Security Researchers Face Revenge of Spy Agencies (theregister.co.uk) 120
mask.of.sanity writes: Researchers tasked with revealing malware attack campaigns are being harassed, locked out of tenders, and in some cases deported. The retaliation by the unnamed spy agencies is in direct response to the popular published advanced-persistent threat campaigns that have coloured information security reporting over recent years. More details from researcher Juan Andrés Guerrero-Saade are available in a paper (pdf).
For Your Own Good (Score:5, Funny)
Can't you see that our good friends the government agencies are protecting us from those evil researchers?
We wouldn't want freedom of speech and privacy now, would we?
Re:For Your Own Good (Score:5, Insightful)
Why are the government spy agencies unnamed?
Because that would require actual evidence, and TFA has none. It is much easier to make vague accusations and include lots of scary handwaving.
Re:For Your Own Good (Score:4, Informative)
These are the agencies that, at least in the US have sadly been able to blockade access to the evidence that would confirm wrongdoing. Even in cases where they accidentally released such evidence proving its existence they have effectively got courts to treat it like it didn't exist because of "national security" (aka complete lack of accountability).
Re: (Score:1)
These are the agencies that, at least in the US have sadly been able to blockade access to the evidence that would confirm wrongdoing.
This is just more vague accusations and hand waving. Like TFA, you don't actually name the agencies, and you provide no information whatsoever to substantiate your allegations.
I love a good conspiracy theory, and I am always more than willing to believe the worst about the American government, but you have to do better than this. Even the 9/11 and moon landing kooks have a better argument than you.
Re: (Score:2)
You can't prove she's not trustworthy! All those other guys - they must be fools!
Except the problem here is not lack of "proof", but lack of any evidence whatsoever. Even worse than that, the accusations are so nebulous and non-specific that they are meaningless. Somebody somewhere that isn't named, and works for an "agency", that is also unnamed, did something wrong to some other anonymous person, at some unspecific place and time, maybe, and nothing can be named or specified for reasons that aren't given. Are we really supposed to be outraged about that?
Re: (Score:3, Insightful)
Why are the government spy agencies unnamed? You would think those security researchers affected by these agencies would name names. I call bullshit on this story likely planted by the government as part of its propaganda campaign.
Maybe, if they were named, then the researchers that named them would face revenge?
Re: (Score:2)
But supposedly these researchers are already facing revenge so why not name names or present some actual facts to bolster the claims of this story?
surprise (Score:1)
People of questionable morality don't like to be thwarted in their nefarious activities and retaliate.
Re: (Score:2)
My first response to this was, "Umm.. Duh? What the hell did you expect?" No right or wrong. Just, well, that's exactly what I'd expect to happen.
Re: (Score:2)
Are you talking about the "Security Researchers"?
In other news... (Score:2, Funny)
Security researcher Juan Andrés Guerrero-Saade was found dead in his apartment. Investigators found Guerrero-Saade laying next to various narcotics including heroin and suspect a drug overdose as the cause of death. His neighbors say he was a quiet man that mostly kept to himself.
Re: (Score:2)
Non-encrypted one. Because, you know, security researchers do not know how to do that...
Apparently the US is the best (Score:5, Insightful)
"In many places intelligence services tend to be more civilised than in others -- you would be lucky to deal with them in the US versus wherever else, Latin America, Asia, or Eastern Europe where they take very different tactics, "
The article is referencing other nations where freedom of speech is less guaranteed...for now.
Re: (Score:2)
Re: (Score:1)
Is Eastern Europe no longer part of Europe? I know its been a while since I took geography, but I didn't think plate tectonics worked that quickly.
Re: (Score:1)
Re: (Score:1)
Ayy, stop this pointless discussion!
OK, I agree my comment was flawed [economist.com], that use ambiguous word. I update my comment:
The article did not mention Western Europe, Southern Europe, Scandinavia, so more precisely, U.S is better than Latin America, Asia or Eastern Euro
Re: (Score:2)
Media are already plural. The singular is "medium".
BTW, I don't know where you live, but here in Europe, we usually understand "Europe" to mean "that big peninsula thing hanging off the west end of Asia, in between the Atlantic and the Urals".
Re: (Score:2)
So ... if (when? who knows?) the UK leaves the European Union, you'll no longer count it a European country?
Wearing my "geologist" hard hat, I can assure you that plate tectonics does not operate that fast.
And of course, Norway has never been part of Europe. Or at least, never part of the EU. It is part of the European Economic Area and of the Schengen "passport-less borders" arrangements, but they're not the same thing.
Re: (Score:2)
I love being precise. The article stated precisely this, "deal with them in the US versus wherever else". Unless you interpret wherever else to mean everywhere but Europe, you are precisely wrong.
Re: (Score:1)
The article "precisely" pointed out what "wherever else" is.
That why, I said "the article *did not* mention Europe" (Western, Southern, Scandinavia).
From this article, can you conclude about "Europe"!? Nope!
Re: (Score:2)
Is the resemblance between your nick "guestapoo" and "Gestapo" intentional or coincidental?
Re: (Score:2)
Considering the number of kleptocratic abusive fascistic governments which the US has installed and supported in Latin America and Asia over the years, then you can be sure that the US government knows exactly what it wants to bring about at home.
Practice makes perfect!
Re: (Score:2)
Operation Socialist (Dec. 13 2014) https://theintercept.com/2014/... [theintercept.com]
The fun of discovering issues, correctly reporting the matter and waiting
Re: (Score:1)
TFA Lacks Substance (Score:3, Interesting)
While I have no reason doubt that harassment and revenge is happening quite frequently, the article doesn't provide any information to substantiate their statements.
Tenders? (Score:1)
What does it mean to be "locked out of tenders"? My Google-fu fails me here.
Re: (Score:2)
Re: (Score:2)
Nope. I'm quite sure they mean these [mcdonalds.com] bad boys. These NSA-types play mean and dirty.
Re: (Score:2)
I don't know what the word means in your country, but on this side of the Atlantic (Europe), a "tender" is a proposal that a company puts out to invite other companies to bid for a contract. EU law has some strict issues about how all contracts above a certain value should be put out to public tender, with specified levels of advertising, the amount of detail that needs to be made public in the advertising, etc. This is intended to damage mono
Re: (Score:2)
We're supposed to take the word of an AC who can't spell "fuck"? I'm defo with that, eh.
Re: (Score:2, Informative)
What does it mean to be "locked out of tenders"? My Google-fu fails me here.
Companies regular respond to tender requests issued by government. In this context a tender is a contract open for bidding by organisations external to the government department or agency responsible for issuing the tender.
Re: (Score:3)
What does it mean to be "locked out of tenders"? My Google-fu fails me here.
It means their grant application wasn't approved. That could be because their research is crap, or it could be, as the TFA claims, proof of a vast government conspiracy to silence them.
Locked out of tenders (Score:2)
Re: (Score:2)
When I went on a cruise recently, a "tender" was the boat you took to the island. Perhaps they're tossing them onto desert islands and then locking them out of the boats to return home? Then again, considering the island I took the tender to, that wouldn't be a bad thing. (No Internet access but otherwise was incredible.*)
* The no Internet access isn't a problem if you're visiting the island. If I was forced to live there, though, it would become a problem.
Re: (Score:2)
This explains it pretty concisely: https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Re:Locked out of tenders (Score:5, Informative)
What the heck is a "tender"?
Tender, noun. (commerce) a formal offer to supply specified goods or services at a stated cost or rate
They're getting locked out of bidding on contracts. At least, that's what the sentence means. Not sure if it was used correctly.
Re: (Score:3)
A tender is an offer to provide a requested service for a government. Governments put out a request for a service (say, "we need somebody to help us ensure our computer systems are secure") and companies and individuals can tender an offer saying, "these are my qualifications, this is my price range". Government will then select one of those tenders to get the job.
Presumably, people who speak out against governmental practices are having their offers tossed.
At least, that's how I read it.
Re: (Score:1)
A tender is an offer to provide a requested service for a government. Governments put out a request for a service (say, "we need somebody to help us ensure our computer systems are secure") and companies and individuals can tender an offer saying, "these are my qualifications, this is my price range". Government will then select one of those tenders to get the job.
Presumably, people who speak out against governmental practices are having their offers tossed.
At least, that's how I read it.
In previous jobs where I've worked that dealt with government contracts those were called RFPs (Request for Proposal), I've never heard them called "Tenders" before.
Re: (Score:2)
It's a common word in common usage. Look no further than your nearest dollar bill to see it used this way!
Re: (Score:2)
It is something less than a contract as far as I understand. More temporary employment, or "hey, we need a dozen computers" not a years long contract to provide service or products.
Re: (Score:1)
It's a deep-fried, breaded piece of meat product (usually chicken), best served with sweet and sour sauce. Proprietary synonyms include Chicken McNuggets
Re: (Score:2)
But what if you prefer ranch or barbecue sauce?
Re: (Score:2)
In naval terms a Tender is a supply ship, or a boat carried on a bigger ship capable of transferring personnel or goods between either ships or a ship and land (a live boat is not a tender, a tender has a 'Captain' and a role and potentially a crew, plus passengers)
Tender is also used as a word for currency or money.
Security Clearance (Score:5, Interesting)
I find it interesting that not having security clearance is viewed as an impediment.
I'm well employed in computer security and not having any clearance, not having signed any government secrets agreement has been an essential part of being able to do my job.
While I work with people with clearances, I simply cannot trust them for specific things because it is not possible to know who they are really working for. Once you have signed up, you are clear for some government work, but tainted for work on the outside. Take your pick.
Re: (Score:3)
How does having a security clearance taint you? The only thing it indicates is that you either don't have much of anything to be blackmailed with, or that you have already disclosed such material to the government. There are other contracts you could have signed like NDA's, but that isn't part of having a clearance. Hell it's actually possible for a person to be granted a clearance without them having signed up for one at all.
Re: Security Clearance (Score:1)
Assumptions that they are bound to withhold precious spook bugs instead of spotting or patching them because they were marked as classified by previous government jobs?
Re: (Score:2)
I suppose you could have a situation where someone knows some secret vulnerability and can't spill the beans to fix it because they knew about it previously through classified means. But I would imagine that the number of people who know that kind of information, and then seek out private employment specifically looking for and fixing those kinds of things, to be a very small number. You are probably more likely to have co-workers who find and keep vulnerabilities secret so that they can sell them than keep
Re: (Score:2)
That's not necessarily true, but one can't be certain, and there are areas one can't investigate.
Re: (Score:1)
Wow. And what are you trained to do? Troll?
Re: (Score:2)
You may not read secret material anymore unless specifically authorized to. Yes, that includes if it is printed in the NY Times. You also have to report certain types of conversations. I accidentally did that to somebody with a clearance a while back and had that explained to me afterwards. (I don't have a clearance, but have done research outside of the US that is at least "secret" there and may well be classified quite a bit higher.)
So, yes, it taints you and significantly so.
Re: (Score:2)
A clearance is just a certified opinion of your trustworthiness from the issuing agency.
Deliberately reading information that you know to be classified can cause you to lose that clearance depending on the following investigation. And yes, if you want to maintain a clearance you need to log specific types of conversations and contacts with foreign nationals. Mainly you do that though so you can provide it to the investigator whenever your clearance comes up for review. If you don't care to maintain the clea
Re: (Score:2)
I beg to disagree. When I talk to some fellow researcher about my work, and suddenly she gets an expression of fear in her face, clamps up and runs away, that is something that does impact me. My impression is you are sugar-coating to an extensive degree in your statement.
Re: (Score:2)
I can't imagine why they would be afraid, but I guess to each their own.
Re: (Score:2)
I suppose it could be a fear of stirring up a reportable incident. In some situations just an investigation could lead to suspension of clearance until the investigation is completed. If her job was dependent on having the clearance then she might have to take some leave until it's cleared up. But so long as she didn't disclose or acknowledge some classified information she shouldn't have anything more to report than that some other researcher independently discovered something that she knows or suspects is
Re: (Score:2)
The problem might be that a simple nod at the wrong place can disclose classified information. And yes, this person was very much dependent on her clearance. The absolute requirement to report anything relevant, even things that are not really that hard to find out, effectively gags them and they cannot be part of a civilized conversation between adults anymore.
Re: (Score:2)
You can be granted access to a clearance, but as soon as you try to use the clearance, one of the first papers they have you sign is an NDA.
Re: (Score:2)
It also has an impact on what you can be trusted with. I would not employ you in any capacity that was a position of trust over customer security. You say it was guidance systems, but if you were seeking the key management job, it would raise questions about what your motivations are.
It's not a pejorative thing. It's just how trust works. It isn't transitive and it goes both ways.
Re: (Score:2)
You say you were working on a guidance system, but if it's a classified project, I can't ascertain that you're telling the truth.
So, yes, it has an effect on the ability to trust you by anyone who don't both have the proper clearance and a government approved "need to know".
Re: (Score:2)
I do agree with you that working on a job that requires a security clearance is no more than any other legally enforceable NDA, where the company demanding the NDA won't share information. In fact it's exactly the same thing.
So yes, you are right, I am suspicious of candidates from any NDA job. But most companies don't operate large spy agencies, so you can know that the NDA isn't covering for them. I don't suspect companies of hiring people secretly to do things that the companies don't do. But if ther
Re: (Score:2)
Re: (Score:2)
It depends on the country, the decade, the boss and the endless tax payer no bid gov/mil contracts.
The problem with a security clearance is that the person is then obligated to report on all material and people they come in contact with by default.
If the material looks like it could be security related, the cleared staff will have to report the matter and all connected people back to the go
Re: (Score:2)
Just presenting public, open academic crypto information is getting interesting in an educational setting.
Re: (Score:2)
So if you had worked on the development of a secret governemtn cryptographic attack against the ECDLP, and you were now being asked to implement an ECDH exchange in consumer software that was subject to that attack, what would you do?
Would you go right ahead and implement it knowing it was unsafe, or would you warn people of the danger? I don't think you would do the latter.
People go to jail, people die when crypto fails them. Not everyone, but certainly some.
Re: (Score:2)
It is quite clear why that is. If, in the US, you have a clearance, you may not look at secret material anymore unless specifically authorized to. For example, reading the Snowden documents while you have a security clearance is a crime. For that reason, if you do security research, the only sane thing is to refuse a clearance even if offered.
Punishments without a fair trial (Score:5, Insightful)
Re: (Score:2, Insightful)
Wha...? Snowden has been effectively exiled for doing the right and moral, if technically illegal, thing for the good of his country. Assange is effectively under indefinite house arrest and had his reputation destroyed for helping people find out what their governments are doing secretly in their name. Both live with the knowledge that if western intelligence agencies can find them they will almost certainly disappear "in mysterious circumstances" and (possibly, if the PR guys think it would spin well)
Surveillance (Score:2)
It appears that government has used the Microsoft Word "search and replace" function to substitute the word "cybersecurity" for every instance of the word, "surveillance".
Re: (Score:1)
Re:Bernie Sanders (Score:5, Funny)
Cthulhu for President. Why vote for the lesser evil?
Re: (Score:2)
So you are saying that Trump isn't speaking facts? As far as I have seen people are getting pissed because all he speaks are facts. NBC and Univision got pissed because he quoted a Univision owned magazine about crime in immigrants, can't have him quoting us on the subject, that is racist!
Carson also speaks his mind, and is getting fury from the press over it. He talked about how Islam is incompatible with freedom, do you doubt that to be true?
Re: (Score:1)
Please everyone on /. support Bernie Sanders. Thank you.
Bernie Sanders drinking game: Any time Bernie says "Socialism", take a drink of someone else's beer.
Re: (Score:2)
It's okay - I'm willing to share my beer. It's less expensive and disruptive than you stealing all of it because you don't have any. So, have a sip. Hell, take one 'for the road' when you go. (You should probably have someone drive you.)
Re: (Score:2)
You have a quarter of the money, while others get the rest of what you earn by sitting at home drinking. You are lucky to be able to afford beer.