by penagwin 1734 days ago
Yeah, it's a tricky one, isn't it? On one hand, many of the best security researchers are ex-state employees, and many of them go from that into the private sector. On the other hand, it makes it sound like they are friendly with potential adversaries.

People are also against seeing an ex-spy employed by a company that promises (to some degree) to protect their customers from the abuses of such governments—there is also a moral angle to it. "Daniel has a deep understanding of the tools and techniques used by the adversaries" because, well, he was one of the adversaries. It's like a private security company employing a former criminal.

I mean... would you hire Kevin Mitnick's company? Lots of people do (apparently, considering they've been in business this long), but yet he's a former "criminal". It really is a tricky analysis. Who knows hackers better than a former hacker? But how can you trust a "former" hacker? Hmm...

I agree that the analysis is trickier, though I disagree that Kevin Mitnick is an appropriate example—Mitnick is quite innocent in the scale of what Gericke's employer (Signals Intelligence Agency [SIA]) has done[0][1], even if we were to exaggerate Mitnick's crimes.

[0] https://en.wikipedia.org/wiki/ToTok_(app)#Surveillance_tool_...

[1] https://www.reuters.com/investigates/special-report/usa-spyi...

That's the reason for the quotes around "criminal" above. Mitnick turning "white hat" just happened to be the first (roughly) analogous example that popped to mind.
I feel like the threat model for consumer VPNs doesn't include state actors.
You don't? I don't think activists only use TOR; I'd imagine they layer a VPN on as well. They're not mutually exclusive.
The threat model for "I want to watch Netflix in a different country than the one I'm in" is totally different from "I'm Edward Snowden and the CIA wants my ass". Consumer-grade VPNs protect against the first "threat" alright, but it's a totally different ball game to protect against an APT like the NSA/CIA, who will break into your VPN company's office in the middle of the night and replace all of the computer keyboards with exact replicas that have keyloggers inside in order to get access to your data.

See also: https://news.ycombinator.com/item?id=25914734