
Google Security Team Member on NSA: "Fuck These Guys" - cdvonstinkpot
https://plus.google.com/+MikeHearn/posts/LW1DXJ2BK8k
======
sinak
I think it's pretty clear that we need both technical and legislative fixes to
NSA surveillance. Just one of the two isn't enough: to be even vaguely
confident that surveillance ends, we need both. The technical fixes I can't
speak to, but the legislative ones I've been thinking about for a while. In
the last week, there have been two prominent bills announced to deal with
surveillance:

- Bill 1: The FISA Improvements Act, from Feinstein and the Senate
Intelligence Committee. In short it legalizes most of what the NSA has been
doing.

- Bill 2: The USA FREEDOM ACT, from Sensenbrenner and Leahy, currently being
considered by the House/Senate Judiciary committees. It amends §215 of FISA to
end bulk phone metadata collection and fixes some of the problems with §702 of
the FISA Amendments Act (under which PRISM is run). But it doesn't fix §702
fully, does nothing to end BULLRUN (undermining encryption) nor the
surveillance that happens outside FISA (MUSCULAR, for example, and god knows
what else).

Obviously the Feinstein bill can't be allowed to pass. But some really big
names (ACLU, CDT) have thrown strong support behind the Freedom Act. I'm
wondering what we as the Taskforce(.is) should do. It's clear to me that it
doesn't go nearly far enough. And there's some chance that if it passes,
Congress will view this whole thing as "dealt with" and not revisit the issue
for years to come. But unfortunately the Freedom Act barely has the votes to
get out of the judiciary committee, and getting it to pass through both houses
requires a lot of momentum.

We've been working on a campaign asking folks to call and oppose Feinstein,
and potentially to support the Freedom Act. But I'm not sure if that's the right
move. Unfortunately, the public doesn't understand why privacy is important,
and Americans aren't nearly angry enough for Congress to do anything more
substantial than the Freedom Act. We might be able to push for amendments, but
it's a long shot.

tl;dr - We've got two bills in Congress. One is terrible, one is mediocre. But
we don't have the political momentum to do anything better than the mediocre
bill. What do we do? Tech advocate conundrum.

~~~
rayiner
Legislative fixes aren't going to buy you a lot, though they'll buy you
something. The fundamental problem is structural: there are a lot of things
the NSA is totally allowed to do, especially when it acts as an agency of the
executive outside of the U.S. Technologists tend to ignore national and
jurisdictional borders because networks cross those borders, but the powers of
the NSA are defined in terms of those borders. Not just statutorily, but as an
agency of the executive, Constitutionally.

For example, Mike Hearn says: "Bypassing that system is illegal for a good
reason." Illegal under whose law? Obvious things like the Wiretap Act simply
don't apply outside the U.S. And this is by design: Congress and the courts
are primarily domestic institutions. The executive, by design, has primacy
when it comes to activities outside the U.S. Maybe this design made a lot more
sense back in the day before the advent of trans-national corporations, but
it's the design we have, and we're talking Constitutional-amendment level
fixes to change that design.

Internally, you might see fixes without a Constitutional amendment. E.g. the
Supreme Court might at some point weaken the third party doctrine, which is
what makes a lot of the NSA's data collection not a violation of the 4th
amendment. But they won't touch the activities of the NSA internationally.

~~~
snowwrestler
U.S. law follows U.S. citizens around the world. For example if a U.S. citizen
robs a bank in the U.S. and then flees to the UK, when the UK police catch him,
he will be extradited and prosecuted in a U.S. court. He's not stuck into a UK
jail without a trial.

That's the minimum issue here--Google ships the data of U.S. citizens around
the world, and the NSA knows it. They are trying to play a cute game by
pretending to assume that if the GCHQ collects the data in the UK, the NSA can
safely treat it as foreign data. We need to call them on it.

~~~
rayiner
U.S. law does follow U.S. citizens around the world, but only in certain
circumstances does it apply to conduct abroad. For example, there is a law
against U.S. citizens engaging in underage sex tourism abroad. But such laws
are the exception. If you, e.g., murder someone in England, the U.S. can't
hold you accountable under American law.

Your example is a bad one, because in your example the law is broken by
conduct in the U.S. In this case, the splicing of the leased lines happened
outside of the U.S.

~~~
snowwrestler
The conduct in this case is not the fiber tapping, but the possession and use
of U.S. citizen data by the NSA. It does not matter how they gather it, their
restrictions are the same--they must limit and justify it.

~~~
rayiner
The Google+ comment objects to the fiber tapping. It doesn't say anything
about the use of U.S. citizen data, and the NSA asserts it has safeguards in
place to filter out such data from foreign taps.

------
cromwellian
It's ironic that when the Chinese attack against Google occurred, we thought
the Chinese government was the most hostile state actor threat to worry about,
but it turned out to be the US and UK government.

~~~
babar
Why do people assume the Chinese government is not able to use similar
techniques?

~~~
grey-area
China doesn't have agreements with BT, AT&T etc which allow it to tap fibre in
our countries at will. I'm sure they try some tapping, but they can't do it on
the scale that GCHQ and the NSA have been outside China.

~~~
ojbyrne
But they could easily have agreements with every chip fab to build back doors
into every piece of networking equipment.

~~~
ekianjo
That's very unlikely nobody would have noticed them by now, if it were the
case.

~~~
bhrgunatha
Do you mean - as unlikely as not spotting the weakening of encryption
standards - for example by another branch of the same government (NIST/NSA)?

~~~
astrange
Those were spotted.

~~~
kamjam
eventually.

------
lsh123
Let's start from the beginning: the NSA "hack" became possible because Google
(and its security team) made bad assumptions about the security of the
connection between Google's data centers and did not encrypt the traffic.
Basically, this is security 101: protect data at rest and protect data in
flight. So, sorry but I think the better subject for discussion would be how
badly Google screwed up, not how evil the NSA is. Moreover, it is not clear if
other governments or criminals also had access to the users' data (e.g. in
Google's data centers located outside of the US). So far Google did not
produce any public post-mortem thus we have no clue how bad the problem was.

P.S. I am sure I will get smashed in the comments, so let me say right away
that NSA actions should be controlled and audited by the public (e.g. through
our representatives in Congress). I think that the biggest "evil" here are the
members of Congress who either approved NSA actions or failed to do their job
and monitor/audit NSA properly. In particular, I would point my finger at Sen.
Dianne Feinstein [D-CA] who should have been ousted from office a long time
ago.

~~~
kllrnohj
> Let's start from the beginning: the NSA "hack" became possible because Google
> (and its security team) made bad assumptions about the security of the
> connection between Google's data centers and did not encrypt the traffic.

The assumption isn't bad - it's a private network line, not a public internet
connection. Nobody else had access to that line, at least they weren't
supposed to. Splicing a fiber line is a bit outside the scope of your random
attacker. You can't blame Google for not anticipating a hostile break-in by
the government. The discussion should absolutely, 100% be directed at the NSA
here. To accept that a _private_ network connection is open season for the
government to tap is batshit insane.

> Moreover, it is not clear if other governments or criminals also had access
> to the users' data (e.g. in Google's data centers located outside of the
> US). So far Google did not produce any public post-mortem thus we have no
> clue how bad was the problem.

How is Google supposed to tell you if they themselves didn't know?

Although from the leaks it sounds like everyone is fucked thanks to the GCHQ
and the NSA getting friendly with each other.

~~~
lsh123
Well, I feel that encrypting traffic _inside_ the data center is not a bad
idea (and we do it at WePay where I serve as CSO). The reason is that you
never know who is listening (big smile here). For example, I don't want our
system administrators to have an _easy_ way to look at the traffic: yes, it is
still possible to do but it is harder and requires some very unusual actions
that will trigger alerts everywhere.

If indeed Google does not know then it's just another sign of security
failures at the company. Nobody is perfect and security incidents do happen.
Good security will have in-depth defense and built-in monitoring/audit measures
that would at the very least allow you to determine what has happened
post-factum.

~~~
kllrnohj
> Well, I feel that encrypting traffic inside the data center is not a bad
> idea (and we do it at WePay where I serve as CSO).

Do you have your own data center building? And if you don't have your own data
center buildings, how are you guarding against physical attacks? Because just
saying "encryption" doesn't actually mean anything. Encryption isn't free, and
at Google scale that can add up. Useless encryption is just wasted power.

> For example, I don't want our system administrators to have an easy way to
> look at the traffic: yes, it is still possible to do but it is harder and
> requires some very unusual actions that will trigger alerts everywhere.

That can be accomplished in many ways that don't involve encryption. And your
servers are all capable of decrypting the data at some point, so you still
have to trust your sys admins and/or have alternative systems in place as they
still have access to the unencrypted data.

> Good security will have in-depth defense and built-in monitoring/audit
> measures that would at the very least allow you to determine what has
> happened post-factum.

How, exactly, do you detect cable splicing? Much less audit said splicing? You
seem to be asking for a hell of a lot more than "good security".

~~~
lsh123
At WePay - no, we don't have our own data centers just yet. In a couple of
large companies I worked at before - yes (and we did encrypt the traffic as
much as possible).

Some types of encryption are pretty cheap actually. I used to use special SSL
cards in the servers 10-15 years ago but today my laptop would outperform
these cards and wouldn't even get hot :) Plus you need to remember that
relatively expensive public key encryption needs to be done only for key
exchange. After that you run block or stream cyphers and those algorithms tend
to be _really_ fast.

So far I haven't seen any evidence that there was cable splicing. Thus using
Occam's razor I would assume that the hack was much simpler than that. To
detect the issue, I would start from reviewing the visitors log to the data
center (assuming there is a visitor log).

I'll re-iterate that security should be built on the defense-in-depth principle.
Every single protection layer will fail or someone will go around it. The
assumption that a data center is "safe" is a bad assumption, period. You have
to play the "what-if" game and think for the attacker.

~~~
kllrnohj
> So far I haven't seen any evidence that there was cable splicing. Thus
> using Occam's razor I would assume that the hack was much simpler than that.

What? The evidence totally points to cable splicing. What hack involves
getting all the inter-DC packets but nothing else? Obviously the machines
weren't compromised, or they wouldn't have cared about reverse-engineering the
wire protocol. So what are you proposing was hacked?

> I'll re-iterate that security should be built on the defense-in-depth
> principle. Every single protection layer will fail or someone will go around
> it. The assumption that a data center is "safe" is a bad assumption, period.
> You have to play the "what-if" game and think for the attacker.

And I'll re-iterate that you're asking for a goddamn magical pony.

Side note, if your data center isn't safe go get a new one. Seriously. Most
DCs have tons of security to _make them safe_. That's not an assumption.

~~~
lsh123
> The evidence totally points to cable splicing.

I don't think there is any evidence at all. As far as I know, the only known
thing is that NSA was able to obtain the un-encrypted google traffic. For
example, it could have been a backdoor in the router, one extra cable in the
switch, or a few other similar low-tech options.

> Most DCs have tons of security to make them safe.

Don't disagree. But this doesn't make them invincible from other attack
vectors (e.g. rogue employees). I actually heard the same argument from quite
a few people during interviews and I usually don't hire them because you have
to be paranoid to get security right :)

------
ChuckMcM
I wondered about that traffic, and getting confirmation from the source that
the only way the NSA could have it would be by tapping into the internal
network is quite damning.

Google has the best OpSec team I've ever known, it is my hope that they close
this 'loophole' as completely as possible.

~~~
rsync
Google, and their "geniuses" in opsec, should not be given a pass at all for
this.

Even if this is a leased private line, non-Internet routed, whatever, it is
trivially easy to encrypt the communications and is absolutely a best
practice. I see this as great big egg on their face.

In fact, it's such a cock-up that one wonders if this is the plausibly
deniable ingress that they agreed to provide for the NSA, et al.

This is akin to using telnet to access your home server because you're "on
your own network". Nobody does that and I can't believe they would have
either.

~~~
res0nat0r
Tapping multi-mode dark fiber unnoticed is now considered trivially easy? I
must have missed when the bar was shifted this high.

~~~
crucifiction
You don't need to tap dark fiber for this to be poor security. They were
passing all internal data around in clear text. It would have been trivial for
any data center employee to gain significant amounts of open data this way.
Why wouldn't you have services, db connections, etc. encrypted internally? It's
certainly possible and done within many companies, it is surprising how lax
google was in their assumption that once inside the network everything is
going to be a-ok.

~~~
res0nat0r
This isn't something that is "easy" when you run one of the biggest
infrastructures in the world.

------
thex86
Appreciate Mike speaking up like this. We need more people within the industry
to speak up. Not just hackers.

(People within these companies are also hackers, but they have more effect
when they speak because they are part of a company)

~~~
justin66
I agree, but I do wonder what is going to happen when people start speaking up
to say something quite the opposite. "I don't speak for my employer, but I
think the NSA is quite awesome and I don't mind that they've been listening to
us at all." Or something to that effect.

The clash might be interesting to watch.

~~~
dpacmittal
With the increasingly alarming NSA plans being revealed, if someone thinks NSA
is doing a good job, they deserve to be fired. His thoughts and opinion
don't give him the right to have public data available to governments.
This, of course, assumes that he is on the Security Team at some well known
company.

------
bowlofpetunias
Oh, the hypocrisy....

> "Bypassing that system is illegal for a good reason."

Yes, so is invasion of privacy. Yet Google has no problem breaking the law and
violating civil rights for profit.

> "Unfortunately we live in a world where all too often, laws are for the
> little people."

Yeah, like tax laws and privacy laws...

If you want to get on this high horse, you shouldn't be working for Google.

~~~
nodata
Erm, what? Which law did they break, and which civil rights did they violate?

~~~
CaptainZapp
Like indiscriminately and illegally sucking up WiFi data with their street
view mobiles?

Including account information and passwords on unsecured WiFi connections.

Even if the accusation of "violating laws" may be a tad hyperbolic in the
great scheme of things it's not a stretch to deem Google one of the most
hypocritical companies around.

~~~
thezilch
Except, they didn't explicitly mean to do that, stopped doing that, and paid
for the autonomous collection of trash that they threw out.

~~~
icecreampain
You are very naive if you think that Google does something by mistake (that
also happens to fit well into their Big Black Hole of Information).

~~~
raldi
I work for Google, and I can assure you, we do 100,000 things by mistake every
day.

------
SCdF
This has been asked before, but I'd love to hear from a dev (anonymously of
course) who actually helped build this NSA madness. Is it like The Cube, where
no one really knew what each piece was for? Is it that they are morally pro
the NSA's attitude toward personal and corporate privacy, or do they just not
care either way?

~~~
wmf
In _The Shadow Factory_ (written after the Klein leaks but before Snowden),
Bamford notes that a lot of surveillance equipment comes from Israel. I don't
know much about Israeli culture but it may be significantly different from the
US.

~~~
samstave
I am at the OpenStack conference right now. My colleague was talking in Hebrew
to a lot of folks the past few days. I said to him jokingly "Where did all
these Israelis come from that are here"

His reply: "Dude, all this shit comes out of Israel! It's the whole tech/NSA
bullshit used against the palestinians!"

It was a casual comment - but very interesting in that it's a foregone
conclusion that the surveillance state is just a function of the culture of
Israeli tech development.

~~~
rhizome
Highly self-aggrandizing. I think the most that can be said is that it's a
highly symbiotic relationship between .us/.il.

------
ismail
'Privacy' currently is just a facade, most people have just not realised that.
Here is an interesting fact that Joe Public does not realise.

If you have a mobile phone, you can be tracked, even if there is no GPS on the
device. Besides this if the NSA chooses, they can track practically ANYONE in
the world, all they need is a mobile number. I would not be surprised if this
is actually one of the tools they have.

How?

Due to the nature of how GSM and mobile operators integrate when roaming. When
a mobile operator signs an international roaming agreement, they set up
signalling links between their switches and VLRs (Visitor Location Register).

The mobile operator in the visited country needs to authenticate you against
your home network, this happens via SS7.

Once this link is established, it is assumed to be trusted, and most operators
_DO NOT_ apply any filtering on these commands. So with a carefully crafted
SS7 command, you could request the location of a mobile subscriber, even if
they have not even attempted to join your network.

Now here is where it gets interesting, get access to send SS7 commands from an
operator with many international roaming agreements, and you can get details
on practically any subscriber. Get access to 2-4 (i.e. AT&T, T-Mobile,
Vodafone) of these massive tier1 operators, and you can get the location of
practically everyone with a mobile handset.

~~~
Raphmedia
I don't have a mobile phone.

You don't need one, really. Skype at work, landline at home. Why would I want
to talk to anyone on the go?

I go out for beers and other social activities all the time. My social life is
not suffering at all. The need of having a cellphone is a lie.

------
LiamMcCalloway
I am surprised this excerpt from Alan Rusbridger's article in the New York
Review of Books [1] hasn't made the rounds:

> "But I did have an interesting (unattributable, of course) briefing from
> someone very senior in one West Coast mega-corporation who conceded that
> neither he nor the CEO of his company had security clearance to know what
> arrangements his own organization had reached with the US government. “So,
> it’s like a company within a company?” I asked. He waved his hand
> dismissively: “I know the guy, I trust him.”

West Coast mega-corporation does not know what West Coast mega-corporation
does.

[1] [http://www.nybooks.com/articles/archives/2013/nov/21/snowden...](http://www.nybooks.com/articles/archives/2013/nov/21/snowden-leaks-and-public/?page=2)

------
adamnemecek
Wow, a guy working for Google said "fuck you" to the NSA. All my doubts and
worries are gone now.

~~~
Amadou
Are you being sarcastic?

For months Google's only public response was to lobby the government for
permission to release stats(?) to prove that they complied with the law - nary
a word of criticism for the law itself.

So now that Google's own autonomy has been breached by the NSA (all above-
board and legal according to the NSA's legions of loop-hole seeking lawyers)
instead of just Google's users, now they are mad?

I just made another post about how a lot of people are unable to imagine what
it's like for others to be in a situation until they themselves are in the same
situation. But... I'm not so sure Google, as an organization, has fully
recognized the scope of the problem here.

~~~
adamnemecek
I was being sarcastic, yes.

~~~
Amadou
OK.

I had a laugh-snort reading the discussion on that page - at one point the
original author, Mike Hearn, tries to argue that ad-based services are
actually a good thing for privacy. Does Kool-Aid have a google flavor now?

~~~
enneff
You should respond to his argument instead of accusing him of brainwashing.
The latter does nothing to advance the conversation.

~~~
Amadou
Can't. I so disbelieve in his argument that I won't sign up for G+.

Besides, as Upton Sinclair was fond of saying, "It is difficult to get a man
to understand something, when his salary depends upon his not understanding
it."

~~~
enneff
I'm suggesting you could rebut his argument here instead of just insulting his
integrity.

~~~
Amadou
I doubt he's reading this - but for you, sure...

His claim is that there aren't any viable anonymous payment systems for the
web but that advertising is semi anonymous, so that's better.

(1) There are ways to make anonymous payments on the net, I can use cash to
buy cash-cards in denominations up to $500 that work just like debit cards
online, they are even branded with Visa and/or MasterCard. Until a couple of
years ago you could buy even larger denominations but war on terror hysteria
made it illegal to do without providing ID. None of the entrenched powers
seemed to mind the new regulations all that much, which leads to...

(2) The rise of advertising as the primary source of online funding has choked
out development of alternative online payment systems in the same way that an
invasive species chokes out native species that occupy the same ecological
niche. If it weren't for companies like google we wouldn't be in the situation
we are now because a lot more work would have gone into the development of
alternative payment systems.

(3) The entire goal of modern online advertising is to identify and track
users as narrowly as possible so as to better "target" them. The more
sophisticated online advertising systems become, the less anonymous the users
become. Companies like BlueKai and hundreds of others exist to connect your
real-life identity (and associated database entries) with your online
activity. Even google does it with their real names policy for g+.

So instead of each vendor only knowing about the specific transactions they
have with you, there exist multiple databases that amalgamate all of your
transactions (online and offline) across multiple vendors into one central
record that is for sale. I'm well aware that Google thinks their user records
are super proprietary and that they would never make that data openly
available outside of Google, but (1) they are far from the only holder of such
data and many of the others see selling/renting that database as their main
source of profit, (2) sophisticated use of targeted ad-buys can indirectly
mine Google's data, it's not as easy as just buying access like you would from
a place like Experian but it is feasible under the right circumstances and (3)
who can say if Google will have a change in corporate direction tomorrow and
start selling access to all that data that they have been collecting for over
a decade?

So, in short, his claim was so blindered that it really was quite ridiculously
naive/ignorant.

~~~
enneff
Thank you for responding in a meaningful way. I appreciate it.

> There are ways to make anonymous payments on the net, I can use cash to buy
> cash-cards in denominations up to $500 that work just like debit cards
> online, they are even branded with Visa and/or MasterCard.

This still puts you at greater risk of exposure than creating a Gmail account
through an anonymizing proxy. Prepaid cards can be traced to where they are
purchased, which at least narrows your location geographically, if not the
exact location. From there the NSA could probably catch you buying it in
person by reviewing CCTV footage.

> The rise of advertising as the primary source of online funding has choked
> out development of alternative online payment systems in the same way that
> an invasive species chokes out native species that occupy the same
> ecological niche. If it weren't for companies like google we wouldn't be in
> the situation we are now because a lot more work would have gone into the
> development of alternative payment systems.

I don't really understand this point. You seem to be positing a world where
online advertising didn't become the dominant mechanism for making money on
the web, but you don't explain how this could come about. Perhaps if
"companies like Google" did not exist? But there were advertising companies
before Google and there will be long after Google is gone. Advertising is an
inextricable part of the global economy. It would take a revolution to change
that.

> So instead of each vendor only knowing about the specific transactions they
> have with you, there exist multiple databases that amalgamate all of your
> transactions (online and offline) across multiple vendors into one central
> record that is for sale.

I think this is deeply wrong and I wouldn't be working for Google if I thought
we were heading in this direction. It's not my place to comment further on
your other assertions about Google.

> So, in short, his claim was so blindered that it really was quite
> ridiculously naive/ignorant.

I don't see how your argument supports this claim. Nothing you have said would
be news to Mike, who has been thinking about all this stuff longer and more
deeply than most people. He just has a different perspective to you, that's
all.

~~~
Amadou
_This still puts you at greater risk of exposure than creating a Gmail account
through an anonymizing proxy._

I note that you've specifically gone to the most extreme case of the state
looking to track you rather than some other private entity. The NSA/FBI
looking at camera footage at the point of purchase for a cash card is just as
likely as the NSA de-anonymizing your proxy (well probably less likely given
what the NSA has been up to). However, for private databases nobody is going
to make those efforts. But what they will do (and do all the time) is
cross-reference web activity to minimize anonymity and increase "targeting."

_Advertising is an inextricable part of the global economy. It would take a
revolution to change that._

That's circular. My point is that the industry's overwhelming movement toward
advertising as a payment system starved out the development of alternative
payment systems, micropayments, e-cash, etc. Hell, paypal could be so much
more privacy preserving simply by not disclosing your email to the seller but
they don't make that trivial effort because they have no competition.

_I think this is deeply wrong and I wouldn't be working for Google if I
thought we were heading in this direction._

If you think I am specifically talking about Google, you are mistaken. Go
install Ghostery and watch how simply visiting a web page like The Verge gets
you into the databases of at least 7 different trackers other than Google. If
Mike Hearn was arguing that google should have a monopoly on advertising
because google currently doesn't deliberately share its secret stash with
anyone, then that opens up a whole different line of disagreement.

~~~
enneff
The industry moved to advertising because it works. When something more
compelling comes along, people will move to that. So far it doesn't exist, but
many people are trying.

PayPal are not a monopoly, by the way. I would not be surprised to see them
unseated from their current position in the next few years.

I do have Ghostery installed. I'm glad it exists, and wish more people would
use it so that they could see the extent of the tracking that's going on.

> If you think I am specifically talking about Google, you are mistaken.

I was responding specifically to your paragraph about Google.

~~~
Amadou
_The industry moved to advertising because it works._

That's really overly simplistic. It's a complex system and to assume that it's
the best system (as Mike Hearn stated) is to ignore the fact that there are
competing interests at work and the ones who value privacy have significantly
less clout than the ones that don't.

_PayPal are not a monopoly, by the way._

That's just wordplay. Paypal has not faced significant competitive pressure
for over a decade, if ever.

------
caycep
Here's one potential cultural snafu - my understanding is US intelligence is
based almost entirely on SIGINT. I'm not sure how great we are at plain old
HUMINT, i.e. using people and relationships to get information and an overall
picture of the world.

So all the defense community was raised on SIGINT, and anything seen as a curb
on this - technical or legal, they will probably view it as some sort of
existential threat. They would then fight tooth and nail to block any sort of
reform. And the military industrial complex has quite a lot of legislative
muscle....

~~~
Nick_C
One of the outcomes of various 9/11 reviews was the realisation that HUMINT
had degraded as far as it had. The problem is that it is very expensive, both
in time and money, and it has uncertain outcomes.

The rise of technology, both its widespread use by the public and the ability
to capture it by agencies, had made SIGINT seem much more attractive in the
couple of decades prior to 9/11.

So, yes, agencies had become over-reliant on SIGINT over HUMINT, but for
understandable reasons with the benefit of hindsight. Currently, they
certainly don't view it as an existential threat and all agencies are working
to re-establish HUMINT capability, the opposite of trying to block it. The
trouble is that it is hard, really hard work.

------
thejosh
Non mobile post:
[https://plus.google.com/114798402540078632611/posts/LW1DXJ2B...](https://plus.google.com/114798402540078632611/posts/LW1DXJ2BK8k)

~~~
arkem
and here's the original "fuck these guys" post
[https://plus.google.com/108799184931623330498/posts/SfYy8xbD...](https://plus.google.com/108799184931623330498/posts/SfYy8xbDWGG)

The submitted link is Mike Hearn agreeing with and elaborating on Brandon
Downey's original thoughts on the matter.

------
rdl
I'm personally far more angry with Congress utterly failing in their oversight
role, and to some extent with the judiciary for becoming at best a rubber
stamp, than with NSA. The President (pretty much from LBJ onward, but even
farther back) is also fairly complicit in this, but that part is accelerating.

I would probably be a single-issue voter if a candidate for congress were
likely to win and was aligned with me on this issue but opposed on virtually
everything else.

One essentially-fantasy is to run for Congress directly. Unfortunately I
haven't lived my entire life to my mid-30s in trying to become a viable
political candidate, so this would be difficult. Central or Eastern WA is
probably the best bet, along with starting a 50-500 person business which
employs a lot of local people (manufacturing of some kind) and generally being
an engaged local citizen for a decade or more. But that's a long term goal.

------
poxrud
The NSA must have somebody working on the inside at google. Otherwise it would
be extremely difficult to reverse engineer the RPC protocol that was used by
google's servers to communicate between each other. Even on an unencrypted
network I can imagine it would be very difficult to reverse engineer the
protocol without any help.

~~~
vinkelhake
The RPC protocol is stated to be based on protocol buffers so the encoding is
known. What you would need to do to reverse engineer it is coming up with
matching message descriptions.

But, even without that piece of the puzzle, reverse engineering a protocol
that doesn't use encryption wouldn't be "extremely difficult". This is not an
indication of an inside man.

[https://developers.google.com/protocol-buffers/docs/overview](https://developers.google.com/protocol-buffers/docs/overview)

~~~
acqq
The only published information is how the values are encoded, not what is
encoded (the specifications aren't transported together with the data) so to
crack 1622 different protocols only involved in authorization according to the
NSA slide is not such a small task, at least if they are interested in more
than just recognizing e-mail addresses which can be found using regexps. And
just counting the protocols proves that they were indeed interested in more.

~~~
cromwellian
The screenshots of the ascii dump of the RPC calls shown in the WaPo article
show that there is tons of information to work with, besides just the email
account.

You're talking about the NSA here, an outfit which has cracked the
cryptosystems of foreign governments in a variety of foreign languages, and
even cracked a Russian one-time-pad that they had accidentally used more than
once.

I don't think it's very hard at all for them to reverse engineer RPC
serialization that is not even encrypted if they can crack cryptosystems.

~~~
acqq
Of course it's not impossible just reverse engineering the protocols but we
now know that these guys also rightly measure their smartness by taking
shortcuts wherever they can. It would be stupid to do unnecessary work to
"rediscover" easily accessible information. The right approach is using the
internal documents describing the protocols. Shouldn't be so hard, "it's all
in the cloud."
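
An added illustration of the point argued in the sub-thread above (not part of any comment, and not Google's code): a schema-less walk of the published protocol buffers wire format, showing that field numbers, wire types and string values are readable from cleartext without the `.proto` description, while field names and meaning are not. The sample bytes and the field layout they imply are constructed for this example.

```python
# Added example: schema-less walk of the protocol buffers wire format.
import struct

WIRE_NAMES = {0: "varint", 1: "fixed64", 2: "bytes", 5: "fixed32"}  # 3/4 (groups) rejected

def read_varint(buf, pos):
    """Decode a base-128 varint starting at pos; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def interpret(chunk):
    """Heuristic for length-delimited data: text, else nested message, else raw bytes."""
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    try:
        return decode_raw(chunk)
    except ValueError:
        return chunk

def decode_raw(buf):
    """Return [(field_number, wire_type, value)] using no .proto description."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire = key >> 3, key & 7
        if number == 0 or wire not in WIRE_NAMES:
            raise ValueError("invalid field key")
        if wire == 0:
            value, pos = read_varint(buf, pos)
        elif wire == 2:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = interpret(buf[pos:pos + length]), pos + length
        else:
            size, fmt = (8, "<Q") if wire == 1 else (4, "<I")
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value, pos = struct.unpack_from(fmt, buf, pos)[0], pos + size
        fields.append((number, WIRE_NAMES[wire], value))
    return fields

# Constructed sample (not captured traffic): a number, an address, a nested record, a 32-bit word.
SAMPLE = (bytes.fromhex("089601") + b"\x12\x11user@example.test"
          + bytes.fromhex("1a06080112026f6b") + bytes.fromhex("2501000000"))

if __name__ == "__main__":
    for field in decode_raw(SAMPLE):
        print(field)
```

The output carries only field numbers, so what field 1 or field 4 means still has to come from a message description or from inference; the defensive takeaway is that an unpublished schema is not a confidentiality control, and only encrypting the link hides the values.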

------
pvnick
Keep in mind when considering reform by our legislature that any serious
efforts on that front will likely be undermined with blackmail made possible
by the very surveillance apparatus they are attempting to curtail [1]. I
sincerely hope that Snowden's revelations prove or at least strongly hint
towards such an assertion because until they do it's still "conspiracy
theory." Free society is in deep shit, and for the life of me, even though
I've thought about it obsessively for the past couple months now, I have no
idea what can be done about it.

[1] [http://www.boilingfrogspost.com/tag/russ-tice/](http://www.boilingfrogspost.com/tag/russ-tice/)

------
allochthon
My feeling is that the NSA/GCHQ hack was arguably an unfortunate thing for
them to do, although somewhat predictable, once one knows of the existence of
the network topology vulnerability that was exploited. But presumably
somewhere in Google someone knew about this possibility sometime back. I
wonder whether there was an assumption that nobody would be clever enough to
figure things out, or whether security engineers were working 24/7 to fill in
the gap and just didn't get there in time.

Either way, this is a good stimulus for rolling out deeper encryption.

------
bcoates
Is information about disruptions to the US PSTN collected anywhere?

The discussion of cable tapping and the NSA's apparent taste for doing things
the expedient way instead of the legal way makes me wonder if the "vandalism"
domestic underground fiber cuts in the years after 9/11 form an interesting
pattern.

------
lazyjones
Cussing is all fine and understandable, but I missed the part where the Google
opsec team was searching for and plugging the holes the NSA is exploiting, or
switching to another carrier, or suing the NSA for illegal wiretapping.

~~~
NamTaf
The problem is that it's not the NSA doing it. It's GCHQ, in the UK.

~~~
antihero
What was the physical location of this fiber? The UK?

~~~
estel
Yes, according to the Washington Post, the interception took place in the UK.

------
cpeterso
I can understand using unencrypted network _within_ a data center (unless you
are doubly paranoid), but why wouldn't they encrypt data _between_ data
centers?

~~~
parliament32
Apparently these data centers were linked via dedicated lines -- there was no
traffic or outside access to these fiber lines. They were used solely for
communication between the two data centers (so technically still an isolated
network).

~~~
rurounijones
A pretty good example to smack in the face of all those "Just Air-gap your
distributed SCADA system!" devotees.

~~~
Daniel_Newby
Such people exist?!

~~~
gonzo
they do, sadly

------
w_t_payne
So, this is how it's gonna play out:

Over the next few years it will become more and more common for "in-flight"
data to be encrypted. As the "low-hanging fruit" starts to disappear, state-
level attackers will increasingly turn their attention from fibre to endpoint;
with a corresponding increase in the number of attacks on mobile devices,
apps, and embedded systems. This is, to put it mildly, incredibly challenging
terrain for passive defence, where complexity all-but-guarantees unknown
vulnerabilities and hidden attack vectors.

Now, I am not too sure about the ethics of active defence / networked HIPS,
(Too similar by a long shot to the sort of malevolent behaviour it is supposed
to defend against) but it might be something that we are going to have to have a
look at.

------
api
"Unfortunately we live in a world where all too often, laws are for the little
people."

This is sort of the crux of it. We are degenerating into a true oligarchy
and/or gangster state in which there are two different systems of law: one for
the politically connected and one for the plebs.

------
arca_vorago
My bet, especially with the rumors of a secret google data ship, is that
google is getting ready to make a data power play.

Something along these lines:

"Look at the horrible way NSA treated our customers... We're gonna make sure
the NSA can't get our data in the future, and protect everyone's data. Come
use our services where we treat you right!"

It was always just a matter of time before a corporation had the ability to
compete in the total information awareness arena with the three letters.
Google is probably the primary candidate that has the capability, besides
MS/Apple.

Of course the three letters win on the data side, but the company wins on the
customer side. Win win. For them. Lose for us.

------
ynniv
I think that we also forget in this age of reduced crime, that it doesn't
matter whether or not something is illegal if you have no means of preventing
someone from doing it or holding them responsible when they do. We discovered
this situation not by uncovering the intrusion, but from leaked documents. The
government has a lot of employees and likes to document its operations, which
can lead to whistleblowing... organized crime has few employees, tight lips,
and doesn't offer the same protection of whistleblowers. The problem here is
not the NSA.

------
androtheos
Any data running over a leased or owned fiber between data centers should
still be encrypted. Why didn't they have a VPN between the data centers? I
don't get it and I personally think it's inexcusable. I believe I would lose
my job if my company's data was stolen and there was something I could have
done to prevent it, and rightly so. I personally think that everyone has been
far too forgiving of companies like Google, Yahoo, Microsoft, Facebook etc...
for having done such a poor job of protecting the data we entrust to them.

------
stevenrace
They are likely both complicit in - as well as victims of - fiber tapping
given GOOG now owns the building housing one of the largest peering exchanges
on the Internet [1].

[1] 111 Eighth Ave in NYC (housing Hibernia's trans-Atlantic cable, Equinix,
Deutsche Telekom, etc)

[http://www.datacenterknowledge.com/archives/2010/12/03/wsj-g...](http://www.datacenterknowledge.com/archives/2010/12/03/wsj-google-has-bought-111-8th-avenue/)

------
acd
I think the trend has been like this, and history tends to repeat itself but
in different forms.

1) Main frame - central computing

2) PC revolution - decentralized computing

3) The cloud - central computing

4) ? Hackers invent p2p - decentralized network, corporations and government
not in control of any communication, information heavily encrypted, possibly
distributed using erasure codes. Network run by friends who you can trust.
Code written by hackers

------
davidgerard
"Fuck these people" was Wikipedia's reaction to seeing the puzzle globe on the
NSA slide too. First time I've ever seen Jimmy Wales use profanity in a tweet:
[https://twitter.com/jimmy_wales/status/362626509648834560](https://twitter.com/jimmy_wales/status/362626509648834560)

------
josefresco
Global security sure is easy if you're an engineer working for a large tech
company. I say that with as much sarcasm as possible.

Day after day I see post after post around the tech web about how horrible the
actions are of the NSA but few if any propose a workable solution to balancing
both securing _and_ obscuring actions taken to protect a nation, with the
public's need for privacy and protection from abuse.

Oversight, oversight, oversight is all we hear yet nothing concrete to
describe how the US (or any nation) is supposed to provide security and keep
the enemy from monitoring the techniques and actions taken by intelligence
services.

Maybe I'm naive but I don't see a way to keep spying (something all nations do
and have done for centuries) with the public's need for complete disclosure.

------
vorce
I think it's time to also highlight the fact that people enabled the NSA to do
these things. A lot of them engineers. In some cases I'm sure the ones
building the stuff didn't or couldn't see the end goal. But I guess there have
been many who HAVE suspected or known about the use-cases of the
products/software that they have been a part of making. This scares me, it is
time that engineers take some moral responsibility. Maybe some course in
ethical decision making wouldn't hurt to include in engineering colleges?

(Note: All fields should take moral responsibility, but engineers seem to be
worse than a lot of others.)

------
frank_boyd
Well that's ok. But what really needs to happen is this to come from the top
management - and most of all, they need to ACT accordingly. Until then, all
these "fuck them" exclamations aren't worth a dime.

~~~
cromwellian
You mean like working on projects to encrypt all of their data center links,
which started, incidentally, before the Snowden revelations. Or the fact that
David Drummond and Eric Schmidt have publicly said the diplomatic equivalent
of 'fuck these guys'?

------
ksk
Well, if you read the Terms of Service that Google (and to be fair - everyone
else) makes people agree to - Google is free to sell your data to anyone they
want. So I don't know which 'Google user' is expecting their data to be
private anyway. Not to beat the 'you are the product' dead horse, but I wonder
if they were to actually start selling user data would people be in uproar?

------
badwetter
The judiciary should always have an adversarial relationship with the
Intelligence community in order to have checks and balances. I think FISA
could work with more and varied members on its committee.

Feinstein is a joke and obviously isn't well informed on the subject matter
she's supposedly overlooking.

------
rurounijones
Given the snippet of traffic involved, can they make an educated guess which
links were compromised to get it? (It is DB replication traffic so if you know
the source DB and the dest DB then you can work out the route... in theory
anyway, with Google Complexity, who knows...)

------
tonyplee
Just simple big government(s) vs. big company - happened over and over again
in history - remember how powerful Microsoft was at the end of the 90s.

Governments don't like challenges to their power. They will find ways to control
the Jedi Council.

~~~
cinquemb
I really don't think this is that clear cut. On this thread alone, two people
have vouched for their companies that encrypt internal traffic as
standard MO (wepay, and another larger than google [by their words]) and
considering that some mailing list chatter[0] has pointed out some interesting
dynamics (read duplicitous) on the behalf of some companies (among the remarks
on here), I wouldn't fool myself with it's that simple.

As someone working on a start up now dealing with crowd-sourcing/mining data
on people/identities and leaving it public, it's very interesting to see the
dynamics play out with online services especially with ones that create the
perception of walled gardens vs those that position themselves as inherently
public and the flak (or lack thereof) they take from privacy advocates and
what not.

[0] [http://cryptome.org/2013/10/nsa-hysteria-coverup.htm](http://cryptome.org/2013/10/nsa-hysteria-coverup.htm)

------
kriro
Where are the startups that disrupt the 1984 surveillance state? I think YC
recently ventured into nonprofits, maybe they should consider adding one
company that "furthers the cause of freedom" to each batch or something.

------
sschueller
How do we know the Chinese or someone else hasn't hacked into the NSA and is
using that data to gain access to secure systems that would otherwise be
almost impossible to break into?

Wasn't there a Google break in not so long ago?

~~~
Andrenid
Considering the track record of Governments and technology, I pretty much
assume that whatever systems the NSA (and friends) had made are so ridden with
holes that any/all people who really want access to it, already do, and that
all our (worldwide citizens) access is basically out in the open now.

If anything, I'm actually pretty impressed it has gone on this long without
seeing posts on underground forums offering access via cracked/leaked accounts
and 0days, in exchange for money. Or maybe it has?

------
znowi
It's good to see there are still people at Google with integrity and not
afraid to speak up. Sadly, they do not run things. In this environment, you
either quit or turn to the dark side.

------
puma1
Being that google probably has an unreal security, did they know the NSA got
in.. or was it a surprise after learning it from the info leak?

------
cgtyoder
This is the first time I've seen a HN article pass the 1000-point mark. Who
doesn't love someone telling the govt to eff off?

------
__matt
fuck these guys, they stole our business model!

------
ratsmack
This may put a small kink in their plans, but the NSA and GCHQ have unlimited
resources and will find another way in.

------
blparker
How does one "capture" data flowing over a private fiber channel? Does it
require a physical tap?

~~~
ForHackernews
Most likely, yes.

You can tap a fiber optic line without breaking it by bending it in such a way
that light leaks out: [http://www.techrepublic.com/blog/it-security/protect-your-ne...](http://www.techrepublic.com/blog/it-security/protect-your-network-against-fiber-hacks/222/)

------
w_t_payne
So how long before HN gets shut down for supporting criminality and terrorism?

------
ffrryuu
There comes a time when principles are more important than life itself.

------
kgarten
afterwards they will be fu* * * * using FISA court orders ...

------
arkj
This is just crap!!! The google guys are no better.

------
jokoon
One of the few who dares thanking Snowden...

------
AsymetricCom
Lol a Brit trying to lay into an American corporation for imperialism. I
wonder why a system he "worked" on for 1 (or 2) years was so easy to subvert.
What a laugh.

------
dell1994
Oops. What a Hypocrisy? The moral righteous Google. Little People vs Big
People? Please stop. Don't do Evil still works for you guys.. I guess.

You have the resources to defend it, if you want to defend. You choose not to
in many ways.

So please don't explode in profanity several times a day.

------
theinterjection
Has it ever occurred to anyone that, just maybe, the whole NSA thing is a
cover-up to distract the attention from the fact that it's actually the
megacorporations that want to spy on you? This is a good way for Google,
Microsoft, etc. to look innocent. Let's not forget that it was us who decided
to trust these corporations with all our personal data.

~~~
AsymetricCom
This is absolutely true. DPI was used by corporations first. NSA et al. have
to use it to stay in the game. Of course, you'll never hear this because the
multinational media decides who you root for.

