The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case. (I’d love to get more detail on exactly what the participants were told they were getting paid for, but I’d be surprised if they did not know their actions were being monitored.)
The accusation that it’s wiretapping if one party in the communication channel is actively breaking the encryption (even with a tool provided by a third party) seems tenuous to me, but IANAL. If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API?
I hope they were upfront about what they were collecting. The article didn’t show what the consent screen was before installing the proxy.
> Note this is a new case, different from the one that TechCrunch also covered in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines.
> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.
All the best/most effective hacks involve convincing someone to download something they shouldn't that lets you sidestep security.
This article is about Onavo Protect[1], “Free VPN + Data Manager”, which was not paying anyone. There was a separate program where Facebook paid teenagers money to install their Facebook Research VPN through their enterprise distribution channel, bypassing the App Store and its rules, so that paid version was even more invasive.[2]
So no, this Onavo bullshit isn’t defensible at all.
[1] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...
[2] https://techcrunch.com/2019/01/29/facebook-project-atlas/?re...
> Note this is different to what TechCrunch had revealed in 2019 in which Facebook were paying teenagers to gather data on usage habits. That resulted in the Onavo app being pulled from the app stores and fines. With the new MITM information revealed: what is currently unclear is if all app users had their traffic "intercepted" or just a subset of users.
So this seems to be new information about the Onavo Android app, but it’s not clear to me if the “install cert” button described was exactly the implementation of the previously reported research cert, or a new vector where people other than market research participants were MiTM’d. The analysis is just a bunch of circumstantial observations that _it is possible_ FB was doing more skeezy stuff than was previously known. But nothing here is incompatible with the previously reported stuff being all that happened, AFAICT.
The TechCrunch article clearly states that Onavo was the method they used to get the FB Research cert onto devices. (Presumably they distributed a different build of Onavo with their enterprise distribution channel), it quotes:
> “We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.
This sounds to me that there was one Onavo research program, but who knows, we have multiple project codenames.
The app was available on both the Google Play and Apple App stores for anyone to download.
> The way most of the writeups make it sound is that it’s some sort of hack, but this doesn’t seem to be the case.
It could be that you are confused with a previous case. From the blog post:
> The wiretapping claim is new and perhaps not to be confused with the prior controversy and litigation: In 2023, two subsidiaries of Facebook were ordered to pay a total of $20M by the Australian Federal Court for "engaging in conduct liable to mislead in breach of the Australian Consumer Law", according to the ACCC ... Facebook had shut down Onavo in 2019 after an investigation revealed they had been paying teenagers to use the app to track them. Also that year, Apple went as far as to revoke Facebook's developer program certificates, sending a clear message.
> If this is wiretapping, is it also wiretapping for me to use a local SSL proxy to decrypt and analyze traffic to a service’s API
If by "local" you mean on your own network/machine with your own traffic, then obviously no.
The one that I wonder about a lot is this: there are two (non-deprecated) types of webview you can use in iOS: WKWebview and SFSafariViewController. They’re intended for very different uses.
When you tap on a link in the Facebook app they should use SFSafariViewController. It’s private (app code has no visibility into it), it shares cookies with Safari, it’s literally intended for “load some external web content within the context of this app”
Instead, FB still uses WKWebView. With that you can inject arbitrary JS into any page you want. Track navigations, resources loaded, the works. Given the revelations we’ve seen in this article and many others I shudder to imagine what FB is doing with those capabilities. They’re probably tracking user behavior on external sites down to every tap on every pixel. It seems insane to think they might be tracking every username and password entered in their in-app webviews but they have the technical capability to. And do we really trust that they wouldn’t?
This is not a wiretapping case. The claims are all for violations of the Sherman Act. Plaintiffs' attorneys _incidentally_ found evidence during discovery that Facebook may have breached the Wiretap Act. There are no wiretapping claims. It is an antitrust case.
Does the DMCA not have enough teeth for something on this scale? Maybe an issue of standing or provable-damages? Did the plaintiffs forget about it? Curious and confused.
https://qz.com/1145669/googles-true-origin-partly-lies-in-ci...
Cars now come with Google services / Android baked into the damn infotainment system, with no possible way to pull it out. What could possibly go wrong with an advertising company seeing everywhere you go, and everyone who rides in your car?
For example on a Ford, you can literally pull the fuse for the GSM modem. On a GM, you can pull the antenna from OnStar, and put a resistor there in replacement... thus rendering it unable to communicate to home base.
This doesn't solve everything, but it at least stops the immediate phone home.
Apple, Google, Facebook, Twitter, Alexa, they are a gold mine for agencies, but even news sites, movie studios, and YouTubers. This is why they've been after Tik Tok for so long, they know how useful that app / network is.
There has to be a court precedent that criminalized sniffing network traffic on the customer’s side.
Should be one of those many cases involving wiretapping for banking info.
It is about intent versus capability set that CFAA does poorly with differentiation in court.
I can imagine e.g. security risks involving sensor data exfiltration where accelerometers and gyroscopes etc are monitored to infer audio information. By covertly relaying and processing the collected data externally it would be possible to reconstruct sensitive information without direct access to the device's microphone.
It's not unlikely that they pull off something like that.
Meta and other pernicious companies and government bodies are probably employing many more, even worse and much simpler eavesdropping techniques in the wild.
prompt to install a VPN config
Fuck yourself, Facebook.
Meta has Washington in their pocket so this will never leave civil court. The penalty will be less than the money made, meaning somebody gets a bonus for being creative.
edit: the problem, obviously, is that this app tricked the non-technical people into installing/trusting the root CA for malicious purposes. Clearly this was malware.
https://web.archive.org/web/20141214193908/https://twitter.c...
The real problem here is the complete absence of any kind of ethics. It sounds like the kind of place where if you consider ethics to be a blocker you'd be laughed out of the room, or fired. Corporate culture is to chase profit above anything else. It's especially bad in software, though, as so many people don't even seem to think about the ethical implications of their actions ever.
Or converted, by making them take actions so that "if we go down you're going down with us."
Organized crime works that way too, come to think of it. They may call it "loyalty", but it really means "give us a way to coerce you into compliance."
And this doesn't even touch upon Instagram.
I guess that they pay too much and employ too much of our industry, greatly reducing criticism because we all have a friend who has worked at Meta or we may even have applied ourselves at some point. Whereas we don't know anyone who has been at e.g. Anduril or the likes.
I think that’s what contributes to things like Myanmar and other countries hate speech proliferation. When you don’t care about how your product is used, and can focus on just the technical aspect, you lose any sense of responsibility.
Conversely, we’ve hired many ex meta people, and they’ve always almost all unanimously said how much they NOW like having pride in the products they create, after jumping ship.
Imho it’s an issue of top down culture from Zuckerberg, and previously Thiel.
Having said that, since WKWebView is just a view that can be customized visually, nothing can stop someone from creating a WKWebView-wrapping view controller that looks exactly like the "safe" Safari one anyway.
- https://krausefx.com/blog/ios-privacy-instagram-and-facebook...
- https://krausefx.com/blog/announcing-inappbrowsercom-see-wha...
10 million installs on Android, according to AndroidRank[1]. What we don't know (yet) is what % of those installs had the FB competitor traffic MITM'd.
[1] https://www.androidrank.org/application/onavo_protect_from_f...
- they’ve had a long history of trying to undermine privacy to extend profits. From stuff like in the article, to tracking pixels, alleged ghost accounts, and fighting anything that hampers tracking. Of the companies you listed, only Google has any crossover, but doesn’t come anywhere near as close.
- they’re irresponsible with the effects of their algorithm to amplify hate speech. None of your other companies have anything like that.
- they are dishonest in their marketing. Almost all their Quest ads and feature reveals use concept visualization to deceive users for example on what is possible. Mark often speaks in double speak when addressing issues. Double speak isn’t unique to them but they definitely take dishonest advertising to the limit versus the other companies on your list.
I know Meta are having a popularity renaissance with their open weight (not open source) models in this AI cycle, as is Mark with his recent PR blitz to reinvent his image.
However I think they’re culturally the only one of your companies listed who lack a moral core to their work. I think culture is top down, and both Zuckerberg and Thiel have instilled a culture of “success at all costs” for the way Meta operates.
The other companies on your list are definitely capitalist too, but have some sense of responsibility with their output.
Twitter is arguably worse - especially after Musk's takeover.
This is still contributing to their monopoly. WhatsApp's monopoly is growing and they've even blatantly started to copy the competition: Telegram.
Disagreeing publicly does nothing if I'm the one empowering my opposition in the first place.
Of course it does. It does spread the word. That’s important.
You can be an activist and have a real life. You can despise Meta but have acquaintances on WhatsApp you can’t or don’t want to move. You can be an anticapitalist and still agree to join a group of friends inviting you to McDonalds. You can be an ecologist and have a car because you live somewhere without car free infrastructures.
You have the right to be critical of your own life while still acknowledging you can’t control everything.
Having WhatsApp may be wrong for you but it may be less wrong than leaving your friends groups.
The company is called Meta nowadays, so that also explains why you don’t see much news about Facebook.
The fact Apple and Microsoft services both work in China shows they are a little more trustworthy.
Yes. It's a good opportunity for an ambitious state attorney general to prosecute Facebook, of course.
pithy "because they have all the monies" replies not wanted.
It’s not really spelled out clearly in the article, but this was a specific program where people had to choose to opt-in in exchange for compensation.
This wasn’t simply Facebook hijacking random people’s traffic because they accepted the ToS or used the Facebook app
Not defending the program, but it’s not what a lot of comments are assuming.
As seen by the "Protect America Act" of 2007[0], the government will retroactively cover their own ass and your companies' ass if deemed important enough to the intelligence apparatus. There isn't a chance in hell that Meta would be brought criminal charges for wiretapping.
0: https://en.wikipedia.org/wiki/Protect_America_Act_of_2007
As coincidence would have it, this is the perfect alibi provided by a snake oil "cybersecurity" app by one of the world's largest companies.
Every tech company that has promulgated the lie that a VPN operated by a third party provides added security is indirectly responsible for this. Funneling all your traffic through a shady intermediary does no such thing, and in fact often does the opposite.
This relates to a much bigger problem of courts upholding contracts even when nobody actually believes they represent an informed and voluntary agreement.
We aren't quite at the Looney-Tunes step of enforcing extra clauses that were hidden in invisibly small print, but things are drifting in that direction.
See also: https://www.law.cornell.edu/wex/adhesion_contract_(contract_...
To answer your specific question, this isn't okay. Both the government and large corporations have been given way too much power and we really have no hope of making any meaningful change until the people reclaim this power and put those in charge out on their ass.
The real issue is the NUX, which doesn't look like it made the data collection clear to users.
The situation in this article is completely different.
As is pointed out in the article, I would presume that Google saw the threat from allowing an app to install and trust a root CA as well, and removed the ability for a "one click" install of a root CA:
"KeyChain.createInstallIntent() stopped working in Android 7 (Nougat). A user would have to manually install the certificate. It would no longer be possible to have Facebook's CA cert installed directly in the app."
HSTS causes your browser to pin the first cert that it sees (from sites opting in to this scheme), so nobody (even the legitimate operator) can swap it out before it expires.
https://en.m.wikipedia.org/wiki/HTTP_Strict_Transport_Securi...
And specifically to the scenario in OP, app clients these days do not use the OS cert store, they will ship a single well-known server cert and only accept that one. This doesn’t help with your Firefox usecase though.
Edit: Not excusing Facebook here, but feel like this whole thing is in a weird grey area. It is like getting paid to have a Nielsen box monitoring your TV and then complaining when you find out it also knew what you watched on your DVD player.
Despite being hard-up I don't think the vast majority of these low-income individuals would agree to being so egregiously wiretapped and data mined for future political ads on youtube or bundled into some other product without better compensation.
I do know that this is done - in fact worked at a pretty major smartphone manufacturer and never logged in to any personal account on work devices. It was pretty obvious by even just looking at the security info on chrome/firefox that the certificate used was a root signed by the company itself. I used to shout at the top of my lungs to my friends, that hey, _this_ is how your information is vulnerable to the corporate overlords, but I guess they weren't as paranoid as I.
The first thing I checked when moving to my next employer was if they were intercepting SSL traffic like this. (They weren't - they used Falcon)
The comparison with VPNs doesn't hold either, because for all their faults VPNs do not decrypt traffic going through them.
Buying used/old doesn't work here, at least not for long. Lots of salt on the roads, cars older than 8 to 10 years are rust covered, and it doesn't help components either.
Not to mention, if everyone bought used, there'd be no used cars to buy.
https://www.law.com/corpcounsel/2024/01/26/feds-warn-compani...
Just curious, did the ethics of their prior projects ever come up during the interview? I think I would have a problem hiring someone who worked on a product despite having ethical misgivings about how the product affected end users. Unless they could explain the extenuating circumstances that forced them to work on that product (sick family to care for, work visa being held hostage, and so on). If their response was simply, "I made metric X go up and got paid Y to do it," I don't think I could hire them in good conscience.
Most of them just bury their heads in the sand and say that the negative effects weren’t made known to them, and they started looking for new work after they found out. Short of interrogating them, you can’t really suss out if it’s true.
Instead we ask what they’d do in hypothetical scenarios around our own products.
https://www.businessinsider.com/free-speech-censorship-elon-...
https://restofworld.org/2023/twitter-blocked-access-punjab-a...
etc.
If friends can't install another app to talk to you, maybe they don't really wanna keep in touch.
When I moved to Telegram I told family and friends where I'd be and they all installed Telegram and actually liked it so they stayed.
It's been 3 years now and I haven't touched WhatsApp.
My words have no value if I can't even follow them. Cognitive dissonance comes cheap, but we can all try to be a bit better than that.
Interestingly, your assumption works the other way too: If you can't install another app (one you don't want), maybe you don't really wanna keep in touch.
I prefer to see it from the other side: I value my friend more than which app they want to use. I do encourage my friends to use Signal but I can't force them.
> When I moved to Telegram I told family and friends where I'd be and they all installed Telegram and actually liked it so they stayed.
Same. And now I realize that Telegram is just a little less shitty than WhatsApp and that it doesn't even do E2E by default and I have no more willpower to migrate everyone on Signal.
> It's been 3 years now and I haven't touched WhatsApp.
Looks like you weren't as pure as me 3 years ago since I never touched WhatsApp until 3 months ago. And you know why? I've been integrated into a new group of friends which was on WhatsApp. The thing is, making your current friends migrate to another app is difficult. But you can't know where your future friends will be and you will not be able to make them use your app and making new friendships is hard enough in life that I'm not going to filter them by the app they use.
Oh and I have the magic power to be able to use the 3 apps on my phone! And with Beeper, it's now a superpower.
Anyway, FWIW, I find this messaging apps situation totally pathetic. If it was me, we should all be using an open and decentralized messaging protocol where everybody can own its own data. But since I can't convince all my friends to reach me via e-mail or Matrix, I will suffer the shitty apps and will do my best to use Signal as much as possible (but Signal is shitty in my eyes too since it's centralized).
How so?
> The fact Apple and Microsoft services both work in China shows they are a little more trustworthy.
Absolutely not. Companies apply different policies in different countries they operate in. This tells you nothing more than those companies came to a mutually beneficial agreement with the Chinese Communist Party.
Doesn't help if you're worried about a trusted CA issuing a cert for your domain without your approval though. Certificate transparency helps a bit with that; Chrome requires certs issued with a not before after April 30, 2018 to be in CT logs[1], so at least you'll be able to know a certificate was issued for your domain. If that happens, you can ask the CA/Browser forum to investigate and there's a good chance the CA will get kicked out if there's not a good explanation of what happened. That's not perfect but it's better than without CT when you could only know about an unauthorized cert if you managed to see it.
[1] I think max validity was two years back then, so all current certs need logs
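Added example, not part of the thread or any commenter's post: the Certificate Transparency check described in the comment above, as a domain owner would run it over CT log search results. The records are constructed and shaped like crt.sh JSON output (fields `issuer_name`, `name_value`, `serial_number`, `not_before`); the domain, the issuer allowlist and the function names are assumptions.

```python
import json

# Constructed sample shaped like crt.sh JSON output (not real log data).
# Records 1 and 2 model a precertificate and its final certificate.
SAMPLE_CT_JSON = """
[
 {"id": 1, "issuer_name": "C=US, O=Example Trust Services, CN=Example Issuing CA 1",
  "name_value": "example.test\\nwww.example.test",
  "serial_number": "0a01", "not_before": "2024-01-10T00:00:00"},
 {"id": 2, "issuer_name": "C=US, O=Example Trust Services, CN=Example Issuing CA 1",
  "name_value": "example.test\\nwww.example.test",
  "serial_number": "0a01", "not_before": "2024-01-10T00:00:00"},
 {"id": 3, "issuer_name": "C=XX, O=Unknown Issuer Ltd, CN=Unknown CA",
  "name_value": "api.example.test",
  "serial_number": "ff42", "not_before": "2024-02-02T08:30:00"},
 {"id": 4, "issuer_name": "C=US, O=Example Trust Services, CN=Example Issuing CA 1",
  "name_value": "*.example.test",
  "serial_number": "0b07", "not_before": "2024-03-01T00:00:00"},
 {"id": 5, "issuer_name": "C=XX, O=Unknown Issuer Ltd, CN=Unknown CA",
  "name_value": "notexample.test",
  "serial_number": "ff43", "not_before": "2024-02-03T00:00:00"}
]
"""


def covers_domain(name, domain):
    """True if a logged DNS name is the domain itself or a subdomain of it."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard covers names under its base
    # Require a label boundary so "notexample.test" does not match "example.test".
    return name == domain or name.endswith("." + domain)


def issuer_org(issuer_name):
    """Pull the O= attribute out of an issuer DN string.

    Simplification: splits on commas, so an organisation name that itself
    contains a comma would need a real DN parser.
    """
    for part in issuer_name.split(","):
        key, _, value = part.strip().partition("=")
        if key == "O":
            return value
    return ""


def unexpected_certs(ct_json, domain, allowed_orgs):
    """Return logged certificates for `domain` whose issuer is not allowlisted."""
    seen = set()
    findings = []
    for rec in json.loads(ct_json):
        names = [n for n in rec["name_value"].split("\n")
                 if covers_domain(n, domain)]
        if not names:
            continue
        # A precertificate and its final certificate share issuer and serial,
        # so report each issuance once.
        key = (rec["issuer_name"], rec["serial_number"])
        if key in seen:
            continue
        seen.add(key)
        if issuer_org(rec["issuer_name"]) in allowed_orgs:
            continue
        findings.append({
            "serial": rec["serial_number"],
            "issuer": rec["issuer_name"],
            "names": names,
            "not_before": rec["not_before"],
        })
    return sorted(findings, key=lambda f: f["not_before"])


if __name__ == "__main__":
    # Assumption: the domain owner only ever orders from this one CA.
    for f in unexpected_certs(SAMPLE_CT_JSON, "example.test",
                              {"Example Trust Services"}):
        print(f"{f['not_before']}  serial={f['serial']}  "
              f"{', '.join(f['names'])}  issuer: {f['issuer']}")
```

This only sees issuance by publicly trusted CAs: certificates minted on the fly under a root that was installed on the device itself are never submitted to CT logs, so they will not appear in such a search.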
If you lie to someone to get them to sign an agreement, that agreement is voided in nearly any sane jurisdiction on the planet.
Do you have further insights or references on what was the "trigger condition"? This is a new case, separate to the previous litigation related to the VPN app.
[0] https://apkpure.com/onavo-protect-from-facebook/com.onavo.sp...
I believe you might be referring to what happened in 2019? [1] This is a separate issue. [2]
I do clarify this in the blog post, although it might be better to move the relevant text near the introduction rather than in the middle of the post.
EDIT: I have also added a remark to the post that it is not clear if all users were MITM'd or just a subset
[1] https://techcrunch.com/2019/01/29/facebook-project-atlas/
[2] https://techcrunch.com/2024/03/26/facebook-secret-project-sn...
1) Onavo was a (free?) VPN app acquired by FB in 2014. Facebook used it to collect “market research data.” People chose to download this, but thought it was a security product.
2) At some point (it looks like 2016?) they launched an iOS app called Research, using the same tech, which required users to install a certificate meant for internal Facebook employees. They paid these users to monitor their traffic.
Are you saying that the MITM was happening for users of (1) or (2) or both?
For those wondering:
P2P OTR E2EE == Peer to Peer, Off The Record, End to End Encryption
Non-CA TOFU SSH == Non-Certificate Authority, Trust On First Use, Secure SHell
No, it was already well-known way back in 2018, which is why that piece of shit app was withdrawn from App Store in the first place. Facebook’s enterprise account later got suspended in 2019 for distributing the paid piece of shit through enterprise MDM.
https://www.bitdefender.com/blog/hotforsecurity/facebook-pul...
https://www.wsj.com/articles/facebook-to-remove-data-securit...
Edit: Typo.
btw, I can add my crypto wallet to my bio so you can pay up if you'd like /s
Excusing people’s ethics because of money makes it worse not better IMO. Especially in the context of tech where there are plenty of well paying jobs that don’t make money through increased misery.
> Try to show another way, but you stayin' in the dope game
> Now tell me, what's a mother to do?
> Bein' real don't appeal to the brother in you
> You gotta operate the easy way
> "I made a G today" But you made it in a sleazy way
> Sellin' crack to the kids.
> "I gotta get paid," well hey—
> but that's the way it is.
(Tupac - Changes)
https://www.theonion.com/cias-facebook-program-dramatically-...
Besides which, using someone else's computer with an expectation of privacy is the wrong expectation.
they have to watch for data exfiltration and attempts to download malware, etc.
don't use a corporate device for anything you don't want work to see.
use your own. that's not a hard ask.
As written, that means they can secretly enable the camera and microphone to surveil my house, supposedly to check the usage (or non-usage) of the hardware.
Surely that's very "wrong", if not also illegal in most places. Not everything about or near the hardware is fair game.
I wrote one sentence about how "there are ways for companies to go too far", which I think is pretty dang uncontroversial and trivially-true. However that user replied with what is clearly a disagreement, with corporate justifications and placing sole responsibility on employees to avoid the hardware.
This leads to two competing options:
(A) They simply can't imagine any scenario where a company might "go too far" and be at fault.
(B) Their stance is much milder, but for some reason they are replying to a straw-man argument that isn't what I actually wrote.
Of those two ambiguities, I went with (A), but if you think (B) is a more-charitable reading...
No, they shouldn't be flicking on your laptop camera or mic remotely, as these are pretty obviously violations of your privacy.
Like I wouldn't work on this project, but I have US citizenship. In college I slept over at some of my Indian friends' apartments and often they had like 8-12 guys sleeping in one bedroom, it was just a bunch of mattresses all laid together with no specific sleeping arrangement. Generally they made a giant pot of stew/daal/whatever once a week and ate the same thing for every meal all week, some even long after graduating with PhD's and getting low-tier visa-mill jobs. This was not a T10 school, our international students rarely came from wealthy families. One of my Saudi classmates came from a poor family in a remote village near the Iraq border and brushed his teeth with a twig from the Salvadora persica tree.
I couldn't really blame them if they didn't have another good option readily available.
- Fertiliser ban decimates Sri Lankan crops as government popularity ebbs
> https://www.reuters.com/markets/commodities/fertiliser-ban-d...
>> Maybe you're on H1B and if you get let go you have to go back to Sri Lanka...
I mean that's there too, but in this case, the guy who ran this spyware op was a former IDF turned chief of Facebook in Israel, later promoted to CISO for all of Meta.
Otherwise you'd be essentially saying "Hey look out, the guy who ran this op was an Israeli" (because nearly every male Israeli serves in the IDF).
Facebook hired and retained engineers over its entire company history by offering enormous amounts of stock. They successfully demonstrated there are a lot of engineers willing to build unethical products when offered 2-3x their previous salary.
imagine all of the times in history where this type of enabling of behavior reached an extreme, and now ask yourself where do you draw the line.
are you really asking me to enjoy the growing consequences of corporate overreach in the name of data, and all the sketchy ass, unethical, and invasive work all these foreign engineers are getting paid ridiculous salaries to propagate, and feel good about being held hostage because said engineers.. don't have a home.
so we are supposed to enable them to wreck mine (ours)?
No, we’re supposed to attack it from a different direction. Whether these people are H1B or outsourced overseas, U.S. corporations will always be able to find people in desperate enough situations (civil war-torn country with a literal famine going on). We can absolutely blame and shame the engineers who have other options for sustenance and medicine for their families, but if you want to solve this problem, it can only be solved through the legislative and executive branches.
I know people who have worked for adtech, gambling and HFT industries who now try to convince younger devs to avoid them. I personally worked briefly for a private prison corp, and I feel dirty and remorseful that I had anything to do with that industry.
It's certainly a complicated subject, but I think in general companies are really good, especially big ones, at getting people to work on things they might not be comfortable with otherwise. This thread has been talking the extremes like immigration status, but there are all kinds of subtle pressures as well. Some people might not believe they have the political capital to outright refuse a project (especially a pet project of the CEO) vs choose to accept and try to nudge the project onto more solid footing. And I suspect many engineers are terrified of being labelled as not a team player, which aids in the creation of group think, but makes it very difficult to foster a healthy culture of discussion that would bring forward the serious concerns of this work. And there is almost always some room of uncertainty as the last convincer... is it unethical to work on the project if the consumer is fully informed and offers consent to the invasion of privacy?
If there is an extreme where it's justifiable, for any reasonable engineer to accept the project, then it gets really muddy on where exactly the line is, and when it should be drawn.
I also suspect many of us envision ourselves having much more fortitude than we really do as well, imagining the heroic efforts we'd put in to changing a company's mind from a bad idea... where the more likely outcome for most of us is to fall silently into the background.
I can count on one hand though the number of devs I've worked with that saw coding as anything more than a 9-5 grind and would have spoken up if asked to do something shady.
I've only been in a similar situation once. I could barely sleep at night for a week before I finally told them that I couldn't do it. In my situation I would have taken a financial hit if they decided to let me go, but my wife works and I have savings and there was no immediate threat, and it still was a difficult decision.
The truth is that in the US we do have some very expensive social safety nets, and it always comes back to the morals of the individual. You can rationalize just about anything against all kinds of situations, but in the end we are talking about someone morally corrupt, or morally steadfast.
Don't justify the unjustifiable.
Instead judge character in the hard times and use that opportunity to elevate the heroes that do the right thing in the face of adversity.
Example: engineers blamed is the title in [1].
[1] https://www.nbcnews.com/business/autos/vw-scandal-top-u-s-ex...
But one of the worst things about the software was all the bugs. Silent failures so we couldn't tell what was happening, if it was a software problem or if our loved one was being prevented from communicating with us. The messaging and video call system failed us at some crucial moments and created a lot of emotional stress.
In fact I think this is part of the awful business model -- cut costs even if it hurts people.
Bad software can really make the lives of incarcerated people much worse. So if you were able to do a decent job on that software, whether it was prison telecom or internal tools for a prison contractor, you may have still had a more positive impact than you think, despite the broader business model being totally evil.
It's weird that such a data point was the final straw, but eventually these small details build up and the whole edifice comes crashing down.
It's especially tragic as the company seemed to be full of talented, intelligent and nice people. Such seems to be the typical makeup of faceless evil.
Anyone know the best way to pull an image off a locked-down Android tablet? I have a prison tablet here and I want to see what is inside the APKs.
Sounds like getting to feel good after grabbing the bag. Particularly the first three considering how much they pay (even moreso if the gambling was crypto related).
> everyone I personally know has quit and lived with the regret.
Quit for a significantly lower wage job? Or quit in 2021 when they could trivially get another job likely with a raise?
I sound aggressive but these are serious, not rhetorical, questions. I don't know your friends, maybe they're the real deal, in which case massive kudos to them, I'm very happy to see others doing the same and I wish more were like us. But "living with the regret" is empty words if meaningful sacrifices haven't been made to atone for those sins.
FWIW, I left a job that paid more than twice what I'm able to get anywhere else without moving across the globe, for ethics reasons. And the industry wasn't as bad as the ones you've named besides HFT, which is imo pretty average when it comes to societal negative externalities for a tech company.
Good thing they're less Fascist and more upstanding & liberal, yeah? https://www.nytimes.com/interactive/2014/09/12/world/middlee...
> every male Israeli serves in the IDF
Shame on them if they continue to be associated with an institution found guilty by the International courts of occupation, torture, sexual assault, dispossession, crimes against humanity.
https://x.com/wattheactualfuq/status/1818340892651975052 / https://ghostarchive.org/archive/sx6lC
The burden is not mine or anyone else's.
Their manager was promoted to c-suite for running a covert worldwide spyware op (that also informed the company's M&A strategy). I'd reserve most of my blame on corporate culture that incentivized & rewarded such orgs and its management.
People regularly justify things that are not justified. When there's a lot of pressure, rationalizing is very easy. It's not even easy to realize that something is being rationalized.
I'm not justifying the unjustifiable. I'm saying that a person doesn't have to be morally "bankrupt" to do something bad. Condemning people as morally bankrupt without taking into account extenuating circumstances is certainly not justified.