
Data as an instrument of war

Pags

N/A
pilot
I specified user data. As in, data tied to a selector or to PII, such as a name, email, SSN, address, phone number, IMEI, smartphone advertising identifier, cable box identifier, smart home device ID, IP address, etc.

Maybe we say businesses can collect them for the purpose of doing business, but maybe we force this user data to be hashed when stored (encrypted at rest) and maybe we restrict/halt the sale or transfer of user data. Right now, doctors cannot sell your medical records bc there are strict laws against it (HIPAA). We need to start treating everyone’s personal online data as such. People got all upset in the early 2000s when the Patriot Act seemed to allow law enforcement to see your library card checkout history (yeah, I’m old, I remember that far back). Well, this is 1,000x more pervasive and un-American.

I said it was an unpopular opinion.
I'm not sure that matters. HIPAA didn't prevent the Anthem hack. The Hair Warrior PII Act of 21 won't prevent this info from being stolen. Might make it a smidge harder. Also, what if a business that has your PII enters into a legit business agreement with a Chinese firm, say Amazon and Alibaba?


That said, I still don't really get what the risk is for this data being sold, stolen, etc by a nation state. Beyond the normal risks that were already there as a part of normal espionage, statecraft, etc. Sure, all Intel agencies are always going to try and figure out who the other side's spies are. So this is nothing new.

The US NATSEC China strategy has always been at odds with the US business China strategy. One sees an emerging peer competitor that's stealing all of our stuff to catch up and the other sees a market of billions of people wanting to buy stuff. US business has been slow to catch on that the cost of many business ventures on Chinese terms has been that the Chinese have stolen gobs of proprietary data that will erode that US business's edge. But the MBAs of the world only saw dollars now and thought that the Chinese would play by established norms. Turns out patents and intellectual law only work if the other side agreed to the rules.
 

Hair Warrior

Well-Known Member
Contributor
The Hair Warrior PII Act of 21 won't prevent this info from being stolen. Might make it a smidge harder.
Hashed when stored/ encrypted at rest. Or even, hashed to a point that it becomes irretrievable when separated from the decryption key held by the user.
Also, what if a business that has your PII enters into a legit business agreement with a Chinese firm, say Amazon and Alibaba?
This happens all the time today, and would become illegal if we outlawed it. Yes, it would hurt their bottom line. But it also hurts the bottom line of chemical companies to make them properly dispose of chemical byproducts rather than just pumping it down the nearest sewer.
That said, I still don't really get what the risk is for this data being sold, stolen, etc by a nation state. Beyond the normal risks that were already there as a part of normal espionage, statecraft, etc. Sure, all Intel agencies are always going to try and figure out who the other side's spies are. So this is nothing new.
If you were a nation state in an all-out, regime-change-if-we-lose war with the United States, and you could on a single day track the precise current geolocation and home addresses of the top 25 ranking civilian and military officials in the DoD/CIA, their spouses, and/or children, what would you do? Keep in mind there are plenty of cutouts/proxies (e.g. MS-13) who are willing to make a quick $50k, which is only 2.0 BTC now anyway.

By the way, if anyone thinks adversaries wouldn’t cross this threshold, or if anyone thinks there would be an international outcry against it (e.g. UN resolution) just remember that we put the top 52 Iraqi leaders on tens of thousands of playing card decks and then put million-dollar bounties on their heads, dead or alive. Less than 20 years ago.
 

AllAmerican75

FUBIJAR
None
Contributor
The US NATSEC China strategy has always been at odds with the US business China strategy. One sees an emerging peer competitor that's stealing all of our stuff to catch up and the other sees a market of billions of people wanting to buy stuff. US business has been slow to catch on that the cost of many business ventures on Chinese terms has been that the Chinese have stolen gobs of proprietary data that will erode that US business's edge. But the MBAs of the world only saw dollars now and thought that the Chinese would play by established norms. Turns out patents and intellectual law only work if the other side agreed to the rules.

This is the biggest problem. I've had some interesting conversations with mid-level execs for large corporations and tech firms and they seem to be learning that dealing with the Chinese isn't worth it in the long run. I fear it's a day late and a dollar short. Many are trying to bring manufacturing and production back to the United States or shift it to the next third world Asian nation where they can exploit the locals for cheap labor.

I think it's time we bring the tech firms into the fold like we do defense and aerospace companies and treat their products with similar controls for export/import and foreign nationals involved with development. Maybe email addresses aren't important but surely location data and IP addresses are, not to mention proprietary information.
 

Pags

N/A
pilot
This is the biggest problem. I've had some interesting conversations with mid-level execs for large corporations and tech firms and they seem to be learning that dealing with the Chinese isn't worth it in the long run. I fear it's a day late and a dollar short. Many are trying to bring manufacturing and production back to the United States or shift it to the next third world Asian nation where they can exploit the locals for cheap labor.

I think it's time we bring the tech firms into the fold like we do defense and aerospace companies and treat their products with similar controls for export/import and foreign nationals involved with development. Maybe email addresses aren't important but surely location data and IP addresses are, not to mention proprietary information.
These are our privatization chickens come home to roost. USG had very little way to change how and with whom "US" companies do business. And I say "US" because they could just as easily pull up and move to another country that doesn't want to constrain them as much. Also, I don't know if you can put the same type of restrictions on technology that was developed with private funds.
 

nittany03

Recovering NFO. Herder of Programmers.
pilot
None
Super Moderator
Contributor
I think it's time we bring the tech firms into the fold like we do defense and aerospace companies and treat their products with similar controls for export/import and foreign nationals involved with development. Maybe email addresses aren't important but surely location data and IP addresses are, not to mention proprietary information.
Yeah, but look what happened when Google got outed as working with DoD on AI in a completely non-kinetic way. All they were (allegedly) doing was IMINT analysis, and their employees still went apeshit. Microsoft and Amazon's leadership have made some mature statements about how it's not wrong to work with the duly-elected government of a liberal democracy, but there's a not-insignificant portion of the tech industry who live in their own little left-wing filter bubble, and would flip their ever-loving shit if you tried any of that . . . especially H-1B restrictions.

And in a lot of respects, it's a futile endeavor anyway, what with the open-source movement. Linux was created by a Finn, although he's now an American citizen. Python was created by a Dutchman. Software is built on software, which is built on software. Where do you draw the lines? We're already seeing Oracle potentially throw a wrench in the works, depending on how SCOTUS rules in their Java lawsuit against Google.
 

Pags

N/A
pilot
Hashed when stored/ encrypted at rest. Or even, hashed to a point that it becomes irretrievable when separated from the decryption key held by the user.

This happens all the time today, and would become illegal if we outlawed it. Yes, it would hurt their bottom line. But it also hurts the bottom line of chemical companies to make them properly dispose of chemical byproducts rather than just pumping it down the nearest sewer.

If you were a nation state in an all-out, regime-change-if-we-lose war with the United States, and you could on a single day track the precise current geolocation and home addresses of the top 25 ranking civilian and military officials in the DoD/CIA, their spouses, and/or children, what would you do? Keep in mind there are plenty of cutouts/proxies (e.g. MS-13) who are willing to make a quick $50k, which is only 2.0 BTC now anyway.

By the way, if anyone thinks adversaries wouldn’t cross this threshold, or if anyone thinks there would be an international outcry against it (e.g. UN resolution) just remember that we put the top 52 Iraqi leaders on tens of thousands of playing card decks and then put million-dollar bounties on their heads, dead or alive. Less than 20 years ago.
Let's stop using "unbreakable crypto" or some such as a solution because history has taught us there's no such thing.

I'm pretty sure any adversary has plenty of ways of determining where the top 25 are at any given time. If that's what we're truly worried about then there are a lot of emissions we need to secure.

Current bottom line is that we aren't in a shooting war with the Chinese and acting like we are puts us at an economic disadvantage. Which is where the real fight is right now.
 

Pags

N/A
pilot
Yeah, but look what happened when Google got outed as working with DoD on AI in a completely non-kinetic way. All they were (allegedly) doing was IMINT analysis, and their employees still went apeshit. Microsoft and Amazon's leadership have made some mature statements about how it's not wrong to work with the duly-elected government of a liberal democracy, but there's a not-insignificant portion of the tech industry who live in their own little left-wing filter bubble, and would flip their ever-loving shit if you tried any of that . . . especially H-1B restrictions.

And in a lot of respects, it's a futile endeavor anyway, what with the open-source movement. Linux was created by a Finn, although he's now an American citizen. Python was created by a Dutchman. Software is built on software, which is built on software. Where do you draw the lines? We're already seeing Oracle potentially throw a wrench in the works, depending on how SCOTUS rules in their Java lawsuit against Google.
Open source software is a huge problem here. It's great because it allows a lot of stuff to be done cheaply on a stable OS (not language, look, I learned it) but it's bad because it's all out there for everyone to know. I took a week-long GTRI class on the intro to hacking and it was very illuminating. I got sat in front of a Kali box for a week and learned how to (at a very high level) use open source exploits to attack known deficiencies in software. Pretty amazing to see how accessible this stuff is.
 

AllAmerican75

FUBIJAR
None
Contributor
These are our privatization chickens come home to roost. USG had very little way to change how and with whom "US" companies do business. And I say "US" because they could just as easily pull up and move to another country that doesn't want to constrain them as much. Also, I don't know if you can put the same type of restrictions on technology that was developed with private funds.

I think there's

Yeah, but look what happened when Google got outed as working with DoD on AI in a completely non-kinetic way. All they were (allegedly) doing was IMINT analysis, and their employees still went apeshit. Microsoft and Amazon's leadership have made some mature statements about how it's not wrong to work with the duly-elected government of a liberal democracy, but there's a not-insignificant portion of the tech industry who live in their own little left-wing filter bubble, and would flip their ever-loving shit if you tried any of that . . . especially H-1B restrictions.

And in a lot of respects, it's a futile endeavor anyway, what with the open-source movement. Linux was created by a Finn, although he's now an American citizen. Python was created by a Dutchman. Software is built on software, which is built on software. Where do you draw the lines? We're already seeing Oracle potentially throw a wrench in the works, depending on how SCOTUS rules in their Java lawsuit against Google.

So don't do anything? I think that's a defeatist attitude. I guarantee we can come up with something. I'd start with visa restrictions since you could easily sell that since it helps American workers. Also, why not restrict our visas and access to certain systems, programs, data to NATO or some similar organization of countries who are supposedly allied with us. Some of those allies aren't even our good friends but that's a conversation for another day.

And speaking of tech employees, I think we will need to figure out a new way to approach hiring and retaining them. Our industrial age norms and mores regarding hiring and employee etiquette will likely need to be relaxed. There are some truly gifted programmers and hackers who would give us a serious edge but they either have drug charges, want to wear PJs and flip flops to work, or can only work their magic whilst micro-dosing DMT.

Open source software is a huge problem here. It's great because it allows a lot of stuff to be done cheaply on a stable OS (not language, look, I learned it) but it's bad because it's all out there for everyone to know. I took a week-long GTRI class on the intro to hacking and it was very illuminating. I got sat in front of a Kali box for a week and learned how to (at a very high level) use open source exploits to attack known deficiencies in software. Pretty amazing to see how accessible this stuff is.

I think we're looking at open source the wrong way. That it's open and everyone can see what's in it also means that WE can see what's in it and know where it comes from, i.e. we will be able to search for malware deep inside the kernel or fork our own derivative software to suit our needs better. No more black boxes from Microsoft et al. with kernels that we aren't allowed to peek inside of or tamper with. Of course, this would mean talented folks working for .GOV or .MIL organizations, which is difficult.
 

Pags

N/A
pilot
I think there's



So don't do anything? I think that's a defeatist attitude. I guarantee we can come up with something. I'd start with visa restrictions since you could easily sell that since it helps American workers. Also, why not restrict our visas and access to certain systems, programs, data to NATO or some similar organization of countries who are supposedly allied with us. Some of those allies aren't even our good friends but that's a conversation for another day.

And speaking of tech employees, I think we will need to figure out a new way to approach hiring and retaining them. Our industrial age norms and mores regarding hiring and employee etiquette will likely need to be relaxed. There are some truly gifted programmers and hackers who would give us a serious edge but they either have drug charges, want to wear PJs and flip flops to work, or can only work their magic whilst micro-dosing DMT.



I think we're looking at open source the wrong way. That it's open and everyone can see what's in it also means that WE can see what's in it and know where it comes from, i.e. we will be able to search for malware deep inside the kernel or fork our own derivative software to suit our needs better. No more black boxes from Microsoft et al. with kernels that we aren't allowed to peek inside of or tamper with. Of course, this would mean talented folks working for .GOV or .MIL organizations, which is difficult.
This. What's a door for them is a door for us. Just because we don't hear about it doesn't mean that we don't have our own smart folks doing the same thing back to them. Imagine if the OMB hack turned out to have some sort of reverse attack or trojan horse against the PLA? We won't know for decades.
 

Pags

N/A
pilot
I think there's



So don't do anything? I think that's a defeatist attitude. I guarantee we can come up with something. I'd start with visa restrictions since you could easily sell that since it helps American workers. Also, why not restrict our visas and access to certain systems, programs, data to NATO or some similar organization of countries who are supposedly allied with us. Some of those allies aren't even our good friends but that's a conversation for another day.

And speaking of tech employees, I think we will need to figure out a new way to approach hiring and retaining them. Our industrial age norms and mores regarding hiring and employee etiquette will likely need to be relaxed. There are some truly gifted programmers and hackers who would give us a serious edge but they either have drug charges, want to wear PJs and flip flops to work, or can only work their magic whilst micro-dosing DMT.



I think we're looking at open source the wrong way. That it's open and everyone can see what's in it also means that WE can see what's in it and know where it comes from, i.e. we will be able to search for malware deep inside the kernel or fork our own derivative software to suit our needs better. No more black boxes from Microsoft et al. with kernels that we aren't allowed to peek inside of or tamper with. Of course, this would mean talented folks working for .GOV or .MIL organizations, which is difficult.
Yeah, I can't speak to available levers that are there for tech transfer. I'd imagine it's pretty wide open for privately owned data and tech. At some point the secret sauce is owned by the company and is theirs to do what they will with it. In general you'd think that companies would want to keep the secret sauce secret since that's the money maker. But a lot of companies were willing to give a lot away to gain access to the Chinese markets. I can certainly understand the rationale for wanting to limit tech transfer, just not sure how to go about it. It can be done for DOD stuff because it was all funded with our money.
 

AllAmerican75

FUBIJAR
None
Contributor
Yeah, I can't speak to available levers that are there for tech transfer. I'd imagine it's pretty wide open for privately owned data and tech. At some point the secret sauce is owned by the company and is theirs to do what they will with it. In general you'd think that companies would want to keep the secret sauce secret since that's the money maker. But a lot of companies were willing to give a lot away to gain access to the Chinese markets. I can certainly understand the rationale for wanting to limit tech transfer, just not sure how to go about it. It can be done for DOD stuff because it was all funded with our money.

I think we just need to be willing to use Big Government™ like we have in the past. They'll fight it for a little while but will eventually capitulate. Where are they going to run to? The EU will shut them down if they don't like the cut of their jib, so will the Saudis/Emirates. Russia? Not likely. China? They know better than that. We are in a unique position of being able to provide the best development environment and access to capital and labor with limited intrusion. We just ratchet our government intrusion level up from a 2 to a 5.
 

Hair Warrior

Well-Known Member
Contributor
The US government just closed down a sizeable piece of the gun industry (bump stocks) overnight. People lost jobs and lost products, sure, but society said it wasn’t worth the risk of misuse. The US government can similarly close down the sale or transfer of user data overnight, if we so choose.

Your IMEI does not need to be connected to your home address, grocery store purchase history, and current precise geolocation. Nobody needs that data (outside of law enforcement with a warrant) and you sure as shit should be able to have some say in the matter of whether it’s sold for profit without your awareness/consent, which happens all the time today.

Tech companies might claim that user data is free speech - but that’s baloney. I would alternately claim that your private information is trademarked to you, and that selling it without your consent is infringement on your rights and constitutes piracy of your personal data (and Congress should codify it as such).
 

Hair Warrior

Well-Known Member
Contributor
Let's stop using "unbreakable crypto" or some such as a solution because
I never said it was unbreakable. But today, for user data that is currently free or low-cost, encryption would make it cost-prohibitive to crack if stolen.

Forcing companies to encrypt all user data at-rest is no different than requiring banks to have a vault and certain other security measures, as a precondition to remain FDIC-insured. Which is why every bank in America has some sort of vault. We still get occasional bank robberies, and rarely, the robber will try to gain access to the vault, but these are extremely rare and almost never successful in the long run. For personal user data, companies are currently operating like a yard sale with a shoebox sitting on a folding table - not like a bank vault that is FDIC-insured.

All it takes is Congress to mandate encryption at-rest for personal user data, and also block or restrict the sale/transfer of user data, and we’d solve >90% of the problem.
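The "hashed when stored / encrypted at rest with a key the user holds" design from the earlier post and the encryption-at-rest argument just above, as an added Go illustration that is not code from any poster or from this forum. One caveat a practitioner would add: a plain hash of a low-entropy selector (a 10-digit phone number, an SSN) is not cost-prohibitive to reverse, because the selector space is small enough to enumerate, so the pseudonym needs a secret pepper kept outside the database (assumed here to live in a KMS/HSM); the `gcmFor` helper and the `Reidentify` check are hypothetical names chosen for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Pseudonymize replaces a selector (phone number, IMEI, SSN) with a keyed hash.
// The pepper stays in a KMS/HSM, never in the database, so a stolen table cannot
// be matched against enumerated candidates the way a plain hash of a 10-digit
// number can. Same selector + same pepper = same pseudonym, so lookups still work.
func Pseudonymize(pepper []byte, selector string) string {
	mac := hmac.New(sha256.New, pepper)
	mac.Write([]byte(selector))
	return hex.EncodeToString(mac.Sum(nil))
}

// gcmFor builds AES-256-GCM for a 32-byte key (hypothetical helper).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one user's PII record under a key the user (or their device) holds.
func Seal(userKey, pii []byte) ([]byte, error) {
	gcm, err := gcmFor(userKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, pii, nil), nil
}

// Open reverses Seal. Under any other key GCM authentication fails, so a record
// separated from its key, or whose key was deleted (crypto-shredding), is unreadable.
func Open(userKey, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(userKey)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// Reidentify is the check a defender runs on a proposed scheme: can a leaked
// digest be matched by hashing candidates of the selector's known format?
// It succeeds against sha256(selector) and fails against Pseudonymize output.
func Reidentify(leaked string, candidates []string) (string, bool) {
	for _, c := range candidates {
		sum := sha256.Sum256([]byte(c))
		if hex.EncodeToString(sum[:]) == leaked {
			return c, true
		}
	}
	return "", false
}
```

A breached table built this way yields pseudonyms that cannot be matched without the pepper and ciphertexts that cannot be opened without each user's key; deleting a user's key is the "irretrievable" outcome the earlier post describes.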
 

ABMD

Bullets don't fly without Supply
I never said it was unbreakable. But today, for user data that is currently free or low-cost, encryption would make it cost-prohibitive to crack if stolen.

Forcing companies to encrypt all user data at-rest is no different than requiring banks to have a vault and certain other security measures, as a precondition to remain FDIC-insured. Which is why every bank in America has some sort of vault. We still get occasional bank robberies, and rarely, the robber will try to gain access to the vault, but these are extremely rare and almost never successful in the long run. For personal user data, companies are currently operating like a yard sale with a shoebox sitting on a folding table - not like a bank vault that is FDIC-insured.

All it takes is Congress to mandate encryption at-rest for personal user data, and also block or restrict the sale/transfer of user data, and we’d solve >90% of the problem.

Sounds like you need to run for elected office, then make this your hill to die on.

"I would alternately claim that your private information is trademarked to you, and that selling it without your consent is infringement on your rights and constitutes piracy of your personal data (and Congress should codify it as such). "

Or find an attorney that would take your case to the Supreme Court, let them decide who owns your data.
 