Thank god there were no Russians or Iranians. /s
Many of the DPRK workers operate out of Russia (and China.)
It takes that level of verification to become a security guard or a school bus driver. Anybody in computer security should be doing this.
[1] https://www.sterlingcheck.com/services/fingerprinting/
[2] https://www.aamva.org/technology/systems/verification-system...
I live in China, a supposedly autocratic country and one with universal ID, and even companies here don't take fingerprints. ID will be shown when you are officially onboard. I can't say for all, but for most companies (at least the ones without the need for a security clearance), requiring ID at interview will be seen as a red flag, and requiring fingerprint would probably be put on social media and name shamed, if not straight up reported to the authorities.
Not that I’d do it. The paradox that security for a firm means zero privacy for me is too much to bear these days.
Again, I can't say for all, and I'm sure there are certain companies and positions which require such measures, but I could not imagine requiring fingerprints (or even ID during interview) to be acceptable in most cases.
It’s pretty common in finance, government and human services. Amazon is very aggressive with this - contractors in their facilities get regular background checks.
Usually the employee goes to a third party run by a company like Idemia to collect the biometric. I can’t imagine not collecting the ID information of perspective employees - that’s just asking for fraud.
I don't know what the equivalent in the US is, but https://www.fbi.gov/how-we-can-help-you/more-fbi-services-an... seems similar enough.
I'd trust an FBI report more than taking their fingerprints and the like.
(The current SF-86 only wants your residence addresses for the last 10 years. Used to be "List all residences from birth".)
You're in a much more authoritarian country, and that would be using your non-universal, national ID. How do you authenticate someone coming in from overseas?
Answer: your authoritarian government doesn't let them in, or authenticates them for you in a joint process with your HR department.
Btw, I am nitpicking here, but by universal I meant used across the whole country, i.e. national.
I would call the on-site interview and/or minimal background check "the most pareto frontier thing you can do."
Verify their ID in person, issue their laptop etc in person, make sure someone who interviewed them is there to meet and greet them (and attest that it's the same person they talked to.)
If you can at least do a final interview in person also, then that's even better.
This is more tricky with remote-only jobs or worse, "gigs" where you don't even meet people. But also, I would've expected open source to be "infiltrated" a lot more than it has, since that's very much anonymous internet culture... but also a culture of code reviews and the like.
I run outsourcing agency, we work with US clients and have seen lots of fake applications (different degree of sophistication), so far we have either rejected them right away, or we were able to filter them during (remote) interviews.
Local knowledge, too. If they claim to be from Krakow, get someone from there to chat to them. If you hear frantic typing, they're imposters.
That's oddly specific. Any famous examples?
https://www.bellingcat.com/news/americas/2022/06/16/the-braz... The Brazilian Candidate: The Studious Cover Identity of an Alleged Russian Spy
Maybe also Pablo González Yagüe aka Pavel Alekseyevich Rubtsov.
> "The candidate did not speak Serbian, despite graduating from the University of Kragujevac, in Serbia."
I rolled out these level of controls at a big company and got push back from the sales team -- they needed access to generate leads. do demos on the spot, etc. Was a hard fight and I lost.
(context: https://www.cnbc.com/2025/04/16/former-cisa-chief-krebs-leav... )
Under U.S. Code Title 18, the penalty is death, or not less than five years' imprisonment (with a minimum fine of $10,000, if not sentenced to death). Any person convicted of treason against the United States also forfeits the right to hold public office in the United States.
“No person shall be convicted of Treason unless on the Testimony of two Witnesses to the same overt Act, or on Confession in open Court.”
Cramer v United States being an interesting example. ‘As the Court explained: “A citizen intellectually or emotionally may favor the enemy and harbor sympathies or convictions disloyal to this country’s policy or interest, but, so long as he commits no act of aid and comfort to the enemy, there is no treason. On the other hand, a citizen may take actions which do aid and comfort the enemy—making a speech critical of the government or opposing its measures, profiteering, striking in defense plants or essential work, and the hundred other things which impair our cohesion and diminish our strength—but if there is no adherence to the enemy in this, if there is no intent to betray, there is no treason.” In other words, the Constitution requires both concrete action and an intent to betray the nation before a citizen can be convicted of treason; expressing traitorous thoughts or intentions alone does not suffice.’
In way that is--ultimately--very real and practical, the words continue to matter while people assert they matter.
It's difficult, but we should avoid crossing from cynicism to defeatism.
They absolutely matter without a shadow of a doubt.
Which is why the current situation is so frustratingly ridiculous.
Unfortunately the current DPRUS administration doesn't seem to care what the constitution says. They happily ran over the due process requirements set in the 5th amendment and openly ignored a court ordering something to be done to rectify that.
For the time being at least, any protection “guaranteed” by the constitution can not be relied upon if it goes against the wishes of a certain few.
Capability based operating systems can be made secure. Data diodes are a proven strategy to allow remote monitoring without the possibility of ingress of control. Between those two tools, you have a chance of useable and secure computing in the modern age, even against advanced threats.
Yeah... I feel like Cassandra, but here we are. You've been warned, yet again.
I agree about capability-based security, but strictly speaking, the capabilities of current OS are just primitive, i.e. checking file permissions. What capability checks do you mean?
My understanding is that the biggest threat is not capability checking, but capability escalation, i.e. bypassing checks, and hardware hacking, e.g. spectre/meltdown-type attacks that can read arbitrary memory.
Combining these 3 technologies with certain policies, e.g. 2 man rule, the hw/sw itself developed on airgap you can make it practically impossible to attack, even for nation state adversaries.
Edit to point out that these all work in 2-way configurations as well.
If an operating system can run any program you want, then it can run malware if you want. Windows, Linux and Mac OS are OSes that let you run any program you want. Android and iOS are OSes that restrict which programs you can run. Different techniques end up placing the boundary in different places but they still either limit you from running lots of nonmalware programs or they allow you to run lots of malware.
Operating systems already completely sandbox processes. Then they poke a ton of holes in the airtight hatchway because holes are useful. Suddenly it's not airtight, but at least it's useful. Then someone make a new OS with a holeless airtight hatchway. In time, it too will discover which holes it needs, and won't be airtight.
Something similar happens with data diodes. A reply mentions punching holes in a data diode by allowing certain limited two-way communication. Fine, but then it's not a data diode. And someone will suggest putting a data diode on one side of your not-data-diode to make it airtight again. And you'll have the problems of a data diode again.
Every system is. Security isn't a goal that is ever 'achieved', it is a continual process of mitigating risk.
But the main reason I'm responding is to thank for the TIL about data diodes https://en.wikipedia.org/wiki/Unidirectional_network which seem under-discussed and under-utilized. Only a handful of discussions on HN, most substantial (only 19 comments) from 10 years ago https://news.ycombinator.com/item?id=10213836 if I understand correctly, only used in very high security environments, but plausibly could be used in many applications that don't really need to be connected for input but could just broadcast or vice versa (many IoT devices). Thank you, thought provoking!
Cybersecurity services that operate as MSPs (the acronym variation where S is for security) hit a fundamental problem. A managed security provider becomes a bigger and juicer target since all of its clients are implied spoils. If they in turn defer-to/buy-from bigger actors up the food chain, those become juicer targets too.
This a frequent chestnut when we interview cybsersecurity company CEOs. Although it resurfaces the old "Who guards the guardians?", there is more to it. One has to actively avoid concentrating too much "power" (non-ironically a synonym of vulnerability ... heavy lies the crown) in one place, but to distribute risk by distributing responsibility for building trust relations (TFA mentions this). I expect we'll see more and more of this sort of thinking as events unfold.
I knew it was common, even standard in some playbooks, but I always underestimate the parallel black market services economy.
CyberMacGyver•9mo ago
owyn•9mo ago
ash-ali•9mo ago
mandevil•9mo ago
https://www.rsaconference.com/usa
keyle•9mo ago
hiddencost•9mo ago
(Kidding. A little.)
imiric•9mo ago
RSA was famously bribed by the NSA to make their compromised PRNG the default in their cryptography library, which shipped from 2004 to 2013. Any credibility they might've had vanished after that was publicized in the Snowden leaks.
h4ck_th3_pl4n3t•9mo ago
Kudos, made my day
saagarjha•9mo ago