The White Hat's Dilemma

255 points by secalex almost 12 years ago

15 comments

throwaway3902 almost 12 years ago
I used to work for Blizzard. The Chinese government requested that we modify the WoW client so that they could intercept all chat. As far as I know, no-one said anything, including me - and Blizzard, of course, was more than happy to comply, given the size of the market and the risk of being forbidden to do business there. There were plenty of other MMOGs happy to play ball and eat that cake.

I didn't say anything. It was happening to "them", Chinese nationals. Not only that, but "they" should know better than to say sensitive things online, because even if we didn't install the back door, I reasoned, it wouldn't be too hard to get that data through various other means.

I really regret not only my participation, but not making a big stink about it. No-one did. I strongly suspect that that same system is being used domestically, now. Clearly it was the wrong thing to do. I've regretted my role in that implementation for several years. I shouldn't have participated, and I should have protested. Even if it didn't stop it, at least the company leadership might have felt the heat. But I was a coward and I didn't want to lose my job, didn't want to fight a legal battle, and, like I said, it was just China spying on its people, which everyone knew they do anyway.

And who knows? The news probably would have been ignored, or, if it wasn't, I might have been branded as a coward and a disloyal employee, betraying the people who put food on my table. And I being under 30, overpaid, over-privileged, etc. I can hear the Fox News commentators even now. That, to me, has been the most difficult thing about Snowden, is that here's someone who did the right thing, who revealed wrong-doing on the part of our government, and there are a lot of people who say he's the wrongdoer, who attack him as disloyal and worse. A back door in a game used by China? Who would even care about that? And if they did, I'd just be torn to shreds, unemployable and with heaven-knows-what kind of future.

The reaction to Manning and Snowden, particularly the lack of strong public support, sends a strong signal that people don't want to know. They don't want to upset the apple cart. They don't want to challenge the government, they don't want to question it, not even when it's clearly violating its own most important rules - the rules that, presumably, we've been fighting to promote these last 200 years. It seems hopeless.
tptacek almost 12 years ago
Here's an alternative vantage point, my vantage point, one I think makes these kinds of ethical quandaries easier to navigate:

* I'm not a "white hat" or a "black hat"

* I'm not deliberately involved in any kind of "cyber" conflict

* I don't do what I do because I'm battling the forces of evil, or organized crime, or anything else

Instead: I do engineering. The same way a contract driver developer does, or a Rails dev. I happen to work in a particularly challenging problem domain. My work happens to have some interesting implications. But those implications are not the reason I work in the field; I work here because it allows me to grapple with compilers, number theory, low-level networking, hardware, OS kernels, and every imaginable development platform. It's about the craft.

I find this vantage point, which appears amoral, makes the ethical dilemmas easier to resolve. If a company like Narus asks me to help them make a network monitoring system harder to evade, I don't have to put that request into some ethical framework that considers the good that application might do. I just turn the work down. Same goes for the US Government; no, sorry, not interested.

Total respect for Alex (the "white hat consulting company" he founded is iSec Partners, our sister company and former archrival). I get the sense that Alex engages intentionally with these dilemmas, that he wants to be a part of something larger than himself and, I think, larger than the craft. As a result, sure, he has to live a carefully examined life, and make sure the projects he's working on aren't skewing his compass. I admire him for picking his way through those problems. But I'm every bit as engaged with the field as Alex is, and I'm here to tell you that you *don't* have to get tangled up in these kinds of ethical problems if you don't want to.
cyanbane almost 12 years ago
Great presentation and something that programmers in general (not just infosec) need to have a personal decision model for. Everyone should be able to make their own decision to these questions as they see fit, but the more we talk about issues like this the more we see where other people like us (who maybe were put into this position in the context of "work") have decided on a stance (and the repercussions of said stance) the better off we all are. We who work on machines and not man don't have an oath that we are taught to follow and/or live by, and I don't necessarily think we should. That being said, the Jr. programmer working for a small firm can encounter decisions of ethical importance as much as a black/white/grey/green/mauve hat infosec can. To me, this is the core value of what a site like HN provides and probably the main reason I read the comments on HN more than I do the articles.
chipsy almost 12 years ago
My favored moral framework for most situations is the noblesse oblige: If, by chance or by choice, you have the privilege of affecting a lot of people, you now have the responsibility of supporting the most marginalized members of that group, regardless of whatever prejudice against them you may have had.

This is, in a lot of cases, a nearly impossible obligation to completely fulfill, but in application, it leads to both a closer examination of privilege and to moral decisions and outcomes that are progressive.
scotty79 almost 12 years ago
I'd say the correct answer almost always is to leave quietly. Let's leave doing immoral things to immoral people and let's hope their employers starve due to elevated fees.

Also, if you live in the US you should always put your own safety in the first place. The US justice system becomes the most significant threat to capable citizens.
dlitz almost 12 years ago
Slide 28. What does "IR" mean?
treenyc almost 12 years ago
Thank you Alex for bringing up these issues. I just would like to point out that ethics and morality are both normative propositions (in the sense that they are different across cultures and societies). Basically what is considered desirable vs. undesirable behavior. As we all must have found out by now, what is considered desirable and undesirable is very different from place to place.

It would perhaps be more constructive to consider a positive model of integrity (positive as in positive theory in economics). In many ways we have confused morality and ethics with integrity. Integrity, when distinguished in the positive model, can be applied consistently across cultures, societies, groups or organizations (kind of like the law of gravity).

For those who are interested, you can download the short paper by Dr. Mike Jensen on the Social Science Research Network related to the positive model of integrity:

http://ssrn.com/abstract=1511274
dajusu almost 12 years ago
What letter was asked to be signed at the end?
glomph almost 12 years ago
I think it is worth thinking about the idea that whatever your particular moral framework is it should not be about 'making a difference' but making the most effective difference you can. Actually if you hold something to be important you should want to do the most that you can. Exceedingly often what this means is doing something different to the majority of people. Often this goes against conventional wisdom.
nonchalance almost 12 years ago
I question the slide regarding trade secrets:

* the names are misspelled: first person is Sergey Aleynikov (not alinikov) and second person is Samarth Agarwal (not agrawal)

* in each circumstance, there was actual trade secret theft. That part is clear. The slide itself seems to suggest something beyond that, but they essentially took code that they wrote for their employer (and they signed contracts clearly saying that it belongs to the employers)
gnosis almost 12 years ago
Does anyone have a link to a plain-text version of this that doesn't require access to the Google spyware site?
Selfcommit almost 12 years ago
Who is the Finnish guy?
casca almost 12 years ago
I love the Ultima 4 reference
Qantourisc almost 12 years ago
Why do people even sign NDAs?
Rickasaurus almost 12 years ago
Was this talk recorded?