Hacker News
CIA’s Latest Layer: An Onion Site (cia.gov)
144 points by dosy on May 30, 2019 | 141 comments


> ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion

How does one store links like this? You'd need a bookmark file, which would sort of give the game away, I'd have thought. How do you make sure you notice when you visit a URL with the same readable prefix?


We used an online survey to study this, and some other questions: https://nymity.ch/onion-services/

Figure 10 shows that most users (52%) use bookmarks, followed by locally-saved text files (37%), and referral to trusted web pages (35%).

Also, lots of people find themselves unable to determine an onion service's legitimacy (Figure 12), which is why phishing attacks are successful. We document one such attack in Section 5.1 of another research paper: https://nymity.ch/sybilhunting/pdf/sybilhunting-sec16.pdf


This is an unfortunate downside of onion URLs and a restriction imposed by Zooko's triangle (the CAP theorem of naming systems)[1].

One possible solution would be to issue TLS certificates for both the clear-web and .onion domain (for services which are offering .onion services to provide better anonymity for users not their servers).

Unfortunately, the CAB forum has decided to not allow this -- only EV certificates can be issued for .onion services so you can't use LetsEncrypt for this.

[1]: https://en.wikipedia.org/wiki/Zooko%27s_triangle


I was looking for the name of the CAP theorem, thanks for posting this!

HN discussed (https://news.ycombinator.com/item?id=14038013) about the issue and the post (https://blog.torproject.org/cooking-onions-names-your-onions) outlines some of the ways in which you can mitigate right now.

Cloudflare is using the 'alt-svc' header (https://blog.cloudflare.com/cloudflare-onion-service/). The CIA is not, I'd have loved it.

curl -I https://www.cia.gov/index.html

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/html
ETag: "<>"
Last-Modified: Tue, 28 May 2019 15:05:25 GMT
Content-Length: <>
ID: <>
SESSION: <>
Date: Thu, 30 May 2019 12:36<> GMT
Connection: keep-alive
Set-Cookie: _session_=<>; path=/; domain=cia.gov; secure; HttpOnly
ID: <>
SESSION: <>


> Cloudflare is using the 'alt-svc' header [...] The CIA is not, I'd have loved it.

It should be noted that alt-svc is an HTTP header returned which means you have first made an HTTP request before the onion request which affects anonymity. It's not a big deal over Tor because that HTTP call is on an exit node, but still should be noted.


That's sort of the point, since it's actually generated from a public key that the operator holds [1].

Once you have confirmed a domain is correct, you should save it yourself, and only access that saved link.

Using any forums/wikis/search to find onion links (may) leave you with stolen credentials or a hacked machine.

It's cumbersome for sure, but the beauty is it's self-authenticating. Don't forget to turn off JS. :)

[1] https://trac.torproject.org/projects/tor/wiki/doc/HiddenServ...


Would be cool if there were QR code-like images but with a sliced onion and it uses the pattern of the veins to decrypt it.


This doesn't quite answer your question, but it's similar enough that you might find it interesting.

Cloudflare offers their DNS-over-https service at an onion address. In their documentation, they say:

"

Protip: if you ever forget the dns4torblahblahblah.onion address, you can simply use cURL:

curl -sI https://tor.cloudflare-dns.com | grep alt-svc

alt-svc: h2="dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion:443"; ma=315360000; persist=1

"

It's a clever way, and standards-compliant, to distribute alternate onion addresses for existing services.

What I don't know is if Tor Browser Bundle has support for this natively, where if you visit tor.cloudflare-dns.com and it'll look for the alt-svc record and redirect you automatically to the onion address.

If it does, then you can just bookmark the regular URL knowing that you'll be redirected.
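An added example, not code from the thread, Tor or Cloudflare: it ties together two points made above, that a v3 onion address is derived from the operator's public key (so it can be checked offline) and that the address can arrive in an Alt-Svc header. It pulls .onion hosts out of an Alt-Svc value, verifies the v3 checksum and version byte, and compares the result with a locally saved address so that a different address sharing the readable prefix is flagged. The key bytes and header are constructed samples; the function names and the 8-character prefix threshold are assumptions.

```python
import base64
import hashlib
import re

ONION_V3_VERSION = b"\x03"
# protocol-id="authority" pairs inside an Alt-Svc value, e.g. h2="host:443"
ALT_AUTHORITY_RE = re.compile(r'([A-Za-z0-9._~-]+)="([^"]*)"')


def onion_checksum(pubkey: bytes) -> bytes:
    """First two bytes of SHA3-256(".onion checksum" | pubkey | version)."""
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION)
    return digest.digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the v3 address: base32(pubkey | checksum | version) + ".onion"."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion public keys are 32 bytes")
    raw = pubkey + onion_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def decode_onion_v3(host: str):
    """Return the 32-byte key embedded in a v3 address, or None if malformed.

    Checks length, base32 alphabet, version byte and checksum. It does not
    check that the key is a valid ed25519 point, and it says nothing about
    who operates the service.
    """
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        return None
    label = host[: -len(".onion")].rsplit(".", 1)[-1]  # ignore any subdomain
    if len(label) != 56:
        return None
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_checksum(pubkey):
        return None
    return pubkey


def onion_alternatives(alt_svc: str) -> list:
    """List the .onion hosts advertised in one Alt-Svc header value."""
    hosts = []
    for _proto, authority in ALT_AUTHORITY_RE.findall(alt_svc):
        host = authority.rpartition(":")[0].lower()
        if host.endswith(".onion"):
            hosts.append(host)
    return hosts


def compare_to_pin(candidate: str, pinned: str, prefix_len: int = 8) -> str:
    """Classify a candidate address against the one saved locally.

    Returns "match", "lookalike" (same readable prefix, different key),
    "different" or "invalid".
    """
    pinned_key = decode_onion_v3(pinned)
    if pinned_key is None:
        raise ValueError("the pinned address is not a valid v3 onion address")
    cand_key = decode_onion_v3(candidate)
    if cand_key is None:
        return "invalid"
    if cand_key == pinned_key:
        return "match"
    cand_addr, pinned_addr = encode_onion_v3(cand_key), encode_onion_v3(pinned_key)
    if cand_addr[:prefix_len] == pinned_addr[:prefix_len]:
        return "lookalike"
    return "different"


# Constructed sample data: these keys are arbitrary bytes, not real services.
PINNED = encode_onion_v3(bytes(range(32)))
# Same first 5 key bytes, so the first 8 base32 characters are identical.
LOOKALIKE = encode_onion_v3(bytes(range(5)) + bytes(27))
OTHER = encode_onion_v3(b"\xff" * 32)
# Header modelled on the Alt-Svc line quoted in the comment above.
SAMPLE_ALT_SVC = f'h2="{PINNED}:443"; ma=315360000; persist=1'

if __name__ == "__main__":
    for host in onion_alternatives(SAMPLE_ALT_SVC):
        print(host, "->", compare_to_pin(host, PINNED))
    for host in (LOOKALIKE, OTHER, "example.onion"):
        print(host, "->", compare_to_pin(host, PINNED))
```

A passing checksum only shows the string is a well-formed v3 address; the comparison against the saved copy is what catches a substituted address.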


When I first started using tor, I suddenly had a realisation that I didn't know what sites to trust. I found a link to the hidden wiki, but could I really trust what they were telling me? Was the link to a silk road clone a legit site? The site seemed to work, but maybe the link was a man-in-the-middle attack.

What can you do when there is no central DNS to trust? I suddenly felt that I couldn't trust anything at all. I started to question those around me and spiraled into existential philosophical crisis of truth testing even my own senses.

I eventually found a real solution, but I'm on mobile and don't feel like typing the whole thing out.


Password safe seems like a good idea, especially since you'll quite likely want to store credentials for the site anyway.


Yeah, fair enough. I guess I'd feel like that removes any deniability though, where you can remember credentials.


Rubber hose.


Surely that's pretty much valid regardless of how you store them?


Consider the case of carrying electronics (or storage) vs. shipping them, crossing borders, and implications for inspection.

If it's not on you, they can't beat it out of you.

Of course, they might decide to beat you anyway. Which raises the question of whether it's strong crypto or rule of law that matters more. I'm not sure which way I come down on that myself, though could argue for bits of both.


I guess ciawtfbbq.onion was already taken?


It's interesting that US government is embracing Tor, while Germany is cracking down on it[1].

[1] - https://news.ycombinator.com/item?id=19399576


To be fair, "embracing Tor" is an interesting phrase, considering the FBI was actively breaking it 5 years ago: https://www.forbes.com/sites/kashmirhill/2014/11/07/how-did-...


Local and state LEOs and the CIA use it though, even if the FBI has done some attacks on it.


And the fact that the NSA spent a large amount of resources trying to break it. But law enforcement all over the world uses Tor to ensure that potentially-illegal websites can't fingerprint them.


The US government created Tor for intelligence purposes.

So it being embraced by the US intelligence community is unsurprising.


The US Navy created the concept of onion routing. Tor was not developed by the US government, it was developed in public (by Roger Dingledine and the rest of the Tor community).


> The US Navy created the concept of onion routing. Tor was not developed by the US government,

Yes, it was, and it was released under a free license by the US Naval Research Lab in 2004.

> it was developed in public (by Roger Dingledine and the rest of the Tor community).

No, it was developed by Dingledine and others under contract with US Naval Research Lab before being released by that Lab under a free license. Further development occurred after it was released in a public project (most of whose funding over its life has come from...the US government.)


Tor was developed at the Naval Research Laboratory and Roger Dingledine was under contract with and funded by the US Government.

https://pando.com/2014/07/16/tor-spooks/


No, the NRL developed Tor.


Department of State paid most of the Tor budget

https://www.washingtonpost.com/news/the-switch/wp/2013/10/05...



The US Government created TOR.


I have a question for the HN audience. Many here have gone to top schools and studied crypto, ML, etc with the best. And are probably the best in their field.

Do you currently work for any three letter agencies? Did your smartest colleagues go to work at three letter agencies?

I am trying to gauge the quality of talent at CIA, NSA, FBI, etc. All of my best colleagues went to the private sector, usually tech or security companies. I know some of these companies contract for the departments / agencies (and many colleagues have clearances). However, they are not actually working at the agencies themselves.

So what is the talent pool at the CIA et al. like?


A lot are grabbed out of college or post military. These agencies and government research centers want degrees, but they are willing to grow desired skills in-house. The most common new employee is someone hired for their potential, with experience much more highly valued in the private sector.

There are ex-Googlers and such as well, but they're not super common. One guy said he got bored at Google because he was rebasing code all the time so switched over. Not everyone will take the more money for a job where your role can feel meaningless. In comparison, these DOD jobs definitely feel meaningful, almost no matter your role. Feelings inside are very similar to what you hear from military servicemembers about feeling like you're making an important difference. If you don't, it's easy to change positions; it is very desirable to have a load of different skills, and learning/training is not only available but pushed hard. Internal and external classes, paying for degrees and having partnerships with local colleges, externships with large private corporations, internships in other departments are all common. If you like to learn, it is appealing. As a result, there are certainly a lot of very smart people.

Being government, you still have a chunk of the pool who are basically done but hanging on til retirement. I'd say it's past the 15-20 year mark that people really start to phone it in in technical positions. I won't get into this too much, but someone who is not known as top of their field but is close to or has maxed out the pay scale, they're probably not useful anymore. There are a lot of these (everywhere in government).


> The most common new employee is someone hired for their potential, with experience much more highly valued in the private sector.

This makes a lot of sense if the state of the art inside the agency is sufficiently ahead of that outside - experience would be in the wrong stuff.

It might also make sense if they want to pretend that is the case.


I met with an NSA recruiter who was scoping out talent at a local hackerspace. It was one of the most awkward and out-of-touch experiences I ever had.

He began trash talking Edward Snowden within 60 seconds, and complained that anyone under 25 (pretty much the sole demographic present at the event) were averse to paperwork and would never make it in the "real world". He also uncannily romanticized doing paperwork and laughed aloud at the prospect of any employees doing any sort of creative work, saying that "engineers are just pencil pushers" (paraphrasing).

He mocked the media's representation of the NSA in a characteristically dissociative way, alluding to that he genuinely had no clue why the public perception of the NSA is what it is.

He finished it off by rambling about "quantum tunneling and metaphysics" (never knew the NSA was so interested in the works of Arthur Schopenhauer) and more or less begging the public at the event to come work for the NSA, saying they were desperately in need of talent.

Up until this experience, I had often considered the public perception of the NSA to be probably unrepresentative of reality, and my opinion could be summed up as "a big fan of Splinter Cell". Now, personally, I am entirely turned off to the prospect of employment with them.

Previously, I had envisioned that any issues within the agency could be remedied by new talent reforming internal policies, but I believe the problems that exist within it are pathologic, and I was enthusiastically informed that any position I had within the agency would be "pencil pushing", "paperwork", and a complete lack of creative fulfillment. What a way to kill prospective talent.


>> I met with an NSA recruiter

Ask them for the NSA Sudoku books. They also publish crosswords. These are the only NSA documents Wikileaks wouldn't touch.


These would be great mental exercises for me to complete while I fill out paperwork, unlike the other millennials who are too afraid to step up to the plate (printer?).


>> unlike the other millennials who are too afraid

A serious consideration for recruiters working for these agencies is that millennials truly fear the interview process. They believe that the NSA/CIA has their entire browsing history on file, that the interview process may see them confronted by some awful website they visited late one night in their teens. Or they fear any examination of their past may be shared with law enforcement. These are legitimate fears that recruiters must address. The reality is that such histories are not kept on file and/or are not part of the interview process.

(Similarly, many people don't realize themselves illegal immigrants/dreamers until they try to enlist in the army.)


I was joking about the assertion that millennials refuse to do paperwork, but you are absolutely correct. I currently work at a place that required a government background check due to exposure to confidential information, and even though I have done nothing to warrant anxiety surrounding this, I genuinely was a bit afraid. I have heard many of my peers (college aged students) agree that they would never apply to a three-letter agency because of the same fear.

Having recruiters that further disparage the newer generations and grow increasingly out of touch is doing nothing to boost their numbers, at least in my field. Everyone I know who would be a best fit for their agency is a privacy geek who wants nothing to do with them. Outreach would be an incredibly lucrative opportunity for them to gain talent.


> They believe that the NSA/CIA has their entire browsing history on file, that the interview process may see them confronted by some awful website they visited late one night in their teens.

Even if they had this information, the most likely strike would be if you lied about it rather than if you actually did it.

They are fully aware of the range of behavior that humans are capable of, perhaps in a way that many 25 yos are not.


Isn't metadata stored in bulk for domestic traffic, and then queried retroactively? Usually queries require a real warrant, but doesn't filling out an SF-86 constitute consent to query? If not, why?

I am genuinely baffled why they wouldn't fire up XKeyscore to double-check the accuracy of the SSBIs.


> some awful website they visited late one night in their teens

Are you thinking about websites like 8chan?


If 8chan, a clearnet site, is considered verboten, we are all a bit screwed.


It's a known fact in the military if it ever comes out that you've smoked weed at any time in your life you will hit a firm ceiling on your career and never rank up, unless you run for POTUS it seems :). Can't imagine how much talent any federal employer passed up on just for their myopic stance on pot of all things.


> It's a known fact in the military if it ever comes out that you've smoked weed at any time in your life you will hit a firm ceiling on your career and never rank up

I was in the US Navy for 10 years, and this is 100% false. I don't know if this was just a setup for your punchline, but it is absurd. If you test positive on urinalysis, the navy has a 0 tolerance policy so you will be discharged. If it "comes out" that you smoked, almost no one cares.


Some military. Canadian armed forces are now allowed pot.


AIVD (Dutch NSA/GCHQ equiv.) -inspired by GCHQ, who also might have this- have a Christmas puzzle. It's a bunch of 30+ puzzles which are challenging to solve.


That sounds like a normal Tuesday evening free-energy nut dropping in :)


The agencies don't care about degrees as much as they care for raw talent. Many years ago I was on vacation and was just talking about video games with some random dude, then pirating, how to reverse engineer and crack 'em and from there into buffer overflows and exploits. After our conversation, he told me he works for the NSA and asked if I'd like to work for them. I asked about pay, and it was more than double what I made then. Told him I would think about it, but passed. Spooks give me the creeps. Many that I know that have gone to work for them don't have a college degree and were recruited solely on raw talent.


Have you written any blog posts about REing and cracking games?

Just looking for some good RE blog posts.


Do you realise that almost nobody working in this kind of job can disclose that?


"can anyone on this board who works at an alphabet soup agency please identify themselves?"

Nice try Infernal Affairs.


Unless you're an actual spy you could probably say you work at the NSA as an SE, linguist or something more mundane. I doubt you could talk about your actual work.

I’ve known people with clearances at Govt contractors. They could say what they do, EE/ME for X project but not many details beside that.


When you work at the NSA, you are not allowed to say that you work for the NSA. Full stop. (Contractors are a different story for some complex reasons, but are still at risk)

It's like this for many gov agencies working with intelligence because labeling yourself as an intelligence worker makes you a target for foreign intelligence agents.

That may sound a little strange if you aren't part of that industry, but it is the truth.


> When you work at the NSA, you are not allowed to say that you work for the NSA. Full stop.

I don't think this is as absolute as you make it sound. Plenty of NSA employees have published papers using their real names in conjunction with nsa.gov or ncsc.mil email addresses.


Where do you say you work? I’ve met a few linguists who said they work for the FBI or whoever but they were contractors on an as needed basis.

What do the folks in Virginia say to their neighbors? “Oh I work for the DOD. So you're a spy right haha?”


"The State Department."


What if your neighbour follows you to work?

That seems like a difficult secret to keep


Ethan Hawk 'worked' at the Department of Transport, right?


The NSA has a number of open-source projects maintained by employees who are active on GitHub.


Seem to be contractors to me?


This isn't necessarily true. I live and work in DC, often as a contractor for the government, including these agencies from time to time. As far as I can tell, those working for FBI, DIA, NSA, NGA, NRO, etc. don't have to hide their employer, though they wouldn't disclose it unless they know you.

OTOH, I have never met anyone who has admitted to working for the CIA - either directly or as a contractor. There is definitely a non-disclose policy for them.


I don't think that's true. People's job titles generally aren't classified, even when they have them at present, as far as I know.


A bit off topic, but I worked with someone who interviewed with the NSA, got a job offer and declined the job.

The funny part is that he has a 100% chance of getting “randomly” selected for search every time he takes a plane.


Hmm so if you don’t accept you’ll be harassed? Sounds like a disincentive to even applying.


I think they are referring to that candidate's ethnicity


As horrible as casual racism is, that would be a much more comfortable explanation than the casual authoritarianism implied by the alternative interpretation.


You are assuming you are given a choice of applying, instead of being flagged as a person of interest.


I think there’s an aspect of your question that deserves sincere engagement, but I also think there is a very overblown idea of “the best in their field” and a misconception that if you were “good enough” to get hired into top private sector jobs, it somehow means you are better than peers.

For one thing, people grow & change. Out of some hypothetical cohort of peers in year X, some few may have been the “best” in science and engineering at the point of time when everyone was graduating college and getting jobs. Doesn’t mean they would still be the best 5 or 10 years later — in fact the best person from the cohort at that time may not even have ever studied computer science until later in life.

Even more importantly, top private firms like Google et al hire in a specific way that emphasizes a combination of rote memorization of facts and youthful resistance to burnout. While this may correlate with high skill in some age groups, for some types of work, it’s a very poor substitute for experience-based judgment and creativity, especially the stuff that cannot be mapped easily to rote memorization of computer science facts.

In this sense I’d guess the three letter agencies have employee skill about as good as most tech companies, with the exception that very junior employees are “better” on the rote memorization and burnout-avoidance predisposition at tech companies (and that agencies don’t care much about missing out on that overrated talent pool sector).

Many agencies also have long-time partnerships with professors and academic institutions that give them a lot of consulting support, often from literally world experts in things. Combined with FFRDCs that also have this type of consulting relationship and can often pay a little better to attract better talent, the agencies probably have no shortage of good talent.

The main question I have is why the agencies are able to pay such low salaries, sometimes even in urban areas, no bonuses, etc. I feel they have talented people who are massively underpaid.


> The main question I have is why the agencies are able to pay such low salaries, sometimes even in urban areas, no bonuses, etc.

I grew up in DC and have a bunch of friends that went to work for the Federal Government. Not in these types of agencies, but nonetheless instructive I think.

The incentives at these places are completely different. Pay is somewhat low at start but it's rock solid stable and grows predictably and can get pretty respectable over time, the level of stress and unpredictability can be very low, the promotions are on a schedule, and vacation time and flex time can be pretty attractive.

It's not for me, I would go crazy in that culture, but I have some friends that are really happy to have a job they can check into, do what they're told to do, and go home.


Having worked in a government job (not tech, but still government) this is it in a nutshell. It was nice having a job that I could go to, do my work, and go home without worrying about what might be happening at the office.

It was the best position I've ever had for work/life balance. The time off was extraordinary, the health insurance was stupid good, it was super stable, but the pay was 1/2 to 2/3 what I could make in private industry.

When I had small children, it was the perfect job, just due to the flexibility in time off and lack of real on-going stress.


I have a friend who worked for around 20 years in various companies in the private sector and then moved to government. She took a pay cut but she is so incredibly happy now, the quality of life improvement was more than worth it to her. In the private sector she'd have to login at night while on vacation to do work.


government shutdown / furlough proves that gov jobs aren't stable.


Government employees got back pay, so as long as they're financially stable to start with they experienced no lasting consequences as a result of the shutdown. (Unfortunately the same isn't true for government contractors who were unable to work due to the shutdown.) The last shutdown was also a historically unprecedented event. While shutdowns had occurred before, they were never on the scale of the latest one.


> I feel they have talented people who are massively underpaid.

They pay enough to get the talent they need * . Or in other words, if they're sufficiently staffed it's because people are willing to work there for less than market rate.

Patriotism, a chance (in some roles) to work on cutting edge tech / scale, and making a difference in the world attract people.

You can feel however you want about the agencies morally and ethically, but their work is unique.

* Subject to Congressional cooperation and government pay scales


> You can feel however you want about the agencies morally and ethically, but their work is unique.

Working for the NSA doesn't necessarily entail working on mass civilian surveillance, which I think is where the moral and ethical concerns are concentrated. They still do military and diplomatic intelligence, and defensive security for many US government systems, which I think only the most pacifist would have a problem with.


My experience is that I’ve worked at a federal agency and at a national lab, but in the waning days of the Cold War, so things may be different now.

For tippy-top talent, I imagine it’s kind of like the same way academia can compete with tech firms. You get freedom to work on interesting problems in a relatively low pressure environment. Additionally a lot of federal agencies (ironically it might seem) are no-bullshit places to work. There’s a published pay scale and promotion schedule. You show up do the work you move up. You never get laid off. One other thing is that certain national security important roles do get paid on a higher scale than the usual GS scale.


This sounds silly, but I have a really serious question -- how accurate are the Bourne type films w/r/t how things are at these three lettered agencies? If you are to believe even half the movies, it seems the workers are burned left and right as regular consequences of seniors' political battles. Is that how it is?

I know this sounds silly, but I've been at big companies before (Fortune 10) and have seen some pretty ugly things (once, three reports of a manager alleged a sexual attack on a rival manager; rival manager is fired; manager whose people made the accusation gets promoted.)

Now I can imagine these types of political battles at three lettered agencies might involve false accusations that might land someone at jail. Is it like that?

I'd honestly love to work at the intelligence agencies and serve the country in a role better suited given my technical skills, but I don't want to end up in some shark tank.


As with the private sector, it depends on the workplace. The DC area is a pretty political/cutthroat environment to begin with. However, it is uncommon for political battles or false accusations to land you in jail (although definitely a higher possibility than the private sector). It is far more common/likely for political battles/false accusations to lead to you losing your security clearance (and by proxy, your livelihood/future employment prospects).


Not that I ever saw, not really. What's far more likely to happen is that if you screw up too hard (or potentially piss off the wrong person) you can fairly easily get your clearance burnt, and that can easily (and permanently) cut your IC career off at the knees.

How devastating that is depends entirely on your level of investment in your career in intelligence.


I interviewed with Canada's CSE, an NSA equivalent but broke off the process once I had an offer with Amazon. The salary ranges at the CSE were so low that it would be over a decade before I made what Amazon was offering on day 1. I suspect my career income will be more than double.


Unless the jig is to go to the NSA for 5-10 years, build up contacts, then get recruited into a firm that pays insanely for your connections. As far as I can tell the near sole purpose of the NSA/CIA is national level corporate espionage.


It was the CSE. That doesn't really happen in Canada.


If you qualify for a security clearance then you will qualify for jobs which require a security clearance. This means that you are basically recession proof. You will be competing (if that's an applicable word) against a smaller pool of applicants in a market (if that's an applicable word) which is protected by the full faith and credit of the US government.

https://www.clearancejobs.com/


In the future I could see some senior job at FANGS requiring clearance - BT required DV for some team leader roles 20 Years ago


That’s true for Amazon due to this: https://aws.amazon.com/federal/us-intelligence-community/


That's already happening.


The scary 3 letters agencies approach top talent, usually not the other way around. I had a high school classmate who was approached at the end of college. Haven’t heard or seen him since he moved to DC.

He was the type who could do whatever he put his mind to and had the determination to do it, Doctor, Lawyer, engineer whatever. Professions were probably too easy for him to do.


The smartest guy I went to school with works at the NSA.


i think a lot of math PhDs that don't go to finance probably head to one of them. it's probably going to provide unlimited amounts of tough problems for that skill set, and not much fear about losing funding or anything like that.


Some of my old buddies worked for the NHS. They said they all accept a paycut compared to the private sector because of the value and prestige of the agency itself.

In a way I think those in the spy-ish agencies also think along the same lines but they get no recognition from the public about the benefit compared to national health care.


The _prestige_ of working in the NHS?

It’s my experience that the NHS is taken for granted in the UK, and I can’t for one second believe that there’s ANY prestige there.


I work for a 4 letter agency that is trying to go back to the "mall" in 5 years. The talent is a bit lackluster, compared to what I expected.


Yah me too. I expected more “get shit done” and less “let’s meet to plan when we’re going to talk about putting together the design committee”. It’s an over-staffed bureaucratic nightmare with too many “helpers” and not enough “doers”.

To be fair there is some ENORMOUS talent in certain directorates, but a lot of that has gone over to SpaceX, Blue Origin, et alia.


Have you read the "Policy on Policies" yet?


A friend and I who have been around (not in) the "4 letter agency who shall not be named" have decided one of the problems is after the last "mall" program they started hiring people directly out of college instead of out of industry. This leads to an organization full of people with no real practical experience, in particular experience in making decisions. This leads to a lot of analysis churn trying to make things perfect instead of good enough.

The solution would be to partner with universities for the post-grad research stuff and hire people from "industry" as much as possible. Hopefully the people from industry could pick better people to hire from the post-grad research programs. Likely this will never happen, and it might not fix everything (or anything).


I see what you did there.


I don't.


Is s/mall/moon


If you're well credentialed, tech-smart, greedy, and morally bankrupt, it's probably more lucrative to work for Google than the NSA.


Yep. GCHQ was recruiting on our CS course and the starting pay they offered was within £30-35k range. Working for literally any IT company in the region would pay more.

(obviously there are perks working for the government that the private industry cannot match, so for some people lower pay is acceptable)


Don't forget the (massive) tax benefits as government employee. To get the same net amount at the end of the month, in Germany you would have to make several thousand € more per year in the private sector.

In the end, you are still right but it's still a factor.


> Don't forget the (massive) tax benefits as government employee.

I’m lost, what are those in the UK?


Not only that, but the senior technical role they hire for, Lead Software Engineer, maxes out at £56,984. I know a handful of people who've gone from GCHQ to my company, and they seem satisfied with forgoing the government pension in exchange for tripling their salary.


where in the uk can i make 170k as a software engineer? or even 110k?


The City as a contractor


I think the problem is that the civil service / defence industry think that technical "boffins" are some sort of cheery working class NCO who will work for tuppence ha'penny, the type who would be played in the films by Norman Wisdom or George Formby.

"Mr Oldfield, that Kim's a wrong un - I saw him taking money from the orphans' fund"

M: "I know, lad, I know"


Only a career average DB pension now though :-(


> If you're well credentialed, tech-smart, greedy, and morally bankrupt, it's probably more lucrative to work for Google than the NSA.

Can confirm.

Went to MIT for EECS. Lots of us went to Google or trading companies.


It's probably more lucrative to work for the NSA then Google.


It's still a govt. organization and pay scales are capped.


I'm (still, despite the downvoting) suggesting one which I believe to offer a better route to gain experience, then the other which it seems everyone agrees generally pays better but perhaps more so in experienced roles.


Why do you think that? It's typically more lucrative to work private.


Then, not than.


NSA *and then


Not in good faith, at least.


NSA has very low pay compared to any private company.


You'd be surprised at how low some private companies pay. I've gotten some shockingly low salary offers.


The NSA does not negotiate salaries. You are assigned a pay grade. I don't think you can compare an offer unless it is the final offer before you make a decision.


That's why I suggested then working for a private company.


No it's not


One of my best friends worked at the NSA, then the CIA. Smart guy. Unfortunately he got charged for Vault7 leaks and is going to spend the rest of his life in jail.

So, in short, don’t work for them. It might seem cool, but it’s not worth it. If they don’t like you, they’ll fuck you.


I assume you are talking about this guy, since there are not many ex-CIA charged with Vault7 leaks who risk a life sentence.

I don't know enough about the case to form an opinion about it, but at first glance, uploading CIA-related source code to GitHub is not what I would define as "smart".

https://www.vice.com/en_us/article/qvn83q/joshua-schulte-cia...

https://www.thedailybeast.com/exclusive-cia-leaker-josh-schu...


Do they have the wrong guy or is “they don’t like you” == “commit espionage against the United States”?


There are lots of clues that indicate they have the right guy, or one of the guys. For intellectual honesty "commit espionage against the United States" is not the choice of words I'd use.


Why mince words? It's literally the definition of espionage. Intentionally collecting secret material and distributing it is simply spying.

He may have thought he was serving some higher good, but that's hardly uncommon among spies.


The root of the prosecution for distributing secrets lies in the espionage act (plus amendments).

When I say someone is a spy I mean "someone sold secrets to a foreign power". When a US judge says someone is a spy it roughly means "someone divulged classified information and/or ..<list of things>..".

The law considers divulging secrets as espionage because loose lips sink ships: using the espionage act to prosecute anyone posing a threat to national security is the easiest (and practical) way to make a danger harmless.

The main issue with defining espionage like this is the logical confusion it creates in people: quoting Daniel Ellsberg "the current state of whistleblowing prosecutions under the Espionage Act makes a truly fair trial wholly unavailable to an American who has exposed classified wrongdoing".

It's not my job to rule if someone is a whistleblower, a spy, or someone who protests against things he deems wrong through the disclosure of classified material. What I know is that the US law is bad because it does not distinguish between "someone who sold secrets to a foreign power" and "someone who divulged classified information": these are fundamentally different (illegal) things.

The whole situation gets worse when anybody gets to read stuff like "5. FBI told plaintiff they could not afford another Snowden" and "6. FBI steal plaintiff's cell phone and passport" (https://imgur.com/RMJk7QC).

It's ironic that the onion is "ciadotgov + 4SJW + __ ".


How do you get charged for leaks if you weren't the leaker?


How do you get charged with any crime without being guilty? It's not that uncommon an occurrence.


Great point. I am constantly amazed by my conditioned bias towards trust even in the constant face of contradictory evidence regarding these groups.


The same way you get charged for murder when you weren't the murderer.


Be on the list of people who have access and be the least lucky on it.


Collusion with the leaker probably


I do have an interesting story about going through the beginning of the recruitment process for a multi-letter agency within the 5 eye sphere (Australia), but I'm not sure I want to post it. It involved asking me point blank at the beginning of a face to face interview at their HQ saying to me "soo...what have you hacked?" along with other weirdness.

The year before I completed an aptitude test which predominantly focused on abstract reasoning. It was a strange experience and part of me wants to discuss it in a responsible/de-identified sort of way, but on the other hand, the take-away I got from the experience itself is kind of holding me back from following through with that desire to discuss it....I'm not sure if what I just wrote makes any sense to me now that I just typed it out.

It was still an interesting experience though which did have a positive impact on my life.

EDIT: Sorry, edited for a spelling mistake



I don't know how onion links work but would they have had to brute force that URL?


There are a few projects for generating onion URLs, probably relatively easy for the CIA.

https://security.stackexchange.com/questions/29772/how-do-yo...


Yep.


13 letters too... do you think they also have another site for people who aren't social justice warriors?


?


> ciadotgov4sjw...

cia.gov for Social Justice Warriors. Pretty sure he was just making a joke and only the first 9 characters were actually being tried for.


Could it not be 4 "super-judicial wars"? haw haw haw


not sure why it's not a single onion site...it's not like they want to stay anonymous too.


It's a trap.


Paging #notacop



