In Article III, Section 3 of the United States Constitution, treason is specifically limited to levying war against the U.S., or adhering to their enemies, giving them aid and comfort.

Under U.S. Code Title 18, the penalty is death, or not less than five years' imprisonment (with a minimum fine of $10,000, if not sentenced to death). Any person convicted of treason against the United States also forfeits the right to hold public office in the United States.

Wow, so if you don't fall in line with the demagoguery, you'll be thrown out, probably to be replaced with someone who does, or it'll be rinse and repeat until that happens.

Don’t expect that much courage

Now that you mention it, the article does read like curated content. I suppose a piece does not have to be directly selling anything to be an advertisement. Fluff can do just as good a job by simply making readers feel good about a brand.

The essence of the article is a topic of concern, but is expressed rather lightly in TFA. End runs around security happen at the edges. From the bottom; by undermining hardware, or code libraries, supply chains. And we're now seeing "decapitation attacks" right at the top. Our "western" security models have a weakness, with their roots in Prussian military organisation and bureaucratic technical management, by default they trust up. The whole DOGE caper (what I would call a Dr Strangelove scenario - variation of insider-threat) exposes this as actually very vulnerable.

Cybersecurity services that operate as MSPs (the acronym variation where S is for security) hit a fundamental problem. A managed security provider becomes a bigger and juicer target since all of its clients are implied spoils. If they in turn defer-to/buy-from bigger actors up the food chain, those become juicer targets too.

This a frequent chestnut when we interview cybsersecurity company CEOs. Although it resurfaces the old "Who guards the guardians?", there is more to it. One has to actively avoid concentrating too much "power" (non-ironically a synonym of vulnerability ... heavy lies the crown) in one place, but to distribute risk by distributing responsibility for building trust relations (TFA mentions this). I expect we'll see more and more of this sort of thinking as events unfold.

I haven't heard of that one. What is RSA time?

Ah, that’s why all the people in business attire are swarming around

It's an American based company, they still assume those parties are on their side.

Biggest thing you can do is just ensure you conduct at least 1 on-site interview, and make sure that interviewer is in a position to realize if the person they met is not the same one who shows up for other interviews and/or the work. Cost of a flight is nothing really compared to recruiting and hiring (and if you really are fully-remote and geographically distributed, you probably already have somebody in their metro area), on-sites used to be standard.

Just make them show up in person at least once for onboarding. They're not going to fly out from China or Russia (where they tend to be based) to do this; especially not to the US.

Verify their ID in person, issue their laptop etc in person, make sure someone who interviewed them is there to meet and greet them (and attest that it's the same person they talked to.)

If you can at least do a final interview in person also, then that's even better.

Start with a fingerprint check before you even talk to them.[1] Then ask for a REAL ID at the interview, take fingerprints again, and match with the ones from the pre-screen fingerprint check. You need to be signed up with a driver's license verification service to validate the ID.[2]

It takes that level of verification to become a security guard or a school bus driver. Anybody in computer security should be doing this.

[1] https://www.sterlingcheck.com/services/fingerprinting/

[2] https://www.aamva.org/technology/systems/verification-system...

The latest advice about spotting at least north koreans who apply under fake identities is asking them to comment on how fat Kim Jong Un is. Real north koreans could not comment on that..

The solution is just-in-time access controls, context-aware authorization for things like database access (i.e. given a justification with an approval workflow, the employee can access a user X for 2 hours). These are the guard rails against a rogue employee, by introducing friction.

I rolled out these level of controls at a big company and got push back from the sales team -- they needed access to generate leads. do demos on the spot, etc. Was a hard fight and I lost.

Some high-level advice is listed here: https://ofac.treasury.gov/media/923131/download?inline

I run outsourcing agency, we work with US clients and have seen lots of fake applications (different degree of sophistication), so far we have either rejected them right away, or we were able to filter them during (remote) interviews.

Definitely the 'regular' application procedures - check someone's ID, check their references, ideally meet them face to face, etc.

This is more tricky with remote-only jobs or worse, "gigs" where you don't even meet people. But also, I would've expected open source to be "infiltrated" a lot more than it has, since that's very much anonymous internet culture... but also a culture of code reviews and the like.

There's often red flags, such as a Polish name, graduate from a Polish university, but doesn't actually speak Polish.

Local knowledge, too. If they claim to be from Krakow, get someone from there to chat to them. If you hear frantic typing, they're imposters.

Yes there are lot of identifiers. They are improving a lot, so things are changing daily. There are certain steps to take pre hiring and post hiring. If you need help share your email and I can provide details.

The reality is a bunch of people trying to secure their insurance relationship. Useless money absorbers are running things.

Young naive and full of memes, parachuted into place from a billionaire, completely unaccountable and completely unaware of how todo anything securely.

> You just can't secure something like Windows, Linux, MacOS, because it's faulty by design.

Every system is. Security isn't a goal that is ever 'achieved', it is a continual process of mitigating risk.

This is one of those situations, like with cryptocurrencies or social media, where the old thing had certain problems for pretty fundamental reasons, and the new thing claims it won't have the same problems, but that's just because the new thing is new and hasn't gotten to the point of the problems being discovered yet.

If an operating system can run any program you want, then it can run malware if you want. Windows, Linux and Mac OS are OSes that let you run any program you want. Android and iOS are OSes that restrict which programs you can run. Different techniques end up placing the boundary in different places but they still either limit you from running lots of nonmalware programs or they allow you to run lots of malware.

Operating systems already completely sandbox processes. Then they poke a ton of holes in the airtight hatchway because holes are useful. Suddenly it's not airtight, but at least it's useful. Then someone make a new OS with a holeless airtight hatchway. In time, it too will discover which holes it needs, and won't be airtight.

Something similar happens with data diodes. A reply mentions punching holes in a data diode by allowing certain limited two-way communication. Fine, but then it's not a data diode. And someone will suggest putting a data diode on one side of your not-data-diode to make it airtight again. And you'll have the problems of a data diode again.

I tend to agree though the conventional response I'd guess also has merit: "secure" isn't binary and various mitigations deployed on non-capability-based operating systems change the economics of attack/defense and are valuable.

But the main reason I'm responding is to thank for the TIL about data diodes https://en.wikipedia.org/wiki/Unidirectional_network which seem under-discussed and under-utilized. Only a handful of discussions on HN, most substantial (only 19 comments) from 10 years ago https://news.ycombinator.com/item?id=10213836 if I understand correctly, only used in very high security environments, but plausibly could be used in many applications that don't really need to be connected for input but could just broadcast or vice versa (many IoT devices). Thank you, thought provoking!

I agree about data diodes, but how do you handle data egress? One solution is to have strict data checks on egress, but leaks are still possible. Data diodes also still suffer from the ability to inject malware that can execute DOS attacks.

I agree about capability-based security, but strictly speaking, the capabilities of current OS are just primitive, i.e. checking file permissions. What capability checks do you mean?

My understanding is that the biggest threat is not capability checking, but capability escalation, i.e. bypassing checks, and hardware hacking, e.g. spectre/meltdown-type attacks that can read arbitrary memory.

What OSes are you proposing though? You're positing a problem and warning people, but what are the alternative operating systems that implement these data diodes?

hmm but this is not really about it, it is more about how companies can be protected. It talks e.g. about shadow IT workers trying to infiltrate into the company.

Iranians have been doing it too, on an individual, sanctions-evading level rather than as a state-sponsored mission.

Many of the DPRK workers operate out of Russia (and China.)

[dead]