the Enigma project was harming the worl, except maybe Germans at the time. The intel world is very ambiguous. It a person can't deal with ambiguity, then they'd be better off staying out of the intel community.
So, working on any open-source component that military will use accounts to killing?
I'd rather work for the CIA, at least they have morals.