
NSA infiltrates links to Yahoo, Google data centers worldwide - nqureshi
http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html?Post+generic=%3Ftid%3Dsm_twitter_washingtonpost
======
tptacek
It's hard not to come to the conclusion that these activities were essentially
criminal. I don't see how the administration can fail to disavow them,
investigate them fully, and hold their instigators accountable. It feels like
Special Prosecutor time.

That aside, let me re-make a point I keep making:

Google had no knowledge of NSA's physical compromise of their data centers.
But still, they pushed _harder than anyone on the whole Internet_ for the
adoption of modern TLS with forward-secrecy; they are the world's foremost
deployers of ephemeral-keyed elliptic curve cryptography and of certificate
pinning, both of which ensure not only the security of the traffic running
over the network cables into their data centers, but also minimize the impact
of a compromised long-term encryption key or the compromise of the CA system
by a state actor.

Not only that, but Google launched a high-profile effort to encrypt the
communications _inside and between_ their data centers.

I hope a couple years hindsight will put the importance of Adam Langley's work
(and that of the rest of his team; he's just the best-known member of that
team) at Google into sharper relief.

~~~
bradleyjg
> It's hard not to come to the conclusion that these activities were
> essentially criminal. I don't see how the administration can fail to disavow
> them, investigate them fully, and hold their instigators accountable. It
> feels like Special Prosecutor time.

The government takes the position that their agents are almost completely
unconstrained by law when it comes to actions taken abroad aimed at non-US
persons.

Even were a court somewhere to find that this interpretation is incorrect,
there are numerous "good faith reliance" doctrines that prevent any
prosecution or even civil consequences.

The government outright tortured people for years, and nothing has come of it.
No prosecutions. No damages for victims. No cases dismissed for outrageous
government conduct. Not even very many harsh words from judges. The only
people for whom there were any consequences were the low level regular army
people who got in on the torture train without first getting official
blessing.

It'll be the same thing here. If some low level employee went out on his own
to hack into Google servers, something might come of it. But by all
appearances these programs were deliberate, planned, and vetted. In those
circumstances the bad actors have long since learned to cover their own asses.
There will be no consequences for them.

~~~
danbruc
I am at a loss for words. Arrogant, self-righteous, disrespectful, ignorant,
mendacious...nothing cuts it. It is illegal in the US but who cares about the
rest of the world? I can not remember when something similar made me that
angry as the current conduct of the US does. If I would not know better that
this would negatively affect the whole world and innocent US citizens and that
emotional reactions are usually not good - I would just cut all cables to the
US, stop all trades of oil, raw material and goods, deny US citizens to enter
any foreign country and then just do your shit over there and get happy with
it.

EDIT: Just to clarify it a bit more, I am not primarily angry because of the
spying - read my mails if it makes you happy. What really pisses me of is this
sentiment of thinking of non-US citizens as second class humans. We are not
spying at US citizens, only at this other guys across the ocean. And sadly
this sentiment is also present in part of the media coverage. Especially when
the story broke there was a lot of outrage about (accidentally) spying at US
citizens, but spying at non-US citizens and breaking foreign law in peacetime
is deemed acceptable.

~~~
allochthon
_I would just cut all cables to the US, ... deny US citizens to enter any
foreign country and then just do your shit over there and get happy with it._

Whoah, there. Your grievances are well-placed. But keep in mind that it's a
certain subset of agencies in the US government that are responsible for the
problems you're upset about, not all US citizens. As for fixing things, the
government has become literally unmanageable, and things are a mess right now.

~~~
devx
Unfortunately, not only do _a lot_ of US citizens still support such practices
(I think around 40 percent - as long as they mention "to protect you from
terrorists"), but most of the rest who _don 't_ agree with the practices,
can't be bothered to do much about it, like even calling their representative,
let alone going out and protesting.

I do believe this is very true:

> All that is necessary for evil to triumph is for good men to do nothing -
> Burke, Edmund

So, yes, I'd say _most_ Americans are responsible for this yes, by doing
nothing to stop it. So don't blame the rest of the world if they start "hating
Americans" or "hating America". You are part of it, you are responsible to
change the America you want the world to love, too.

Blaming only the government, that you probably voted in, too, does not cut it.

~~~
jganetsk
People are not going to start hating Americans. They have already been hating
Americans for hundreds of years. It started with the "degeneracy thesis" in
the 18th century, where it had been suggested by European intellectuals that
the American climate led to physically inferior animals and humans. The
reasons for hating Americans change everyday.

Hating a group of people is a completely irrational, unconstructive approach
to solving a problem. If one has anger about something, they shouldn't lash
out at group of people.

If people want Americans to change something on their behalf, for their
benefit, it needs to be from a standpoint of respect. They can start by asking
nicely.

~~~
PavlovsCat
Respect, sure. But "asking nicely"? How has that not been done already, over
and over and over?

" _Nobody in the world, nobody in history, has ever gotten their freedom by
appealing to the moral sense of the people that were oppressing them._ " \--
Assata Shakur

Even though we could argue about wether this stuff consititutes "oppression",
I think the point still applies, sadly.

~~~
jganetsk
I'm not sure what we are talking about here. The US government is oppressing
everyone... both Americans and non-Americans.

In theory, the American people are the only ones with the power to solve this
problem. This responsibility is a burden. Before going to bat, I would rather
encounter friendly encouragement than smug contempt.

~~~
PavlovsCat
For what it's worth, you have mine. Encouragament that is, not contempt.
Although I'm not convinced all Americans are yet aware of the fact that they
themselves also are at the wrong end of this gun, I'm sure the number
increases daily. And generally I don't think excluding people for what others
force on them, or even for their ignorance, or even for their hybris, really
leads anywhere. So many Americans have my support and even admiration, and
even the ones I do resent (not in a smug way though, I'm under no such
delusions I would hope), I would rather argue with, or, at worst, bitch at
(but never, ever, "ask nicely" :P), than outright shun. Letting someone simmer
in their own sauce can work with individuals, but in nations I think it always
strengthens the autocratic and warmongering elements.

------
cromwellian
Why didn't they release these documents a long time ago when everyone was
racing to judgement that Google, Yahoo, et al were secretly in cahoots with
the NSA helping to build drag-net surveillance extranet stuff for them? These
are very important revelations!

I mean, when Greenwald/Snowden/Guardian released the original PRISM
accusations, these slides would have provided a much much more important set
of evidence, instead of months of speculation and parsing of meanings of
"backdoor", "frontdoor", "side door", in the corporate communications of the
tech companies who were struggling to say "we've never heard of PRISM, da fuq
is this shit?"

Is the slow dripping out of these slides because they are trying to be
responsible in not releasing stuff that is too damaging (e.g. not trying to be
a Bradley Manning dump), or is it to preserve traffic by keeping the click-
gravy-train going?

~~~
mef
By releasing the documents in this order, they give government officials just
enough rope to hang themselves by prompting them to defend themselves by
making statements about what they do and do not do, and then releasing new
documents directly contradicting those statements.

In a weird way, it actually motivates them to tell the "whole truth" because
they don't know what documents will be released later so they don't know what
lies to tell.

~~~
cromwellian
Yea, but as collateral damage, the rope hung the tech companies and damaged
their brands by who knows how much.

~~~
selmnoo
They deserve to have their brands damaged.

They didn't do their due diligence in encrypting data going through leased
fibers -- they should have had the foresight to realize what a phenomenally
bad thing this was. They didn't, hence why I'll never trust them again.

~~~
cromwellian
Do you also blame your car company when a thief breaks into it? Do you never
trust banks again if a bank robbery happens? They were working on it, but
full-on encryption everywhere within your internal network is expensive, and
one tends to not imagine that buried dark fiber is dug up and tapped by one's
own government.

Let's say that they encrypted everything, and then you learn the NSA had
kidnapped the children of one of their network engineers and forced him to
turn over some keys. Again, whose brand deserves to be damaged here, the
company, or the immoral nation state with vast military industrial resources
at its disposal?

Why do I sometimes get the feeling that people specifically want to hate on
these companies when the real outrage should be for the government spooks.

~~~
selmnoo
What an unbelievably stupid line of thinking.

 _Kidnapped their children?_ Get a hold of yourself here. Google is a tech
company, it is a perfectly reasonable expectation that they get the big parts
of their security model right. Not encrypting data going through leased (or
even their own) fibers? Big, big mistake. NSA and US government aside, Google
dropped the ball big-time here.

> Why do I sometimes get the feeling that people specifically want to hate on
> these companies when the real outrage should be for the government spooks.

Funny you say that. Because I was pretty much a Google fanboy before all of
this happened (oh, and their recent changes wrt privacy policies). I am very
angry at the government, but that is a separate issue.

~~~
cromwellian
Security is based on threat model. The spooks have capabilities that far
exceed the threat models most companies assume from private blackhats. You
think it is obvious to assume in hindsight that the government would dig up
and tap your dark fiber, but you don't think it obvious the government would
plant spies to do in-side-the-data-center taps. Now what? Encrypt all data
between switches? The Soviets didn't think their undersea cables could be
tapped either, and no one can claim they were insufficiently paranoid.

My point is, I don't want Silicon Valley in an arms race with the US
government. The government is supposed to protect its citizens and companies,
not work to undermine them. Google is working on rolling out better security,
just like they eventually rolled out SSL everywhere before most other
companies. They are at the forefront on this, but it still takes time and
costs money. But even though they are spending time and resources on this, I
would still like the US government to cut it out.

~~~
selmnoo
I'm not getting through to you.

At the end of the day, Google lost. To a considerable extent, cloud lost.
People who were trusting Google with their data lost. What is ostensibly true
at this point at is that Google could have done _something_ to have prevented
this. All else is immaterial. Just like I would expect to lose business if I
made a mistake and had data compromised (because doing X and Y was too
difficult or too costly for me to do, because it was 'outside' my control,
because I was too inept, or whatever else), Google should expect to lose some
business the same way. If security is based on a threat model -- and it
eventually loses, it was bad security.

~~~
cromwellian
Well, it would help if you would write in a way that is not insulting and
condescending.

There's no "if" about it. All security is based on threat model, the lock on
your front door is based on the threat of the average criminal, and not
Watergate burglars. Are you guilty of bad security? Is it your fault if your
front door lock gets picked because you made assumptions about the
sophistication of your attacker?

You originally said "I'll never trust them again", but that beg's the
question, just who will you trust? Unless you are using end-to-end encryption
with everyone, there is no way to secure against NSA interception, and pretty
much all of Google's cloud competitors are actually worse in terms of deployed
security. And assuming end-to-end is secure is basically just assuming a
threat model where the NSA or Chinese government can't plant infected firmware
or hardware in your devices.

~~~
selmnoo
How about not musing out loud that people who are criticizing companies just
"want to hate on these companies", if you're entertaining the idea of not
being insulting and condescending.

Google is a company that's been leading the way to get everyone on the cloud.
It turns out what it's also been doing is making mass surveillance massively
easy due to poor security practices. One individual having bad locks is not
analogous to what is at play here. You keep suggesting that Google should get
a free pass because the adversary in this case was too sophisticated of a
player: no, that does not matter, that is an excuse. Don't give me excuses.
Google makes billions, it should simply have done a better job. Your earlier
post took issue with Google's brand being tarnished unfairly, this is what I'm
talking about to you right now, so the question of just 'who' I will trust is
not very relevant.

To answer your question anyway: basically I'm going to pull away from the
cloud as much as I can. No more google apps for me, no more gmail, no more
anything where I end up putting my personal data or my clients' data anywhere
but on my dedicated servers -- and using end-to-end encryption when any data
needs to travel out. That does not remove the possibility of getting
compromised, it just mitigates it.

~~~
cromwellian
I don't think there are many people who disagree with me that there's been a
huge amount of unwarranted snark recently. The uProxy release for example.
Don't compare that with using words like "stupid".

>no more anything where I end up putting my personal data or my clients' data
anywhere but on my dedicated servers

The probability that your servers would be compromised by actual damaging
threats (hackers, malware, viruses, botnets) is far higher than that of
Google, so I hope if your servers get hacked, you will similarly berate
yourself and not make excuses that you should have done better and spent 10x
more security than you are now. How many actual penetrations have occured of
Google infrastructure where thieves (not government) made off with actual
information that they'd put to damaging use, vs that of other smaller hosts?
Everything you do has tradeoffs.

You keep making hand wave arguments about what Google could have or should
have done, again, totally points about the threat models and historical
context. When this program started, by some accounts in 2007, the vast
majority of Web traffic wasn't even secured by HTTPS, no one was using
channel-ID or forward security, and the majority of SMTP traffic was not
protected by TLS. In fact, even today, only 50% of email traffic is TLS
protected. In 2007, fewer Google services were probably multi-datacenter
replicated as well. Encrypting the dark fiber would have been useless back
then when the front door was left unlocked.

So, let's try to imagine a hypothetical conversation of some security
engineers when new data centers got set up for replication:

Engineer #1: Dude, we should encrypt traffic on our inter-DC traffic. Engineer
#2: It's a buried dark fiber. Engineer #1: Yeah, but the NSA could dig it up
and tap it. Engineer #2: That's illegal, and besides, it's a theoretical
threat. We have a bigger _practical_ threat, right now, anyone could just tap
all front-end traffic, because most incoming user traffic is not HTTPS.

Engineer #1: You're right, let's get everyone on HTTPS first. Let's upgrade
browsers, and Chrome, with better cipher suites. Let's add Channel-ID. Let's
try to get SMTP users to use TLS.

The point isn't about excuses, it's about understanding at each point in time,
what the weakest link in the chain is. The NSA taps of your email traffic
might be worrisome, but the reality is, the Russians slurping up your credit
cards, passwords, and doing MITM's to install botnets have far greater, actual
practical damaging effects on you and your customers.

In an ideal world, everything would be secured against all possible attacks
from day one, but internet infrastructure is rarely ideal. I started on the
internet in the 80s in an era with zero encryption and where many services
didn't even have passwords. We have gradually made things more and more
secure, but getting there is going to take time. It's unfortunate that
Google's efforts to secure it's fiber didn't happen a few years earlier, but
if they did happen a few years earlier, it wouldn't have a made a difference,
because upstream attacks were far more effective back then.

------
cs702
Wow.

Years ago, I remember reading Richard Stallman's "How I do my computing"[1],
an essay in which he explains why he usually does not connect to any websites
from his own machine, downloads web pages from a headless browser running in
some server, does not have any user accounts for any web applications, does
not buy anything over the Internet ever, does not use any social networking
sites, and otherwise abstains from using the Internet like most normal human
beings.

"Jeez, that's way too paranoid," I remember thinking.

It turns out Stallman was just (far) ahead of his time -- as usual.

\--

[1] [http://stallman.org/stallman-
computing.html](http://stallman.org/stallman-computing.html)

~~~
lazyjones
> _It turns out Stallman was just (far) ahead of his time -- as usual._

Indeed, and it was always obvious if you took security seriously instead of
regarding it as a game of probabilities and trade-offs where convenience wins.

As we are being pulled very strongly towards a future where everything and
everyone is connected all the time, we should really consider such radical
approaches again and how to make them more convenient for "normal" people.

~~~
chflamplighter
"game of probabilities and trade-offs where convenience wins" that is it in a
nutshell, well said.

------
jakewalker
If that graphic - that taunting smiley face, drawn when it was assumed that no
one was watching - isn't enough to outrage the general public, I don't know
what it will take. This is not super technical - it's easily explained and
should be easily understood by the masses. And it should cause outrage.

~~~
betterunix
You know what would outrage the public? ESPN being shut down. Most people do
not actually care about their privacy. Even if everyone had the technical
chops needed to understand what has been happening, most people never spend
much time contemplating the importance of privacy rights.

~~~
dmix
> people do not actually care about their privacy

This is 100% accurate, I've attempted to aggressively promote privacy tools
well before the NSA/Snowden stuff among the people I know. They _still_ don't
care to use simple things like OTR with IM. They might use it for one week,
and switch back.

Journalists/tech sites love making this seem like the biggest deal in society
right now, but hardly the case in reality.

I'm not sure if it's an intellectual/knowledge gap (lack of technical
knowledge), laziness, lack of good design in crypto tools, or just generally
not caring about their privacy (until it becomes to hit them in the face).

~~~
betterunix
I think it is part of a more general problem: people do not spend much time
thinking about the importance of _any_ of their rights. Nobody wants to hear
that a terrorist attack was successful or that a criminal walked free for the
sake of their civil rights -- rights are abstract, terrorists and criminals
are _threats to our children_ and whatnot. Look at what people say about free
speech rights, how quickly everyone parrots the quote about shouting fire in a
crowded theater (most people have never bothered to look into the Schenck
case, they just know that one phrase). People have even managed to say that
_habeas corpus_ rights are problematic.

Privacy rights are too abstract for most people to bother with. After all,
they have nothing to hide, only criminals and terrorists would bother hiding
anything (or so the thinking goes).

~~~
dmix
It is possible our (UK/Canada/USA/etc) societies pursuit of comfort/safety has
descended into what Nietzsche calls the "last man".

> the antithesis of the imagined superior being. The last man is _tired of
> life, takes no risks, and seeks only comfort and security_.

> Nietzsche said that the society of the last man would be too barren to
> support the growth of great individuals. The last man is possible only by
> mankind's having bred an apathetic creature who has no great passion or
> commitment, who is unable to dream, who merely earns his living and keeps
> warm. The last men claim to have discovered happiness, but blink every time
> they say so.

[https://en.wikipedia.org/wiki/Last_man](https://en.wikipedia.org/wiki/Last_man)

The last man trades their rights and freedoms away for security and comfort.

~~~
nanidin
Sounds like happy/content people to me.

~~~
dmix
> The last men claim to have discovered happiness, but blink every time they
> say so.

~~~
nanidin
I guess I don't understand the blink reference

~~~
dmix
Blinking after saying something is commonly associated with being a good lie
detector. Nietzsche wrote that in the 1800s and it's still apparently
relevant:

[http://www.telegraph.co.uk/news/2589073/Liars-are-exposed-
by...](http://www.telegraph.co.uk/news/2589073/Liars-are-exposed-by-
blinking.html)

------
pvnick
Periodically, especially when a new report like this one comes out, I like to
go back and watch the original Snowden interview
([http://www.youtube.com/watch?v=5yB3n9fu-
rM](http://www.youtube.com/watch?v=5yB3n9fu-rM)) and reflect on the
differences between what we knew vs what we now know. When I first watched the
video, it brought tears to my eyes and I try to remember that so I don't get
desensitized to the magnitude of these revelations. I respect the man more and
more everyday.

------
DanielBMarkham
Meta remark, somewhat snarky: I would like to know at what point do all the
HN'ers making fun of those libertarians among us concerned with security -- I
believe over a period of months we were called "tinfoil hat types" and worse
-- come back and offer us an apology.

I am not holding my breath.

(Although it's a snarky comment, I didn't make the comment just to snark. The
point was to point out that over and over again, the folks who are concerned
about government encroachment are made fun of, put down, and lampooned to a
great degree. More often than not, these concerns turn out to be true. In most
cases this happens long after the debate has died down. This is an important
lesson from history that we all would do well to learn. This story has a lot
more facets to it than just the NSA/USA angle)

~~~
selmnoo
As someone who routinely makes fun of libertarians, let me assure you this is
not what we (or I) make fun of libertarians for. Lots of progressive-oriented
folks I know are at the forefront protesting these things. Hell, Richard
Stallman -- the man who's been all about resisting the cloud even before a lot
of us were born -- is a self-alleged Green Party affiliate.

------
matthewmcg
From the article: "Two engineers with close ties to Google exploded in
profanity when they saw the drawing."

That about sums up my reaction as well.

~~~
w_t_payne
Yup. Google got royally screwed by the NSA.

------
than
Gen. Keith Alexander, asked about it at a Bloomberg event, denied the
accusations.

"I don't know what the report is," Alexander cautioned, adding the NSA does
not "have access to Google servers, Yahoo servers." He said the NSA is "not
authorized" to do this, and instead, must "go through a court process."

[http://www.politico.com/story/2013/10/keith-alexander-nsa-
re...](http://www.politico.com/story/2013/10/keith-alexander-nsa-report-
google-yahoo-99103.html)

~~~
ceejayoz
That's a potentially perfectly accurate statement that doesn't in any way
refute the story. The leak indicates they have access to the fiber lines
between datacenters, not the servers themselves.

~~~
mpyne
Also, it's GCHQ that broke in, no?

------
gohrt
I hope that this finally convinces everyone that it doesn't matter whether
Google is "Evil" or Yahoo is more evil or whatever. What matters is that large
cloud systems are fundamentally incapable of protecting data.

Even the most goodhearted and the most talented teams can't reliably defend
against a massively funded adversary.

Secrets are for keeping, not sharing.

~~~
atonse
Well, I don't think it's that easy.

If the NSA wanted your data, they could get into your network probably easier
than they could get into Google's networks. Companies like Google have way
smarter people (and working full time) securing data than most businesses.

For us to secure our networks as much as someone like Google would, we'd have
to have a team of the best hackers around.

And by definition, the best hackers around are scarce. They're already working
for Google, etc, and X Y Z security company.

~~~
thyrsus
Not exactly. Think of this analogy: the NSA built an enormously expensive
sieve net to fish the entire Pacific Ocean (Google). While the Pacific may be
deeper and wider than your innocuous little lagoon, that lagoon probably
hasn't attracted the attention of the NSA. If you think the attention of the
NSA is going to be a problem for your dealings, hiring very expensive security
talent is necessary to your business plan.

~~~
atonse
Sure, but in that cat and mouse game between Google and the NSA, Google might
actually have a chance. From what tptacek has said above about the kind of
stuff Google's been doing (SSL with EC and perfect forward secrecy, etc),
they're actually able to make it difficult for the NSA.

Plus, in the world of "I can sift through terabytes of data in seconds" even a
little lagoon isn't too little.

------
notaddicted
I think this is of endgame for network security, I don't see a way out -- the
Sony Rootkit[1] should have been the point where I realized but it is just
sinking in for me now since the Snowden NSA leak.

Any network connected computer will be running an OS+Applications which are
typically a gigabyte or more. This is produced by companies which are beholden
to a nation state, and the companies can be coerced[2] or compelled[3] to use
the software against the user. The software is also constantly being probed
for vulnerabilities, which can also be exploited by law-enforcement / military
[4][5].

So, if you turn on auto-update you have to trust the software maker is not
being coerced by someone, or being compelled by a secret court to trojan you.
If you don't turn on auto-update you can still get trojaned by any
vulnerability. Lose-Lose.

[1] Sony Rootkit:
[http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...](http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal)

[2] Qwest CEO Nacchio's claims: [http://www.washingtonpost.com/blogs/the-
switch/wp/2013/09/30...](http://www.washingtonpost.com/blogs/the-
switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-
feels-vindicated-by-snowden-leaks/)

[3] FISA court

[4] German Govt. Trojan from 2011:
[http://www.spiegel.de/international/germany/the-world-
from-b...](http://www.spiegel.de/international/germany/the-world-from-berlin-
electronic-surveillance-scandal-hits-germany-a-790944.html)

[5] FBI's TOR trojan injection:
[http://www.wired.com/threatlevel/2013/09/freedom-hosting-
fbi...](http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/)

~~~
CamperBob2
Agreed. What's funny is we're wondering why people who still buy stuff from
Sony don't seem to get outraged about the NSA.

Nobody ever cares about this stuff until it is _way_ too late.

------
a3n
> The infiltration is especially striking because the NSA, under a separate
> program known as PRISM, has front-door access to Google and Yahoo user
> accounts through a court-approved process.

1\. Spy on whatever the hell you want without benefit of warrant.

2\. Discover something interesting.

3\. "Parallel construct" a way that the information could have been legally
obtained.

4\. Get a warrant based on the parallel construction.

5\. Profit.

~~~
toufka
It's parallel construction all the way down. Discover via extralegal, point
mass-capture in that direction, sniff out and send to 'legal' 702 or 215
databases, hint to FBI/DEA buddies, get normal warrant, and now you've got
your criminals!

In that way, killing the 702 or 215 powers really wouldn't do that much,
because they can just derive their parallel construction from elsewhere.

------
mcphilip
I don't see how the pretense that the NSA actively avoids snooping on U.S.
citizens can be seriously maintained after this revelation. It's becoming
increasingly clear that intelligence agencies want the ability to access all
data created directly or indirectly by an arbitrary cyberspace target on
demand and will shop around for the "best" (e.g. weakest link in technology
and/or legislature) nook of the net to snoop at.

------
bandushrew
This seems like a good time to remember that Google has been storing wifi
access passwords in plain text on its servers, and (presumably) passing them
between its data centers.

It can be assumed that as a consequence of google's decision to store
passwords in plaintext, the NSA now have access to every wifi access point
that has been used by an android device.

This is a _massive_ security breach. I sincerely hope google notifies android
users of the problem.

~~~
malandrew
The more I see stories like this, the more I wonder why there aren't tools out
there that complement something like 1Password, LastPass or KeyPass by
rotating passwords for all your devices programmatically. More devices should
support SSHing into them for password rotation or some API for frequent
password rotation.

e.g.

Here's the password for this router, rotate this key every X days, upon
rotation, connect to the computers of friends X, Y and Z to notify them of the
password update.

I imagine such a system would require two passwords, one to change the
password so only one device is responsible for rotation and a second to share
with others so they can access the computing resource in question.

Alternatively, every device should function with individual passwords for
every user. I still get frustrated that wifi only offers one password and
doesn't give you the option to give out one password per user. Future wifi
protocols should permit a user to try to connect to a wifi and wait until
someone approves their access. Approval could be done by visiting the routers
IP address and granting access through some form that shows which clients are
requesting access at that point in time. Furthermore, the way in which a
computer requests access to wifi could be accomplished by having that computer
submit it's SSH public key to the router.

------
jimparkins
People will no doubt come on this thread and remind everyone that of course
the government always had access - you must have been a fool not to think so.
But I just can not get over how angry it makes me. Honestly I thought that
using google products with some exploitation of the contents for advertising
was an acceptable exchange. This is just a total betrayal and I cannot believe
that the Google board is not aware of this! and if it is not it is because
they choose to be!

~~~
betterunix
This might be a good time to go back and look at what you said to all those
cypherpunks who kept talking about the need to build security into Internet
protocols from day 1. Whitefield Diffie had pointed out this problem -- that
online services could violate user privacy without any technical barriers --
in the _1970s_ and pointed to it to motivate public key cryptography.
Throughout the 90s and 00s people were saying that we should be deploying
cryptography more widely, yet these arguments were largely ignored or
dismissed.

So really, this is not about the government. Rather it is about the inherently
insecure design of today's email, IM, payment, and social networking systems.
While the cryptography research community and the hacker community have
proposed numerous solutions, few have worked to deploy such solutions. Worse,
many hackers and computer scientists have actively worked _against_ such
deployment by building businesses that are monetized _by violating user
privacy_.

Before talking about your anger, take a moment to think about what you were
saying to people 5, 10, or 20 years ago when this topic came up (I am speaking
to everyone now, not just jimparkins).

~~~
dmix
"You cannot acquire experience by making experiments. You cannot create
experience. You must undergo it." \- Albert Camus

The cypherpunk "2.0" generation is here. The adversaries are definitely way
more resourceful and ten steps ahead now. So there may be some value in
looking back with regret. But it's never too late.

~~~
pit
> But it's never too late.

Upvote for hope.

------
wyck
Is that an official document with an actual smiley face?

What ever happened to the admins / programmers standing up for what is right,
or do they just gobble down a paycheck and turn the other way?

~~~
dombili
It's not just that either. They seem to enjoy it and think that this is a
game. If you're going to violate our basic rights, at least take it seriously,
guys.

~~~
brown9-2
This presumes that those developers are building these systems to go after
"our basic rights", instead of believing that they are helping to target
terrorists and enemy states.

What gets lost in a lot of the (justifiable) NSA outrage is the fact that they
want all of this technology to enable surveillance of terrorists who use the
Internet just like ordinary Americans do. There is really no evidence so far
that this massive surveillance apparatus is being used in a widespread way to
abusively target Americans.

Being able to intercept online communication between terrorists and foreign
governments in a way that collects zero communications of Americans seems like
a really, really hard task.

~~~
swalkergibson
The terrorism threat is simply a convenient bogeyman. The probabilities of
dying in a random terrorist attack are so infinitesimally small that it is not
even worth considering. Ordinary Americans are simply too stupid to really
comprehend exactly what is happening here and subscribe to the "well, I don't
have anything to hide" type logic. The fact is that the terrorists have won.
The American public, due to indifference, is so irrationally afraid of dying
in a terrorist attack that our own government is watching our every move under
the guise of protecting us from that threat.

~~~
brown9-2
So, what types of widespread abusive things is the government doing to
American citizens with all this surveillance?

When you say "convenient bogeyman" it implies that all of this surveillance
was built with the express purpose of spying on Americans. I personally
believe that to be false, and instead that the massive and overbearing
surveillance was built because public officials are so afraid of another
massive terrorist attack because the voters are so afraid.

In other words I agree with your basic observations but not the malicious
motives.

~~~
sfx
It's a nice thought to believe there isn't malice in the government, but the
facts say otherwise. Intelligence laundering to bypass our basic legal rights
is a malicious motive[1]. Russ Tice's (NSA whistlerblower) interview talking
about all the people the NSA targeted (including our president in 2004) is
also not only malicious, but terrifying.[2] And as Bill Binney (another NSA
whisteblower) has said, we're a "turn key totalitarian state", I'm not sure
how one could think a totalitarian state could not be malicious.

[1] [https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-
intel...](https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intelligence-
laundering) [2]
[http://en.wikipedia.org/wiki/Russ_Tice](http://en.wikipedia.org/wiki/Russ_Tice)

------
vidarh
It's kind of shocking that they haven't been encrypting all internal inter-
datacentre connections to begin with. Even if they didn't suspect NSA
snooping, there's enough companies and criminals out there that'd conceivably
have a lot of reasons to want to try to find ways to tap Googles links.

------
balabaster
You know, one thing I'm sure (hope) will come out of this is that enough
people in the public should be sufficiently outraged at this that we start
making some private sector headway in the data security race and perhaps we'll
end up with some actual secure products by companies that aren't under the
"jurisdiction" of U.S. policy, instead of those that just say they're secure
but fall flat on their face when it comes to something as trivial as an NSL or
an order for a pen register. If they were really secure, then these things
wouldn't make the slightest difference.

------
grey-area
Offtopic, but there's a problem on this site with this kind of story now. I'm
not sure if it's the flamewar detection, or flagging, or some other automated
system, but stories like this which are very popular and not remotely a
flamewar, but an interesting discussion, are disappearing off the home page
too fast in my opinion. This is a topic that will define a generation's
attitude to technology and the internet, and is particularly pertinent to
silicone valley.

Yet this morning this story went from top of the page:

14\. NSA infiltrates links to Yahoo, Google data centers worldwide
(washingtonpost.com) 1395 points by nqureshi 15 hours ago | flag | 533
comments

To behind stories like this:

12\. Java Virtual Machine in pure Node.js (github.com) 232 points by binarymax
16 hours ago | flag | 129 comments

I'd be interested to know the reason, and perhaps whatever algorithm is voting
this down could be adjusted, because it's clearly not working?

~~~
mman
Going out on a limb here because this does not make sense to me either. But
maybe this has something to do with the fact that the valley built all of the
software used to support this, quietly invested in it all in 2010 for
undisclosed amounts at least in the tens of billions and approaching or
exceeding 100 billion, and the money doesn't want it on the front page of one
of the most popular news sites?

By money i mean this money that keeps its actions shadier than the NSA:
[https://angel.co/emc](https://angel.co/emc) [https://angel.co/emc-
ventures](https://angel.co/emc-ventures)

------
mladenkovacevic
So does this suggest that Google's SSL encryption can be removed just as
easily as that smiley face implies?

If this is true my next question would be does NSA have access to the keys or
are they removing encryption in some other more technically involved way?

~~~
dragonwriter
> So does this suggest that Google's SSL encryption can be removed just as
> easily as that smiley face implies?

Well, yes, if you are Google. The removal of SSL is done by Google's own front
end servers at the boundary between the public internet and Google's own
network, and Google's own network (including its private datacenter-to-
datacenter fiber connections) are apparently not encrypted (which saves
compute overhead.)

The revelation in the article (assuming it is correct) is that the GCHQ is
taking advantage of this fact to evade Google's move to encrypt user-to-Google
connections by simply tapping Google's datacenter-to-datacenter connections
and (as well as whatever use GCHQ itself makes of the captured data) providing
the NSA the ability to provide search terms that are matched against the
captured data, with matching data fed from GCHQ to the NSA.

(This neatly also avoids any US legal limits on domestic electronic
surveillance by the NSA, since, first, the surveillance isn't conducted by the
NSA or any other US agency, and, second, its presumably not physically
conducted in the US at all.)

~~~
jrochkind1
Tell me if I understand this right: Google thought it was okay to not encrypt
that 'internal' traffic, because even when trans-continental, that traffic was
on 'private' Google fiber carrying only Google traffic, not the public
internet. It was theoretically on a network that only Google had access to.

That's why it seemed okay not to encrypt it, right? (Otherwise, I don't know
why Google would have thought it didn't have to encrypt it).

But the NSA managed to tap into this 'private' fiber anyway, perhaps with the
cooperation of the actual telecoms that run it?

Do I have that right?

~~~
dragonwriter
Essentially, that is what the article seems to indicate, except that it was
Britain's GCHQ, not the US's NSA, that did the tapping. The GCHQ, as part of
the "Five Eyes" intelligence cooperation [1], lets the NSA do searches against
the data they get from the taps.

[1]
[http://en.wikipedia.org/wiki/UKUSA_Community](http://en.wikipedia.org/wiki/UKUSA_Community)

------
tonyplee
Few people said you can't fight google with NSL or force them to do anything
because it has $50B in cash.

Easy: Just start an anti-trust investigation - a fed lawyer can drag Larry
Page and Google's top level managers into federal court every week for the
next 5-10 years. Go thru every emails about iphone, android, bing in the past,
and force monitor every single biz decision Google will try to make for the
next 10 years.

Apple, Samsung, Microsoft, Facebook would love to help out the government(s)
in this.

Larry will get so sick of it that he would think give out billions to kill
Mosquitoes in Africa/India is a lot more fun. - Remember Bill Gates?

------
adventured
Google will never do it, but they should drown the NSA in bullshit data. So
much so it literally chokes the NSA's ability to spy on Google's services.

Google is one of the few companies that could pull it off. They have $56
billion in cash and nothing to do with it apparently. They generate $12
billion in profit annually and growing.

They have more financial resources, computing power, and brain power than the
NSA does, and they're one of the few companies on earth that can say that (the
only?).

A billion a year thrown at choking the NSA with a flood of data, I'd argue,
would work extraordinarily well.

The NSA has a substantial budget (but how much spare budget?), but I don't
believe they could afford the processing and storage costs that can be
generated from a billion dollar per year effort of bogus data spewing
(particularly if Google matches it with a dramatic effort put toward
encryption R&D to multiply the cost the NSA suffers significantly more than
just basic processing & storage costs).

The NSA's grand new data center in Utah cost billions and will have taken
years to build. Google could probably force them to attempt to build a new one
every single year forever, particularly given how bloated every effort by the
government is and easy Google could generate 'infinite' volumes of data.
Google should pro-actively help Yahoo, Facebook and others out in teaming up
to drown the NSA.

The biggest threat to Google is the NSA. Google should act accordingly. Just
as they would react with financial investments to any other competitive
threat.

~~~
alan_cx
A better use of all that money would be to play the lobbying game the enemies
of freedom so effectively play.

This is the the thing I completely fail to understand. If all these huge tech
firms with all this cash really care about privacy, people, US reputation,
etc, then why are they not pouring their money in to politics like, say, the
weapons manufacturers do? Why aren't they "buying" politicians?

~~~
joeshevland
I think a more sensible use of the money would be to 'fix' the ability to buy
whatever legislation you want. Its really not a democracy any more when those
wealthy enough can buy whatever legislation they want.

~~~
alan_cx
Unfortunately I think a real sense of democracy is long gone. We are left
having the play the only game left in town. Buy your influence then,
influence.

------
nickpyett
Larry Page should step down as CEO.

It would never happen, as Google shares would drop like a bomb and give
credence to the argument that the cloud isn't secure enough, but at least it
would show that someone at Google cares.

It would create a landmark moment though; something that would spark more
debate in both the media and with American politicians.

~~~
nrmilstein
Do you have evidence that Larry Page or Google knew about this? How is the CEO
of Google stepping down an adequate reaction to a something that Google
doesn't seem to be behind?

~~~
nickpyett
I'm not putting any responsibility on Google's CEO that he didn't ask for when
he became CEO - he is ultimately responsible for the company's actions.
Leaving that amount of user data open to attack is unforgivable, regardless of
who is "behind this" or how much he knew.

Secondly, the alleged attack, however it happened, is not the reason he should
step down. Larry Page stepping down is going to be really bad for Google, he
is one of the finest entrepreneurs of our time, and a great technologist.

He should do it to send a message.

Will their ever be more evidence about what actually happened? Probably not,
but a resignation by one of the most powerful CEOs in the world will get some
serious attention in the wider debate on privacy.

But like I said, the share price probably comes first...

------
xyfer
Everyone in Silicon Valley is talking about this and the media has painted a
picture of criminal undertaking by the NSA. A lot of this is just speculation
that has been blown out of proportion. The only way the NSA could compromise
private data centers without placing moles in their respective ops teams, is
to sniff the traffic on the private DC to DC lines leased by the companies.
Assuming they did this by overpowering the ISPs, they are still left with a
ton of TCP/UDP packets which they need to reconstruct, decipher and
schematize. Although DC to DC traffic is typically not encrypted, it is often
compressed or transmitted as binary streams. There is absolutely no way they
NSA would be able to make sense of the data without reverse engineering the
innumerable communication protocols used and then using that protocol to
decipher the packets. It is a lot more feasible to force a company to hand
over data on specific users than it is to piece together user data using this
packet sniffing technique. If the NSA really is wiretapping DC-DC
communication, it's not because they are trying to build profiles on
individuals. It's likely that they are using this raw data for keyword
lookups. And, although I question its effectiveness, that is a level of
surveillance I'm comfortable with.

~~~
Renaud
I think you over-estimate the complexity of the data being exchanged between
data centres and underestimate the capabilities of these well-funded agencies
that can afford top-notch PhDs, developers, engineers, mathematicians.

The article seems clear on the fact that they are able to reconstruct the data
streams. It's not difficult to assume that most of the data-exchange protocols
used are pretty standard or at least pretty stable, for instance Google use
protobuf[1] for efficient binary exchanges, it's open source and well
documented.

Data is meant to be moved efficiently between data-centres and these companies
had no reason to add any obfuscation (if that was the case, they would have
already used encryption). There is no reason to assume that adversaries with
deep pockets would not have the technology or know-how to reverse engineer
these unprotected data communication flows.

[1]:[https://code.google.com/p/protobuf/](https://code.google.com/p/protobuf/)

------
billiam
What makes me downright angry is the vehemence with which Google's Chief Legal
officer David Drummond denounces siphoning Google's own data. Secretly take
our users' personal data, that's okay, but secretly take our data, which we
make our billions off of, now that is unamerican. Class, man. Real class.

------
jcromartie
Can anybody trust Google services anymore? It seems like it's pretty much a
no-go at this point. Even if Google hands over select data from within their
systems, it appears we cannot even trust that it makes it _that far_ without
being compromised.

Every business that can should be ditching their Google services right now.

~~~
krapp
For what, the magical service that _can 't_ compromised by the NSA if it
wants? At least Google has more resources to throw at the problem than a lot
of other companies -- but really you can't trust _anyone_.

~~~
jcromartie
> you can't trust anyone

That's become quite apparent. I just wonder if there's any solution, or if
it's a mathematical certainty that communications are insecure.

~~~
generj
Doesn't that hold true for anything not using quantum encryption?

To fully secure in communications, you need to take advantage of weird quantum
phenomenon like radioactive decay, and even then you are betting that we won't
come up with a theoretical framework capable of predicting quantum phenomenon.

~~~
krapp
You might not have to be able to predict quantum phenomena. IIRC, one of the
issues they had with the "quantum internet" thing they built in New Mexico[1]
was having to downgrade what should have been a perfectly secure connection to
an insecure classical one because it's impossible to _route_ an quantum
entangled signal.

Not that this is necessarily a weakness of quantum encryption, so much as a
suggestion that any system can't be perfectly secure. Maybe the chips have a
backdoor. Maybe a random number generator is biased. Maybe any number of
things up to and including maybe you get hit with a five dollar wrench over
the head until you give up your password. What I fear is that while the math
may be secure, the system itself can't be secured. The web was never built on
the premise that security would matter, was it? Or at the very least that the
adversary wouldn't be ones' own government. What can you do other than
fabricate your own chips, build your own compiler, compile your own os, write
your own network protocol and host a darknet (with similar self-constructed
machines) out in the woods somewhere using a one-time pad for encryption? Even
that's not enough.

[1][http://www.pcmag.com/article2/0,2817,2418657,00.asp](http://www.pcmag.com/article2/0,2817,2418657,00.asp)

------
ttt_
_“Look, NSA has platoons of lawyers and their entire job is figuring out how
to stay within the law and maximize collection by exploiting every loophole,”_

Interesting how agencies, corporations and alike have the collective maturity
of children. A grown up will say to a kid "you can't play with fire with your
friend" and the kid immediately will think "he didn't say I can't play with
fire with my other friend".

~~~
eruditely
organizations are not ma-turing complete

------
CoryG89
As a software engineer just about to graduate from college. When I see
drawings like that I just can't believe that people who know enough to draw
something like that can actually do it without feeling like they are the
definition of evil.

~~~
MichaelGG
Why is it so hard to understand that there are intelligent people that
honestly believe they're doing something that will ultimately benefit their
country? People have done far worse in the name of a country or ideal.

For people outraged over the apparent happiness of the people that tapped
Google, I imagine they've never broken a system. A breakthrough on a project
is extremely enjoyable. Finding that Google removed SSL is like testing an app
and finding it doesn't sanitize inputs it passes to a shell script as root.

~~~
anaphor
They still deserve to be skinned alive though. As feminists are fond of saying
"intent isn't magic".

~~~
robertfw
That kind of approach is just going to lead us around in a big circle, and
when we look back in fifty years we'll be just where we started

------
sage_joch
If I scroll the Reddit frontpage (without being logged in), I am not seeing
_any_ NSA stories, despite being on the top of /r/WorldNews, /r/news, etc.
Anyone know the story behind that?

~~~
krelian
It's a conspiracy of course to try and hide this information from the public.
That's the answer you were looking for, right?

~~~
brymaster
Here, I did your own research for you:

[http://www.guardian.co.uk/technology/2011/mar/17/us-spy-
oper...](http://www.guardian.co.uk/technology/2011/mar/17/us-spy-operation-
social-networks)

> Most addicted city (over 100k visits total) > Eglin Air Force Base, FL

[http://blog.reddit.com/2013/05/get-ready-for-global-
reddit-m...](http://blog.reddit.com/2013/05/get-ready-for-global-reddit-
meetup-day.html)

------
andmarios
Funny thing is how many articles have been written about Chinese crackers,
possibly funded by the Chinese government, trying to hack into big companies.

~~~
subsystem
It's also funny how all these "anonymous government sources" suddenly became
available when the subject was about someone else.

------
andy112
Can anyone explain what exactly is meant by "SSL added and removed here! :-)"?

~~~
yburnsy
The implication is that there is no SSL from the front end web server to the
back end data center, thus it is susceptible to snooping at that point.

~~~
sseveran
Yes. It would be considered a private datacenter environment. Someone with DC
access or in this case the ability to tap a closed fiber network can still
attack it. This mostly applies to state actors.

------
bm1362
"Two engineers with close ties to Google exploded in profanity when they saw
the drawing." seems hyperbolic. What does it even add to the article? Is it
used to try and establish some credibility?

I don't understand why this is shocking (the photo- not the alleged spying)?

------
Aaronontheweb
How are all of our elected officials "just finding out" about this stuff?
Bullshit!

Our congressmen, senators, and POTUS are all "as surprised as you are!"(TM)
about these allegations that keep coming out.

Obama doesn't know anything. Feinstein (who heads the Senate intelligence
committee, and is briefed on the NSA's activity) knows nothing.

What's the difference between extreme incompetence and maliciously lying? I
can't tell the difference.

~~~
devx
I would even let them get away with that argument, but if they do use that
argument, that means they should also be pissed off about these revelations,
and realize that NSA has gone fully rogue, and they need to drastically rein
in on it. At least that's the logical conclusion from their argument.

The problem is they want their cake and eat it, too. They want to get away
with it themselves, but also protect NSA and their powers. We should call them
out on their hypocrisy, and ask them to restrain NSA's powers if it's really a
surprise for them, too.

------
devx
Here, Google - show us how much you care about user privacy and security, and
join Lavabit and Silent Circle's alliance for the "Dark Mail" protocol:

[http://www.forbes.com/sites/kashmirhill/2013/10/30/lavabit-a...](http://www.forbes.com/sites/kashmirhill/2013/10/30/lavabit-
and-silent-circle-join-forces-to-make-all-email-surveillance-proof/)

Meanwhile I'll be waiting impatiently.

~~~
rhizome
Actually, the real test will be whether Google and Yahoo file amicus briefs in
Lavabit's appeal.

------
GuerraEarth
Google is so good. Such a great concept. So much fun to use. A romper room.
Such a bastion of talent and good people. Which is why this whole business is
such a crappy disappointment. A guy sitting in a renovated girl's bathroom in
London told us some time back that this was the case, that Google had dropped
its original stance against "evil," but nobody took him seriously.

------
LionRoar
Reaction of Google’s chief legal officer, David Drummond on the news. Sounds a
lot more sincere then their previous denials (which proved to be lies forced
by the law anyway).

"We have long been concerned about the possibility of this kind of snooping,
which is why we have continued to extend encryption across more and more
Google services and links, especially the links in the slide. We do not
provide any government, including the U.S. government, with access to our
systems. We are outraged at the lengths to which the government seems to have
gone to intercept data from our private fiber networks, and it underscores the
need for urgent reform." [0]

[0][http://www.washingtonpost.com/world/national-
security/google...](http://www.washingtonpost.com/world/national-
security/google-statement-on-nsa-infiltration-of-links-between-data-
centers/2013/10/30/75f3314a-41b3-11e3-a624-41d661b0bb78_story.html)

------
okadaka
SMTP (mail protocol) between providers is unencrypted anyway. So, if I send
email from gmail to ycombinator, it goes to ycombinator SMTP server
unencrypted and can be tapped by anyone with access to the wire. Still, clear
traffic between Google's own data centers is inexcusable. They are exposing my
data to more risk.

~~~
graue
I thought you were wrong about that, but when I went looking for a source, I
found out you're right. As of June, major email providers other than Google
did not support encryption for inbound emails[1]. That's disappointing.

Note there's no technical reason they couldn't. Also, Fastmail.fm, while
arguably not really a major player, is an exception, supporting encryption on
inbound emails since 2009[2].

I just verified this via [http://www.checktls.com](http://www.checktls.com). A
later blog post in 2010 says Fastmail enabled it for outbound email as well.
So mail sent from Gmail to Fastmail or vice versa is encrypted between the two
providers.

It's a start. I really thought I had read something about Microsoft enabling
this on their email service, too, but I must be misremembering. All we can do
is hope more big providers turn it on.

1\. [http://news.cnet.com/8301-13578_3-57590389-38/how-web-
mail-p...](http://news.cnet.com/8301-13578_3-57590389-38/how-web-mail-
providers-leave-door-open-for-nsa-surveillance/)

2\. [http://blog.fastmail.fm/2009/04/16/opportunistic-ssltls-
encr...](http://blog.fastmail.fm/2009/04/16/opportunistic-ssltls-encryption-
on-incoming-emails/)

------
grandalf
Aside from the indignation, I'd like to see proof that Google wasn't aware of
this stuff. My guess is that it was approved as long as there was plausible
deniability.

~~~
EricBurnett
What proof would satisfy you? It seems like you're asking for something
impossible to provide.

~~~
grandalf
I'd need to see proof that the exploit (and operation to support it) was so
sophisticated that Google reasonably could not have known.

Since Google has been complicit in a good portion of Snowden's revelations,
the burden of proof is on Google to satisfy its customers that it in fact drew
the line at the earlier revealed level of complicity rather than the most
recent one.

------
kbart
What strikes me most reading NSA related articles, that for Americans the
problem here is not the global surveillance itself, but the _domestic spying_.
Wtf? Is my anonymity and freedom less valuable just because I don't have a USA
signed piece of paper? It's a serious problem that touches _everyone_ who uses
digital communications (pretty much every human being on the word nowadays)and
such data collection should be illegal on _anyone_ unless he's under a warrant
or belongs to opposite forces during war times. I'm very sad and disappointed
that EU leaders don't have balls to stand up for this.

~~~
kyboren
I agree that non-US-citizens are endowed with the same fundamental human
rights, including the right to privacy, as US citizens.

However: 1) US citizens alone control the US government's actions, at least
indirectly and in theory. NSA's domestic spying presents a threat to our
democratic processes. NSA spying on US citizens is more dangerous than if they
spied only on non-citizens, because it provides the NSA the means to control
their ostensible masters--making any reforms to NSA's foreign surveillance
operations impossible.

2) In realpolitik terms, most Americans simply do not think or care about
foreigners. Any bill that ends NSA's authority to conduct warrantless
surveillance on foreigners is a non-starter in our current Congress. By first
ending NSA's domestic surveillance programs, we actually have a shot at
eventually ending NSA's unethical foreign dragnet surveillance programs. In
other words: baby steps.

------
ahi
It seems the rest of the world is coming to the realization that they are
merely conquered provinces in the US empire.

------
venomsnake
This degrades into comic book villain territory. Every admin and developer
professional wet dream is to be able to capture log and analyze every byte. To
have unlimited processing power and storage.

And these people lived it ...

~~~
jcromartie
> And these people lived it ...

And, as it turns out, it's completely useless.

------
Nanzikambe
It's interesting that there's been little attention paid to what this genre of
backbone/infrastructure tapping means for companies using content accelerators
(or whatever they're called).

Considering what we now know about tailored access operations, I find it hard
to imagine they've not used these abilities to subvert the auto-update
functionality of virtually every product there is out there.

Ie. client requests auto-update from front-end server, update is switched and
replaced before hitting the front-end server & being delivered.

~~~
graue
That would seem to be a harder problem for the NSA. First, it has to be an
active attack, modifying data in transit rather than merely siphoning it off —
probably tougher to cover their tracks in that case. Second, automatic updates
are presumably cryptographically signed by the publisher, so the NSA also has
to steal or crack the private signing key. Third, how do you target the
backdoored version of the software so certain groups/people get it and others
don't? CDNs don't work that way.

In the end, it seems much more practical to sneak a backdoor into the software
at the source.

~~~
Nanzikambe
Whilst I agree with your point, I think an important question to ask is
"harder compared to what exactly?"

Cracking SSL? Weaking crypto standards? Tapping undersea fiber? MITM attacks?

Given all those are used, I find it hard to believe the update vector isn't
exploited. Sure you'd need to compromise the signing key first, but that's a
single target allowing you the ability to subvert many more without the need
for any breaking & entering or social engineering alerting intending
targets/victims.

I'll take my tinfoil hat off now.

------
mathesis
USSID18 is what should be talked about regarding these violations. The sooner
people become more familiar with the laws in place to prevent this the better
the outcome for all involved.

------
kmfrk
Gonna be a very interesting fundraising season in Silicon Valley.

------
nickmolnar2
The denials over Prism never squared with the size and capability of the
system that were outlined in the documents, unless I'm missing something here.
Is it not possible that the court-ordered data releases were just one small
part of the Prism program, with MUSCULAR and others filling the data that
could not be obtained through the legal system? Prism is just the query
interface, which is not necessarily tied to one dataset.

------
grandalf
This makes the recent warning atop my personal gmail that "State sponsored
actors may be trying to access your account" particularly ironic.

------
smoyer
Would anyone else be interested in inserting a private version of a tracking
pixel into each of their e-mails, so that you'd get a list of IP addresses
where the mail was viewed back?

It would be interesting to see where mail was read versus where it is simply
passed in plain text. Crowd-sourcing anonymous data might also allow us to
determine which IP addresses belong to the NSA's systems.

~~~
nrmilstein
I doubt the NSA is foolish enough to make external requests to load images in
the emails they read.

~~~
smoyer
And yet they accidentally hired at least one contractor with a conscience!

------
tonyplee
"vice president for security engineering Eric Grosse announced that the
company is racing to encrypt the links between its data centers. "

Isn't this useless?

They can serve Google NSL and the court can force the company to release the
SSL keys for the encryptions - just like Lavabit. Google CEO/Board can not
shutdown the company like Lavabit.

What can they do, get out of USA like how they got out of China?

~~~
dragonwriter
> Isn't this useless?

No.

> They can serve Google NSL and the court can force the company to release the
> SSL keys for the encryptions - just like Lavabit.

They can't do that without Google knowing about it, knowing what data is
covered by the NSL and having the opportunity to challenge the request, or to
factor the fact of the requests and the extent of information covered by it in
evaluating Google's lobbying priorities.

> Google CEO/Board can not shutdown the company like Lavabit.

Well, it _could_ (or, at least, it could recommend that course of action to
the shareholders), but its true that Google is differently situated than
Lavabit -- specifically, Lavabit doesn't have ~$50 billion in cash it doesn't
know what to do with that it could pull from for political action to address
government policy that it felt severely threatened the way it prefers to do
business, whereas Google _does_ , which gives it options to address _known_
actions by a government agency that it doesn't like.

> What can they do, get out of USA like how they got out of China?

Well, its too big of a market for that to be a good _first_ choice, but its
not impossible. Moving the headquarters, etc., would be easy, the hard part
would be moving all their existing data centers and similar operations out of
the US.

If they wanted to do that with minimal disruption, they'd either need to build
duplicate datacenters somewhere else and switch operations to those -- or, for
less duplication, build a fleet of transport vehicles that could hold data
centers, and piece by piece transfer their existing US datacenters into those
transports.

~~~
tonyplee
BTW, a much simpler way to get the SSL keys is to send someone (or teams) to
be employed by Google. (Like another big country probably did a while back.)

Once inside, put a few webcam, physical/virtual key logger, a few line of
code, (checkin code with extra ",", "=" instead of "==" in the right place -
just like a post about Linux security Kernel hack a while back.) and the jobs
are done.

~~~
dragonwriter
> BTW, a much simpler way to get the SSL keys

SSL keys are not the target, the data is the target. SSL keys change over
time, and you still need to monitor the actual encrypted data; tapping the
data where its sent in cleartext is actually simpler, if you have the
capability to do it, than infiltrating a spy into the dev team, having them
compromise the system without being detected, getting the SSL keys, and
monitoring all the encrypted comms.

------
oh_sigh
I love how every quote from the NSA stresses that "we don't have access to
their _servers_. Fine. Let's say they don't. But that means nothing in this
context. If they can see every piece of data that is sent between servers at
various google data centers, they don't need access to the servers to gather a
ton of information

------
whyenot
As of 1:41pm PST, there is no mention of this news anywhere on the front page
of the NY Times website. There have been similar ...time lags... in the past
when covering Snowden related news at the NYT. It's a shame one of the most
important news sources in the US is so slow in their coverage, either
intentionally or not.

~~~
snowwrestler
The NY Times is not Reddit. They will check the story through their own
sources before publishing. They're not just going to repost the Washington
Post story.

They're slow on Snowden stores because they do not have direct access to the
Snowden documents, like the Guardian and WashPo do.

~~~
whyenot
Of course the NY Times are not Reddit. Why are you even bringing that up?

The AP, Fox News, NPR, PBS, CNN, LA Times, ... all have reported on the story
in the Washington Post. The NY Times has not, and that's unfortunate. It's a
major news event.

------
daemin
I get the feeling that people are outraged by this not necessarily for the
fact that spy agencies spy on everyone they can, but that they do it in such a
blatant, efficient, and all encompassing way.

I know I feel a bad gut reaction to the mass collection of data, but when you
think about it that is exactly what a country wants from its spy agency, to
know others' secrets. Hence they're doing the most optimal thing from the
countries point of view. Therefore it is just the brazen scale, the automation
of the whole operation, and the fact that it is now officially public that
gives me (and us in general) the sick feeling.

Like the breakdown of forgetting (anything on the Internet is there forever),
and the rapid dissemination of information through the social network
(Facebook status etc), an adjustment needs to be made either in us or the
system.

------
mman
Why is this on the second page of news right now? Older stories with way fewer
points are currently ranked higher. This story is 22 hours old with 1495
points. There are stories with 264 and 305 points that are older but are
currently ranked just higher than this story, moving it to the second page of
news

------
glasz
“We are outraged at the lengths to which the government seems to have gone to
intercept data from our private fiber networks, and it underscores the need
for urgent reform,” he [google's clo] said.

reform... ha!

------
treelovinhippie
There's worse leaks to come. There are hardware-based backdoors in 90+% of the
Tier1 routers. The whole Internet is basically bugged.

------
CrLf
Now wait... It isn't surprising that inside the datacenters most traffic flows
unencrypted, but not encrypting links between datacenters?

Well...

~~~
SilliMon
You can always encrypt on the client, so the Google data centers are just
pushing encrypted blobs around.

It makes like a bit more complex, but PGP can be used for mail and here's how
to protect GDrive files:
[https://news.ycombinator.com/item?id=6644888](https://news.ycombinator.com/item?id=6644888)

Remember these revelations date from a year or two ago, who knows what they're
up to now?

~~~
CrLf
You can always encrypt on the client, yes. But it is surprising that an entity
such as Google doesn't understand that links between datacenters have multiple
points out of Google's control where traffic can be intercepted.

------
tibbon
Is there anything in the world that the US Government cannot rationalize?

Are there literally no limits worldwide to their power at this point?

It is my current assumption that everything now is being logged.

------
tn13
Any institution responsible for maintaining a nations safety should be
something to be proud about, but apparently with each news NSA sounds more
like a virus.

------
monksy
That sounds like a rather interesting and large integration project that most
engineers would salivate over.

------
csandreasen
I get the feeling I'm going to take a karma hit for this, but here goes...

 _By tapping those links, the agency has positioned itself to collect at will
from hundreds of millions of user accounts, many of them belonging to
Americans. The NSA does not keep everything it collects, but it keeps a lot._

There's a problem with this. The Post goes into a good amount of detail
regarding _how_ the NSA/GCHQ is collecting, but leaves nothing but speculation
as to _who_ they're targeting or _why_. It even goes so far as to suggest that
NSA/GCHQ is targeting millions upon millions of ordinary citizens without
giving evidence to back up that assertion. I would argue that these media
outlets are doing us a disservice by not providing this information. All
they're doing is generating hype and fear. I'm scrolling through the comments
here and seeing calls for the imprisonment (or worse) of Obama administration
officials and NSA personnel based not on solid evidence that the public at
large is being spied upon, but based on our fear that the public is being
spied upon. Some hypothetical headlines as an analogy:

A: "SWAT team guns down local residents"

B: "SWAT team guns down unarmed retirement home residents"

C: "SWAT team guns down pair of local gunmen; ends killing spree"

Headline A is vague and misleading. If that was the entirety of the
information put out, the public would be outraged. If the actual story was
closer to headline B, they'd be rightfully outraged, and all trust in the
police force would be rightfully gone. The outrage wouldn't be justified if
the actual story was closer to headline C. With regards to today's story, I
don't want see something like "NSA spies on Google traffic" \- there's not
enough context. I want to see evidence showing who they're targeting and why.
If it turns out that they're spying on US Congressmen, major business
executives or just ordinary Americans with the intent to
blackmail/bribe/manipulate/etc. - that's the reason to call for these people
to stand trial. If it turns out that they're spying on the unencrypted
internet traffic of valid intelligence targets like foreign government
officials/foreign spies/terrorists/etc., what has the public gained by telling
us all how they're doing it?

The media needs to show us that there's a good reason to be afraid/outraged of
a vast, covert Orwellian apparatus, then show us how to protect ourselves
against it. Show us that the NSA is determined to undermine the public good
for its own benefit. Unless there is no vast, hidden Orwellian state. Every
Snowden document that gets released without showing evidence that the NSA is
pursuing anyone besides those it has been tasked to pursue leads me to believe
more and more that there is no such evidence, and the media is riding high on
all of this fear and outrage to gather advertising dollars.

------
MiguelJones
Are people seriously surprised? After all of the other stuff we've heard the
NSA has done, I am surprised that people are surprised by something we all but
already knew.

------
frank_boyd
Curious to see who will continue to still use their products...

~~~
mden
How would not using their products resolve the issue with the NSA? If people
switched to other providers than other providers will get accessed like
Google.

~~~
rhizome
I'm sure the NSA likes having a one-stop shop. More nodes means more leaks,
and if we've learned one thing through this, it's that the NSA would really
rather do their work without oversight, which, as we've also learned, only
happens as a result of leaks.

------
dctoedt
Test reply.

------
wissler
The writing has been on the wall about the true nature of "the cloud" for at
least 15 years. I tried to tell people, they preferred to put their faith and
trust in the major magazines, which were all propagandizing about it
constantly. Most people (including the developers who write this software)
allow themselves to be herded, and if you try to tell them what's really going
on they write you off as a crackpot.

What most people don't realize is that all the value offered by "the cloud"
can be created with much higher quality on a different architecture, one that
gives all the benefits of the cloud, but without sacrificing privacy.

------
JSno
China's Lanxiang vocational school is innocent . 蓝翔技校是清白的
[http://www.theguardian.com/technology/2011/jun/02/chinese-
sc...](http://www.theguardian.com/technology/2011/jun/02/chinese-school-
implicated-cyber-attacks)

------
andyl
Thank you Snowden.

------
misiti3780
fucking wow ..... that is all i have to say

