Definitely. They could, targets were using it, they were known to tap backhaul microwaves/satellites, their own guidance in high-assurance side was using link encryptors between sites, it's in their commercial recommendations (NISPOM Industrial Security Manual), and so on. Everything in the world to make you think somebody was tapping your line and that they might.
So, some groups that were wise went ahead and deployed link encryptors. Black programs, following NISPOM and SAP supplements, sure as hell used link encryptors so good [1] we can't buy them because... national security. I sure as hell used end-to-end crypto and VPNs for anything significant. Google and Facebook... treasure troves of PII and I.P.... didn't for reasons I can't imagine. Result was they got intercepted in bulk by something that's been a known risk for 20+ years. Take NSA out of picture and they should've still thought the lines might get tapped by crooks or foreign spooks.
So, yes, Snowden leaks mostly just taught us what we already knew in greater detail. People ignored it then, some ignore it now, and yeah problems happened.
Google's datacenter-to-datacenter links probably weren't going over the public internet, so they didn't feel the need to protect against man-in-the-middle attacks on physical lines that they owned. If you connected two computers to each other with a cross-over cable, would you feel the need to encrypt all communications between them, just in case?
I'm sure that's what they thought. It's so common it's in textbooks. As in, any point-to-point line running outside two buildings through public land and a third party network owned by sneaky, Tier 1 types could never result in eavesdropping by anyone with physical or logical access. It was a ridiculous claim when I read it and wasn't doing INFOSEC at the time. Horrendously stupid. There were already link encryptors on market for those exact lines for a reason. A good one in this case.
Far as your contrived example, yes I did recommend Layer 2 or 3 encryption, authentication, and monitoring between all nodes for a variety of benefits. It was also in Red Book (Orange Book for networking) as a high-assurance security requirement due to malicious hosts or tapped lines. All the times I eavesdropped on and screwed with Intranets fully justified it. Moreover, reading the Security Monkey later showed he handled a situation where an intruder did a physical splice of the line into a nearby building for his attacks. Just more evidence.
So, yes, security must be applied to every layer inside of and around endpoints, networks, and more. The risk you mentioned, minus crossover part, resulted in numerous hacks in the real world that my methods and 80's era methods would've stopped. In a PCI form factor, too, as DiamondTEK secure LAN did exactly that.
> If you connected two computers to each other with a cross-over cable, would you feel the need to encrypt all communications between them, just in case?
If I cared about privacy and I couldn't control physical access to the cable? Yes, of course.
The core infrastructure security people at Google didn't know it, from what I understand. Maybe they're all incompetent; maybe they were lying; or maybe the knowledge (not rumour or suspicion) wasn't as pervasive as you say it was.
I had no idea. I'm not downplaying Snowden. The guy is 100% a hero in my eyes. But, to claim we in tech community were all like "I have no idea this was happening" is completely bogus.
It was also very easy to dismiss us as conspiracy theorists. And indeed we were. The Snowden revelations are useful as a way of saying "we predicted the state was engaging in mass surveillance and they denied it while they continued the program". That is immensely useful for the future.
I agree. I agree in a specific way: people were always thinking that anything with a significant chunk of people would've been revealed by a bunch of them. There's probably thousands involved in everything in the Snowden leaks from government to private industry. About biggest stuff, only one or two people talked while the rest worked in secret by the thousands to make it happen for around 10 years.
That's one hell of a counter to the bullshit I keep hearing that nothing secret or evil could happen if it's 2 or more government people.
This stuff has been going on, and widely discussed, for over a decade. But no one really cared or understood the full scope until Snowden slapped everyone across the face with it.
Yeah I know about the AT&T splitters mentioned in the footnotes. But the Snowden leak was a lot bigger than that. Did 0xCMP know that the NSA was recording the full contents of every cell phone call in the Bahamas and keeping them around for at least 30 days?
This 100%. Snowden was so important because he brought this stuff mainstream. But, let's be completely clear that it was already mostly known in bits and pieces and many leaders in tech had already been sounding the alarms.
I am in no way downplaying Snowden or what he prompted everyone to do, but everyone knew it was happening. They just weren't motivated or felt no one else cared.
It's kind of like trying to get people to use PGP for normal communications: You understand why, and they might too, but they don't care enough. So it doesn't get done.
"Its kind of like trying to get people to use PGP for normal communications: You understand why, and they might too, but they don't care enough. So it doesn't get done."
Good example. I've seen harder to use tools with little benefit adopted by enterprises because management forced it. The simplest version of encrypted email and storage often was ignored for just apathy.
That archive link doesn't reference Google at all, or non-consenting data feeds from internal networks of friendly companies.
I too knew about that whistleblower before Snowden. I didn't know about Google intranet being compromised, or things like hostile code uploaded to hard disk controllers, or data exfiltration via compromised in-transit routers, etc.