Data Engineer In Google Case Is Identified

theodp writes "Meet Engineer Doe. A NY Times report has identified Marius Milner as the software engineer at the center of the uproar over a Google project that used Wi-Fi sniffing Google Street View cars to collect e-mail and other personal data from potentially millions of unsuspecting people. Milner, creator of the wardriving software NetStumbler, referred questions to his lawyer. Google declined to comment. A patent search shows the USPTO awarded Google and Milner a patent in June 2011 for protecting Internet users from 'hackers and other ne'er-do-wells [who] may seek to tap into communications on a network.'"

ftfy

[girlintraining]

Data Engineer In Google Case Is Identified

Fall Guy In Google Case Is Identified.
FTFY

Re:ftfy

[girlintraining]

What kind of twisted world view do you have in which corporate employees are transformed into mindless minions that have to obey every command?

My 'twisted' world view is called 'capitalism'. And yes, if you want to stay employed, you do what the person signing your paycheck tells you to do.

As an employee, you still have moral and legal responsibilities.

Yes, the moral responsibility to keep eating, paying the rent so you can keep a roof over your head, etc. It's very easy to act all indignant that someone would choose to eat food instead of morals; It's a lot harder when you're the one choosing between keeping your job, or losing your car, house, family, etc.

In fact, the way Google works, he probably could have said "no" without consequences.

The evidence does not agree with your 'world view'. Also, although cliche, I have to say "Citation needed." You haven't claimed you work for google, nor provided any citation or information that might suggest Google is somehow above its fiduciary responsibility to its shareholders; Because before this guy got fired, the Board most certainly looked at the issue and determined one man's future was not worth Google getting raked over the coals in a PR disaster. To suggest that they would take the moral high ground on that is preposterous: All businesses react the same way to a perceived threat -- they jettison it and distance themselves from responsibility for it as quickly as possible.

I think what rather happened is that he thought this was an OK thing to do. Good for him! I hope he makes that argument stick, because I think he's right and ...

... And that'll be the last time he gets a job in this industry. What's the first thing a prospective employer does these days? Type your name into a search engine and see what it comes up with. And right there, as the #1 result for the rest of his life, will be "Caused PR disaster." Whether that's true or not is irrelevant; Future employers won't take the risk. Taking the moral high ground is not without its consequences; That is why so few people these days do it.

, in that people may come to realize that we shouldn't have useless and ineffective legal restrictions on recording publicly broadcast data.

I'm sure he'll take great comfort in raising public awareness on this very important issue, while he's asking you if you'd like fries with that.

Re:If you have something that you don't want

[SaroDarksbane]

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.

Or in this case, if you have something that you don't want anyone to know, maybe you shouldn't be broadcasting it over the airwaves to the public at large.

Just a thought.

Re:If you have something that you don't want

Neither of those analogies are appropriate, and your reaction is awfully spiteful for someone who likely wouldn't be on an unencrypted wi-fi network in the first place.

In one of your examples, you're given access to a private system with the idea that you won't mess with other.
In the other, you're tapping into a private circuit with the intent to steal data.

If anything, home routers should come pre-encrpyted, with the random default key on a sticker on the bottom, and display a warning and disclaimer for people who wish to run unencrypted wi-fi.

Someone before made the analogy about this being like having sex with the windows open, and then saying anyone who happens to stare for a few extra seconds can go fuck themselves and deserves to die. What kind of person ARE you???

Re:If you have something that you don't want

[ByOhTek]

You can't be that stupid...

If the system is open, an easily sniffable, you're an idiot for using it with stuff you don't want publically accessible.

* I don't use WiFi at home (easy enough to wire a place up, a simple weekend project).
* When I do use WiFi...
** If it is encrypted, then I will use things like email, etc. But only if they are on a secure pipe (such as https / pops / etc.). I still won't use it for anything financial.
** If it is unecrypted, then I will only do casual browsing - no stuff with user names or passwords.
* Wired is treated like secure/encrypted WiFi, except I will do financial things (if it is a network I trust)...

Remember, on the internet, paranoia is your friend because everyone IS out to get you.

Idiots

[StoneyMahoney]

I guess it would be beyond expectation for someone to tell anyone complaining their data was "stolen" that they should have been pumping it into the local atmosphere for all to read without any encryption or other basic protection.

Yeah, holding people accountable for their own idiotic actions would make too much sense. Beside, we make far too much money out of idiots who bought cool stuff with no clue how it actually works - me especially, a lot of my tech support clients use Macs.

Re:Idiots

[madmark1]

So let me see if I understand your argument. People aren't stupid, because they don't know the implications of unsecured wifi. Or put another way, people aren't stupid because they are ignorant and lazy instead? Every freakin router manual you will ever find, as part of the 'simple setup steps' tells you to change the default SSID, and turn on some sort of encryption. If they don't do that, then it sure sounds stupid to me.

Re:If you have something that you don't want

Your reasoning is along the same as "you shouldn't go out if you don't want to get stabbed". It is not reasonable suggestion.

Do you even have the ability to grasp granularity of magnitude that isn't all on or all off?

HTTPS isn't the issue here. THERE IS NO PRIVATE NETWORK ON OPEN WIFI. A secured connection, a dedicated connection from an ISP, these are PRIVATE connections. OPEN WIFI is a PUBLIC ONE.

You don't want people listening in on your phone calls? Don't have them outside in a public place, the hobos might steam your trade secrets (or whatever paranoia types like you subscribe to).
You don't want people listening in on your data? Don't transmit it on a "public" medium.

Re:If you have something that you don't want

[Medievalist]

I live in a place that has wifi where you log in with password. It is encrypted, but after logged in you can still sniff everyone else on the network. It still doesn't make it right to do so.

Likewise, your internet traffic goes unencrypted when it leaves your house. It doesn't make it right for me to plug in to that in between your house and ISP and capture that data.

HTTPS and SSH cannot be sniffed on your wifi, nor does either one "go unencrypted" when it leaves your house. Broadband providers using DOCSIS protocols also are not sniffable by your neighbors.

However, I recommend you should worry more about "is it possible" and "is it likely" rather than "is it right". Our government and the big corporations (that's redundant, I know) clearly aren't at all concerned about your ideas of right and wrong.

The big cat in the room.

Posting anonymous so this will not haunt me forever through the net (unless you are tracking me already har har).

Has anybody actually been hurt? Because, uh, I'm just asking. I'm all for privacy but I don't see anyone poring over my data in this case. So has anybody been hurt? Where is the victim?

Or are we talking about hurting the feelings of those poor electrons that used to mean something, however fleeting, before being vacuumed up by a hateful engineer?

And you know every atom whose state you have ever modified has certain inalienable rights..

I am pretty damned cynical about big corporations and those who presume to rule them, but there are plenty of white collar criminals in power in America and I have yet to see any at Google.

And for your info I think Sergey's and Larry's excellent space adventure shows me enough where those guys stand. I prefer to support Google and Man's Future In Space. The rest of the establishment, their cops and politicos and bastards who talk out the sides of their mouths, the warhawks and smack sellers, and all the self righteous fucks who turn a blind eye to killing, and the fucktards who find a moral pinnacle somewhere in there, they can all go off and fuck themselves until they die.

As for Milner? Well he is either completely innocent or a geek who has been hypnotized until robotic. Happens every day in America. There are one thousand other cases more worthy of prosecution.

Re:If you have something that you don't want

Your hate towards Marius Milner is so strong, you saw this article in the future and registered just in time to post this comment with same timestamp as the article?..

Tech(NY|LA|Cars|nicalExpert), you're so unsubtle :(

Re:If you have something that you don't want

[WaywardGeek]

But how could he not write the sniffer program? A co-worker of mine wrote a fun screen-saver. It posted each image sniffed over wifi in a random place on the background, creating a real-time collage of what people were viewing on the Internet. He wrote the program and showed it to his boss, and fortunately being at a start-up, he found it amusing. He also hacked our WEP security in a few hours with some hacker software, leading us to upgrade our protection rather than get pissed. It is the nature of good engineers to be curious, and Joe Engineer does not offend me. It's the government that scares me.

Re:If you have something that you don't want

[minerat]

I think it was stupid, but it doesn't look like it was a vast Google conspiracy to inhale as much data as possible for the takeover of the world. It looks like a stupid decision by an engineer and a layer of incompetent management.

I certainly don't condone anyone collecting WiFi data that most people expect to be private, but correct me if I'm wrong - they didn't crack WEP/WPA/hack their way into routers to obtain this data. That means it was floating free and unencrypted over the air for anyone to observe. It's shady and makes Google look bad, but technically it's not much different from receiving FM radio signals; perhaps short range walkie talkie conversations are a more apt comparison - still not illegal and not patently immoral.

Re:If you have something that you don't want

[Chrisq]

https is your friend. Seriously on any wifi network you should use https for anything secure.

MITM attacks on public wifi hotspots are mostly trivial. Yeah, keep believing that using HTTPS is securing anything.

Written by someone who obviously doesn't understand how https works. Your site URL is validated against a server-side certificate. The protocol starts with an exchange of public keys, then uses session keys for the session. This makes a man in the middle attack impossible.

Doesn't seem to be a "rogue employee"

[aclarke]

Here's a choice tidbit from the article:

Google long maintained that the engineer was solely responsible for this aspect of the project, which resulted in official investigations, some still unresolved, in more than a dozen countries. But a complete version of the F.C.C.’s report, released by Google on Saturday, has cast doubt on that explanation, saying that the engineer informed at least one superior and that seven engineers who worked on the code were all in a position to know what was going on.

The F.C.C. report also had Engineer Doe spelling out his intentions quite clearly in his initial proposal. Managers of the Street View project said they never read it.

Depicting his actions as the work of a rogue “requires putting a lot of dots together,” Mr. Milner said enigmatically Sunday before insisting again he had no comment. He said he was closely following the news reports on the issue.

If that's all to be believed, Milner reported on what he was doing, and sent it to his boss(es). They opted to "not read" the report. If at least six other engineers were in a position to know, then this sounds more like a "no, don't put this in writing or tell us what you're doing" situation than a rogue employee. If bosses aren't responsible for their employees, what are they there for?

Re:Doesn't seem to be a "rogue employee"

[girlintraining]

If bosses aren't responsible for their employees, what are they there for?

To provide individual profit without individual responsibility. Unless, of course, profit is threatened, in which case sacrificing an individual is a reasonable response. See also: The reason most people over the age of 30 are fired. I can't tell you how many times I've heard someone blubber "But I did what they asked me to..." on the way out the door. I've worked corporate jobs long enough to know that when someone asks you to do something you think might backfire, you smile, agree, and work as slowly as possible on the project while working as quickly as possible at finding another job and getting your name off the reports. Corporations will not hesitate to throw their employees under the bus -- afterall, it's not like you're unique or important... there's fifty more just like you a phone call away.

That is the raisin de etre for a corporation: Individual profit without individual responsibility.

pursue and punish where it does some good

[khipu]

If you broadcast information publicly and without sufficient encryption, the public can listen in and record it.

Apart from the question of who is right in the abstract, punishing Google or other people isn't going to deter anybody who actually wants to do you harm, since passive listening is pretty much impossible to detect. What we might restrict and punish is the use of such information, for example rebroadcasting it, using it in legal proceedings without a prior warrant, or reselling it.

The real question we should be asking is how people are punished that broadcast private information (e.g., hospitals that use unencrypted networks).

Re:pursue and punish where it does some good

[Solandri]

I tend to fall on Google's side on this (because other companies do the same thing or worse; Google only got "caught" because they did the honest thing and publicly admitted their mistake). But placing blame entirely on people who fail to encrypt their wireless is going too far in Google's favor. If I don't lock the door to my house, yeah it's my fault if I get robbed. But that doesn't make the robbery legal.

If you find a neighbor's wifi network is open, that doesn't give you carte blanche to use it and snoop their devices and data; especially in the countries where privacy laws afford some protection against that sort of snooping. This spills over into a grey area regarding data on encrypted networks. What happens if I record your encrypted wifi data, and 10 years from now computers have gotten fast enough that what was sufficient encryption at the time of the recording can be broken in a few seconds? Do I get to say "tough, you broadcast that data on public airwaves using insufficient protection; it's now mine to do with as I wish"?

Your private data has to be afforded some legal protection regardless of the amount or strength of encryption. The dividing line has to be whether the user had an expectation of privacy when transmitting that data. I think most courts would buy the argument that you don't have an expectation of privacy only on openly public networks (e.g. Starbucks). I think wifi is new enough for non-tech people that for a home network, most courts would agree the owner had an expectation of privacy even if he failed to turn encryption on.

Re:If you have something that you don't want

[jimbolauski]

So if I leave the door to my house unlocked it's OK for you to go in and take what ever you want? How much responsibility falls on the home owner? If they lock their doors and arm a security system but the system is old and easy to bypass and the thief has a bump key is it the owners fault. Google identifying open wifi while driving around is not the problem it's that they went into the network and collected data. If they sniffed any VOIP traffic then they committed a felony the only reason they have not been charged is that email and other communication are not protected under law.

Re:If you have something that you don't want

[timholman]

They didn't "go into" the network. They collected data that was floating on the airwaves around them. The proper analogy isn't with walking into an open door, but taking a photo through an open window. From the street.

Actually, it's more like putting a speaker outside your house, then playing personal information over it for anyone driving down the street to hear, and then getting angry that someone had the gall to record the audio that you were broadcasting to the world at large.

Re:If you have something that you don't want

[X0563511]

I don't think you understand how radio works. It's like sound.

Your neighbor blares his stereo? Well, you can hear his music because of that.

You blare your unencrypted data? Well, I can read it.

Re:If you have something that you don't want

[Artraze]

> It's like sound.

Which in most states is illegal to record without the consent of at least one party?

And further, I'd also mention that the Supreme Court has ruled that people have an expectation of privacy with regards to their infrared emissions, which is a much better analogy. There is a huge difference between actual sensory data which you incidentally encounter, and data that you can only receive by using a specialized piece of equipment and specifically decoding it. (Mind that even unencrypted wireless is still encoded by the protocol. You cannot make sense of the data by simply 'listening', you need to actually identify the noise, devices, packets, retransmissions, etc.)