Years ago, I worked at a place that attempted this. They were so giddy about it. There wasn’t even a known leak, or, arguably, anything particularly worth leaking. They were just tickled by the idea that they could gotcha anyone who tried to leak something.
Then, as now, it strikes me as little more than sad and paranoid Tom Clancy cosplay.
I’d like to say I’ve moved on to a place with a culture of trust and faithfulness, but it doesn’t seem like anyone really trusts anyone anywhere anymore, and recent general infatuation with petty lords of chaos doesn’t seem to be helping.
So here we are, everyone fantasizing about espionage.
>it doesn’t seem like anyone really trusts anyone anywhere anymore
No offense intended, but have you considered that maybe you're just surrounded by bad people? I have a reasonable amount of trust and faith in the other people that I work with. If I needed someone to pick me up in the middle of the night from the hospital, I'd trust my coworkers as much as I would trust my wife or friends.
My company is hardly some "golden child", but it generally does right by its staff, and the staff, more or less, does right by the company. Things aren't perfect, but I would say the amount of inter-office trust is about as close as anyone would reasonably expect. Problems pop up, but with a healthy amount of addressing things head on, those problems don't rot and fester.
Need someone to be honest with you about the deadline of an upcoming project? Done.
Need to get a hold of someone off-hours on a three day weekend? Alright, as long as it's something important and time sensitive.
Need realistic feedback about a presentation you're working on? Sure.
It all revolves around mutual respect, camaraderie, and clearly defined roles. When I see an upcoming issue with an area I have nothing to do with, I don't feel the need to fix it "because no one else will", but, I also don't leave it to blow up in someone else's face either. I let the right people know, or tell my boss if I'm not sure who should be involved.
If I had to take a guess, maybe you work for one of those larger corporate type companies with lots of middle managers, office politics, etc.? I'd encourage you to look at getting away from that if it's weighing heavily on your ability to trust others. It's something that I dealt with for a length of time, and once I moved onto a smaller shop, the ability to trust and genuinely rely on others improved quite a bit.
I worked for most of my career, at an "old-fashioned" Japanese corporation, and the level of Personal Integrity in the company was phenomenal. It was not "touchy-feely" nice, but people were honest (when they were yelling at you), and weren't playing games. Everyone was focused on creating great stuff.
I just took it for granted, but that environment was a bit of a "silo." When I left that company, and started to interact with today's tech culture, it was ... quite a letdown.
It seems that most executives are fairly sketchy people, these days, and they set a culture that is mimicked by the folks that work for them.
I guess that it's always been like that, but it seems a lot worse, these days.
I started out work in a shop with a terrible, toxic work environment. Micromanaging, power-hungry, abusive management begat gossiping, uncaring, deceptive, and selfish labor... you learned to just keep your head down and let the shit slide off your shoulders like water off a duck's back. Keep your wits about you when something went behind schedule, though, because the blame game was about to get serious. I took to taking long walks on my lunch break - 28 minutes out, plan for 28 minutes back for some breathing room, because you were entitled to a 1-hour lunch break and would get shouted at for punching in and out with a 61-minute lunch hour - just to clear my head.
Now I'm at a shop that's miles better than the first. Management probably cares too much, treating labor better than a lot of parents treat their own children. Honesty and transparency are the defaults, a problem doesn't result in blame being passed around, the 5 whys are extended to 6 whys if they seem to point to "this trusted human made a human mistake." We're our vendors' favorite customer - we just got a valued salesman/apps engineer back who'd had his territory switched, he covers most of the region starting 30 minutes south of us but also negotiated a key account exception to keep us on his account. We're also one of our customers' favorite suppliers, they'll happily pay extra because they know we'll build them the Cadillac of machine tools with integrity and quality at each step of the build, and not nickel-and-dime them for support after the fact or ignore them when the machine is out of warranty.
The scary part about this, though, is that the accumulation of loyalty, trust, and social capital that's been very slowly built up over decades could be quite effectively and profitably plundered in an acquisition or by a change in the board or management. They could probably turn the screws and push profit into the stratosphere for 4-8 quarters before our abnormally low turnover turned into abnormally high turnover and customers realized that our culture had changed.
Yep, unfortunately it’s incredibly hard to put value on those intangibles.
And what’s worse, being a hard nosed asshole is expected behaviour from executives, even if it’s uncalled for or actively harmful to the company.
I knew a guy fresh out of MBA school who proudly told everyone I worked with that if they didn’t like what he asked them to do, he’d sack them. Despite the fact that these people had specific training, were good at what they did, and understood how best to do their jobs.
His attitude really made me think about the value of individuals in a company - and showed me exactly how not to do things in the future.
Fair comments. I’m not at a huge org, but I am in an industry not known for its optimism. I myself am not particularly optimistic lately. Maybe I should be!
Indeed. For example, Musk fancies himself a champion of "hard work" but what he fails to realize is that humans have not actually merged with robots yet, and we still have human needs.
If innovation and brilliant thinking are part of your brand, you actually get higher quality work, sustained over a longer period of time, if you actually back off on the whip-cracking and just give people what they need to produce great work.
You get slightly slower growth, but more area under the curve in the long run.
>For example, Musk fancies himself a champion of "hard work"
And Musk is the perfect example of "do as I say, not as I do", as he sends teams into a death march of insane hours, wherever he is, while he's shitposting on Twitter from his multi million dollar house paid for by company funds and pretending he's doing 120 hour work weeks.
I think there is a middle area between being a "nice boss" and being a boss who calls out internal engineering implementation concerns (rightly or not) on Twitter. And then fire people who disagree in a response.
Hewlett and Packard were relatively low on the asshole scale, at least for their employees. [1]
Early support for company health insurance, flextime, work-from-home, free coffee breaks, decentralized decision making, etc.
See the HP Memory Project at https://www.hpmemoryproject.org for some of the stories. ("Jim Catlin's Packard Story" and Packard's 11 rules, "Bill Hewlett and the HP Medical Plan" for their anonymous payment for medical bills for an employee's premature baby, etc.)
I don’t think it’s a nice-or-not thing but more a management strategy thing. Hard-driving can be great at extracting value from an organization but it isn’t as effective at exploring potential as other management styles.
(Thinking of how much the Artemis cost vs. total SpaceX subsidy here, but subsidies are everywhere and look suspiciously like legalised corruption and/or voter manipulation to me even when I like the thing being subsidised).
Counterpoint: open source software, of which there are many great works without anyone being forced or pressured into making it. There are many more ways of getting motivation than applying "some pressure". Indeed, people are inherently curious and motivated, but it can easily be suppressed by environmental factors. In particular "stick and carrot"-type reward systems.
For a (much more) elaborate expansion on this, see the book Drive by Daniel H. Pink.
All this musk-style motivation 101 BS is direct from the CIA's manual on domestic espionage - frustration from within.
The means define the ends. If you treat people like shit, or as morons who need BS pressure techniques, you'll get a demoralised company.
Treat people well, set them clear targets and say it without fluff when they're slacking. If you can't tell somebody they're not good enough, you cannot help them to be good enough. None of this psychobabble BS where you're constantly second-guessing in a failed attempt to retain them on the rat-race for the rest of their life. Stop building ratrace companies.
They build rat-races because they are all still rats at heart.
Endemic crisis of leadership and vision bred men who cannot think outside the maze. No amount of climbing extended their horizons or released them from slavery to money and the misery it brings.
> released them from slavery to money and the misery it brings
Good point. I often wonder what motivates a billionaire to keep making more money. For most it seems like ego, greed, and inability to rethink their life. I suppose they climbed so high by being relentless and not stopping. This is what makes the example of Yvon Chouinard so interesting.
The vast majority of open source done in people's free time is unfinished and at best of limited use. The serious projects very often have paid developers. The good ones done by unpaid developers have some pressure in terms of expectations by their community or the developers put pressure on themselves to achieve some self goal.
You are quite right that open source done purely in free time usually takes much longer to be "finished" but that is more a question of the time available to spend on it than absence of pressure.
OSS projects that have paid developers often manage to avoid much of the pressure that occurs in closed source.
Some OSS projects like the kernel manage to harness companies as a way of funding full time developers without giving them too much say in details or deadlines. A feature ships in Linux when it is ready and accepted by the maintainers and Linus, not when some manager says it has to ship.
Of course this works far better for large projects that are essentially a "commons" like the kernel, less so for open source projects where most of the developers work for a single company.
OSS projects are also prone to leadership issues and tend to have "good ol boys" clubs. It's ultimately human nature, OSS or not. See Linus Torvalds or some of the things that went on in Rust community. Also, StackOverflow mods that volunteer their free time have so many issues. Wikipedia editors and Reddit moderators. Same.
Putting a OSS lipstick isn't doing any favors to understanding the human nature and how to create a good governance model to keep people happy. I suspect this is never going to be "solved", only solved in one person's views or ideological bias.
We barely recently got decent open source computers (but not smartphones), now try to imagine a GPL car...
That said, wouldn't it be cool to have some sort of open source VW Bug. Stainless steel cyberbug, EV for the people. Low tech, curb lasts whole century, ubiquitous parts.
> That said, wouldn't it be cool to have some sort of open source VW Bug. Stainless steel cyberbug, EV for the people. Low tech, curb lasts whole century, ubiquitous parts.
AWS would just fork it, package it as a SaaS, give nothing back to the project and it would then slowly atrophy and cease to exist.
Exactly, which is why I am advocating precisely for giving people what they need. Some people need pressure to perform optimally, others don't. Some people need to put in 80 hours of work per week, others don't. It is simple and humane to approach it this way.
I think motivation is more important. Solving problems should be fun and engaging activity. There are always bad apples literally in every single company no matter how good or faithful their culture. So, there is no way around it.
To give Elon credit, he does try to motivate people. Sleeping on the factory floor, doing more work than his subordinates, inspiring people about grand goals and "anti-bureaucratic" philosophy – all contribute to motivation. He sent out an email to Tesla employees that literally said "If a rule becomes a Dilbert joke, then change the rule".
I am trying to steelman Elon's way of governing and personally know several people at SpaceX that are not dying from overwork, but actually happy. I also have a few friends who couldn't stand SpaceX and quit within the first year.
> So here we are, everyone fantasizing about espionage.
Espionage isn't a fantasy, it's very much real. People go to jail for it all the time. The only question is to what degree might a company be affected or targeted. Taking steps to add a reasonable layer of security to attempt to protect costly IP isn't being paranoid at all. Not to mention that in some environments there are legal requirements, a prime example being aerospace.
We have had the experience of having an employee provide confidential technical information to a multi-billion dollar international competitor. The same competitor that, for as long as a year, bribed top resellers not to feature our products at industry trade shows. Business can be absolutely brutal and, yes, it can be war.
Your particular example wouldn't be deterred from the tactics that Elon says that he used, though. If it's not leaked to the public it wouldn't be seen by those that encoded an identifier into it.
If they kept the original correspondence then it would anyway. Plus this wouldn't be legally binding in a court room when Elon runs in and is like "I think the spaces match the one that I sent to this employee." That is not enough evidence to say that the employee did it when it is trivial for the ploy to be subverted by another employee just inserting a space in a random place.
Shaming tactics are orthogonal to defense, especially when the only way this succeeds is when nobody thinks the CEO is paranoid enough to try it. If anyone is leaking private memos from an Elon company now, it is trivial to disrupt this by reformatting the document and rephrasing sentences.
Employees should be responsible and have a duty to their employer. But it's important to decide if enforcement is appropriate and helpful. It hurts employee morale to be distrusted like this.
If the secrets being guarded are life or death for the company, then some extra measures may be appropriate. But if they're normal corporate "secrets" the harms of enforcement will be worse than a leak.
It’s called whitespace watermarking and seems to be one of those ideas that keeps getting re-invented. It’s used a lot, particularly in HTML where the rendering hides the identifying spaces. It can help you figure out if someone is scraping your content.
Genius used a similar technique to check whether Google was scraping their lyrics. Apostrophes in selected song lyrics spelled out "red-handed" in morse code.
> Google blames the issue on third-party licensing partners. "The lyrics displayed in information boxes on Google Search are licensed from a variety of sources and are not scraped from sites on the web," the company said in a statement.
Non-breaking whitespace/other non-rendered characters can disrupt this type of technique. It can also be rendered moot by photograph, transcription, paraphrasing, etc...
Hell, even a re-encode/format change, or stripping of format info can moot the entire premise.
I welcome Musk to demonstrating his own psychosis/neurosis. It doesn't really speak to any fundamental cleverness.
Furthermore, were I a journalist receiving such material, I'd damn well make sure to change how I communicated it enough to neutralize attempts at such watermarking, simply because I know people are pre-disposed to such acts as he did.
In fact, if you're going for maximum Discordian Malcontent high score, and you're confident you're operating under such scrutiny, neutralize a copy you leak, then carefully orchestrate the planting of false trails to keep the spook wannabes chasing their tails, which can end up blowing back on the orchestrator for waste of resources. This works better with a larger team though where Spartacus dynamics start kicking in. Sample size 1 tends to leave sufficient metadata from neutral parties to rehome in on a common perpetrator.
This is why labor organization scares the living shit out of people like Musk, and other large holders of capital/abusive management types. Info asymmetry, fear, and disunity are some of their most potent weapons.
Wisdom tends to prevail on the side of "don't do shit somebody'd find leak worthy, and you won't have this problem".
Margaret Thatcher did this in the 80’s to help identify who was leaking cabinet documents to the press.
I recall a story about Jobs tracking down leakers in his own executive suite by telling each of them a slightly different thing in private. Not sure if it worked, but it can be a very effective deterrent.
I worked with someone who would tell me very precise weird personal details (eg, “the left side of my mouth can’t taste”).
I found it odd because they weren’t really pertinent and seemed really unique that I’ve never heard of anyone else with the condition.
I suspected he did this to try to determine who they can trust when he would remark that people were liars or not trustworthy and one time a coworker told me a completely different weird detail about them.
I never got a chance to ask them about this technique before we stopped working together.
He never said not to tell anyone but he brought up several such details while we were working together. The information wasn’t really helpful for anything in that it wasn’t relevant to our work (making software).
I never revealed the info because it was said in confidence. But we weren’t really that close so it stood out to me.
My example was made up but the actual factoids were about medical issues and bodily functions. It wasn’t creepy or anything just not something I would want widely known.
Nothing is perfect and there were trade offs. This person was really smart so the stuff we made was interesting. I wouldn’t want to work in that org again but I’d gladly work with that individual.
Tyrion’s plot has a flaw in that it’s three versions of the same story. If two or three betray him, he won’t know and he’ll reveal to the queen that something is afoot.
If Pycelle tells Cersei Dorne and Varys says Greyjoy and Littlefinger says Vale then that’s a problem as Cersei won’t act on the information.
It also might make her suspect misinformation as there are three different values coming to her at once and she’ll have to deduce what’s more likely that all three informants are lying, or misunderstand, or Tyrion fed them bad info.
Much more likely to have three independent stories so that the traitors will be revealed even if there are multiples.
In the current scenario, if Varys and Littlefinger snitch then Tyrion won’t know because Cersei will hear Greyjoy and Vale and not reveal what she knows to Tyrion because it conflicts as Myrcella can’t be married to two different groups.
The better scenario would be something like “Myrcella marries Dorne to Pycelle; 1,000 ships sent to Westeros to Varys; I’m appointing Jaime as lord of Casterly Rock” then each betrayal could be known.
If Varys and Littlefinger snitch in this scenario Cersei will look into ships and Casterly Rock and reveal the betrayers to Tyrion.
I used to work in a laboratory where we tested pre-production cell phones (this was before the iPhone...). Different OEMs would send us sample devices with different fonts on the keypad, or with little blemishes on the keypad, or would put little subtle cosmetic changes to devices to catch leakers.
Funny when you would see devices pop up on the internet with these little things, and wonder who lost their contracts/jobs/etc/...
When Palm was creating the Pre, we had some security dude come to our lab to show us how to securely store, transport, test and inventory devices. It was crazy.
Funnily enough -- I came across a prototype Pantech device and I suspect that it's not only disguised for the carrier, but also the design and number of the Os could help trace its origin.
I remember coming across these pirated DVDs etc where they had some kind of Academy watermarks from pre release or intros that were supposed to be giveaways as to the source path for smoke testing.
Fictitious or fake entries are deliberately incorrect entries in reference works such as dictionaries, encyclopedias (including Wikipedia), maps, and directories. There are more specific terms for particular kinds of fictitious entry, such as Mountweazel, trap street, paper town, phantom settlement, and nihilartikel.
In cartography, a trap street is a fictitious entry in the form of a misrepresented street on a map, often outside the area the map nominally covers, for the purpose of "trapping" potential plagiarists of the map who, if caught, would be unable to explain the inclusion of the "trap street" on their map as innocent. On maps that are not of streets, other "trap" features (such as nonexistent towns, or mountains with the wrong elevations) may be inserted or altered for the same purpose.
I wonder how many people have died or had life changing experiences, because they thought there would be a village, but found only rocks and bushes there.
The trick is actually very, very old. Mapmakers used to add very small and intentional "mistakes" to their maps so that they could identify who was copying their work (because they would copy the mistakes along with all the legit parts of the map).
This is why any reputable journalist/leaker takes the information and reproduces it prior to any dissemination (hopefully destroying the original source material).
Yes. But they'll say that anyway, even if you publish the document in full. This is why a trusted free press matters, and why authoritarians work so hard to undermine it.
Yeah, the biggest case might have been Google vs Genius. There are also more elaborate things done for documents; with a 500 company we rolled out fonts with slightly different hinting to determine in which ring the leaks were happening.
A couple of corporations back, I got fed up with a corporate team who re-used my slides "creatively" without attribution and added the words "rabid squirrels" in white text to both the master slides and a few diagrams.
We used EMC's Team Rooms, and it was quite fun to run a full-text search across our tenant a few months later.
Reminds me of the strategy of map companies, that planted tiny errors or fictional streets in their maps, so that they can identify other map companies, that copied their work.
The following is only tangentially related, but somewhat interesting. For most of its history the USSR systematically distorted publicly available maps of the country, misplacing or omitting streets and geographical features etc. This was done as a security measure, while accurate maps were classified.
Google still does this! They seem to use some sort of generative neural net to produce fake names, descriptions, and even reviews for the trap locations.
You can report the location to Google as "bad data" and they'll delete it, but then a totally different fake location will re-appear in its place a few days later.
I worked once with a contractor who did not have a physical location for their business. They simply worked out of a minivan which they drove to wherever they were needed. But they pretended, to google, yelp, and probably others, to have a business location.
There was one of those near my house on our map when I was growing up. I thought it was just a weird mistake until years later when I learned about this concept.
Also worth noting that this did not work out, because their general counsel accidentally replied all to the email, giving everyone in the company a safe copy to leak.
"Reply-all" suggests that the same mail went to a set of recipients, but doesn't the watermarking strategy require each recipient to have their own unique copy?
The "to" line is just a header and you can put whatever you want. The actual recipient is specified out of band (RCPT TO). This is how "bcc" works.
Likely the To: line is some sort of mailing list in this case. The mailing list watermarks when redelivering to everybody. The To line remains unchanged. A reply-all causes one copy to be leaked (but it might be re-watermarked, depending on configuration...) Edit: A reply further down says it was actually a forward which does seem more likely, but nothing about the original setup is impossible.
But how did recipient A get a personalised copy if the mail with that copy was sent to a list of recipients?
Edit: WP has the Tesla story with the counsel forwarding his copy to everyone in a new mail (presumably trying to be helpful?) So not a case of reply-all disease
Email round one: individually-watermarked copies are delivered to individually-addressed individuals. More elaborate systems might watermark such emails en-route, though that's ... less likely. A and B each wind up with individually-identifying copies of the email.
Email round two: A REPLIES ALL to their individually-watermarked copy of the email, delivering it to ALL employees (or some nontrivially large sample), by which B AND EVERY OTHER RECIPIENT now contains A's watermarked copy.
Email round three: B OR ANY OTHER RECIPIENT OF A's REPLY ALL can now leak A's watermarked copy of the email. Watermarking NO LONGER identifies the leaker.
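The three rounds above, combined with the earlier points about whitespace watermarking and the To: header versus the envelope recipient, as an added Python example that is not part of the thread. The memo text, addresses, roster IDs and the one-space/two-space encoding are all constructed assumptions, not anything Tesla is known to have used.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample data: memo text, list address and roster are made up.
MEMO = ("Please sign the attached agreement by Friday. Return it to Legal. "
        "Questions go to your manager. Late forms delay onboarding. "
        "Contractors use the short form. Thank you.")
LIST_ADDR = "all-staff@example.test"
ROSTER = {"alice@example.test": 1, "bob@example.test": 2,
          "counsel@example.test": 3}
ID_BITS = 5  # MEMO has five sentence gaps; ID 0 is reserved for "no mark"


class Delivery(NamedTuple):
    rcpt_to: str    # envelope recipient (SMTP RCPT TO), decides who gets it
    to_header: str  # what the reader sees in "To:", free-form text
    body: str


def embed(text: str, recipient_id: int, bits: int = ID_BITS) -> str:
    """Hide recipient_id in the sentence gaps: one space = 0, two spaces = 1."""
    parts = re.split(r"(?<=\.) +", text)
    if len(parts) - 1 < bits:
        raise ValueError("not enough sentence gaps to carry the ID")
    if not 0 < recipient_id < 2 ** bits:
        raise ValueError("recipient_id out of range (0 is reserved)")
    out = parts[0]
    for i, part in enumerate(parts[1:]):
        bit = (recipient_id >> (bits - 1 - i)) & 1 if i < bits else 0
        out += " " * (1 + bit) + part
    return out


def extract(text: str, bits: int = ID_BITS) -> Optional[int]:
    """Read the ID back from the gaps; None if too few gaps survive."""
    gaps = re.findall(r"(?<=\.)( +)(?=\S)", text)
    if len(gaps) < bits:
        return None
    value = 0
    for gap in gaps[:bits]:
        value = (value << 1) | (1 if len(gap) >= 2 else 0)
    return value


def attribute(body: str, roster=ROSTER) -> Optional[str]:
    """Map a leaked body to the roster entry whose mark it carries, if any."""
    mark = extract(body)
    for addr, rid in roster.items():
        if rid == mark:
            return addr
    return None


def mail_out(roster=ROSTER) -> dict:
    """Round one: same To: header for everyone, unique body per envelope."""
    return {addr: Delivery(addr, LIST_ADDR, embed(MEMO, rid))
            for addr, rid in roster.items()}


def forward_to_all(sender: str, inboxes: dict) -> dict:
    """Round two: one recipient's marked copy is re-sent to every inbox."""
    return {addr: Delivery(addr, LIST_ADDR, inboxes[sender].body)
            for addr in inboxes}


def normalize(text: str) -> str:
    """Any whitespace-collapsing step (re-typing, reformatting) erases the mark."""
    return re.sub(r"\s+", " ", text).strip()


if __name__ == "__main__":
    inboxes = mail_out()
    print("round 1, bob's copy traces to:",
          attribute(inboxes["bob@example.test"].body))
    forwarded = forward_to_all("counsel@example.test", inboxes)
    # Round three: bob leaks the forwarded copy, the mark names the forwarder.
    print("round 3, bob's leak traces to:",
          attribute(forwarded["bob@example.test"].body))
    print("after reformatting:",
          attribute(normalize(inboxes["bob@example.test"].body)))
```

For anyone relying on such a mark as evidence, the last two results are the point: a match shows which copy leaked, not who leaked it, and a missing mark shows nothing at all.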
But in this case recipient B must have already had that one, as they were in the reply all for recipient A. If you sent me a personalized email and send it only to me, then my reply all isn't going to give my personalized version to anyone else but you- and presumably you trust yourself not to be the leak.
Reply-All would not include any other recipient in a standard, personalised mail out - unless the "To" or "Cc" fields were manipulated to give the impression that personalised email A went to everyone equally, but I think that would probably require some custom mailserver tweaks?
Correct. Like many credulously repeated stories about Musk 1) the source for this one is Musk himself 2) the description that he gave, and that gets repeated in viral posts, is an extremely easily disproven lie.
"After a series of leaks at Tesla Motors in 2008, CEO Elon Musk reportedly sent slightly different versions of an e-mail to each employee in an attempt to reveal potential leakers. The e-mail was disguised as a request to employees to sign a new non-disclosure agreement. The plan was undermined when the company's general counsel forwarded his own unique version of the e-mail with the attached agreement. As a result, Musk's scheme was realized by employees who now had a safe copy to leak."
Guy who embedded Xbox 360 serial numbers into the Xbox 360 beta dashboard UI to identify leaked pics here - there was a big HN thread on it some years ago.
Just to point out, using extra spaces and different ASCII space is basic steganography that's been used since WW1 and WW2. Elon brags about using spaces and other "Canary" techniques. Not super complicated.
Elon appears to send emails in a fixed width HTML file in a lot of cases, which gives you some extra options with ascii characters on line breaks for steganography. Using a tool I wrote a decade + ago to find inserted line breaks in images - here was what I pulled out from a screenshot of Elon's email to employees from earlier today.
This was the first thing this post made me think of. You blew my mind with this back when I was a kid in school. Extremely memorable. Glad to see I’m in good company in this thread.
Ashlee Vance's biography of Musk (from a few years ago) had a fun similar story. Someone inside Tesla wrote a letter, I believe complaining about product defects, which was printed by a media outlet. Figuring that the leaker printed the letter at Tesla offices (i.e. likely didn't have a printer at home), Musk re-typed the letter in Word, found out exactly how many kilobytes a Word file with that exact text would be, then searched the printer logs for who printed a file with precisely that many KBs recently. Doing this, he found the leaker. (It's been a few years since I read the book so a couple of the details may be off, but that was the gist of the story)
The most impressive/unbelievable part of this story is that 2 Word files, created separately, ended up with the same exact file size. I'd assume with all of the Metadata they cram in that this would be unlikely.
I agree; this story is apocryphal. I was annoyed enough that I did some research into the story. Via this Atlantic article[1], I found the original Valleywag post[2] containing the letter from the employee. It's worth noting that the letter from the employee is pure text (i.e. not a scan of a letter), is only 170 words long, and has a couple of misspellings. The Valleywag post provides a paraphrasing of what the employee told them, followed by what seems to be the entire body of the email that they received.
The Musk detective work is described by Vance in a footnote:
“Musk would later discover the identity of this employee in an ingenious way. He copied the text of the letter into a Word document, checked the size of the file, sent it to a printer, and looked over the logs of printer activity to find one of the same size. He could then trace that back to the person who had printed the original file. The employee wrote a letter of apology and resigned.”
This leaves me with more than a few questions:
1. Why would this email/letter have been printed out? It's short, informal, and did not seem to contain any corporate materials that would require access from a work computer. Surely, this would be better sent as an email from a personal computer? All I can think of is that the employee did print some kind of private company information (perhaps as proof?) to send to Valleywag. But wouldn't this mean that the print-job sizes wouldn't match since there would be printed materials not made public? It seems beyond insane to physically mail a tip to a gossip site that was built around emailed tips.
2. If this was sent as a physical letter, why would the quote in the article contain the typos? Why would they even take the time to type up the entire letter when the article summarizes every single point that the Tesla employee mentioned? Shouldn't they have taken some care to not verbatim reproduce text that could have gotten their source into trouble? I will say that the minimal journalistic standards employed by former Gawker-network sites provide convenient explanations to these questions, so these aren't particularly damning.
3. Is this really all the text that was sent to Valleywag? The quoted part of the letter provides no salutation or signature. Sending this text exactly as quoted as a physical letter seems bizarre, even for an anonymous tip.
4. Would the sizes of the files sent to the printer even match up considering the document metadata? This actually seems somewhat plausible.
5. Would the print-job really be the best way to figure out who the leaker was? In October 2008, before the letter was written, Tesla only had 363 employees[3] and may have laid off a few dozen of them before this letter was written. This employee claims to have joined in 2004. A Wired article from 2006[4] mentions a meeting of 30 Tesla employees and board members in December 2004. It seems like there are a very small number of people who could have been the potential leaker. How many of those people were using the corporate printers the day after the mentioned all-hands meeting to print a single page document?
--------
I imagine that this story was told to present Musk as smarter than everyone else while also threatening disloyalty, which seems to be a frequent Musk bugbear. The bit about the caught employee writing a letter of apology and then resigning (amidst large-scale layoffs at Tesla in 2008!) also seems a little too cute, in a chain-email-atheist-professor-humiliated-by-freshman-Albert-Einstein kind of way.
The size of the saved word file (depending on exactly how it was saved and what version) will vary depending on how it was edited, and yeah, what metadata is there, so this seems...wrong.
they probably narrowed it down to one person and approached them with the logs and "admit and be fired or don't admit and legal (and all the bad/expensive stuff that comes with that) will be engaged to get to the bottom of it starting with you".
He searched the printer logs. Presumably when Word sends stuff to the printer, it doesn't bother with all the extraneous garbage it puts in files. Printer communication hasn't changed much in decades.
Still. He’d have to have the same normal.dot, make the same space/tab choices, same fonts, etc.
And in a large company, how many ~1 page letters get printed? What are the odds that there is only a single match in the entire company?
I take this story similar to the binary coded space story: more likely to be apocryphal and promoted to deter future leakers than true stories about catching them in the past.
I would imagine any two computers at Tesla have a very good chance of having identical normal.dot, and font can be determined by looking at the letter. For a letter, who is using tabs for anything but the start of paragraphs? Even if it's not perfect, it's unlikely to change the size of a word document (which is likely <25 kB to begin with) by a full kilobyte.
Basically all it would tell you is the number of word documents with approximately the same amount of text were printed, plus or minus about a paragraph. Letters aren't frequently printed and the contents of the leak would almost certainly limit the number of suspects to a small handful of people. It's not hard at all to believe that in a group of ~50 people and a time window of ~1 week you might only have one even close match.
Exactly this. If you know that it's around 36kb, and had to be printed between two dates, the list narrows substantially. And more than likely, the printer queue or corporate compliance tools had additional functionality that made such a search trivial.
I have my own story about this: In the early 2010's I had a boss that loved to call us and check in every day. We were a remote team and he had anxiety that we were all larking off. I later learned his technique was to open the dropbox admin tools to see the location of someone before calling them. "So, BarelySapient, where are you working at today?", he'd ask in a cheerful tone. But in reality, he was testing employee truthfulness. Every call. He later fired one of my co-workers when they reported to be working from home, but dropbox reported them somewhere in the Florida keys....
... and here I'm just happy about German employee and EU data protection laws. This kind of abuse would be plainly illegal here and entitle the employee to significant compensation.
Certainly possible, but also relies on the assumption that this was done on company equipment. When leaking info under a vindictive boss I would think opsec rule #1 is avoid company equipment as much as possible. Even without a printer at home, it's quite easy to send a print job to a local office or shipping store.
Data exfiltration is an extremely dangerous risk in the world of corporate espionage, especially for a company like Tesla that is trying to be first to market with something as massive as FSD.
There is no way I would send anything to an external print shop from company equipment; they are almost certainly on top of that as well.
This has gotten me genuinely curious, I wonder what the safest way to get a document like that onto your own device is. Printing it on a work printer doesn't seem ideal, but I don't really know what the best approach is. Maybe emailing it to an outside address or sharing it as a document via Dropbox or similar? Copying to physical storage? All of those seem fairly easy to monitor as well though.
If any infosec experts feel like chiming in I'd love to learn more.
Anything done on a corporate machine needs to be assumed monitored. The paranoid approach would be to fully power off the machine, take the hard drive out, then use an independent machine to mount and read the data off that. Now, if they suspect that approach, or they suspect you personally, there will likely be evidence of your hardware tampering. But it would thwart automated mass-surveillance solutions.
Take photo of screen with phone camera, carry it home, OCR. If you're really paranoid you don't want to send the document's bytes off your system or use any unusual program (e.g. steganography) to edit them.
If you use a TLS-inspecting proxy/VPN, this will be detected. Otherwise, it depends on how much monitoring is going on, but at best they could suspect it.
> Copying to physical storage?
At my work, USB drives are disabled by MDM.
You could transfer the files over SSH. Even if you have an MitM SSH-inspecting VPN, once the SSH channel is established, you could tunnel a second SSH connection through the established insecure SSH session.
Even then, with enough logging, you could detect that all local files were accessed sequentially which would raise a red flag.
There's nothing you can do to prevent insider espionage that wouldn't raise false positives and block legitimate work, but you could at least detect it.
It will always be a game of cat and mouse. Your protections for leaking are limited to legal whistleblower protections against retaliation, so odds are anything suggested here will potentially be traceable or suspicious, which may invite further scrutiny.
Ironically, we had an employee appear to exfiltrate data through a print shop. They almost got away with it unnoticed.
The USB stick they used to make the transfer contracted ransomware from the public terminal, which put everyone on high alert when it was next introduced into the corporate network.
It's probably not the only bit of evidence. "Hmm, it's about the same size, it was printed at about the right time and... yeah it sounds like *that* guy, let's see what else he printed - oh, nothing? Cool."
> I take this story similar to the binary coded space story: more likely to be apocryphal and promoted to deter future leakers than true stories about catching them in the past.
Or have a printer at home on stand-by for your leak press releases. If I were Musk, I would have fired him/her not for being a snitch, but for his/her sloppiness and overall carelessness and lack of discipline.
Or lying. When you are rich or famous or in vogue socially, people let you get away with these stories, e.g. consider Feynman's "I'm modest but look at my genius"-isms.
Yeah exactly. My thought was he probably found the leaker in a much more mundane way, but being undeniably great at PR he decided to spice up the story with this little bit of detective work. It sounds so clever you want to believe it, even if it's pretty impractical (not impossible though!). You know what they say, don't let the truth get in the way of a good story.
It'd be even easier than that. Walk to the person's desk and ask them to bring up the document that they printed on ${printer} at ${time}. If he can't produce a document of the correct size, he's your guy.
What are the odds that he calculated a certain number of bytes, and exactly one other employee had sent a file to the printer that contained that number, but it was just a coincidence? If the method indeed doesn't work (as you suggest "is possible") it's impossible it would turn up a false positive, only a false negative.
It's also possible that he calculated the number of bytes, searched the logs, didn't find anything and then tweaked his numbers until something matched. And then fired that random person to make a statement and lied about how he found out who to fire.
This approach would work in isolation, but by failing to find the true leaker would result in them being empowered to leak more over time. Is there evidence that Tesla has a lot of regular leaks?
almost as good as the odds that he got something pretty close, then changed the details a bit to fit the narrative.
or, he stayed up for two days until he got it exactly to match by tweaking his approach a little at a time, and actually matched it to the right person. Honestly, he seems like he'd do this.
You wouldn't do that though, would you? You'd type the thing up, print it, see that the printer received a 4.7 KB (or whatever) doc and look for a 4-6 KB doc the week of the leak, and then you have 100 documents to go through, rather than 100000.
In general a lot of metadata is kept, but very rarely is the full print content kept (though in some organizations it may be for security review). The difficulty here is figuring what metadata is relevant, in this case size was the most important.
The OP talks about the size in kilobytes, not bytes. That will almost certainly give false positives, but if you limit the time range, it may not be that bad.
Not a bad idea for initial filtering, I think, but I doubt it would hold up in court on its own.
Agreed - the goal isn't "the KB's prove you are guilty". It's metadata which serves as a means to reduce the number of computers you need to examine with a more complex/manual search (deleted files, temporary/corrupted files, word document history, interviewing the employee, comparing the material in the document with the role/responsibilities of the employee, etc).
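Added example (not part of the thread, and not any real print server's log format): the size-band-plus-time-window triage discussed in the comments above, run over a constructed spool-log extract. The CSV layout, user names, printer names, dates and byte counts are all assumptions made for illustration; the output is a ranked review list, and the last function shows how whole-kilobyte matching alone lets more jobs through.

```python
"""Shortlist print jobs by size band and time window (constructed example)."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed spool-log extract in a hypothetical CSV layout:
# timestamp,user,printer,bytes,pages
SAMPLE_LOG = """\
2024-03-04T09:12:44,user_a,prn-2f,48211,12
2024-03-05T10:03:10,user_b,prn-2f,4655,1
2024-03-05T16:40:02,user_c,prn-1f,5890,1
2024-03-06T11:20:00,user_d,prn-1f,4102,1
corrupt entry
2024-03-07T14:05:31,user_b,prn-2f,250133,40
2024-03-12T08:00:00,user_e,prn-2f,4700,1
"""


@dataclass(frozen=True)
class PrintJob:
    when: datetime
    user: str
    printer: str
    size: int   # bytes received by the spooler
    pages: int


def parse_jobs(text):
    """Return (jobs, skipped). Malformed rows are counted, never guessed at."""
    jobs, skipped = [], 0
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            when, user, printer, size, pages = row  # wrong column count raises
            jobs.append(PrintJob(datetime.fromisoformat(when), user, printer,
                                 int(size), int(pages)))
        except ValueError:
            skipped += 1
    return jobs, skipped


def shortlist(jobs, reference_bytes, low, high, start, end):
    """Jobs with low <= size <= high and start <= when < end, closest size first."""
    hits = [j for j in jobs if low <= j.size <= high and start <= j.when < end]
    return sorted(hits, key=lambda j: (abs(j.size - reference_bytes), j.when))


def users_to_review(hits):
    """Distinct users in ranked order. This is a review list, not an attribution."""
    seen = []
    for job in hits:
        if job.user not in seen:
            seen.append(job.user)
    return seen


def kb_matches(jobs, reference_bytes):
    """Jobs whose size falls in the same whole-kilobyte bucket as the reference,
    with no time window applied: the coarse match that produces false positives."""
    return [j for j in jobs if j.size // 1024 == reference_bytes // 1024]


def run_sample():
    jobs, skipped = parse_jobs(SAMPLE_LOG)
    # Reference job re-printed by the investigator: 4700 bytes (constructed value).
    hits = shortlist(jobs, 4700, 4000, 6000,
                     datetime(2024, 3, 4), datetime(2024, 3, 9))
    return jobs, skipped, hits


if __name__ == "__main__":
    jobs, skipped, hits = run_sample()
    print(f"{len(jobs)} jobs parsed, {skipped} malformed row(s) skipped")
    for job in hits:
        print(job.when.isoformat(), job.user, job.printer, job.size)
    print("same-KB matches, any date:", [j.user for j in kb_matches(jobs, 4700)])
```
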
I think you're forgetting that he could just re-print the file once he had located which printer it was on to verify. Once verified it's the file in question, you could easily check which device sent it to the printer.
This was my first thought as well. Is the file size really that precisely deterministic from a mammoth program like Word given different dates, machines, versions, etc?
Given that Musk is not the most reliable narrator, to say the least, I'm skeptical of this story. I'm sure he sees plenty of utility in appearing omniscient to frighten potential leakers.
I think that ... certain nations ... are quite good at playing "the long game," and often have their plants hired by companies; sometimes at fairly senior/sensitive levels. They may not even start phoning home, until they have had a few promotions.
OP says he compared them in terms of KBs, if this is taken literally then he didn't check to see if they were exactly the same length. Assuming that the two word documents are actually identical except for metadata, I wouldn't expect the size discrepancy to be on the order of kilobytes.
Still a reckless way to identify the leaker, there's plenty of reasonable doubt if all they have to go on is the size of the document that was printed.
I believe the printer logs would contain the size of a Postscript-like equivalent, not the docx itself. I wonder if the story is missing the detail of submitting the new Word file to a printer and checking the size. Or he fired someone random where Word doc size == printer input size.
had the exact same thought. if anyone works in-office and has the time/capacity (don't get fired) to do this with some colleagues, it'd be a fun and interesting experiment!
I'd assume a billionaire heir to a diamond mine with an econ BA parsing various different models of printer logs for fifteen offices late into the evening would have discredited the quote entirely, but the cult of personality implores me to insist even Stalin himself did something similar in both Haskell and emacs.
To be really secure when leaking typed documents, I get 5 colleagues together and we whisper the leak along the line, so that many of the words are changed by the end. For each word we are randomly spaced to defeat Musk's space-based detection.
We then take the output of this and transcribe it over an old HAM radio to a friend in China. He lives on a farm, so he then dictates it to a chicken who writes it in the sand. He quickly takes a picture before the wind erases it.
He then contacts a US media publisher under the name 'Whu Lee K', and they print it as is! What a wonderful time to be alive.
Not to be a party pooper, but afaik this story didn’t happen and has actually been told for years attributed to various different people and agencies.
yeah i always thought the SOP was to take a picture of your screen with a camera. Print that out at home, manually mark/cut out the parts you don't want to leak, take another picture, print, and leak that copy.
I wonder about this stuff and expect they could also just look for a file of that exact size in bytes on work PCs or cloud storage.
I think anyone who wants to write potentially career limiting things should exercise basic common sense like not using work computers and printers, removing fingerprinting elements, etc.
In the future I expect more to do stuff like cut and paste between programs to alter the font and spacing before sharing.
Or, of course, don’t leak proprietary information. There are whistleblower protection laws for illegal material that can be revealed. But leaking random company stuff, I think leads to less info being shared by the company to employees.
I think they work out ok, I suppose. The big “whistleblowers” over the past few years haven’t actually been whistleblowers because they leaked confidential secrets. So Reality Winner, Chelsea Manning, etc were convicted independent of any whistleblower laws.
And why Snowden had to do an illegal act to reveal.
But I think these scenarios are totally different from these Twitter leaks where there’s no whistleblowing or illegal activity revealed.
On a modern computer, all copying & pasting between programs would do is just create an exact trail of what is on your computer. Copy -> Paste is not metadata free by any means.
If your final target was Notepad or similar, it should drop all the metadata. But in that case, just start with Notepad.
I don't know the truth of this specific story, but I will note that the Ashlee Vance book wasn't an autobiography. I believe Musk asked him not to write the book.
> Figuring that the leaker printed the letter at Tesla offices (i.e. likely didn't have a printer at home)
sounds like this was likely an internal report (which would have been printed at the office as part of one's work), which later made its way to the media, rather than some letter stealthily written and sent to the media (which would have been unlikely to be printed at the office)
Moral of the story, if you’re about to leak data, don’t use a company printer. Or, for that matter, anything that would log that leak and could be traced to you.
Like other commenters, I find it hard to believe that this actually happened.
> It's been a few years since I read the book so a couple of the details may be off, but that was the gist of the story
I read the book but did not remember that part. So, I searched it. You almost wrote verbatim. What are the chances a leaker(s) would print before leaking? Very low or none. So, that practice has very slim chances of success. The one in the tweet is a bit better. But has an escape route. Either - try to grammatically correct or paraphrase - it before leaking.
Let's say a person was aware that tracing in this manner was possible but they still needed to use the office printer. What if they wrote a letter and also added pages of other additional paragraphs. They print all those pages but only mail the one page and shred the rest. This would show a much bigger file kb-wise in the printer log and would not get caught.
I was always curious if you could search printer logs for details of who printed what at a company but never really spent much thought process on it. Clearly you can.
Maybe I'm in the minority, but I would generally assume that everybody has at least 1 printer at home. I'm also not aware of many printers that keep logs for long durations, but perhaps their shared network printers were logging to some kind of system log.
It’s higher than I expected at 70% of Americans having home printers. [0]
I expected it to be super old but there must be old people with printers.
I get annoyed when companies expect me to print stuff at home. I prefer companies to assume that no one has a home printer and plan for it by including return labels and whatnot.
I wonder how many of those printers are actually still functioning. There was a time once where you actually had to print stuff (anyone remember MapQuest maps?), so I'm guessing there are still a lot of printers from that era collecting dust at people's homes.
I swapped over to a laser printer for that exact reason. There's still a few things a year I need to print and the laser printer stays working through the lulls where I always had issues with inkjets clogging up.
Yes, I love my laser printer. It's somewhere around 10 years old, and has printed a grand total of 99 pages. But it's still happily using the same toner it came with, while an inkjet's ink would have dried out and needed replacing countless times.
That's what I do for photo printing. I use my laser for things like maps, tickets, instructions and forms. Love using it to print out instructions for use in the shop, where I can get my greasy fingers all over the paper, and not on my nice clean instruction manual.... When I need some color photos printed, I head to the print shop.
I had an old HP printer from 2009 that I finally got rid of this year. The case was broken, the tray was falling off, and it spent years collecting dust. It still worked! Only the ink dried out. I'm curious about the reliability of printers, and how often people have to replace them.
Yea i have a printer; a decent one (laser iirc) for my wife's college papers. We've not hooked it up in years though, and offhand i'm not even sure how to use it.. that's how long it's been lol. Hell, i'm not even exactly sure where it is ..
My wife wanted a photo printer. At first I told her it was a ridiculously primitive and pointless idea, but I went along with it since I had a bonus burning a hole in my pocket
I have to admit, it turned out to be pretty cool. I hadn't used a printer in years for anything personal, and it turns out you can print professional-looking glossy photos for like 15 cents each between ink and glossy photo paper. Now we have a ton of nice family photos all over the walls, and I printed out a selfie from my WoW character when our guild killed some raid boss together and mixed it in with the other pics
My c64 has a great working dotmatrix printer. A home computer without a printer is a modern invention. I would expect if the employee had a computer they would have a printer.
Corporate networks tend to keep printer logs for extremely long durations.
Also, printers at home are incredibly useful. I'm surprised more people don't have them. Especially now that online shopping (and therefore online returns) are so much more common and require printing return labels.
I have occasion to actually need to print something about twice a year. I don't know how it is that we live such drastically different lifestyles that you find them so incredibly useful.
I print once or twice a month--return labels, random home admin (taxes or city stuff), and I prefer paper boarding passes (w/ backup on my phone) because they're less fussy for a number of reasons than the phone. I also print documents that I need to carefully read or edit, because I am easily distracted when reading/editing boring stuff on a computer and can waste too much time writing about using printers on HN.
I typically also only print 2-3 times a year as well. But those times are sensitive-ish documents (one being hard copies of my tax prep and return for my filing cabinet, even though it’s submitted electronically) and I don’t want them printed on a printer I don’t own (paranoia). (And my printer is not connected to the network, I connect via USB).
> one being hard copies of my tax prep and return for my filing cabinet
...what year is this? Like, I have some questions:
1) Why keep hard copies of documents created electronically when there are so many more redundant, more secure, and more convenient ways to keep the electronic versions themselves?
2) What in God's name are you putting on your tax forms that warrants being that paranoid about who sees them?
> 2) What in God's name are you putting on your tax forms that warrants being that paranoid about who sees them?
Well, it includes social-security numbers for starters, and may also include bank account routing information (where to send the refund check, or withdraw in case of extra payment needed).
1) It's been more than once that we've seen hackers completely wipe people's digital lives? I mean, how problematic will logging in to many of these services be if Google decides to lock your account?
2) As an American example, ask Trump, he really doesn't want to release that information for one reason or another. Simply put trying to figure out other people's security and sensitivity sensibilities is not something you have all the details on and are making vast assumptions.
> It's been more than once that we've seen hackers completely wipe people's digital lives? I mean, how problematic will logging in to many of these services be if Google decides to lock your account?
There are still much more convenient and technically superior methods than using physical paper copies if that is your concern.
> ask Trump, he really doesn't want to release that information for one reason or another.
Using "unscrupulous, if not criminal, activity" as an example in this instance doesn't seem like the best argument.
Technically superior is a very biased argument... A safe with a key is a very well established security mechanism with a pretty easily traceable chain of custody. Someone has to physically be at the location of the files to get the files.
Any digital record has a huge number of failure modes. For security you'll want to encrypt, when encrypted you'll now have another piece of data you need to secure and backup. You have to ensure the backup services are secure. If any of these become insecure how do you trace the insecure accesses? If it was accessed from overseas what do you do about it?
Criminal activity is common, but let's go with something that would be criminal in one country and not in another... This gets very messy with cloud services where some other government can request the information. With a safe you have to get the local government to sign off on a warrant.
Honestly, printers have gotten so cheap that the pain in the ass they can save when needed would make them useful to have for even that low of a volume. Printing a return label means I don't have to drive to a shipper. Your cheapest printers nowadays can scan and sometimes fax, which is useful for when legal or other requirements force you to submit a signed document. I'm not a fan of digital tickets for travel and events due to the apps being garbage and the severe consequences in case of technical problems, so these are easily printed as well.
As crappy as modern printers are, they provide an oversized amount of peace of mind for me.
None of those are significant problems in my life I guess, certainly not enough to justify even dedicating any space to a piece of electronic equipment that I will use infrequently enough to be frustrated by whatever way it has decided to not work when I do want to use it.
At least in the US, Amazon has arrangements with major shipping companies like UPS and FedEx. So if you want to return something, Amazon says "Bring the item to your local UPS store and have them scan this QR code." The QR code gives UPS the shipping information it needs.
I just did a similar return for an Ebay package, but with USPS. At least in that case there's definitely a label, it's just a matter of who prints it. You could print it yourself from an attachment on the email, or show a QR code at the post office and they'd print it.
School projects and super-handy things like being able to print coloring pages on-demand for most any topic one can think up, are probably a big part of why they're still so common. It is so damn nice to have a printer if you have kids of most any age.
I've also yet to find a superior UI to printed pages for running RPGs. Books are great, iPads are great, laptops can be OK, but for the core material you need for a given session, there's nothing in the world I know of that beats ~20-30 pages of printed notes and excerpted bits of PDF books & some randomly-generated junk from the Web for each session, so you have only expected-to-be-relevant info in it. Nothing better when you're actually at the table. I mean, you could do the same thing writing it by hand if you have very neat handwriting, but being able to mix together your own notes and e.g. NPC template-blocks, custom maps, and commercial material pulled from books, is awesome and saves tons of time when prepping. You can achieve something similar with just an iPad, but it's still slower and more awkward to actually use—though I do have other things I use tablets for at the table, that they excel at.
Err, did he find the leaker or just anybody who’d printed that file? Hypothetically one person could have printed it at work while the leaker printed it at home, right?
Would you please stop posting unsubstantive comments, e.g. snark, putdowns, and swipes? You've been doing it repeatedly and we've asked you not to, repeatedly.
No one is saying you owe billionaire CEOs better but you owe this community better if you're participating in it.
You haven't asked me repeatedly to stop doing this. It's the first time. I see far worse crap from other users all the time. It kind of looks like you're protecting paulg and elon from criticism.
You did shut my account down previously but it was determined you were mistaken.
Since you replied to most of those, I assume you saw them.
> You did shut my account down previously but it was determined you were mistaken.
We weren't mistaken. We rate limited your account correctly because you were breaking the site guidelines. I removed the rate limit because you emailed and asked us, and because at that point I looked at your recent history and it seemed your comments had been fine for a while.
When we take a rate limit off, and then an account reverts to its old guidelines-breaking habits, we put the rate limit back on. Please fix this so we don't have to. It's nothing personal—we're just trying to protect the forum from poisoning itself.
This has zero to do with protecting any famous individual from criticism—if you or anyone else doubts this, just do some comment searches using HN Search (there's a search box at bottom of each page here) and you'll soon disabuse yourself of that illusion.
~10 years ago I discovered Google doing steganography in their e-mails by accident. I was searching gmail for an e-mail message using a word I knew was definitely in the message but it was not being found. Eventually I found the e-mail and confirmed the word was definitely there. Ctrl+F and type the word, it's not found. Turned out there were random Cyrillic characters mixed through the message. Confirmed with others their messages similarly had random Cyrillic characters, but different from my own.
Always found it ironic that their own products (gmail/chrome) gave away their attempts at steganography.
What's the context of this? Were/are you a Googler and this was in internal emails? Or was this just emails Google sends to customers? (I'm choosing to assume that this isn't about random emails other people send to Gmail addresses, that Google just messes with this way.)
Yea, this was for internal communication, presumably to catch leaks. I've not worked there for 10 years now so I can't speak to whether they're still doing anything like this internally but I wouldn't be surprised.
If they actually did this, it's nice that they leaked their playbook.
Advice for future leakers:
1. Ask your co-worker to forward you that email (because you "accidentally deleted it"), and diff to your copy, so you know if your employer is cosplaying as the CIA.
2. Retype everything before leaking or leak crappy photos of documents on your screen (or better yet, both).
3. Leak to a journalist and make them promise to only describe or quote the documents you're sharing, and not share the literal files. A lot of this CIA cosplay won't work without access to the leaked file.
Mostly not necessary these days; everyone is already expected to have a portable supercomputer with a radio, passable quality camera, microphone, and shitty text input capabilities in their pocket.
I implemented this at Go Daddy for our internal KB around 2006/7 after someone started leaking docs. It was pretty reliable, but had some interesting failure modes: not being able to search for words with transposed glyphs, excluding code listings and other things that might be copy/pasted.
I consider the removal of wine on tap extremely hardcore. Imagine rolling into the Twitter office at 10 am and not being able to fill your 2L Yeti mug with complimentary tap wine before the start of your day.
For a fella who is CEO of THREE separate companies, he sure has a lot of time on his hands to do bullshit. Maybe he should have to work from the office.
There was a lawsuit that involved stealing intellectual property in Germany. A company accused Google of stealing lyrics from their page [0].
They managed to prove in court that Google actually took their texts by embedding a Morse code. They used ' and ` as Morse characters in their lyrics to mark their property.
However, as far as I know, they lost the case anyway because the judge ruled that the lyrics don't belong to the lyrics page, but to the song owner.
Microsoft used to do this. I worked in a startup with an exec a few years later and he admitted they did it. I think everyone does this. We had 10s of thousands of employees at Microsoft, and they'd send out these updates on windows status, like "the beta of the next release is coming in early January with these features". He said they could only vary it a little bit - I think it was spaces, maybe some dots, so an email to a large group would only have enough uniqueness to narrow it down to say 100 people. This must have been an old idea. I couldn't believe those reporters were naive enough to give up Reality Winner's original printout.
If you’re at a company that’s incentivized to do insider threat programs - big tech, finance, govt tech, any sort of serious funding - these tactics are commonplace.
If watermarked emails seem over the top, there are almost certainly IT security tools with extensive access running as a process on your machine for this use case too.
To be more clear - if you’re doing anything other than work stuff on your work computer, bad call. It’s almost certainly logged somehow/somewhere in the company, and just depends on if the company has the staffing to check.
With ithreat, there is someone checking who doesn’t care about your reddit use.
But the 1-2 blend of insider threat programs having the access and wfh productivity suspicions increasing makes me think mgmt will poke under the hood in these logs beyond I-threat concerns at some point soon.
Or just paste into Notepad first and then copy from there to the destination. I find myself doing that as a quick-and-easy way to strip formatting, but it also knocks out a lot of weird characters.
Just checked and emacs running in a terminal displays the different sorts of spaces in unicode as a single space with an underline. I think that a goal for any sort of a text editor intended for programming should be to mark possibly problematic text somehow.
I was thinking about this recently: couldn't you alter one word in the message to create two copies, and then basically perform binary search until you find the person?
> ... first draft of the report, I came up with an idea to make each one unique."
> "They've been doing that for years," Holmes noted. "All one must do is misplace a comma here and there. Easiest thing in the world. If the newspeople are foolish enough to print a photograph of the document, we can identify the leak."
> "Yes, sir, and the reporters who publish the leaks know that, too. They've learned not to show photographs of the documents they get from their sources, haven't they?" Ryan answered. "What I came up with was a new twist on that. Agents and Agencies has four sections. Each section has a summary paragraph. Each of those is written in a fairly dramatic fashion."
> "Yes, I noticed that," Charleston said. "Didn't read like a CIA document at all. More like one of ours. We use people to write our reports, you see, not computers. Do go on."
> "Each summary paragraph has six different versions, and the mixture of those paragraphs is unique to each numbered copy of the paper. There are over a thousand possible permutations, but only ninety-six numbered copies of the actual document. The reason the summary paragraphs are so -- well, lurid, I guess -- is to entice a reporter to quote them verbatim in the public media. If he quotes something from two or three of those paragraphs, we know which copy he saw and, therefore, who leaked it. They've got an even more refined version of the trap working now. You can do it by computer. You use a thesaurus program to shuffle through synonyms, and you can make every copy of the document totally unique."
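The scheme in the passage quoted above, worked through as an added example (not taken from the novel or from any poster here): four summary sections with six versions each give 6^4 = 1296 combinations, of which 96 are assigned to numbered copies, and each verbatim quote narrows the set of copies it could have come from. The paragraph wording, the seed and all function names are constructed for this example.

```python
import itertools
import random

SECTIONS, VERSIONS, COPIES = 4, 6, 96   # figures from the quoted passage
ADJECTIVES = ["alarming", "startling", "chilling",
              "ominous", "disturbing", "sobering"]  # constructed wording variants

def build_variants():
    """variants[s][v] is version v of the summary paragraph for section s."""
    return [[f"Section {s + 1} summary: the findings are {adj}."
             for adj in ADJECTIVES] for s in range(SECTIONS)]

def assign_copies(seed=0):
    """Give each numbered copy its own combination of paragraph versions."""
    combos = list(itertools.product(range(VERSIONS), repeat=SECTIONS))  # 1296
    # Fixed seed keeps the demo repeatable; a real register would be drawn
    # from a CSPRNG and stored where recipients cannot read it.
    chosen = random.Random(seed).sample(combos, COPIES)
    return {number: combo for number, combo in enumerate(chosen, start=1)}

def render_copy(register, variants, number):
    """The four summary paragraphs as they appear in one numbered copy."""
    return [variants[s][v] for s, v in enumerate(register[number])]

def _squash(text):
    """Collapse whitespace so reflowed quotes still match."""
    return " ".join(text.split())

def observed_from_quote(published, variants):
    """Map section index -> version index for paragraphs quoted verbatim."""
    haystack = _squash(published)
    return {s: v for s, versions in enumerate(variants)
            for v, paragraph in enumerate(versions)
            if _squash(paragraph) in haystack}

def candidates(register, observed):
    """Numbered copies consistent with every observed paragraph version."""
    return sorted(n for n, combo in register.items()
                  if all(combo[s] == v for s, v in observed.items()))

if __name__ == "__main__":
    variants, register = build_variants(), assign_copies(seed=7)
    paragraphs = render_copy(register, variants, 42)
    for quoted in (1, 2, 3, 4):   # more quoted paragraphs, fewer candidates
        article = "A source says:\n" + "\n".join(paragraphs[:quoted])
        seen = observed_from_quote(article, variants)
        print(quoted, "paragraph(s) quoted ->", candidates(register, seen))
```

Because only 96 of the 1296 combinations are in use, two or three quoted paragraphs usually leave a handful of candidates at most, which is the point the passage makes; a paraphrased quote matches nothing and leaves the candidate set unchanged.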
> "... Say we send this memo to the same people who received the other memo — well, we don’t have to include anyone in this room — you’re in on it — but we’ll send copies to every one of the others. Each copy of the new memo would be exactly the same, except for one word. In each memo there would be one word not in the others. We would keep a record of the person to whom we sent the memo — and beside his name we would jot the unique word that was in his memo. Do you see what I’m driving at? When the memo goes out, the person here who is betraying us will pass it on word for word to de Vroome, isn’t that so? Your informer in de Vroome’s headquarters would learn of it and report back to you. Since no memorandum would be precisely the same as the others, because of the single word change, you’d look for the different word in the memo de Vroome received and be able to find out the person who had passed on his copy of the memo. You'd know your traitor."
Or hiding user ID in either the background of the forum playing on the alpha channel or using a special formula to hide the ID inside displayed users scores to identify who is leaking forum's info to other alliances.
Is there a mass email software that supports this? I haven't seen it.
On a separate note, I'm sure that by now he's pretty much destroyed the entire culture there. So, while many folks will hang around for now, since economy, but most are possibly thinking of leaving. In the end only the most desperate will be left there, so yeah, pretty hardcore.
The only really foolproof way is to convert the text to a bitmap and then OCR it, to ensure you aren't trapped by lookalike glyphs or varying spaces. (OCR will generally make all spaces single, since spacing varies so widely in practice due to things like justification. It also usually makes all quotes straight since the per-font variation makes it too hard to distinguish open/close quotes.)
You can do this easily enough on MacOS simply by taking a screenshot, pasting it into Preview, selecting the text with its automatic OCR, and copying.
Of course you still need to worry about whether line lengths are varied per-recipient, or even the wording of the e-mail itself. But the above will at least take care of glyphs.
There's a rather old service to clean such copy. It's called a printer and while it will remove spacing and other invisible characters, the process of printing onto paper hardly ever works, despite hardware for doing so having been on the market for decades.
The printer will not remove any spacing, and it will not fix word substitutions.
However it will add almost invisible markings onto the paper itself, such that the page can be linked to the actual printer, exact timestamp and username of the person who printed.
Just use a for loop in Python over all characters and ignore each char that is not in the ASCII range of letters, numbers and punctuation. Or retype by hand if you don't know Python.
If the steganography signature is unique to the user receiving the content, then you might have to diff it with someone else's to see it (otherwise, you cannot really guess where the changes are which steganographically store your identity).
If it is the same content for all users receiving the text, then you can just retype the text (not copy/paste) into a different file. Of course, authenticity comes to question if you whistleblow by doing this.
It could be only hidden characters, but it could also be (and it most likely actually is also) a few commas instead of full stops, words like "many" replaced by "a lot of" or any other kind of substitution really.
After a series of leaks at Tesla Motors in 2008, CEO Elon Musk reportedly sent slightly different versions of an e-mail to each employee in an attempt to reveal potential leakers. The e-mail was disguised as a request to employees to sign a new non-disclosure agreement. The plan was undermined when the company's general counsel forwarded his own unique version of the e-mail with the attached agreement. As a result, Musk's scheme was realized by employees who now had a safe copy to leak.[4
Can I point out if you are going to leak something from your company you should probably be a lot smarter about it. Maybe it's me but I would be very paranoid about breaking trust with someone/company. Probably a personality thing though.
Someone working at the NSA: https://en.wikipedia.org/wiki/Reality_Winner didn't realize that each printout had a unique signature printed on it. In general be paranoid but don't expect everyone to be careful.
Even easier now major operating systems can just OCR a screenshot. Instant clip a text block and bye bye white space… so long tracking spaces, good riddance.
Distributing unique, but similar documents is a pretty standard method of document control/leak detection. It was certainly not invented by Musk or anyone at Tesla.
What most (management) people don't get: The IP are the people, not the code.
Nobody wants to read and understand a large code base and there are mostly no secret, revolutionary algorithms in it. However, the developers that wrote that stuff can easily rebuild everything and most probably a better, improved version of it.
Companies: Protect your developers, not your code!
Now that this is known they'll need an approach that can survive retyping, like word choice and order. That can be defeated by rephrasing but requires even more work, and is somewhat identifying of the rephraser.
If you find a corporate document with a lot of weird sounding word choices and ordering ... it's probably just written by someone not great with the language.
This would be a good use of GPT-3: take a leaked document and rephrase it so that the original is not identifiable, while keeping the meaning the same.
As long as the leaker doesn't copy-paste the original and start replacing words. They'll have to clean up all the hidden chars and spaces too, then pull out the thesaurus as a last step.
I bet that a couple of passes through random different languages on Google Translate would keep the text comprehensible but be sufficiently nondeterministic to accomplish this in just a few clicks.
"I think that some translations from different languages in Google Translate will make the text understandable, but not clear enough to achieve this with just a few clicks."
That's genius. Watermarking with odd invisible and collation Unicode characters. The only concern is it might be easy to defeat with tools to detect Unicode confusables and invisible characters.
It warms my heart that practices we used to use in EvE Online forums to identify internet spaceship strategy leakers are now being applied more widely :)
Why do people still work at Tesla, or does this toxic behavior attract toxic employees? I guess that seems to be the case, if you read about Uber under Kalanick, or employees crying in bathrooms at Amazon.
Before that tweet the thread is talking about an email Musk sent:
> Scoop: Elon Musk just sent an email to all staff outlining "Twitter 2.0", writing it will "need to be extremely hardcore". Long hours, high intensity.
> People need to click "yes" to confirm being part of this by 5pm ET tomorrow, else they get 3 months severance. [...]
Hah, "Click here to agree to a toxic workplace, or be fired"...
It's like when they slip a note into your sneakers in the sweat shop factory begging for help.
12 year olds can be such pieces of shit sometimes, can't they just be grateful they get paid 2c and got selected for the special 36 hour shift to make shoes for us?
That’s a strange take. There’s tons of reasons why people leak things to the press besides: political/ideological concerns, employees who felt jilted, people who like the attention, reporters hitting up employees for information, etc etc.
It’s also far more likely to happen at a company that is a media darling where everything it does gets documented in papers around the world.
So naturally there’s tons of outside pressure for information to leak compared to typical orgs.
3 months of severance, after a good 6+ month run of lame duck employment where the whole company didn't really do anything. I could take my time and buy a nice house out in the Midwest, then pick up an easy remote job for $100-150k
I guess it's a different story if you dumped your life savings into a down payment and now you have to keep up with an $8000 Bay Area mortgage though
Needing to be able to silently patch your vehicle's software without consumer consent or even knowledge is a tacit admission that you can't meet automotive industry software 'standards'.
Tesla has pushed the "we do it to bring amazing things to your car!"...quietly distracting people from the "...we fuck things up so often we're constantly having to patch your car" man behind the curtain.
As someone who drives a Tesla, by all means, fuck it up. Because it means it’s at least actually being worked on.
Once you’re several years into owning a car, the outdated software really starts to show. Especially on mid-2010s cars where CarPlay and Android Auto weren’t a thing, you’re held back by really old shitty software that will never be updated.
That is one thing that Tesla has, without a doubt, got right. And you can tell because most major manufacturers are also going to an OTA update system, even though it obviously costs far more in infrastructure and completely re-engineering their existing systems to support it.
> Why do people still work at Tesla, or does this toxic behavior attract toxic employees?
A lot of money, perhaps? I'm not familiar with Tesla compensation levels, but this is the only reason I can think people may have to cope with this guy.
Tesla pays 100-150K USD for new grad SWE including stock options/RSU. For AI, it’s about 150-200K.
Or you can drive 15 minutes to Google and a SWE gets 200K and AI gets 200-250K. Or “sell out” and work in quant finance for 400-500K new grad SWE as a 22 year old.
So no, people do not work at Tesla/SpaceX for the money.
I have many friends at Tesla, Neuralink, SpaceX, and they complain how little they are paid, how they have no free time, and how they hope the name brand on their resume gets them a higher paying job some day. Looks like they bought Elon’s bullshit.
> The comments I respond to are not cogent critiques. They are kneejerk mob hate bandwagoning that are anti-success, anti-progress and anti-humanity. It's sad.
What's sad is seeing every critique of Musk as "anti-success, anti-progress and anti-humanity" or some sort of derangement against him. That is just absurd.
I never said to leave him alone or that he's a hero or that he's the only one driving humanity forward or that he's perfect. Sometimes he's an asshole. Sometimes he's an idiot. He's flawed like every human.
Your childish cult-like "spaceman bad" programming and angry projection of your daddy issues says more about you than anyone.
Do you know what it's like in military organizations around the world and in history? Most men don't have a problem with authoritarian hierarchies as long as the hierarchy is justified in their view. Tech people are extremely coddled and clueless about how the rest of the world works and the moral intuitions of normal people.
"The authoritarian relation between the one who commands and the one who obeys rests neither on common reason nor on the power of the one who commands; what they have in common is the hierarchy itself, whose rightness and legitimacy both recognize and where both have their predetermined stable place."
Militaries that rely on volunteers rather than conscription absolutely don't get away with being completely authoritarian and treating regular soldiers terribly. They have to form a social contract of sorts, where people put up with some loss of autonomy in specific areas in return for other benefits like education or training, autonomy in other areas they might value more (like small team leadership), and decent service conditions. No service members tolerate regular and capricious abuse, and leaders found to do that seldom remain in post long. It's not a perfect system of course, but abusive behaviour by leadership is definitely the exception.
Issues around service conditions regularly go all the way to Congress and get resolved quickly and sometimes expensively, because the alternative is being unable to recruit or retain personnel, and that would be disastrous for a military that's already having a tough time doing both.
Let's not justify abusive leadership. There's never a need for it.
We may have it easy compared to the military, but then, we didn't join the military.
Also, militaries do have to care about what the lowest ranks think. Not only to maintain recruiting in places without conscription, but also to avoid fragging in places that do have conscription:
"""Fragging is the deliberate or attempted killing by a soldier of a fellow soldier, usually a superior. U.S. military personnel coined the word during the Vietnam War, when such killings were most often attempted with a fragmentation grenade,[2]
…
The high number of fragging incidents in the latter years of the Vietnam War was symptomatic of the unpopularity of the war with the American public and the breakdown of discipline in the U.S. Armed Forces. Documented and suspected fragging incidents totalled nearly nine hundred from 1969 to 1972.[5]""" - https://en.wikipedia.org/wiki/Fragging
While I am confident that Musk's behaviour is merely close to average USA industrial employment norms and this is just us techies being shocked by what that looks like (for example, while there are stories about Amazon running out of people interested in working there, I've not heard that about Tesla, SpaceX, TBC, or Neuralink), this latter scenario is one of the possible failure modes I foresee with actually trying to colonise Mars with Starship, as there just isn't an easy way out if/when things go wrong 40 million miles from alternative employment/governance.
I'm past 40 and I see this in my workplace. All my colleagues who work long hours are in their 20s, particularly the fresh graduates who just joined. I try to gently tell them that they can just work their 7.5 hours per day and go home like us old guys, but they seem determined to burn the candle at both ends. Ah well, they'll learn - when they burn out.
Yes, but this rebellion is against the PARENTS. Teenage kids typically seek for the new meaning and purpose in their lives, that's why so many college students join charities, or civil rights groups, or cults... And they do not join those groups as leaders, they start at the bottom.
These days the rebellion starts from kindergarten apparently. There needs to be balance between understanding and respecting tradition, and questioning it. On one end you have Iran/Taliban, on the other you have modern USA. Galileo was right, and his persecutors were right too.
We're _aware_ of that, but the past forty or so years of software development have been extremely anti-hierarchical - or the "hierarchy of one" / "benevolent dictator for life" flat structure.
Hierarchy has its own failure modes. Into the valley of death rode the six hundred ..