return to table of content

Ex-Google engineer charged with stealing trade secrets

billy99k
61 replies
2d3h

This doesn't surprise me. I knew someone that intentionally graduated with a specific major, so they could get a job in that industry and send trade secrets/IP back to China. The purpose was to create a competing company.

It didn't work out for them that well. They couldn't last more than 6 months at any one company and I think eventually gave up and went back home.

krisoft
18 replies
1d18h

It didn't work out for them that well. They couldn't last more than 6 months at any one company

I don’t understand what you are saying here. How many months does one need to stay to hover up the trade secrets / IP? In software engineering you get access to the repos on day one, but even in other industries I guess what you don’t have access to after 6 months you won’t have access to realistically ever.

eventually gave up and went back home

But according to what you said that was their plan all along. So in what sense did it not “work out for them”?

outworlder
5 replies
1d18h

In software engineering you get access to the repos on day one

Some repositories needed to do your work, sure. Not necessarily all, and the more interesting work may not be available to just anyone who joins.

If it's a company like Google, you may not even end up at the group you interviewed for.

roland35
2 replies
1d18h

I would be very careful doing that at Google. Even if just about anything is accessible, I imagine most access is logged. If you are downloading everything not related to your job it could raise some alarms!

htrp
1 replies
1d18h

Didn't stop Anthony Levandowski

kirubakaran
0 replies
1d18h

Presidential pardon is the one weird trick that employers hate, when you steal IP and get caught

ohyes
0 replies
1d16h

I think the subtext here is that the “spy” in question was not the sharpest tool in the shed.

You need some level of intelligence and knowledge to know what is worth stealing and what to do with it.

Getting a major with the sole purpose of industrial espionage and then telling people about it indicates a lot about the person in question.

krisoft
0 replies
1d17h

Yeah, yeah. I’m not saying it is easy business. What I am saying is that “bouncing around many companies in a quick succession and then leaving for their home country” is exactly the pattern one would exhibit with that plan. If one would want to show that their plan didn’t work out then one would be talking about other things. For example that they only got junior jobs with no access to the code/secrets, or that they were only hired in fields outside of their interest, etc etc.

alsetmusic
5 replies
1d16h

I have a strong distrust for authority, but even I would report espionage and IP theft of this sort. Downloading a movie doesn't bother me. Running a site for others to download movies doesn't bother me. But being a snake to go defraud a company to steal the hard work of others so your own illicit company can turn a profit off said labor by others irks me. Do your own R&D.

Did you ever consider doing raising a red flag? If so, why did or didn't you?

twentythree
2 replies
1d15h

Running a site for others to download movies doesn't bother me.

being a snake to go defraud a company to steal the hard work of others so your own illicit company can turn a profit off said labor by others irks me.

I'm sorry, I really don't understand this. What part of the second statement doesn't apply to the first?

nowandlater
1 replies
1d14h

You give it away for free instead.

shotnothing
0 replies
1d9h

ad revenue

xattt
1 replies
1d15h

If anything is going to unite two groups of people who are “naturally” on opposite sides of a political spectrum, it’s going to be stopping treasonous activities.

I airquote naturally because it’s obvious that foreign interference is at play, based on the laissez-faire attitude towards this sort of thing by some groups.

IG_Semmelweiss
0 replies
1d3h

Correct. The left and the right may be at loggerheads about the best way to manage america.

Yet, the vast majority of both camps still think of themselves as american. Neither group will take kindly for others to present themselves as american, to then proceed steal from other americans for the benefit of non-americans.

We are all part of the same macro-tribe after all.

al_borland
3 replies
1d17h

Short of downloading literally everything and sending it back to a team, it's possible he didn't know enough after 6 months (while also trying to maintain his actual job) to get anything of value.

I've been at my company for almost 20 years. I have a lot of access, but if I was told, "go find some trade secrets." LOL, not a chance. The haystack is far too big and I don't even know what I'm looking for. Someone who has been at the company 6 months barely knows where the bathrooms are.

rightbyte
0 replies
1d17h

My prior employer was really worried about source code leaks.

I was more like, giving the direct competitor the code would more be like industrial sabotage for their sake. What could they possibly do with it. They would waste fte years dechiffering it instead of doing something useful.

But nah, rather keep your own engineers in the dark about secret plans and road maps.

I worked out quite well though, since the engineers did their thing withoit knowing what the higher ups wanted.

krisoft
0 replies
1d17h

I've been at my company for almost 20 years. I have a lot of access, but if I was told, "go find some trade secrets." LOL, not a chance.

Because it is not your intention to do so. Think about how one can live a whole life locking and unlocking locks without ever accidentally lock-picking one. Yet they can be picked, and often quite easily if that is your goal.

If you are serious about it you don’t just bumble around randomly until a trade secret hits you on the head. You can ask yourself: what can that company do nobody else can? You can even ask this question before joining a company and thus selecting the right target and the right position to get access to it.

dsq
0 replies
1d11h

If you are an agent of a rival company or govt there may alreay be a "best practices" rulebook for stealing IP, a set of established procedures.

fragmede
0 replies
1d16h

If you're going to steal secrets, do it slowly, don't pull a Levandowski and copy everything in a noticable way so that security gets alerted, at which point it may take you forever to exfiltrate data.

DinaCoder99
0 replies
1d15h

I don’t understand what you are saying here. How many months does one need to stay to hover up the trade secrets / IP?

Presumably the more valuable the IP, the harder it is to access.

mupuff1234
15 replies
2d3h

Did that person just go around disclosing their plan?

alephnerd
9 replies
2d3h

Having seen something like this happen once, what probably happened was the person OP is referring to was trying to get IP in order to start their own private sector startup, and probably get some seed funding from a regional government (eg. Beijing and Hangzhou did this in the 2000s to jumpstart their tech industry)

It's similar to the Israeli program in the 90s (who's name I'm blanking out on EDIT: Yozma I before it was privatized) because just like China in the 2000s-early 2010s, there wasn't a notable private sector VC industry yet.

maayank
8 replies
2d2h

It's similar to the Israeli program in the 90s (who's name I'm blanking out on EDIT: Yozma) because just like China in the 2000s-early 2010s, there wasn't a notable private sector VC industry yet.

Quite an allegation... any reference to them sponsoring/encouraging stealing IP or am I misreading and you simply meant it's a government sponsored startup accelerator program?

alephnerd
7 replies
2d2h

It's not really that damaging.

Israel never recognized American software or pharmaceutical patents, and most countries do some form of Industrial Espionage (France is fairly notable in the space as well [4]).

The wildest cases tended to be back in the 1990s, when Israel was trying to build a domestic armament industry, notably by stealing American IP and selling it to the Chinese [0][1][2][3] (most modern Chinese weapons systems today are based on that IP transfer in the 1990s).

This largely ended by the mid-late 2000s when the Israeli tech industry was much more established, and Ehud Barak (edit: Olmert - mixed up his surname and the Barak middle scandal) getting arrested on corruption charges, heralding the end of Israel's Wild West days in the tech industry.

Also, Tiannammen Era sanctions from the 1990s forced Israel defense companies to pivot to India, which doesn't allow vendors to sell SKUs to India which Pakistan and China have access to, and would leverage French and Israeli SKUs based on American designs.

I highly recommend reading this GAO report from the 90s [3]

[0] - https://www.jstor.org/stable/2538128

[1] - https://www.nytimes.com/1993/10/12/world/israel-selling-chin...

[2] - https://www.jstor.org/stable/1149008

[3] - https://www.gao.gov/assets/t-osi-92-6.pdf

[4] - https://www.politico.com/story/2014/05/france-intellectual-p...

greatpatton
4 replies
2d1h

Funny that you mention France when the USA is #1 in the world for corporate spying. Having been involved in western Europe for deal where US competitor were given "advantage", USA spying was always number one concern over all other countries (and this is how counter spying agencies brief companies) as it had more direct economic damage and is more difficult to identify than Chinese spying.

Few examples just for Airbus every few years you get report of US spying: * https://www.dw.com/en/airbus-fires-16-over-suspected-german-... * https://edition.cnn.com/video/news/2015/05/01/airbus-spying....

alephnerd
3 replies
2d1h

The American government will spy, but will not explicitly spy to provide IP directly to a private company like Boeing or Lockheed, as this enters felony level corruption territory due to the Procurement Integrity Act, Federal Acquisition Streamlining Act, and the Federal Acquisition Regulation.

The main difference is DGSE would explicitly attempt to steal American IP and then provide it to Thales or Dassault.

greatpatton
1 replies
1d21h

They may not provide direct R&D details but they will provide direct information about offers price, negotiation status etc. This is part of the Snowden leaks that people seems to have completely forgotten.

https://wikileaks.org/nsa-france/spyorder/#spyorder2

alephnerd
0 replies
1d21h

IANAL but Competitive Intel around pricing and SKUs isn't IP except in certain cases.

If they were, just about every single private sector company globally would be guilty of IP infringement, let alone Public-Private Partnerships like the ones I mentioned.

ramblenode
0 replies
1d18h

Intelligence agencies often have their own interpretation of the law, which coincidentally allows them to do what they want.

And if you don't like that, you can sue them in the special intelligence court where the evidence cannot be revealed, the proceedings are secret, and the judges are very unbiased.

maayank
1 replies
2d2h

Did you mean Ehud Olmert? I don’t believe Ehud Barak was ever arrested.

Also, not to nitpick, but would appreciate publicly accessible articles… from the abstracts I can only assume these are summaries made in the 90s of pre-90s shenanigans

EDIT: saw now the edits with 3-4, will look at when I have time (thanks!)

alephnerd
0 replies
2d2h

Ehud Olmert

Yep. Brainfarted and merged Olmert and the Barak missles corruption case

summaries made in the 90s of pre-90s shenanigans

Hence why I wrote "the Israeli program in the 90s".

It's significantly less egregious nowadays (imo de facto non-existent due to how integrated the Israeli innovation system is with the American system now and how simplified FDI is in Israel compared to the 80s-90s)

appreciate publicly accessible articles

Internet based news wasn't really a thing until the post-Netscape era.

All you're stuck with are archives of print news or government articles, especially because this kind of behavior largely ended by the 2000s.

EDIT: saw now the edits with 3-4, will look at when I have time (thanks!)

No problem! And like I mentioned before, most countries do this in some form to help domestic champions (eg. India and Pharma IP, France and Defense IP, socialist era Israel and Defense IP, 1970s-80s Japan and electronics IP, China and Defense+Software IP).

If a country allows almost 100% FDI, there's no reason for industrial espionage in that specific sector because foreign champions become integrated with domestic ones. Hence why Israeli and Indian companies don't steal hardware designs anymore because most Americans companies have design centers there that are closely integrated with domestic champions.

reaperman
4 replies
2d3h

I think if someone actually had government handlers asking them to do this, most of those people wouldn't blab about it to their school chums. But there's a subset of people with grandiose delusions / general behavior problems who feel a compulsion to tell everyone about their grand plans/machinations to become rich and powerful.

djtango
1 replies
2d3h

Reminds me of that scene from Silicon Valley where Jian Yang has a bunch of new startup ideas on his whiteboard

ecoquant
0 replies
1d7h

I think you are underestimating how tough it would be to be playing James Bond and not tell anyone.

You wouldn't have to be a delusional braggart to want to tell a friend this. Most spies are not going to be as much of a compartmentalized lunatic like Robert Hanssen or someone at that level.

alephnerd
0 replies
2d2h

someone actually had government handlers

It most likely wasn't a Handler/MSS type espionage.

It was most likely trying to grab IP to found a domestic competitor, and raise a Seed round from local government accelerators like those Beijing and Hangzhou have.

atonse
13 replies
2d3h

Hmmm that seems like a clear cut case to report to the FBI. Yeah, assuming that they were walking around telling people about it.

kjkjadksj
12 replies
2d3h

The FBI gets more credible reports than it has the labor to investigate. Not to mention in this example no crime even yet occurred.

atonse
6 replies
2d2h

I agree with the spirit of your statement that no crime has occurred. But this isn't a case where someone just expressed a vague interest in a related topic of national security, but their specific intent to steal secrets and give them to an adversary. And then go ahead and interview at certain companies with that intent.

This would be like someone specifically (not vaguely) stating their intent to commit a violent crime and then spend months preparing for it. Yeah, law enforcement, please definitely follow up on that one.

snotrockets
5 replies
2d2h

Trade secrets aren’t national security.

jandrewrogers
2 replies
2d2h

They definitely can be. In the US there are many different ways in which they can overlap as a matter of law. There are myriad frameworks similar to ITAR that place a national security interest on trade secrets or block public disclosure e.g. patents (which effectively turns them into trade secrets).

Your average web dev probably isn’t familiar but navigating this is a routine consideration in deep tech.

snotrockets
1 replies
1d23h

Real, and quasi-real national security projects require more stringent background checks than the ones unnecessarily used in most "average web dev" [sic] recruitment processes, and some come with citizenship requirements. I know, because that's one of the reasons I don't work on such projects.

ofc, like in any security-related field, many are LARPing instead of practicing, and that's a different issue.

jandrewrogers
0 replies
1d19h

It is more nuanced than this. A startup is virtually never a "national security project" even if they end up involved in an actual national security project. The kinds of background checks startups do are the same as any other company in any industry. It has nothing to do with national security. There are many things that can factor into a citizenship constraint depending on the type of business.

A "real" national security background check requires support and sponsorship from a national government, and governments don't provide that casually to anyone that asks. If a startup finds themselves with national security customers, there is no requirement for the startup to go full-on Secret Squirrel but governments will calibrate their trust in the startup by how seriously the startup takes security and how diligent they are when vetting employees. It does not involve everyone getting a security clearance, which would not be possible anyway if the startup works with multiple national governments.

I find the opposite situation is more common in practice: startups that find themselves in the national security space are often naive about what constitutes a baseline level of security, vetting their employees, and the pervasiveness and character of espionage programs.

It is important to recognize that national security considerations are starting to affect startups that never go anywhere near national security customers due to escalating concerns and increased rigor around software supply chains. You may not have an interest in national security but national security may take an interest in you. This has ramifications for many software business models.

zihotki
0 replies
2d1h

They are indeed separate concepts but they may be both true. ASML can be a good example

JumpCrisscross
3 replies
2d2h

in this example no crime even yet occurred

Interviewing for a job with the prior stated intent of pilfering their IP is fraudulent.

snotrockets
1 replies
2d2h

Let the employer file civil case then.

JumpCrisscross
0 replies
2d2h

Let the employer file civil case then

The IP theft is a private concern. The national security implications are public. What OP describes seems worth criminal investigation.

powersnail
0 replies
1d17h

Is it?

I mean obviously if the said person did pilfer, or attempted to pilfer, it would be illegal.

But is there any law against interviewing for a job, while having a prior statement of intending to pilfer? Or in a more general sense, interviewing for a position while previously saying that they intend to breach the contract?

I'd imagine that there could only be ground for a lawsuit if 1) a contract has been signed, and 2) the stated activity has at least been attempted.

nova22033
0 replies
1d3h

Not to mention in this example no crime even yet occurred.

OP...you should definitely report this to the FBI.

If you try to hire a hitman, the FBI will definitely investigate even though no crime has been committed.

riku_iki
5 replies
1d19h

get a job in that industry and send trade secrets

so, is there a clear line between: steal trade secret, and applied learned experience in new company the way everyone does?

pfannkuchen
2 replies
1d18h

If they are intentionally finding information that is outside the scope of their own role and then exporting the information itself as opposed to actually learning it then that would be clearly stealing trade secrets. Of course there are some lesser actions that would be in a gray area.

dylan604
1 replies
1d18h

intentionally finding information that is outside the scope of their own role

some call that a positive initiative. cross training between departments or some such corp speak is used so people can "fill in" or just have a better understanding of the other departments so you can possibly work better with each other or come up with novel solutions for someone else.

companies that silo everyone off and prevent open discussion between groups are horrible places to work. ask Oppenheimer.

pfannkuchen
0 replies
1d17h

intentionally finding information that is outside the scope of their own role AND THEN exporting the information itself
paulddraper
0 replies
1d14h

so, is there a clear line between: steal trade secret, and applied learned experience in new company the way everyone does?

There may be some grey, but copying information in writing is pretty clearly over the line.

lmm
0 replies
1d18h

No. Ultimately courts have to make judgements.

baka367
4 replies
1d15h

Repositories are rarely worth much.

Sure, some algorithms there might save you some time, but its often the design and the data where the money lies (what this guy focused on).

Clone google's repo and you'll likely struggle forever to get anything of substance running on a rando vm/docker/etc. not to mention about spinning the entire stack with interconnected services, certificates, shitty code, and layers upon layers of hacking that can only be resolved by relying on the tribal knowledge on whomever built the darn thing.

Compared to that - detailed design docs, a team of motivated Chinese dudes/ettes with some monetary support from the local party, and you can have a close-enough copy running natively on the Alibaba cloud in a few months.

xyzzyz
1 replies
1d14h

Source code repo is like a very extremely detailed doc. You might not be able to actually easily run it due to all of the dependencies etc, but with couple of weeks of reading, you should be able to tease back out the high level design.

avidiax
0 replies
1d13h

I've done enough code archaeology to say that looking at the code to understand the design is a good way to understand that the two halves of the bridge didn't mate up, but there was a deadline, so...

The design from a design doc can be replicated at almost any company. The actual code is specific to the company and their exact stack.

The company's business position is similarly hard to duplicate. You can understand a company's current capital, customers and money flows. Your new company has to either outcompete for those same flows or create or capture alternative flows, and do this with different capital. Having, say, the entire source code for FedEx doesn't make it easy to launch a competitor. It's practically irrelevant compared to the network of capital investments, corporate goodwill and contracts, etc.

paulddraper
0 replies
1d14h

There's probably some deep science AI-type stuff.

Or maybe useful for security exploits.

fragmede
0 replies
1d13h

A copy of Google3 would take an outsider eons to replicate Borg for any of it to run on.

advisedwang
0 replies
1d13h

Did they tell you that, did you hear it second hand, or figure it out yourself?

feverzsj
50 replies
2d4h

So he was already CEO/CTO of 2 China companies while still working in google. And these information are publicly available right after he registering them. Seems a management disaster of google.

Thorrez
31 replies
2d4h

You expect Google to scan the database of companies in every country continuously to see if employees are executives of them? How would this handle different people who have the same name?

Disclosure: I work at Google.

unsupp0rted
8 replies
2d4h

You expect Google to scan the database of companies in every country continuously to see if employees are executives of them?

Um, yes? That’s among the least invasive and cheapest due diligence they could do.

ithkuil
6 replies
2d3h

Perhaps just perhaps the task is a bit harder than what you make it sound like

Instances of people sharing the same name are far more common in china than elsewhere. For example there are more than 30 thousand people called "Wang Wei".

The fact is complicated by the fact that the writing systems are different and transliteration errors are commonplace.

unsupp0rted
4 replies
2d3h

How many people named Wang Wei in any given year become the officers of companies?

Google could even automate this with an email, opting into which would be a requirement for any senior employee handling the kind of information the US government cares about.

"A person sharing your name has registered a company in China, as of 2024-03-07. To affirm that you are not related to this person, please click this link. If you were this person, please reply to this email for next steps."

Edit: obviously, criminals don't mark the "yes I'm a criminal box" on forms. That's not the purpose it's there to serve.

yellow_lead
0 replies
2d3h

"Yes, I am not this person"

phew

theGnuMe
0 replies
1d23h

I think it is quite difficult to find out the officers of Chinese companies. There was the big wall street stock scandal a few years ago with respect to Chinese listings on US exchanges.

fooker
0 replies
2d3h

If you are guilty of a much more serious crime, saying you're not related to this person or ignoring the email won't add much to your guilt.

Thorrez
0 replies
1d5h

opting into which would be a requirement for any senior employee

According to the article, he was a junior employee.

Edit: obviously, criminals don't mark the "yes I'm a criminal box" on forms. That's not the purpose it's there to serve.

What purpose would it serve? Would it have prevented this case?

seanmcdirmid
0 replies
2d1h

To add to that, I don't think Google (or any American company) would ask for foreign ID numbers. Your SSN can be used for a background check in the USA, but not in China.

fooker
0 replies
2d3h

Every problem is easy and cheap until you think about how to do it.

eganist
8 replies
2d4h

You expect Google to scan the database of companies in every country continuously to see if employees are executives of them? How would this handle different people who have the same name?

Disclosure: I work at Google.

It's Google. Not a mom and pop shop, not a startup, not even a large bank. It's a massive conglomerate who's entire business model revolves around data.

So yes. And same-name conflicts can be handled case by case.

siva7
4 replies
2d2h

I'm not aware of any corp doing this and why should they? There are as many valid reasons registering a company without affecting your employment.

hilux
2 replies
1d10h

When you apply to Google, they ask what other employment you have, IP you own, etc. Many companies do some variation of this, but I believe Google is one of the most restrictive on its employees.

siva7
0 replies
1d6h

Sure, if it's an employment that's standard procedure in every company i ever applied to ask/rule out if you would be employed by another company after start date. I was rather operating under the assumption when you're not employed / the owner but the ex-googler seems to have been an employee in a rivaling business in both cases which would have clearly violated his contract with google.

Thorrez
0 replies
1d5h

But this person would just lie and say no. The application isn't a lie detector.

edandersen
0 replies
1d18h

Big 4 do this routinely to check for conflict of interest as a result of audit regs.

seanmcdirmid
0 replies
2d1h

And how are they going to access Chinese databases that they are not allowed to access? It's Google, not the CIA. I wouldn't be surprised if all of that information was covered under China's broad state secrets law.

paulddraper
0 replies
1d14h

And same-name conflicts can be handled case by case.

...unless they're Chinese.

Thorrez
0 replies
2d3h

And same-name conflicts can be handled case by case.

How? Several times I've had to contact someone within Google whose name I know, but when I go to look up the person's email, there are multiple employees with that name. This is just within Google. Think of within an entire country.

zettabomb
3 replies
2d4h

Not for nothing but plenty of other companies do pretty much just this, for example in defense. Surely Google of all companies should be able to do a simple search like that on a regular basis.

redkoala
2 replies
2d3h

In highly regulated national security impacting industries like defense, that makes sense. Google has not developed that rigor yet, although it's becoming obvious that their business has high national security implications now.

zettabomb
1 replies
2d3h

I don't think Google has ever had rigor, in anything except possible things which directly affect uptime. It seems to be a systematic problem - look at their history with chat apps for example. Great for hackers - both ones working for Google and ones working for other governments, apparently.

leoh
0 replies
1d13h

Not sure why this was downvoted but there is a lot of evidence to support this statement, despite the way Google is perceived

xienze
2 replies
2d4h

Presumably for such a high profile position a simple um, Google of the person, checking LinkedIn, or a standard background check would reveal this.

shagie
1 replies
2d3h

Within weeks of the theft starting, prosecutors say, Ding was offered the position of chief technology officer at an early-stage technology company in China that touted its use of AI technology and that offered him a monthly salary of about $14,800, plus an annual bonus and company stock. The indictment says Ding traveled to China and participated in investor meetings at the company and sought to raise capital for it.

He also separately founded and served as chief executive of a China-based startup company that aspired to train “large AI models powered by supercomputing chips,” the indictment said.

These events happened after the person was hired.

This would suggest performing background checks with some frequency - presumably at least once a month - in order to catch the events promptly.

shagie
0 replies
2d1h

Prosecutors say Ding did not disclose either affiliation to Google, which described him Wednesday as a junior employee.

... and not just of high profile or senior developers, but all of the junior developers too.

renegade-otter
1 replies
2d3h

The Google hiring process can take months. They have time to haze people with Leetcode but no time to do a good vet of a person who may be a high risk security threat.

Thorrez
0 replies
1d5h

How would Google have detected this before hiring him? It doesn't sound like he started working at the other companies until after he started at Google.

spywaregorilla
0 replies
2d3h

They could try Googling it

htrp
0 replies
1d18h

Google already apparently logs every network packet on the internal network (including DPI), so I imagine scanning corporate registrations can't be that much worse.

ActionHank
0 replies
2d3h

So I've worked at a few places, none nearly as fancy as Google. Not a single one would have had files being uploaded to personal cloud storage from a work device go unnoticed. That was the red flag, at that point they should've been monitoring actively.

2devnull
0 replies
2d3h

“showing that another employee had scanned Ding’s access badge at the Google building in the U.S. where he worked to make it look like Ding was there during times when he was actually in China”

Google can’t secure itself. That’s been true for years. It’s an enterprise held together by monopoly power, lobbying and low interest rates.

jajko
11 replies
2d4h

What is Article 7 of the Chinese Intelligence law?

Article seven says in part that “All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.

And that's just a nice wording to make it official, russians don't have anything similar yet they keep bribing small and big people all around the world to often perform literal treason of their home country, and quite a few do so for petty sums. Your Chinese relatives can also be just sentenced ie for made up drug trafficking to execution and subsequent organ harvest if say sending them to 're-education' camp won't convince you.

Anybody having Chinese citizenship and any position of power or access to secret stuff should be treated as potential threat and evaluated continuously. Or just not hired. If they are actually serious about such a work they should give up their nationality, if they can't then they are risky. Its a serious stuff by no means, but this is how China plays so literally everybody around the globe has to adjust or suffer subsequent consequences.

physPop
8 replies
2d3h

They can't "give up their nationality". Chinese government's position is that once Chinese always Chinese, and emmigrating doesn't affect that. They will still come after your family on mainland. Or use their "local police" forces stationed in most western countries to harass you in your new location.

alephnerd
4 replies
2d3h

They can't "give up their nationality"

You can, but it's a fucking pain in the ass, and when Zero COVID kicked in, the Chinese Embassies and Consulates stopped processing anything.

seanmcdirmid
3 replies
2d1h

Its a formality they can ignore though. At least they have recent precedence with that Swedish bookseller who was abducted in Thailand a decade or so back.

alephnerd
2 replies
2d1h

I mean, you historically could ignore it, but it's changed since the anti-corruption purge began in 2016.

Imo there's no reason to poke that bear anymore - a lot of bad practices that were common 10 years ago are not tolerated anymore (though sadly, a lot of good practices have also started getting cracked down, like domestic criticism)

Edit: you're talking about Gui Minhai. Ok yea that's fair.

seanmcdirmid
1 replies
2d1h

I would place money on China in 2024 being worse at rule of law, not better, than in 2016. They granted defacto citizenship to that snowboarder, for example, even though there is no way she qualified under the text of its own law (China doesn't allow for dual citizenship...unless convenient). That was 2022.

It has been downhill since Xi took charge, but yet, he was able to use accusations of corruption to purge his competition. The things that have improved are mostly public order (like prostitution being much less visible than it was).

alephnerd
0 replies
2d1h

I agree with ya!

A lot of the crackdown was performative, but silver lining is that at least some bastards got punished as they deserve (albeit by equally reprehensible bastards).

Sort of a broken clock is right twice kinda situation.

thatfrenchguy
1 replies
2d1h

Do you not know any first generation Chinese Americans to say such inaccurate statements? This is incredibly inaccurate, naturalized citizens are treated as foreigners by the PRC.

resolutebat
0 replies
1d13h

Only when it's convenient to the PRC to do so. When it isn't, they're Chinese:

https://en.wikipedia.org/wiki/Gui_Minhai

Who, after being kidnapped, conveniently and totes voluntarily applied to have his Chinese citizenship reinstated.

2devnull
0 replies
2d3h

“ use their "local police" forces stationed in most western countries to harass”

Totally under appreciated point. It’s not “over there” anymore, the CCP have a strong and growing presence in the Bay Area now. Penetration into the FBI will take longer than google or local law enforcement but it is inevitable.

simpletone
0 replies
1d17h

Your Chinese relatives can also be just sentenced ie for made up drug trafficking to execution and subsequent organ harvest if say sending them to 're-education' camp won't convince you.

Oh god, this nonsense again. Why would they have to target their relatives when the 'ccp' has their police all over world?

Anybody having Chinese citizenship and any position of power or access to secret stuff should be treated as potential threat and evaluated continuously.

Sure. But everyone should be treated as potential threat.

What's with eastern europeans like you spreading so much garbage propaganda online? Here, reddit, youtube, etc. And it's the same bullshit over and over.

ithkuil
0 replies
2d3h

Giving up citizenship doesn't solve the problem of retaliation against family

Waterluvian
2 replies
2d4h

Not agreeing or disagreeing, but what’s the remedy? To regularly scour sources for information on tens of thousands of employees and parse actionable meaning from the data?

Maybe someone can make a horrible start-up that does this as a service.

nonethewiser
0 replies
2d3h

Not agreeing or disagreeing, but what’s the remedy? To regularly scour sources for information on tens of thousands of employees and parse actionable meaning from the data? Maybe someone can make a horrible start-up that does this as a service.

If a colleague new about it and reported it then that should lead to action 100% of the time. The question is if that happened or not.

catchnear4321
0 replies
2d4h

making vast amounts of scraped data accessible, almost like search.

you’re right, the big names probably can’t handle that on their own.

tppiotrowski
1 replies
1d16h

Are you prohibited from owning a company or acting as the CEO of a company while employed by Google?

resolutebat
0 replies
1d13h

You're supposed to declare anything that's a potential conflict of interest, and Google is large enough to have a lot of interests. So if you're moonlighting as an Uber driver, Google's probably cool with it (at least if Waymo is not in your hood); if you're moonlighting trying to build the next Uber for X, Google probably would not be.

ilickpoolalgae
0 replies
2d2h

I used to work at a Chinese tech company. I hear that it's pretty common to use aliases, instead of your real name, due to anti-compete clauses when you switch between companies. Even if a company had the ability to do background checks, like you mentioned, it'd be pretty hard to automate if the practice is commonplace.

ttul
16 replies
2d2h

If any of you get this far down, one thing that caught my eye is that Google said they had analyzed this guy’s network traffic after locking his laptop, confirming various things. If you work at a large company like Google, every packet on their employee access network is recorded and indexed for forensic purposes.

This is not something Google would talk about publicly, but it’s standard practice in any company that is a serious target for sophisticated cyberespionage to spend a great deal on specialized equipment that can log all network traffic at scale.

alephnerd
10 replies
2d2h

It's SOP in all companies, not just those facing sophisticated threat actors - there's a reason EDRs like Crowdstrike and SentinelOne are massive players now.

deelowe
3 replies
1d18h

I've never been exposed to that side of things but always wondered do certain levels datamine this information? For example, do they get reports on user activity during the day... A pareto of employee activity perhaps by userid? I mean, why wouldn't they?

leetcrew
0 replies
1d17h

why would they? if we're talking about sophisticated espionage, that's more of a job for infosec. if we're talking about AFK time, being secretive defeats the purpose.

flextheruler
0 replies
1d16h

I’ve done this sort of work and my anecdotal experience was it is mostly used to flag blacklisted activities from occurring on the computer spanning things like porn and gambling sites to administrative privileges, but also to modify what level of access these computers had for interacting with different infrastructure between silos.

You could use the data to identify activity levels or behavior patterns of the people using the device but it would cost a ton more money and a larger team to do that plus the other responsibilities we had simultaneously.

My experience is also not with employee owned devices so in my mind there’s nothing wrong with doing it’s agreed to and is imperative to their function as an employees especially with HIPPA concerned.

I think there was some BYOD stuff that was starting at one point and we had to run an emulator on their personal devices so the programs we run to collect logs were sandboxed from their regular phones.

Nerada
0 replies
1d13h

Essentially you hook up all your log sources to a User and Entity Behaviour Analytics (UEBA) platform, it comes up with a model of "normal" behaviour, and flags users for investigation when they start acting outside of those norms (or things you want to explicitly flag on).

No data egress for 6 months, then 20GBs of outbound traffic? Someone's getting notified to take a look and see what that was and where you sent it. You only authenticate against one host on the network, and suddenly you're hitting thousands of hosts? Someone's getting notified to investigate, &c.

opello
1 replies
1d14h

It absolutely has to be more nuanced than "there's exabytes of pcaps somewhere" because cloning repositories, pushing branches, backups, these things would basically end up being nasty amplification attacks against the ability to store this data. And block dedupe can work for some storage loads, but it's not solving this problem, especially when that git clone came over ssh or https.

Data from employee devices all being captured and stored? That seems plausible. All data on the corporate network? Less so to my naive mind. I'd love to hear exactly how that works and what kind of retention exists for it.

What seems far more likely is that there's a rules engine that can see all the traffic and makes a decision about if it trips an event to be logged or looks strange enough to be captured (along with some amount of surrounding context, if possible).

bongodongobob
0 replies
1d12h

Yeah you plug holes so you don't have to audit everything. Disable USB ports, alert on large file transfers, audit file access and device logins, no access to local network shares off-site, etc. That's probably good enough for 99% of the world.

Capturing all network traffic is absurd and I doubt that's even a thing. You'd need a department the size of the existing company to be able to manage and do anything meaningful with it. Maybe if you had a super secure jump box you could consider monitoring all the traffic on that, but there are much much easier ways to audit behavior than network traffic. Monitor the devices instead.

bongodongobob
1 replies
1d15h

As someone who has worked at companies, it sure as fuck is not. Unless you are a very valuable company or you make money with data/software, ain't nobody got time for that.

fomine3
0 replies
1d11h

Yeah, install EDR for satisfaction and forget.

NooneAtAll3
1 replies
1d18h

what does EDR mean?

rrdharan
0 replies
1d17h

Endpoint Detection and Response

orochimaaru
4 replies
1d15h

This is standard practice in all big companies. Everything is tracked and recorded. If you want to say something to a colleague that you don’t want management to know - use your personal phone and talk at a coffee shop or bar in person.

kshacker
2 replies
1d12h

Asking for a friend :) On VPN at home, using my work laptop, I happen to browse some non-decent content, more than once, maybe routinely. Is that all tracked or do VPNs have routing to use VPN only for company network, and leave NSFW be handled by my ISP? Or even if is going via ISP and not company network, are the companies usually able to track what all sites I visit

Not a Google employee BTW, but work for a company that I am reasonably sure does monitor their network.

toast0
0 replies
1d12h

Depends on the VPN config if it's everything, or just company resources. Split tunnelling seems uncommon from my experience with corp VPNs...

But if you're on work equipment, they likely have corp spyware looking at all your browsing even if you're not on vpn. Shop for fans or whatever you need to do on personal equipment.

orochimaaru
0 replies
1d5h

Is he on the corporate network on his work vpn? If so, this is recorded. You have to go via corporate proxies and use corporate dns. That’s easily trackable.

If he’s installed something like mullvad on his work laptop and he’s able to tunnel out from the corporate network, he’s probably safe from the content but has broken policy on unauthorized software, the intent of which can be malicious.

They won’t care in general. But if they want to get rid of him they’ll have the info ready.

resolutebat
0 replies
1d13h

It's indeed safe to assume everything is tracked and recorded and can be found if they bother to look for it, but a random line manager is not going to have access to any of it.

breakingcups
6 replies
2d4h

Incredible that he got pardoned.

therobot24
5 replies
2d3h

it's because he could afford it

barbazoo
4 replies
2d1h

Assuming you’re talking about money, how does one pay for a pardon?

blackhawkC17
3 replies
2d1h

He didn’t pay. But Peter Thiel and Palmer Luckey (two big Republican donors) recommended him to the Trump team for a pardon, and Trump obliged.

barbazoo
2 replies
2d

Ok, however, I still don't see "it's because he could afford it".

paulddraper
0 replies
1d14h

Not all affordances are cash.

dylan604
0 replies
1d18h

If you can't afford it, you're not hanging out with the likes of Thiel or Lucky. Just having money grants you access to certain circles even if you're not having to spend the money for that access, or it allows you to buy tickets to events with those people.

bigcat12345678
1 replies
2d4h

It's doubly awkward that this guy apparently doesn't know or underestimate Google's determination to trace employee' access.

flakiness
0 replies
1d22h

That determination got stronger after this incident.

lfmunoz4
9 replies
1d19h

Wonder if any Americans go to Chinese tech companies to steal secrets or if there is just nothing there to steal.

xeonmc
2 replies
1d19h

The secrets are which secrets had been stolen.

tivert
1 replies
1d18h

The secrets are which secrets had been stolen.

The Chinese probably have secrets worth stealing about solar panel production. They've pretty much driven everyone else out of business.

mr_toad
1 replies
1d17h

How many Americans go to work in China at all?

dagw
0 replies
1d6h

Lots, but generally to work at the Chinese offices of their US employer.

curt15
1 replies
1d16h

Wouldn't Americans find life behind the GFW pretty suffocating?

leoh
0 replies
1d13h

VPNs

hnfong
0 replies
1d13h

The CIA can basically tap into any network they want. Why take a big risk grooming an intern to join Huawei when you can just get what you want with the tap of a button?

Legend2440
0 replies
1d18h

I would be frankly disappointed if our government and tech companies are not doing the same.

throw393200
3 replies
1d13h

There have been a lot of falsely accused "spies" recently like Xiaoxing Xi, Sherry Chen, and Anming Hu.

All charges were eventually dropped.

I wonder what will happen with this case.

hilux
0 replies
1d10h

Wi Tu Lo. That one was totally bogus.

hayst4ck
0 replies
23h57m

Without an idea of how many cases were not dropped, it's hard to understand how valid what I feel you are implying is. There will always be false positives, so the existence of false positives is not surprising. It's upsetting and those people are owed reparations, but it wouldn't be unexpected.

Without any context it implies that the US is going on nationality motivated witch hunts, which might be true, particularly in the Trump era, but I also would be astonished if China did not have significant penetration into academia and American companies.

We know based on China's cyber operations that they are particularly interested in industrial secrets.

Given the existence of Chinese police operating on US soil, I doubt the characterization of witch hunts. I've read more than one compelling case of Chinese operatives courting IP theft too, including hearing one on NPR, which isn't exactly a conservative mouthpiece. China openly used organized crime to attempt to put down protests in Hong Kong in 2019. China has a history of arbitrarily arresting foreigners.

We’ve now reached the point where the FBI is opening a new China-related counterintelligence case about every 10 hours. Of the nearly 5,000 active FBI counterintelligence cases currently underway across the country, almost half are related to China. -- FBI director Christopher Wray, July 2020
everydecade
0 replies
1d11h

Wen Ho Lee

_cs2017_
3 replies
1d16h

Interesting.

The guy copied source code via copy paste... And it seems, also regular Google documents.

He was already caught uploading secret stuff, quit Google and bought a ticket to go to China, and was arrested only because he delayed the trip by a few weeks which was enough time for Google to discover more violations and contact the FBI.

Google didn't contact the FBI until they learned of older violations. Which begs the question: what triggered that: the fact that the earlier documents were more secret, more numerous, or the fact that the guy lied about destroying all previously downloaded data?

HeyLaughingBoy
2 replies
1d15h

Reminds me of the time I quit my job at a large corp and my boss advised me to not do any large downloads in the days just before I left because "IT has tools to scan for that and they might think you're trying to take secrets with you."

Guess this guy didn't get the memo.

hilux
1 replies
1d10h

Good boss!

whiplash451
0 replies
1d10h

I don't want to discount his kindness, but I guess he was also trying to prevent some mess for himself.

Being the direct manager in these situations is a hell of a ride no matter what your involvement is.

prepend
7 replies
1d18h

It’s interesting to me that google doesn’t do a security clearance review on its engineers.

I’ve had a security clearance in the past and there’s no way a foreign national passes. I got questioned significantly about a family member who was a citizen of another country.

I wonder if it’s just a matter of time.

mvdtnz
5 replies
1d18h

Is it your contention that Google should never hire anyone born outside of USA or without USA citizenship? Do you realise how much of their workforce that would preclude?

prepend
0 replies
22h52m

It precludes a great many people.

In my example, the US won’t grant security clearance to a foreign national. Even if you are a permanent resident, you don’t get clearance without citizenship.

jpk2f2
0 replies
1d17h

Of course not. However there should certainly be a risk assessment with regards to citizens of foreign countries known to steal IP or otherwise perform hostile actions.

calculatte
0 replies
1d13h

How many software engineers were laid off in the US over the past year? Shortage of talent is not the issue.

c2occnw
0 replies
1d17h

Presumably it would only be required to work on extremely sensitive projects with national security implications (no idea if that applies in this case).

2OEH8eoCRo0
0 replies
1d17h

without USA citizenship

For jobs in the US, yes.

shagie
0 replies
1d17h

Within weeks of the theft starting, prosecutors say, Ding was offered the position of chief technology officer at an early-stage technology company in China that touted its use of AI technology and that offered him a monthly salary of about $14,800, plus an annual bonus and company stock. The indictment says Ding traveled to China and participated in investor meetings at the company and sought to raise capital for it.

He also separately founded and served as chief executive of a China-based startup company that aspired to train “large AI models powered by supercomputing chips,” the indictment said.

Prosecutors say Ding did not disclose either affiliation to Google, which described him Wednesday as a junior employee.

---

They likely did... he did these things after joining Google as a junior employee.

https://www.eeoc.gov/national-origin-discrimination

Discriminating against a national origin is illegal as it is a protected class.

Unless the material is classified under ITAR ( https://en.wikipedia.org/wiki/International_Traffic_in_Arms_... ) there is no reason to do a security clearance review of a junior developer with a valid work visa.

jeffbee
7 replies
2d3h

The opsec of the people who eventually get indicted is always terrible. If you wanted to exfiltrate source code or docs, why the heck would you use the victim's own cloud storage product? You would just point a camera at your display and scroll through the desired materials, or use HDMI capture, or something along those lines.

diggan
3 replies
2d3h

Survivorship bias in action? The only ones we hear about are the ones who are sloppy enough to get caught. The people who know how to not get caught, doesn't get caught so we never hear about them.

trollerator23
1 replies
1d13h

Exactly. We only know about the terrible ones.

ecoquant
0 replies
1d7h

It also reminds me of stories I have read of drug mules that it makes no sense how they think they wouldn't be caught using the methods they were using.

The twist of the story though is they were duped themselves. They were setup to get caught as a decoy while the real crime took place.

flextheruler
0 replies
1d16h

Definitely. We’re certainly not living in a world where we catch more of these people than we don’t.

paulddraper
0 replies
1d14h

The opsec of the people who eventually get indicted is always terrible

By definition....

Yes

mr_toad
0 replies
1d17h

Pen and paper can work too.

everfrustrated
0 replies
2d2h

Possibly they thought it would appear as their business-as-usual Google related traffic flows.

Rather than say, some tor IP address which would stick out.

ironyman
5 replies
2d4h

Good time to post this article again: https://www.lesswrong.com/posts/z4MDDwwnWKnv2ZzdK/the-agi-ra...

China understands there is a real risk of the US gaining an absolute advantage in A[G]I development. It shouldn't surprise anyone that they will use all kinds of 'greyzone methods' to bridge this gap.

Dr_Birdbrain
3 replies
2d4h

Skimming through it I was confused.

- No homegrown semiconductor industry: isn’t the recent hand-wringing over the new Huawei chips proof of the opposite?

- No interest in training LLMs? Is that true? I thought Baidu was already on it?

In fact at every major AI conferences, Chinese R&D groups like Baidu and Ant group are major participants (and sponsors). I am talking about conferences like NeurIPS and AAAI, which both happened in the past few months.

EDIT: the comments of that article are also confused by that article, lol. Is there a joke that is going over our collective heads?

Twirrim
1 replies
2d3h

There's also a lot of research papers in AI coming out of Chinese universities.

rayval
0 replies
2d2h

Also I have seen some papers on Arxiv from FAANG companies that have a half-dozen or more co-authors, and almost all of those authors have Chinese names.

CuriouslyC
0 replies
2d3h

They're major participants and sponsors because they're definitely behind, and they're trying to rectify that.

nextworddev
0 replies
2d4h

This article should decouple 1) capacity to develop AGI versus 2) desire.

wg0
4 replies
2d2h

What exactly sterling secrets looks like? Suppose I work on a video streaming service. Spent 8 years. Now I know in and out of it. The ffmpeg the queues the buckets the meta data and what not.

Someone hires me. I build a steaming service. But this time I'm much more polished and faster.

Is this stealing too?

pradn
0 replies
1d13h

No, that would be your government or employer preventing you from using your specialized skills to earn a living. In theory, a competitor can hire you for your skills - but your new employer will make it clear they are "only hiring you for your skills, not your proprietary knowledge". I've see that clause even as a junior employee.

noslenwerdna
0 replies
2d

Definitely downloading and uploading company documents to people outside the company counts as stealing...

lupire
0 replies
2d2h

There is not exact definition. Real world is messy.

bredren
0 replies
1d19h

As a sibling comment mentions, it depends.

If you want to learn more, there is a thing called clean-room development which is a process used to reduce the legal risk of copyright and intellectual property violations.

ein0p
4 replies
1d14h

The guy was allegedly stealing all that using Google Drive. I find such moronic behavior really hard to believe. Literally, there’s no illusion of privacy at Google while using company hardware, let alone company services. This has become quite clear after the Levandowsky fiasco - some of the things disclosed there were surprisingly invasive far in excess of what you’d normally expect

hnburnsy
2 replies
1d14h

He was white washing the documents via Apple Notes and it worked initially. From the indictment I posted here...

In total, DING uploaded more than 500 unique files containing Google Confidential Information, including the trade secrets alleged in Counts One through Four. DING exfiltrated these files by copying data from the Google source files into the Apple Notes application on his Google-issued MacBook laptop. DING then converted the Apple Notes into PDF files and uploaded them from the Google network into DING Account 1. This method helped DING evade immediate detection.
ein0p
1 replies
1d12h

> This method helped DING evade immediate detection

Evidently not. It just shows that the guy is not a foreign intelligence operative - a professional could easily operate there for years undetected with fairly basic opsec. That said, aside from things like hardware designs and perhaps certain model weights, I struggle to think of anything at Google that anyone would want that’s not already on GitHub.

bigcat12345678
0 replies
1d7h

I struggle to think of anything at Google that anyone would want that’s not already on GitHub.

It was this person's ploy to pretend there is extremely valuable IPs in the docs he illegally obtained.

It just shows that this person indeed was clueless about large-scale engineering. I.e., stealing all of the code wont give any org the capability to do large-scale engineering. It most likely would cripple the org, as the foreign objects act as poison.

The ideal trick is to pretend that he possess the secret.

resolutebat
0 replies
1d13h

The guy wasn't exactly subtle about things:

Officials also reviewed surveillance footage showing that another employee had scanned Ding’s access badge at the Google building in the U.S. where he worked to make it look like Ding was there during times when he was actually in China, the indictment says.
martin1975
3 replies
1d15h

Just hire Chinese engineers who were born/raised here. It would meet the DEI quota and decrease the chance of industrial espionage. No guarantees, but I think this would help.

kajecounterhack
1 replies
1d11h

…so you mean hire Americans.

Also, pretty sure there are no DEI quotas for Asian men.

boohoowangle
0 replies
19h32m

No, he doesn't mean Americans. He meant Chinese engineers like Irish or German engineers who were born and raised here.

hilux
0 replies
1d10h

Chinese and Indian men do not count towards any DEI quota in tech!!

yellow_lead
2 replies
2d3h

I find it funny how Google is presenting this. These statements don't really mesh well.

“We have strict safeguards to prevent the theft of our confidential commercial information and trade secrets,” Google spokesman Jose Castaneda said in a statement.

Ding [..] began uploading hundreds of files into a personal Google Cloud account two years ago.

He resigned from Google last Dec. 26. Three days later, Google officials learned that he had presented as CEO of one of the Chinese companies at an investor conference in Beijing.
vasco
1 replies
2d2h

We have strict safeguards to prevent the theft of our confidential commercial information and trade secrets

This is just something companies have to say to keep their certifications / audits valid and not get sued by shareholders. In the end any system is leakable if workers really want to.

agitator
0 replies
1d16h

It's also to be defensible in court. If an opposing party can make the valid argument that "They leave the doors wide open and scatter IP willy-nilly, why wouldn't the IP get leaked?" it makes it harder to argue "Person X stole information when it was obvious that there was an expectation of secrecy"

thescriptkiddie
1 replies
1d14h

How can you "steal" a trade secret? Isn't the whole idea that you forgo any legal protection of the secret so that you don't have to disclose its nature, as you would have to with a patent?

anonuser123456
0 replies
1d14h

No. Trade secrets are intellectual property that have legal protection.

https://www.law.cornell.edu/uscode/text/18/1832

What a trade secret lacks in protection is the monopoly granted by a patent.

NicoJuicy
0 replies
2d3h

Welp. Infra secrets for deep mind too and access.

jjmarr
0 replies
1d5h

Within weeks of the theft starting, prosecutors say, Ding was offered the position of chief technology officer at an early-stage technology company in China that touted its use of AI technology and that offered him a monthly salary of about $14,800, plus an annual bonus and company stock.

Crime doesn't pay. That's a pretty lackluster bribe for a mid-career AI expert. I wonder if there's more behind it.

greatgib
0 replies
1d10h

Imagine leaving a Google position and risking a 10 years sentence for the reward of a "monthly salary of about $14,800" job.

axpy906
0 replies
2d3h

The title is “ Ex-Google engineer charged with stealing AI trade secrets while working with Chinese companies”

alexnewman
0 replies
1d14h

Disinfo is how you keep secrets.