Google Security Team Member on NSA: "Fuck These Guys" (plus.google.com)
1217 points by cdvonstinkpot on Nov 6, 2013 | 396 comments

I think it's pretty clear that we need both technical and legislative fixes to NSA surveillance. Just one of the two isn't enough: to be even vaguely confident that surveillance ends, we need both. The technical fixes I can't speak to, but the legislative ones I've been thinking about for a while. In the last week, there have been two prominent bills announced to deal with surveillance:

- Bill 1: The FISA Improvements Act, from Feinstein and the Senate Intelligence Committee. In short it legalizes most of what the NSA has been doing.

- Bill 2: The USA FREEDOM ACT, from Sensenbrenner and Leahy, currently being considered by the House/Senate Judiciary committees. It amends §215 of FISA to end bulk phone metadata collection and fixes some of the problems with §702 of the FISA Amendments Act (under which PRISM is run). But it doesn't fix §702 fully, does nothing to end BULLRUN (undermining encryption) nor the surveillance that happens outside FISA (MUSCULAR, for example, and god knows what else).

Obviously the Feinstein bill can't be allowed to pass. But some really big names (ACLU, CDT) have thrown strong support behind the Freedom Act. I'm wondering what we as the Taskforce(.is) should do. It's clear to me that it doesn't go nearly far enough. And there's some chance that if it passes, Congress will view this whole thing as "dealt with" and not revisit the issue for years to come. But unfortunately the Freedom Act barely has the votes to get out of the judiciary committee, and getting it to pass through both houses requires a lot of momentum.

We've been working on a campaign asking folks to call and oppose Feinstein, and potentially to support the Freedom Act. But I'm not sure if that's a right move. Unfortunately, the public doesn't understand why privacy is important, and Americans aren't nearly angry enough for Congress to do anything more substantial than the Freedom Act. We might be able to push for amendments, but it's a long shot.

tl;dr - We've got two bills in Congress. One is terrible, one is mediocre. But we don't have the political momentum to do anything better than the mediocre bill. What do we do? Tech advocate conundrum.

> But it doesn't fix §702 fully, does nothing to end BULLRUN (undermining encryption)

Nor should it. Undermining the encryption used by legitimate surveillance targets and intercepting their communications is what the NSA is for. The point of legislative solutions isn't to stop having a signals intelligence agency. It's to limit that agency to spying on people it legitimately believes to be terrorists, agents of hostile foreign powers and the like.

Ok but to agree with that argument is to agree that the NSA and organizations like it are necessary. I'm still waiting for the proof that they are. Everything I see points to them compromising countless people's privacy and having nothing to show for it.

But that's the core of the problem. By the nature of what they do, their successes are never clear.

Not that this is a very robust intellectual defense, but the US is far from the only country to do this. Just two days ago the NYT had an article about Brazil spying on Americans within its borders:


If we shut down the NSA tomorrow we would be at an international disadvantage.

Can we please try not to equate a diplomat's car being followed around a city's public areas with the indiscriminate collection of private communications from every man, woman and child on the planet?

Look, my eyes are open. I'm spying on you. Everybody spies!

Difference in quantity turns into difference in quality sometimes. It is stupid to disallow taking pictures on public streets. It is not stupid to say to the government "you should not film everything on public streets 24/7 and keep it for years, because we don't want you to". Citizens are owners of the government and can set rules of what it is allowed to do.

can we please try not to equate reality with "indiscriminate collection of private communications from every man, woman and child on the planet"

I understand the line "By the nature of what they do, their successes are never clear." but I would think that with all of the bad "publicity" the NSA is receiving they would at least pull one example out where they prevented an attack. They have only released vague numbers on the number of incidents prevented and when put under a microscope they weren't a very big part of the plots they claimed to have foiled. I understand the "international disadvantage" but I don't think we can allow everything the NSA does with "Everyone else is doing it" defence.

An annual transparency report from the NSA? Good luck with that.

I doubt the NSA cares about negative publicity. Deep inside the NSA it's business as usual.

This is why my opinion is that the TLA policies and limits should be set by Congress in open debate. While their work may be secret, the limits and approach to the work should be set by the representatives of the people, publicly.

Leahy is the author of CALEA, a surveillance law that is one big reason we're in this situation to begin with. He introduced portions of the Patriot Act under the name EPPSCA a year before the Sep. 11 attacks (http://thomas.loc.gov/cgi-bin/query/R?r106:FLD001:S58859).

Leahy has sat on modest surveillance reform (requiring search warrants for email, cell phone location) for over three and a half years without advancing it to the Senate floor. One proposal he circulated a year ago included an exception allowing dozens of federal agencies to access email without a warrant (http://news.cnet.com/8301-13578_3-57552687-38/). Then, after Snowden's revelations, when the political tide was moving toward significant reform, Leahy's first instinct was to handcuff companies from challenging NSLs (http://news.cnet.com/8301-13578_3-57592778-38/).

I suspect that, after all the likely political compromises and conference committees and markups, any bill principally authored by Leahy will follow the same pattern as CALEA and the Patriot Act. One obvious solution, of course, is to avoid limiting yourself to looking at a pair of existing flawed bills and find a politician willing to back real reform.

Another solution, better for HN, is to work toward technical solutions that will work in the likely event that our esteemed leaders in Washington, D.C. get it wrong once again. Trust math, not laws.

There is no technical solution that works when the federal government can seize/inspect/hack into any computer located in the United States or in friendly countries, as well as hack into computers anywhere in the world. They can then access the decryption private keys of anyone, and thus all encryption can be defeated, along with any other means of attempting to hide information from prying eyes. If Google itself is unable to protect its own network from NSA intrusion, what makes you think anyone else is able to?

Remember, the NSA is tasked with spying on Russian, Chinese, (and everybody else's) systems, and given that the Russians and Chinese have great mathematical and computing minds, it should be assumed that the NSA is employing equally great minds in the USA in order to penetrate the military (including nuclear and biological weapons systems), government, commercial, and individual systems of these foreign powers.

That the NSA turned the sophisticated looking glass inward to spy on the citizenry, in such an insecure manner, is the problem.

The other problem is that, well, citizens of the United States can be terrorists. If the NSA is tasked with stopping terrorism, then they, of necessity, need to monitor everyone, including US citizens.

So the answer lies in the terrorism part: Everyone went bonkers wondering why the government agencies were not able to stop the Boston bombers, yet when they do try to collect information and analyze it in a manner consistent with stopping this threat, they are then denounced as violators of the Constitution.

I have a sobering proposal: We tell the NSA to not worry about terrorism.

On the other hand, we come to terms with the notion that terrorists do what they do because it does terrorize us, and we make a conscious decision that we are going to not care anymore and accept a certain amount of casualties in exchange for the government not spying on us.

We accept that 30,000 Americans die on our roads each year in car accidents. We accept that another 30,000 Americans die of gun violence every year. Could we not accept that 30,000 Americans die of terrorism related incidents every year?

I lived in France in the 1980's. We had a lot of terrorism. Bombs in malls, bombs in restaurants, bombs in the street in front of synagogues. After a while, callous as this may seem, the French just stopped caring anymore. It had become routine. Then the terrorists stopped. There was no reason for them to keep doing this, because the French would just put it on page 4 of the paper, next to the political scandal section. The police would close the street, clean up, etc.

Yes, these were tragedies for the families, but not more than the tragedies for victims of gun violence, drug overdose, and horrible car accidents that mangled the bodies of children beyond recognition.

Taking away everyone's car is not the solution to car accidents. Taking away everyone's guns, swords, pick-axes, chainsaw, power drill, kitchen knives, and banning boxing, wrestling, and martial arts is not the solution to murder. Likewise, taking away everyone's freedom is not the solution to terrorism.

Because taking away everyone's freedom's been tried before, and the human spirit of freedom asserts itself, and people die on both sides as they rebel and attempt to overthrow the oppressors.

And that is why the NSA and other agencies that spy on Americans must be muzzled.

I agree with your general premise and thesis, but the gun deaths from guns statistic, while pedantically accurate, ignores the context shown here:


Firearms were used in 19,392 suicides in the U.S. in 2010, constituting almost 62% of all gun deaths

Analogy with not using encryption?

Yeah, I'm familiar with that. Since committing suicide is against the law, then does my analogy hold?

Now using encryption or not using encryption does not matter in the context of being monitored by the NSA.

Since you've brought up the topic of poorly enforceable laws, when was the last conviction?

My reference re: not using encryption is that it is akin to suicide.

Well, if you have life insurance and you commit suicide, your beneficiaries won't be able to collect (in most cases, there are a few policies...) because suicide is against the law.

It may be the reason suicide's illegal.

Legislative fixes aren't going to buy you a lot, though they'll buy you something. The fundamental problem is structural: there are a lot of things the NSA is totally allowed to do, especially when it acts as an agency of the executive outside of the U.S. Technologists tend to ignore national and jurisdictional borders because networks cross those borders, but the powers of the NSA are defined in terms of those borders. Not just statutorily, but as an agency of the executive, Constitutionally.

For example, Mike Hearn says: "Bypassing that system is illegal for a good reason." Illegal under whose law? Obvious things like the Wiretap Act simply don't apply outside the U.S. And this is by design: Congress and the courts are primarily domestic institutions. The executive, by design, has primacy when it comes to activities outside the U.S. Maybe this design made a lot more sense back in the day before the advent of trans-national corporations, but it's the design we have, and we're talking Constitutional-amendment level fixes to change that design.

Internally, you might see fixes without a Constitutional amendment. E.g. the Supreme Court might at some point weaken the third party doctrine, which is what makes a lot of the NSA's data collection not a violation of the 4th amendment. But they won't touch the activities of the NSA internationally.

U.S. law follows U.S. citizens around the world. For example if a U.S. citizen robs a bank in the U.S. and then flees to the UK, when the UK police catch him, he will be extradited and prosecuted in a U.S. court. He's not stuck into a UK jail without a trial.

That's the minimum issue here--Google ships the data of U.S. citizens around the world, and the NSA knows it. They are trying to play a cute game by pretending to assume that if the GCHQ collects the data in the UK, the NSA can safely treat it as foreign data. We need to call them on it.

U.S. law does follow U.S. citizens around the world, but only in certain circumstances does it apply to conduct abroad. For example, there is a law against U.S. citizens engaging in underage sex tourism abroad. But such laws are the exception. If you, e.g., murder someone in England, the U.S. can't hold you accountable under American law.

Your example is a bad one, because in your example the law is broken by conduct in the U.S. In this case, the splicing of the leased lines happened outside of the U.S.

The conduct in this case is not the fiber tapping, but the possession and use of U.S. citizen data by the NSA. It does not matter how they gather it, their restrictions are the same--they must limit and justify it.

The Google+ comment objects to the fiber tapping. It doesn't say anything about the use of U.S. citizen data, and the NSA asserts it has safeguards in place to filter out such data from foreign taps.

It depends. Extradition is complicated and often has conditions, like requiring that the act was illegal in both countries. Some countries will not extradite a citizen of theirs (dual nationality comes into play here), and countries in Europe will not extradite to the USA if the death penalty is an option.

Constitution, huh?

You may have noticed it getting thrown out the window already, what with American citizens in danger of being declared "enemy combatants" and locked away indefinitely without trial, or just droned to death on the spot and all.

Then there's Mr. Snowden, enjoying his Constitutionally protected right to freedom of speech.. in Moscow.

Legal access to a document can't compel the owner of the document to hand over encryption keys. And if the existence of the document can be denied, you can't even prove it exists. This level of protection is within the reach of existing tools. Services like Google can make those tools accessible to the masses.

The law has to observe physics. You can get a court order to "compel" someone to float off the ground, but that doesn't mean it's going to happen.

Sure, there are certain things that can be achieved by technological means. My point is that when it comes to certain areas of NSA activity, you're dealing with more than just simple legislative fixes. The specific example mentioned by Mike Hearn, the NSA tapping into international leased lines, is really illustrative. Our whole government is structured around the assumption that the executive branch is supreme when it comes to activities outside the U.S. To make it illegal[1] for the NSA to tap into foreign leased lines would require more than just legislation, it would require Congress to decide to regulate the NSA's activity abroad in the first place. And in doing so Congress would run up against separation of powers issues, because in our system, it's not really Congress's place to dictate to the President how he carries out foreign security activities.

[1] I think as it is it might be a 4th amendment violation, but it's not contrary to any statute that I'm aware of, at least not any American statute.

> And in doing so Congress would run up against separation of powers issues, because in our system, it's not really Congress's place to dictate to the President how he carries out foreign security activities.

I agree with you completely, but when the political will is there, Congress can dive head first into separation of powers fights. Look at the War Powers Resolution. It's almost certainly unconstitutional in a strict sense, or at least extra-constitutional. But the Supreme Court will likely never touch it, and Presidents take its requirements seriously.

One potential avenue for limiting foreign intelligence gathering short of an amendment would be ratifying a treaty to that effect. But that seems as unlikely as any other route, since, as has been pointed out a few times, most Americans care not a lick about foreign SIGINT, and to the extent they do would like it to be as effective as possible.

Those are both excellent points. A treaty would be a good idea, but first we need a President willing to negotiate such a treaty.

That depends on the meaning of "how."

Congress can very well pass laws that dictate foreign policy: You shall/shall not bug the Germans.

Though it's dubious, Congress can also say "You shall not spend money on fiber taps. You shall have money for satellites."

The bottom line is that the Congress can get into NSA's pants as much as they want to.

> Congress can very well pass laws that dictate foreign policy: You shall/shall not bug the Germans.

They can pass them, but they'd almost certainly be as unconstitutional as a law from 1944 that mandated the invasion of Calais rather than Normandy.

It is beyond even that. Even if you get legislation making it illegal for the NSA to spy outside the US you also have to pass a law saying they can't receive data from the GCHQ who were the ones who tapped Google and Yahoo in Europe and then shared the data with the US.

There's no conundrum. You take what you can get, when you can get it - especially with how Washington functions today. The other big name groups recognize this. Perfect is the enemy of good here.

"But some really big names (ACLU, CDT)"

Just to point out, neither of these are actually big names to congress, or more importantly, particularly effective at getting things passed when push comes to shove.

If you want these things passed, never rely on advocacy orgs to do the work of the people.

In fact, there are many members of Congress that would be delighted to oppose whatever the ACLU is recommending (and perhaps even put out a press release announcing it!).

I've been thinking about this pretty hard this summer - I've been involved in some local tech activist stuff.

My take on it is as follows:

Fundamentally, what's needed here is the ability to have confidence that the intelligence system is not overstepping its bounds. The US founders' framework for building that confidence is to have multiple parts of power, whose interest is roughly aligned with countering each other. So in the case of the TLAs:

* The judicial system for warrants needs to be open. No secret courts. Cases' contents might be sealed; the existence of cases should not be. Secret courts are not new, and they have been a bad idea for a long time.

* The policies for data collection need to be managed by Congress; no policy about this should be set by the executive branch. The policies need to be open and debated. Should we take foreign intelligence on our own citizens?

* Comprehensive reports to Congress. I believe Zoe Lofgren cited a report that was under a page about the NSA activity. That's entirely disingenuous and disrespectful of the representatives of the people.

The other thing that needs to be done is in the polls: Legislators that seek to legalize snooping need to be replaced with ones that don't.

And finally, the thought process needs to be that there's a 4th Amendment rights protection movement and organization, which will work over a long timeframe (generations). There's no band-aid act that will fix this once and for all, this entire thing is an upswelling from overprotective and anti-risk mindsets. It comes out of deep into the roots of what's considered acceptable risk. The privacy/4th amendment movement is going to have to plan for advocating higher risks, more freedom, more liberty, combined with more laws about privacy, along with determining how to build change in mindset over time (it's called propaganda or, more politely, marketing). Privacy implications need to be worked out, discussed, brought to light in fiction, philosophy, law, debates, etc. The mindset of fear and "never again" and "risk is unacceptable" has to be broken in order to make mass surveillance a non-starter.

Worse - The reality is that privacy is going to be dead with the Internet of Things coming online. The question is, what is acceptable and legal to monitor and record? For myself, I believe that we need to have stringent personal data laws forcing deletion of consumer data unless required for a service, as well as requiring warrants for any data collection not already given to the government (i.e., IRS filing).

The 2nd Amendment groups are in this for the long run. I don't see how the privacy groups can afford to do otherwise.

edit: I would enjoy discussing this with interested parties, particularly activists and activist-leaning people. My email is in my profile.

It's wrong to portray this as a trade-off between more risk or less risk. In reality it's a trade-off between two kinds of risk. Without the NSA snooping there is a higher risk of terrorist attacks, but with the NSA snooping there is more risk of attacks on democracy. Imagine J. Edgar Hoover or Richard Nixon able to use all that NSA data for illegitimate purposes. How easy would it have been to suppress dissenting political opinion? The NSA database is a time bomb of political abuse just waiting to explode. Its very existence is a threat to democracy.

That's a fair point. There is an array of risks that less (or more) intelligence shifts the balance around on.

N.b., I don't really like to frame it as "attacks on democracy". That is (1) hyperbolic and (2) not obviously true. Words must be chosen very carefully in this debate (and it is a debate!) in order to not mislead or scare people away. I would argue that TLA snooping leads to the "Chilling effects" idea, where debate and discussion are chilled from freedom due to awareness of snooping. Obviously there are follow-on and side effects as well, as well as long-term risk of political persecution. But let's focus on the visible problem today without speculating on the worse potential problems.

Further point with respect to word choice and bringing the mainstream awareness up: tinfoil hatters do not speak for me, and they don't speak for the mainstream. They poison discourse by being radical and not bothering to look at conventional reality. Same for conspiracy theorists. Reasonable and respectable people can move the needle, infowars/alex jones/coast to coast types really are no ally in the effort to make this a real issue.

I'm interested in this distinction.

It seems to me fairly self-evident that actions which chill debate or discussion limit political expression and an informed electorate, thereby fundamentally impinging on democracy. Why then distinguish between 'chilling effects' and an attack on democracy?

So a dictionary defines chilling effects as the inhibition or discouragement of the exercise of your rights.

Let me frame the thought by giving an example: if I am talking with someone, I might not say a few things because, hey, the TLA might care enough to pull the record and listen in. Or we take care to communicate with GPG or something. It inhibits what we do. We can still vote; our vote actually has meaning; our votes actually change the elected officials, etc. We still can run a socialist candidate (c.f. Kshama Sawant 2013 in Seattle) and they aren't shut down via police action or other hardcore discrimination.

This is in contrast against what it could do: it could be always used to harass and discriminate against those dissenting from the Two Parties and the State. Anyone who said anything would be looked at and actions taken to shut them up and limit the expression and formation of dissent.

While the database of communication could be used against people to significantly disrupt everyone who speaks out, it is not, and in my opinion, it will take a few emergencies like 9/11 to actually alter the mindset of the US to make that acceptable. Of course, people are harassed; some people are okay with that. It doesn't mean there's general acceptance of that, and it doesn't mean everyone is harassed.

Thus I draw the distinction: people self-censoring vs. the heavy hand of an apparatchik forcing change. The first is very immediate and to-hand; it's reality today. The other is possible, possibly even probable given certain courses of events, but fear-mongering is not the best way to go; let's deal with the clear and present threat at hand- chilling of free speech, chilling of dissent, chilling of the business interests of United States citizens, (frankly, these all apply outside the US as well, and hopefully the debate within the US around privacy and data capture also places the operations of TLAs on non-US citizens & non-US soil within the public purview of the United States citizenry via their elected representatives).

Fear does work as a campaign tactic, but the reality is, fear is not something people want to work for. People are willing to work for hope (didn't we all see that in 2008?), and I really would prefer the pro-privacy, pro-4th amendment activists focus on the positives and hope of what we can do rather than performing the traditional stick of the Republicans & Democrats (vote the other way and the free world and the US will END!!!11!oneoneone). It is in hope of not being tracked against my will, not being monitored in every phone conversation, not being advertised at without my consent that I advocate for these changes to come to pass. It is in hope that I can say thoughts and perform actions online and offline and feel the liberty of not having peeping government Toms and raucous advertisers know anything about me.

So there's my distinction and my spiel. :-)

>our vote actually has meaning; our votes actually change the elected officials, etc. We still can run a socialist candidate (c.f. Kshama Sawant 2013 in Seattle) and they aren't shut down via police action or other hardcore discrimination.

See, my theory, call me a tinfoil hatter if you will, is that we are on the brink of losing our votes. 1) Collect extensive data on any and all citizens. Any especially politically active citizens will receive extra scrutiny. Ones that are further up in local, state and federal politics will receive even more. This information will be used secretly to ensure that, besides a few outliers who are either allowed to be subversive for the sake of maintaining a smokescreen, all politicians can be controlled. Russell Tice, a prominent NSA whistleblower, has alluded to exactly this process occurring under the NSA of today, as it did under J Edgar. He ominously refers to a young man who now resides in a nice white house as one of these who received extra attention. (To me, that explains a whole great deal. And think about it - one of my google searches released to the press would destroy any political career I had, and would be quite enough to turn me into someone's puppet, or force me out of politics altogether.)

2) With the political market cornered, to an extent, step two begins. Militarise the police. Use infiltration and subversion to delegitimise, split and turn public opinion against activists, whilst also using techniques to track and monitor the most influential ones. Again, there is evidence that the NYPD and other departments have undertaken actions like this. There is a wealth of technology to aid them - tracing FB profiles, using false cell towers, facial recognition tech combined with surveillance cameras, etc. This will have a chilling effect, as mentioned above - activist movements are accused of vandalism, of violence, suspect motives, etc, and are also brutally put down. Public sympathy fades, and the support for and involvement in protesting and other forms of activism begin to wither.

Congratulations, you have the makings of a great authoritarian state!

Note that nothing I referred to above is beyond the realms of possibility - in fact, please point to anything I said and I will try to dig up some solid evidence for it.

Quite simply, we are going past the point of no return. It will become progressively more difficult to have an impact on the political apparatus. At some point, it will come down to one thing: a fight. A very bloody fight. It happens every few centuries when an existing political and social order becomes stagnant, and the citizenry are pushed out of fear, hunger or anger to act. When we the people have nothing to lose, that is when things will change. It may not happen tomorrow, or next year, or next decade, maybe not even this century, but it will happen.

Couldn't agree more and this is what I have been saying.

EVERYONE has dirt on them that they wouldn't want a hypocritically moralistic press to publish to the world with the worst possible spin on.

Either Presidents get access to some scary ass shit that makes them all immediately move hard to the right when they get in office or someone shows them their phone calls to their dealer in 1986 or the abortion clinic in 1997 or an email to an illicit lover or a gay experience at college or or or.

Occam's razor would suggest that with the overwhelming superiority of the USA militarily and economically that there isn't some massive scary vulnerability that requires the maintenance and expansion of the security state therefore the second posit is more likely. Dirt. Lots of it. J Edgar Hoover with access to all of your innermost thoughts. That's what a google search is after all.

How many times have you heard something or read something and done a quick google, something that out of context would be dreadful? I for example ended up following some links from Reddit and ended up on a white nationalist site (the post was taking the piss out of their idiocy), I immediately clicked away from it thinking 'fuck, if the govt were to see that' (I am on a work visa here and have essentially no 4th amendment rights when seeking entry), pretty chilling already.

Now imagine being a politician. 'Candidate goes on storefront!' But I was just curious, following an internet thread...yeah right. Racist.

/end ramble.

I understand the implications of having surveillance and using that information to ... regulate... dissent to be acceptable dissent. I completely agree that we have wound up with certain things in place that are foundational to a police & authoritarian state. However, I don't see any direct evidence of police state action; no smoking gun if you will. So I believe it's better to confine ourselves to openly known facts & working to roll back the (already very bad) truth rather than looking forward to a (worse) fork in the road.

Remember, a great number of people have to be on board with restricting the TLAs in order for effective change to happen at the national level. While YOU might not want monitoring of influential activists, others might (and probably do). So your possible future might be a wanted one for segments of the population. Confine yourselves to facts and positives and you have a stronger base to work with rather than pushing fear (no one wants fear, everyone wants hope).

Understand that I'm not denying your hypothetical future. I'm simply convinced that a narrative not focused on "what-ifs" and fear will be more successful at winning support.

I don't agree with your point that arguing what-if scenarios is a losing argument. These days there are enough actual or potential attacks on groups that someone holds dear such that a what-if argument can be constructed that will resonate with anyone. Sure, there may be some people that would want, say, the Occupy Wall Street activists monitored, and those same people would deplore the Tea Party "activists" being monitored by something like the Obama administration.

I would argue that imagining what-if scenarios and disseminating that fear are the only way to prevent us from crossing the threshold where there's no turning back. Waiting for direct evidence of a police state is a losing battle. Just take a look at what a decade of the All-Seeing-NSA-deniers have brought us? Relying on the next Snowden to bring us hard evidence about intelligence activities is a losing proposition.

> However, I don't see any direct evidence of police state action; no smoking gun if you will. So I believe it's better to confine ourselves to openly known facts & working to roll back the (already very bad) truth rather than looking forward to a (worse) fork in the road.

You didn't see any direct evidence of massive surveillance either. Yet it is quite clear it exists. All that means is you are willing to wear blindfolds. By not preparing yourself for the worst, you simply let it happen.

It may feel self-evident to you but I don't think the evidence supports that position. The US is not exactly known for its engaged electorate or educated voters. I would need to see a lot of evidence in order to convince me that things would get any worse in a surveillance state. The UK is probably farther down that road than the US at the moment and I haven't heard that they have exhibited any of the problems you are worried about.

>Without the NSA snooping there is a higher risk of terrorist attacks, but with the NSA snooping there is more risk of attacks on democracy.

Bullshit! This is the exact thing we have been demanding proof of. There is none.

Not a single event has been proven to be thwarted by these activities.

Boston? Sandy hook? Aurora? Lax? Mall?

All actual attacks, hell, they took days to ID Boston guys and even then couldn't do a decent job in tracking locating them after they found them out!

The NSA is a criminal organization. Period. There is no grey or legal area here. They need to be shut down.

All of those but possibly Boston are essentially mentally ill people who went nuts - domestic attacks. The NSA is usually tasked with dealing with foreign threats. So your complaint is, by and large, mistaken. Your complaint is better directed at local police and mental health facilities.

It's almost certain that the TLAs generally try to keep within the law as they see it, and push the boundaries as far as they can - this is the trend of the executive branch. I would expect them to have batteries of lawyers hired to find out exactly what is permissible, and then to do all of it.

It's also entirely disingenuous to say that the TLAs have no purpose. To riff off of @leashless from Twitter - they are a reaction - an immune response - to some entities which do and did some very bad things covertly, and are now being an autoimmune disease on the host state. The truth is, 9/11 gave a rather large blank check to the industrial/security/intelligence companies and agencies in the US, and most people were not in the mood to worry about civil liberties too much at the time. "Never again" was the refrain, and that sort of perspective removes all ability to do a cost-benefit analysis. So they expanded with that attitude and that check... then, like bureaucracies do, they entrenched and began to expand power and capabilities. This is not new behavior in any bureaucracy. This sort of eventuality was, as I recall, predicted quite loudly after the Patriot Act was passed.

Don't understand why you list unthwarted attacks. The real question is how many attacks were thwarted. That is the point of disagreement.

Yeah but "higher risk of terrorist attacks" is like, what, an increase from 0.000001% to 0.0000011%?

That's the thing with Fear. It makes you stupid.

One thing that needs to be taken into account is that terrorism is responsible for very few deaths at all. Guns and cars both cause more deaths. I'd love the US to do something about guns, but are you guys having a crisis about cars?

The response is utterly disproportionate to the risk.

I don't know. What do you think they would've done to suppress dissenting political opinion?

Which is where this whole conversation goes to hell - the trailed off sentences where people assume they actually have a clue what dangers they're talking about.

Because if your problem is "oh, someone might find out about someone's mistress and tell the media..." well - the problem begins and ends with the fact that their voters turn out not to be ok with that. But they're still voters whose votes matter.

"What do you think they would've done to suppress dissenting political opinion?"

Easy. You use government power on them. You "coincidentally" hit them with an IRS audit, one that's incredibly hostile and refuses to resolve itself. You hit their business with every inspection possible, held to the most stringent of standards. Even if, and perhaps especially if, they don't own it, and you find a way to sufficiently hint to the business why exactly they're having these troubles. You have a cop follow them and nail them with every petty infraction in the book. Any government program they may be on, you inspect their compliance to the n-th degree. Layer heavy bureaucratic red tape on at every opportunity. Find ways to make them need a lawyer. Find a petty excuse to claim you suspect them of drug trafficking and inspect everything they own, which basically allows you to take everything they own, and effectively destroy or hold on to everything for years.

And that's if you have a goal of staying plausibly legal. If the mask is off for some reason, there's even more you can do. And these are just examples; if one truly took a survey of what the government could do to you without even stretching the law, I think we could produce a very thick and scary book.

Unfortunately, I don't think the capabilities of the NSA are bounded by your imagination.

So again, you just listed a big list of things which don't actually require a covert surveillance program to implement because the whole point of suppressing people is to be rather overt about doing it.

You then postulate the US government just ignoring the law altogether.

You see the pattern right? All these are things where the US government does some questionably legal, pretty highly visible stuff to you. It's not unintrusive electronic surveillance.

Or to put it another way: the Soviet government didn't start out surveilling their citizens before they just murdered all the ones who were considered dissidents. They started doing it after they needed to get better at murdering the dissidents. But the real problem, was the fact the government was willing to murder dissidents. Has the US government killed a bunch of your neighbors? Disappeared them?

>So again, you just listed a big list of things which don't actually require a covert surveillance program to implement because the whole point of suppressing people is to be rather overt about doing it.

No, he just mentioned things that could be currently done. However, only on a small scale. To truly disrupt anyone's life like that, and to do that for thousands or millions of suspects or dissidents or what have you, you would need an equal amount of auditors, cops, and so forth.

Now, if you were to automate that schema, you would have yourself a system capable of much more. And by doing it illegally to the extent that even elected representatives are not allowed to have oversight, you could achieve a very great deal.

>was the fact the government was willing to murder dissidents. Has the US government killed a bunch of your neighbors? Disappeared them?

Two arguments. 1) The signs are that we are eroding the legal safeguards that at least made it very difficult and very risky to do this. Now, however, dissidents (call them traitors if you will, that is your opinion) can be whisked to secure holding facilities the world over and subjected to torture, and it is technically legal. US citizens can be assassinated legally. And now we hear that we have been watched for decades, illegally. Clapper commits perjury, but walks free. Torturers are given clemency, but Snowden is wanted for espionage. All of this tells me that currently, our freedom is a facade, and soon even that will be able to be dispensed with.

2) You could subscribe to the view that we don't need to be murdered or disappeared, just convinced that keeping our mouths shut and our eyes on the TV are the safest option. Pepperspraying OWS protesters, militarising the police - I can see why political engagement is dropping, and I'm sure you know who benefits from that. Hint: not us.

Hike dem goalposts. You asked what they could do with the information they illicitly obtain, and I provided an answer.

"Has the US government killed a bunch of your neighbors? Disappeared them?"

No, not yet. However, I believe there's a "there" there with the IRS scandals, which is definitely headed in that direction very, very strongly. Which is to say, it's riding your line, it crosses a lot of other more realistic lines already.

> Or to put it another way: the Soviet government didn't start out surveilling their citizens before they just murdered all the ones who were considered dissidents. They started doing it after they needed to get better at murdering the dissidents. But the real problem, was the fact the government was willing to murder dissidents. Has the US government killed a bunch of your neighbors? Disappeared them?

Your faith in human nature is disarmingly naive. Remember Hitler has been elected. What keeps a democracy alive is not the people at its head or the people that elect their rulers but the structural foundations and laws. You can't trust men. Most of these foundations and laws have already been circumvented by the NSA with the benediction of the US government. That the government seems "nice" to you doesn't matter. As soon as the rulers can disregard laws, they will.

On the legislative side, it seems that we need more transparency and the ability to curb abuses once detected. I don't really know what a working system that acts in this capacity would look like but I think it would include citizens as well as senators and congressmen. We don't really know what our government is doing and, although that might not have been an issue in the past, I feel that it's becoming an issue today as a result of everyone being spied on. If the government has nothing to fear, it has nothing to hide.

Feinstein is a villain. Time to get her out of office.

Good luck with that. She's not up for re-election until 2018, and so far as I'm aware there are no allegations of crimes of the sort that would get her expelled from the senate (in practice, looking at previous examples).

She's always been a villain. It's just that the other Senators are so much worse she looks good in comparison.

Try to find a fix for the ridiculously broken system that is the US government?

It definitely won't get fixed if all people do is bitch about how it's totally impossible to fix on internet forums.

If you can get exactly the right people to bitch about how it is impossible to fix on internet forums, then they won't be around during the planning stages and you may then be in with a chance.

Yes. It's fixable the moment the public realizes that it is within their power to fix.

How? Voting and protesting haven't worked so far.

Just because people don't vote the way you want them to doesn't mean it's not working.

Voting is not working. As far as the media is concerned, there are always going to be only two candidates, both of which are in bed with corporate lobbyists. Without every voter doing significant research on their own to make meaningful third-party voting blocs, that will not change. Money determines the primary candidates, and that money comes from the same places year after year.

The fundamental problem is not the media (for all the problems the media has and produces), it is the electoral system, as is demonstrated by the comparison with the greater number of competitive parties in all the democracies that also have profit-oriented corporate media but do not have a national legislature elected by plurality or majority/runoff elections.

Italy has one of those proportional parliaments. It's not exactly a utopia.

No place is "exactly a utopia", but the issue was the media being blamed as the root cause of the partisan duopoly in the US, which is pretty clearly not the case.

OTOH, systems with greater proportionality in representation also tend to have higher public opinion of how well the local government works, which is probably not coincidental; for a good general survey, see Lijphart's Patterns of Democracy.

> systems with greater proportionality in representation also tend to have higher public opinion of how well the local government works

Maybe they tend to, but when they drew that graph, Italy is definitely an outlier. People are not at all fond of how the government works, putting it mildly!

Very proportional systems have large problems of their own too, including all the "horse trading" that goes on to form a coalition. This can and does involve a party that got, say 10%, driving a very hard bargain with the party that got 45%, giving far more relative weight to the people who voted for the 10% party.

You're right that the media is not The Problem, no argument there.

> Maybe they tend to, but when they drew that graph, Italy is definitely an outlier.

Granting that, why bring Italy up then?

> Very proportional systems have large problems of their own too, including all the "horse trading" that goes on to form a coalition.

Horse trading goes on to form a winning coalition in two-party systems, too (the major parties in electoral systems that create a two-competitive-party dynamic are, invariably, coalition parties); the difference is that, in such systems, the disproportionate power of the needed-to-win segment is less than in two-party systems, because it's much easier -- because the factions are formal parties that you can negotiate with -- to swap coalition partners and form a new majority coalition if a minor partner wants too much.

(That's also, really -- outside of systems like the US where you've got an FPTP electoral system forcing pre-election coalition building -- a bigger issue in unitary parliamentary systems vs. separation of powers systems -- because having a majority coalition in parliament is a more significant issue in unitary systems whereas in separation of powers systems, ad hoc coalitions on particular issues can function in the legislature without requiring a stable "ruling" coalition in the legislature. So, if you are looking at an FPTP separation of powers system like the US, it's a problem that moving to a proportionally-elected but still separation of powers system alleviates rather than making worse.)

> Granting that, why bring Italy up then?

Because I live here and it's a very good example of proportional systems not being strictly better than what we have in the US.

> swap coalition partners and form a new majority coalition if a minor partner wants too much.

Easier said than done in many cases.

Who are you, Wile E. Coyote? Just because something hasn't worked "so far" doesn't mean it needs to be abandoned. There are a shit ton of problems in our world and with our political system right now. But that's the historical norm. Even in the "good times" it's the historical norm.

Today there are so many people who have this weird belief that somehow the lack of change due to their extreme apathy is a justification for that apathy. It's not. If more people spent the time to educate themselves deeply on issues and candidates. If more people spent the effort to have legitimately worthwhile political discussions instead of merely agreeing with those who already agree with them and shouting down those who don't. If more people decided to take the risk and enter politics. Things would be a whole lot different.

Today the biggest problem isn't entrenched power structures, or gobs of money in political campaigns, or the lack of good candidates. All of those are symptoms. The biggest problem is that the primary ways that people learn about and discuss political issues are horribly broken. Most major news media outlets are horrid, only a few steps away from outright tabloid journalism. People decry fox news all the time but CNN and even the New York Times are, on the whole, little better, just different flavored output from fundamentally the same machinery. And people don't tend to realize this because every once in a while there will be something of legitimate quality that leaks through, and that event will serve as a rationalization for continuing to feed from those sources of information. These are precisely the same processes that keep people attached to religious institutions as well.

Ask yourself, how much effort do you, personally, put into researching political issues and candidates? What about your friends? Do you hold them to account for being low information voters? Do you ever have serious, non-shouting, political discussions with people who have different views than your own?

Who said I abandoned voting? I said it doesn't work in this case. I research and vote every election. But I know for the more important offices at the state and national level, the system is broken. The two party system and big money means I don't get any say in selecting who runs, the corrupt system does.

Until you realize that the public doesn't have as much money as the lobbyists.

The labor, civil rights, and environmental movements were all hugely outspent and yet changed the country and the law. Complaining about asymmetric resources is IMO a cop out and an excuse.

Of course new movements are under resourced. If it was easy to make that kind of change, it would already be done!

Who do you think the lobbyists are? Them is us.

No, them is some of us.

Example: I used to work for BigCorp. BigCorp had a PAC to which they would gently encourage employees to contribute. They ran an annual contribution campaign, sent emails, made phone calls, etc. It was not mandatory, just encouraged. Many employees did so. The PAC in turn contributed to any politician who supported BigCorp.

So the net result is a bunch of people who ended up contributing to politicians who they otherwise may not have supported, and they did so out of a vague fear that doing so was important for their jobs. There was strong social pressure at work in this situation. I.e., left to themselves, these people would not have given a dime to these politicians.

The PAC in turn, spoke on behalf of these people, but only about issues that BigCorp cared about, not the issues the original donors cared about.

And that's why them is not us.

OK to clear up some muddy thinking here, there's lobbying and then there's campaign finance.

Lobbyists are unregulated employees or contractors, whose budget is only limited by the largesse of the sponsor. Its goal is to affect legislation and regulation through swaying the votes and actions of elected officials, political appointees and to a lesser extent career bureaucrats. In this regard they are limited by anti-corruption and bribery laws.

Campaign finance is a highly regulated system through which politicians amass money to fund campaigns to sway the votes of the public. PACs and other organizations channel money to candidates whom they believe will be sympathetic to their causes.

Regardless, forget about the PAC money and the campaign finance. I assume BigCorp has lobbyists, and those lobbyists look out for BigCorp's interests. As an employee of BigCorp, you are a beneficiary of those lobbyists.

I took the meaning of the OP to be generically 'those who pay to influence politicians', not strictly the lobbyists themselves. So although you are technically correct that there is a distinction, the spirit of the original one-line comment was that individual voters don't have the power that organized interests do. I gave a practical example in which the interests of individuals are overshadowed by leverage that an employer has over those individuals. It's a case in which a vague threat of 'hey, you want a job don't you?' turns into aggregating money into the hands of a few people who lobby (in the generic sense) politicians to support things that may be against the interests of the employees. Such is the game they play.

As to your last statement, largely it is the shareholders and executives who are the beneficiaries of the lobbying they do. You can argue that the employees are beneficiaries in the sense that they have a job, but that misses the point: the benefits of lobbying fall asymmetrically. Again, it's a leverage thing. They leverage the desire of the little guy to have a job and raise his family and in turn reap huge rewards for the shareholders. So although you can say everyone benefits and gets what they want, the result is really a distortion of power and influence.

The legislative fixes need to create an environment where the technical capabilities and safeguards put in place are considered normal, and companies are not forced to do harm to users. That's the most important part, creating an environment that sets precedence for user's rights.

If HHS Feinstein bill passes, then it should be assumed to make all surveillance legal, thus any following of her personal actions: location, where-abouts, transactions, conversations etc are fair game. We should post cameras outside her Presidio Terrace San Francisco home watching every ingress/egress action by anyone visiting the place.

You'll need to change the US Constitution so that us foreigners are covered by the 4th amendment ban on warrantless searches.

As a dual citizen (US, and French) am I protected by the 4th amendment, or not?

I dunno. Ask a lawyer...

Sad that one would have to ask a lawyer for something as simple as this.

We've always been spied on and we will be. Just be honest souls. And let them spy or do whatever; This talk is kinda tiring now. I'll not worry as long as there are checks in the system that someone inside is not misusing this information.

It's ironic that when the Chinese attack against Google occurred, we thought the Chinese government was the most hostile state actor threat to worry about, but it turned out to be the US and UK government.

China is a much more hostile state actor in how it would use any information it gathers up, especially to a free-enterprise company like Google.

That's quite a claim. Right now the NSA holds privileged information for millions of Americans. What happens if one of those people becomes some populist political entity. It would be trivial for the NSA to leak dirt of any kind (sexual fetishes, hangups, private emails to wife, other private things that when taken to the public would look bad, trash talking others, etc) to help discredit this person. Imagine that this person ran on a platform for cutting down the NSA or reforming the intelligence agencies. How "protected" do you think this "metadata" would be?

The Chinese wouldn't do that to me. They don't have a dog in this fight.

That's quite a claim.

US Government agencies using "dirt" to smear and/or blackmail populist political figures is a historic fact.

Exactly. See Martin Luther King Jr [0] as an example. Private information obtained through surveillance was leaked by government agencies in an attempt to discredit him.

[0] https://en.wikipedia.org/wiki/Martin_Luther_King,_Jr.#FBI_an...

I know a lot of Snowden's and Assange's sex life and many, many personal details. I've never actively sought out that information.

Also, the US has proven experience in smearing political characters. Heck, even John fucking Lennon had an FBI file full of personal information.

It would have also been "quite a claim" awhile back about the NSA collecting anything and everything about citizens. I don't get your comment.

They don't have a dog in that fight because you specifically chose the fight to make that true. If the same person ran on a different platform that argued for, say, boycotting or tariffing Chinese green energy products in order to build up local industries, the Chinese would care but the NSA would not.


Airbus might disagree with you there, I can't see the NSA ratting Boeing out for supplying bribes.

Ironically, at the time it would appear that the NSA was probably prohibited from spying on at least US-based Boeing personnel. In fact, even today, they claim they'd be prohibited from looking at it (though not collecting it or analyzing meta data which is the whole problem) at least as far as the people involved are US Persons.

I think I see what you are getting at, but surely a trade with a foreign nation like Saudi Arabia - because the Saudis are foreign, the NSA would have always had the remit to spy on the transaction?

I used to think much the same. These days however the unchecked secret security apparatus of the United States is a sword over the necks of its citizens' freedom.

I'd argue that the NSA is actively destroying more American business right now by discouraging large international companies from doing business with US based technology and web companies.

Why do people assume the Chinese government is not able to use similar techniques?

China doesn't have agreements with BT, AT&T etc which allow it to tap fibre in our countries at will. I'm sure they try some tapping, but they can't do it on the scale that GCHQ and the NSA have been outside China.

The Chinese do not need any agreements to tap undersea cables and are more than capable of doing just that.

Sure, but they don't have the "home field advantage" that the NSA does, whereby much of the core internet infrastructure is housed in the US. I forget the exact number, but something like 70% of the world's internet traffic transits the US. (they mention this constantly in NSA-related articles)

But how much of the core infrastructure is made by the Chinese?

An astute question, considering the strange wifi-chips-in-irons story.

Are they? That's a very complicated thing to pull off and China isn't known for having the most advanced Navy (e.g. they can't secure their own oil tankers in the Persian Gulf) and they only have a small number of submarines.

But they could easily have agreements with every chip fab to build back doors into every piece of networking equipment.

This is exactly why Australia is very leery of letting the Chinese telecom hardware manufacturer Huawei have any of the contracts for networking hardware on the nascent National Broadband Network -- they are suspected of having ties to the Chinese government / army: https://en.wikipedia.org/wiki/Huawei#Security_concerns

My sister in law works for Huawei in Kenya. Her job (so far) has largely involved ripping out Siemens made mobile-telephony infrastructure and replacing it with Huawei-made mobile-telephony infrastructure. Such are today's instruments of empire.

That's very unlikely nobody would have noticed them by now, if it were the case.

Do you mean - as unlikely as not spotting the weakening of encryption standards - for example by another branch of the same government (NIST/NSA)?

Those were spotted.


You can packet-trace networking equipment you own.

You can't packet-trace a cloned switch port you don't know about.

So can the US.

How do you know that?

I would assume they use similar techniques within China and perhaps allied countries like North Korea and Cuba, but the US is performing wiretapping in at least the UK, Canada, Australia, and New Zealand. Also, how much non-Chinese Internet traffic passes through China?

> and perhaps allied countries like North Korea and Cuba

Nobody is more distrusting of each other than two communist countries.

Disregarding for a moment that a state can not be communist (one defining characteristic of communism being absence of state), only socialist, North Korea has long disassociated itself from communism. Since the 90s at least there has been a systematic removal of any mention of Marxism, communism and related terminology from the constitution, laws and official discourse.

Well, when you eat off the hand of the other country you don't have much choice. Nobody actually asks you if you trust or not.


I'm sure lots of botnets use China servers as well.

Why on Earth are you comparing a suppressive regime to a western democracy?

Of course the Chinese gov is able to do so without any repercussions. The difference should be that in a democracy you can't abuse your power without repercussions.

> The difference should be that in a democracy you can't abuse your power without repercussions.

Do you see the irony? Western governments are abusing their powers.. and they are getting away with it. Democracy means nothing if the government doesn't hold itself accountable.

No, democracy means nothing if the people don't hold the government accountable.

Relying on the government to hold itself accountable makes democracy no different from monarchy.

Right, but as long as cable tv works and fast food restaurants are open the mass majority of people won't do anything about it.

Maybe it "should" but democracy and domestic popular opinion doesn't traditionally have a significant impact on US foreign policy. Except for big wars.

The Chinese were targeting specific journalists and critics. Presumably to harass them.

I'm not saying the US doesn't do that, but the evidence is not as clear.

Maybe you didn't notice the detainment of Greenwald's partner by the GCHQ whereby they demanded him to turn-over/destroy whatever he had.

Further, the break-in to Greenwald's residence and theft of his machine.

As well as the visit to the Guardian and destruction of machines....

The evidence is crystal.

As much as the UK government would probably love being confused for the US government, at least the visit to the Guardian and detainment of Miranda were both done by the UK.

And given how the UK government loves nothing more than to be the lapdog of the US, I have no doubts it was done entirely voluntarily.

Eagerly even, as an opportunity to show off just how extra exceedingly loyal minions they are.

Frankly, I have little doubt that the UK government participates so eagerly that just occasionally some of their US counterparts must be a little bit embarrassed on their behalf over seeing their total lack of self respect in trying to impress.

Except you know, in that case the person actually did have classified documents of an allied nation on a thumbdrive on them.

Which you know - is still illegal to have. Though it's funny how the Guardian thoroughly underreported that fact.

When I last checked, in the US, it's actually not illegal for someone without a clearance to possess classified material. This is why newspapers can print unredacted classified documents and not immediately go to jail.

It is, however illegal for someone with a clearance to mishandle classified material. "Mishandling" includes "Permitting access to classified material to non-cleared personnel.". If you mishandle classified material you may be reprimanded, have your clearance revoked, be fined, or go to jail for a very long time.

It's also illegal to traffic it across international borders, which is why what foreign spies do is prosecutable. Which is the exact thing they were doing.

Exactly my thought. Making me embarrassed to a single fact that I live in UK, as that happened.

Good point, but the Greenwald-Snowden case is a little different. We all know the identities of the informants. The issue with the harassment of Miranda has nothing to do with espionage, it's just heavy handed.

In the case of the Chinese hackers, they were spying on reporters to discover their sources.

What they appeared to be looking for were the names of people who might have provided information to Mr. Barboza.


AFAIK we don't have evidence of similar US spying for the purpose of blackmail, harassment, etc. because my concern is whether the NSA might use its sources for those ends.

The destruction of the Guardian's laptops was about ensuring they didn't get stolen by someone else - if you read the story at the time, the spooks actually wanted the Guardian to hand the laptops over but Guardian refused and destruction was a mutually agreed way out.

Miranda's detainment, confiscation of the memory sticks etc. was to be expected - as far as the UK Government is concerned he's carrying stolen state secrets.

What I don't really understand is why he flew through London carrying them. I believe Madrid has more routes to South America - I wonder if he was routed so he would be picked up for massive publicity.

They weren't actually. Google lied about that. It came out later that the real reason for the Chinese hacking gmail was to see which accounts had "lawful intercept" on them so they would know if their own spies had their cover blown. If the US knew about their spies, it was assumed that they would see the US sniffing the spies' gmail accounts.


> Google lied about that

Huh? There's nothing in the Post's information that would preclude both from having happened, so it would be a stretch to call it a lie even from that article. But in fact, the original blog post[1] talks about multiple goals of the main attack, including listing the targeted attack that the GP is probably referencing as independent from the attack that "resulted in the theft of intellectual property from Google". I think it's you that's confusing incidents.

> Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.

edit: ah, and the GP wasn't even talking about the gmail accounts.

[1] http://googleblog.blogspot.com/2010/01/new-approach-to-china...

I was referring to the NYT attacks,


Also, what kind of spy uses gmail? Sheesh.

> Also, what kind of spy uses gmail? Sheesh.

The kind that is trying to maintain cover as a non-spy so uses the same email services as everybody else.

Sure but only an idiot uses their personal email account for work, right? Especially if your work can get you killed.

The point being made isn't that they would send sensitive data using gmail, it's that if they were compromised the NSA would most likely be reading the emails, and hacking Google would theoretically let the Chinese know if cover was blown if they could see evidence of the NSA listening in.

Of course, that means the joke's on them, because the NSA was listening to everyone...

How would you know whether NSA was listening in (for example by tapping google's links between datacenters) or not even if you successfully hack into Google's infrastructure? Not finding evidence of eavesdropping doesn't exclude that eavesdropping happened, so if that was the only purpose to hack Google, it doesn't seem worth the effort.

On the other hand if you want to read people's mail, then hacking into the provider is certainly an option.

I'm not sure I necessarily buy that explanation either, but I don't know enough of the facts of this particular story to know where it falls down or is supported.

On the other hand, we don't really know what the Chinese knew, or thought they knew, about Google and how it functioned WRT government surveillance. If they had reason to believe that Google would be cooperating with authorities and would have infrastructure in place to monitor email accounts that they could look for and identify if it was monitoring the accounts they were looking for, then this explanation makes a bit more sense.

More importantly, what's the difference between Chinese and American government when it comes to privacy?

That the US intervenes domestically and in Europe, L. America, Middle East, etc, whereas China is mostly concerned with itself.

The terrible things the Chinese government does aren't being done to you.

Those things aren't being done to most Chinese people, either. And they are being done to some Americans now, and increasingly so.

The Chinese are honest about it!

Because they have hundreds of their employees doing shifts of script kiddie hacking over the open Internet. That is why "people assume the Chinese government is not able to use similar techniques."

No, YOU thought of China as terribly hostile. We in Europe have known the deal for a very long time. It's not like there was no Cold War and Vietnam War and Iraq War and....

Why did the US jump in priority? Just because it is a problem doesn't mean it is a bigger problem.

I think US journalism is causing us to misprioritize. Everyone is talking about the NSA so everyone assumes it's the biggest problem.


The use of equivalent technology does not imply equivalent outcomes or moral standing.

At a minimum the U.S. and UK spying needs to be balanced against the fact that U.S. and UK citizens invented the core technologies of the Internet, and gave them to the world for free.

I wonder why people aren't calling the current unpleasantness attacks (or war).

I want them charged with unlawful access to a computer system

Gosh that would be the perfect example of poetic justice.

On the whole, I think I'd rather be spied on by an ally rather than a dictatorship.

I live in a "Western", English speaking democracy, with friendly relations with both the US and China.

Our biggest trading partner is China, and we have a free-trade agreement with the US.

Who exactly is our ally again?

As a Brazilian that had to witness the effects of US alliance during the Cold War... No, hell no. With a friend like that, who needs enemies?

You had enemies in the cold war. The USSR was much, much worse.

Things US did for Brazil:

Sent aircraft carriers, ships and soldiers to help depose a democratically elected president, just because he wanted closer ties with China and wanted to do agrarian reform.

Disappeared lots of people (I don't know any personally, because I am too young, but I DO know personally lots of people that still want disappeared people back)

Spied on us (erm, that part still applies, no?).

Sabotaged our agriculture (ie: some plagues started after US agrarian engineers visited us to "help" with our agricultural technology).

Supported and funded very repressive crazy dictators that killed boatloads of people.

What the USSR did for us during the cold war: Gave us some really cool technical books in Spanish (yes, our language is Portuguese, but Spanish is good enough), I still have a bunch of them, they are really good, somewhere around my house there are calculus books, structural engineering, and lots of other cool stuff, Russian books but written in Spanish, targeted at Latin America.

USSR lent us some scientists (Russia and Ukraine still do, by the way).

Helped our exiles, not only left wing ones, but right wing ones too.

Sold us some very interesting stuff, even if shitty sometimes (example: during the cold war Lada cars were very popular here).

Computers! (for example when some companies here tried to develop a computer compatible with the Macintosh, US government helped Apple in forcing them to stop, while Russians lent us some engineers and books)

Now, who were our real enemies in cold war again?

Nice propaganda. Cold war was about influence. The super powers would do any and everything to gain a foothold in another country. Feel free to ask any Polish citizen about the friendliness of Soviet Russia, they may welcome your speech with a punch in the face for the sake of those who suffered and died because their brethren spread similar idiotic notions of "the Soviets are our friends look at these free Russian texts and cars and..."

It is not a question of propaganda.

It is just that this is what happened to us in Brazil, and USA never gave any clear indication that it wants to improve its behaviour.

So, why should we trust it now, if we could never trust it in the first place?

Things the US did for Europe:

Stopped us getting nuked or invaded by the USSR

Don't believe everything you watch in Hollywood movies.

Hollywood movies? I suppose all the USSR missiles were imaginary? They never really invaded Czechoslovakia?

And I suppose you believe the US has single-handedly saved Europe from WWII, the Enigma machine was captured by the US crew of U-571 and Inglourious Basterds was fact.

The fact is reality is much more complex than your simple statement which is further skewed by Hollywood.

...that's irrelevant to what he was saying.

Are you sure they were? As far as I can tell the US has done more damage in Latin America than any USSR meddling. Stalin was really bad but the USSR was not ruled by Stalin for that long.

The US in Central America weren't angels, for sure, but I doubt if the USSR funding of left-wing groups was any better.

Stalin was a mad man on a par with Hitler, but even under later leaders it was still a repressive regime with Gulags.

>I doubt if the USSR funding of left-wing groups was any better.

When you say that you doubt it, is that code for having no idea of the impact of Soviet funding in South America, but not being willing to say that you don't know? Or is it just that you know that everything bad that the US did was to counter something even worse that the evil USSR was doing?

Missile gap?

It's code for the funding of Right Wing Groups by the US having been publicised more widely than the funding of Left Wing Groups by the USSR.

However, Cuba is a repressive dictatorship which was funded by the USSR for many years.

Previous to that, it was a repressive dictatorship which was funded by the USA for many years...

Completely disagree with that. That is like saying you would prefer to have your own brother punch you in your face than a stranger.

It hurts a lot more because you are meant to look out for each other, not distrust and stab each other's back.

Well I trust what the US does with the information more than China. It's like Tiananmen Square never happened.

You trust the US of today. That is your right and well, that is fine.

But who is to speak for tomorrow? None of us can tell what the future brings. Not me and not you. So who is to say that in ten years, when that data is still there, that the US is still worthy of your trust?

It is the future we should distrust, even if you trust the past, and the present.

A fair point. Distrust of governments is a healthy position to have.

Tiananmen Square is believed to have greatly affected Chinese politics, mostly for the better. They do not like talking about it but they have done much to prevent something like that from happening again.

No way! Do you think 9/11 could have been an inside job? :-)

Let's start from the beginning: the NSA "hack" became possible because Google (and its security team) made bad assumptions about the security of the connection between Google's data centers and did not encrypt the traffic. Basically, this is security 101: protect data at rest and protect data in flight. So, sorry but I think the better subject for discussion would be how badly Google screwed up, not how evil is NSA. Moreover, it is not clear if other governments or criminals also had access to the users' data (e.g. in Google's data centers located outside of the US). So far Google did not produce any public post-mortem thus we have no clue how bad was the problem.

P.S. I am sure I will get smashed in the comments, so let me say right away that NSA actions should be controlled and audited by the public (e.g. through our representatives in Congress). I think that the biggest "evil" here are the members of Congress who either approved NSA actions or failed to do their job and monitor/audit NSA properly. In particular, I would point my finger at Sen. Dianne Feinstein [D-CA] who should have been ousted from office a long time ago.

> Let's start from the beginning: the NSA "hack" became possible because Google (and its security team) made bad assumptions about the security of the connection between Google's data centers and did not encrypt the traffic.

The assumption isn't bad - it's a private network line, not a public internet connection. Nobody else had access to that line, at least they weren't supposed to. Splicing a fiber line is a bit outside the scope of your random attacker. You can't blame Google for not anticipating a hostile break-in by the government. The discussion should absolutely, 100% be directed at the NSA here. To accept that a private network connection is open season for the government to tap is batshit insane.

> Moreover, it is not clear if other governments or criminals also had access to the users' data (e.g. in Google's data centers located outside of the US). So far Google did not produce any public post-mortem thus we have no clue how bad was the problem.

How is Google supposed to tell you if they themselves didn't know?

Although from the leaks it sounds like everyone is fucked thanks to the GCHQ and the NSA getting friendly with each other.

Well, I feel that encrypting traffic inside the data center is not a bad idea (and we do it at WePay where I serve as CSO). The reason is that you never know who is listening (big smile here). For example, I don't want our system administrators to have an easy way to look at the traffic: yes, it is still possible to do but it is harder and requires some very unusual actions that will trigger alerts everywhere.

If indeed Google does not know then it's just another sign of security failures at the company. Nobody is perfect and security incidents do happen. Good security will have in-depth defense and built-in monitoring/audit measures that would at the very least allow you to determine what has happened post-factum.

> Well, I feel that encrypting traffic inside the data center is not a bad idea (and we do it at WePay where I serve as CSO).

Do you have your own data center building? And if you don't have your own data center buildings, how are you guarding against physical attacks? Because just saying "encryption" doesn't actually mean anything. Encryption isn't free, and at Google scale that can add up. Useless encryption is just wasted power.

> For example, I don't want our system administrators to have an easy way to look at the traffic: yes, it is still possible to do but it is harder and requires some very unusual actions that will trigger alerts everywhere.

That can be accomplished in many ways that don't involve encryption. And your servers are all capable of decrypting the data at some point, so you still have to trust your sys admins and/or have alternative systems in place as they still have access to the unencrypted data.

> Good security will have in-depth defense and built-in monitoring/audit measures that would at the very least allow you to determine what has happened post-factum.

How, exactly, do you detect cable splicing? Much less audit said splicing? You seem to be asking for a hell of a lot more than "good security"

At WePay - no, we don't have our own data centers just yet. In a couple of large companies I worked at before - yes (and we did encrypt the traffic as much as possible).

Some types of encryption are pretty cheap actually. I used to use special SSL cards in the servers 10-15 years ago but today my laptop would outperform these cards and wouldn't even get hot :) Plus you need to remember that relatively expensive public key encryption needs to be done only for key exchange. After that you run block or stream cyphers and those algorithms tend to be really fast.

So far I haven't seen any evidence that there was cable splicing. Thus using Occam's razor I would assume that the hack was much simpler than that. To detect the issue, I would start from reviewing the visitors log to the data center (assuming there is a visitor log).

I'll re-iterate that security should be built on the defense-in-depth principle. Every single protection layer will fail or someone will go around it. The assumption that a data center is "safe" is a bad assumption, period. You have to play the "what-if" game and think for the attacker.

> So far I haven't seen any evidence that there was cable splicing. Thus using Occam's razor I would assume that the hack was much simpler than that.

What? The evidence totally points to cable splicing. What hack involves getting all the inter-DC packets but nothing else? Obviously the machines weren't compromised, or they wouldn't have cared about reverse-engineering the wire protocol. So what are you proposing was hacked?

> I'll re-iterate that security should be built on the defense-in-depth principle. Every single protection layer will fail or someone will go around it. The assumption that a data center is "safe" is a bad assumption, period. You have to play the "what-if" game and think for the attacker.

And I'll re-iterate that you're asking for a goddamn magical pony.

Side note, if your data center isn't safe go get a new one. Seriously. Most DCs have tons of security to make them safe. That's not an assumption.

> The evidence totally points to cable splicing.

I don't think there is any evidence at all. As far as I know, the only known thing is that NSA was able to obtain the un-encrypted google traffic. For example, it could have been a backdoor in the router, one extra cable in the switch, or a few other similar low-tech options.

> Most DCs have tons of security to make them safe.

Don't disagree. But this doesn't make them invincible from other attack vectors (e.g. rogue employees). I actually heard the same argument from quite a few people during interviews and I usually don't hire them because you have to be paranoid to get security right :)

Seriously? If the NSA wanted to own WePay they would have even with your "security best practices". Sorry bud.

Sure. A court order would do it no problem.

Also: Having someone in your outsourced datacenter splice cables, SPAN ports, install trojaned hardware, etc etc etc...

BTW, "at least they weren't supposed to" is not a good enough argument in security :) You have to think about people who are not following the rules or your security is only protecting from a well-behaving 1st grade student.

There is no such thing as perfect security, only good enough security. At some point you have to accept risks, and the risk of physical network attacks is incredibly small compared to all the other attack vectors. Nobody was well prepared for the NSA's physical network attacks.

Everybody who cared knew that the world's governments tap every fiber they can lay their hands on. It has been discussed on HN with great regularity for years before these NSA non-revelations. Physical attacks were and are a certainty. Anybody who ignores this fact has only themselves to blame. A good argument can even be made that they deserved to be pwned as punishment for their utter fecklessness.

No, what was discussed was the NSA tapping in at ISP points, not digging up cables to splice them.

And "discussed" is not accurate. It was proposed by a few but rejected by most as paranoid.

Wait a minute... "It was proposed by a few but rejected by most as paranoid." and yet is most likely what happened? so the most in "rejected by most" were wrong. Wrong!

So when someone says: "You're just being paranoid", my reply will be: "Better paranoid than wrong."

Even a broken clock is right twice a day.

A broken clock is always unreliable.

"The assumption isn't bad - it's a private network line, not a public internet connection. Nobody else had access to that line, at least they weren't supposed to."

You don't use telnet when you access your home server(s) from your laptop ... that's basically what they were doing.

They skipped over a zero-cost, obvious best practice, and I think we should be suspicious. Either they've run that part of their network in a stunningly negligent fashion ... or this was the ingress they gave to the NSA which could be plausibly denied later.

No, it's not. Telnet sends packets in the clear over many networks controlled directly by third parties and accessible to them as an inherent part of operating their business.

This was a point-to-point cable. The only access possible was physical, by digging it up and splicing it.

Obviously that attack was possible, but arguing that this is somehow "the same kind of attack" as running tcpdump on a router to sniff packets is just insane, sorry.

Other attack vectors: rogue Google employee, break-ins into the data center, ...

> You can't blame Google for not anticipating a hostile break-in by the government.

"The" government? The lines were also being tapped by organized crime, China, France, etc. Google severely failed at data protection.

Would you still feel Google had screwed up if the way the US government got the data was to burglarize one of their datacenters and tap directly into the machines' CPUs and memory buses?

Yes (search for SSAE16 or SAS70). However, I would not feel the same way if US government would have used Area 51 technology to hack 4096 public key encryption. The difference from my perspective is that in "burglary" scenario (and un-encrypted traffic scenario as well) Google failed to protect against well known threats. And in the "alien technology" case Google did everything you can at the known security/technology level and the failure came from aliens (aka an "unexpected technology advances").

Basically, I think Google's decision to not encrypt the traffic is gross negligence and I would love to see how someone would sue Google for it.

> Basically, I think Google's decision to not encrypt the traffic is gross negligence and I would love to see how someone would sue Google for it.

Wow. Just wow.

I know that people don't like lawsuits. But for security to work there should be consequences for not doing security right. To give you an example, if a company X doesn't have any risks or damages from lack of security, then company X should not be investing in security to save money. However, if there is a monetary (or other) liability from a security breach, then the company X will have to make a choice and hopefully they will invest in security.

That would make sense if you had a signed contract from Google that they were encrypting their internal traffic. I don't have that and I doubt anyone else does either.

If the courts get involved it should 100% be at the hacking perpetrator, not to the victim.

Side note: Sec 702 of the FAA gives NSA complete immunity from all federal, state, and local laws, criminal prosecutions, and civil lawsuits when doing this kind of fiber tapping. "Notwithstanding" is an extremely powerful phrase. Wildcard. Trumps all other laws.

(And this is why some of us were concerned about CISPA, which uses the identical language. Note CISPA's proponents have quietly faded into the woodwork post-Snowden revelations.)

What if the government kidnapped a Google engineer (or several) and hit them with a wrench until they retrieved the data? That's a known, low-tech threat too.

Absolutely. That's why you have to have logs and regular audits to make sure that employees are not doing things that they are not supposed to do. BTW, one should consider not only kidnapping but just a "rogue" employee. For example, in Snowden's case the NSA itself put too much trust into system administrators and did not perform audits that should have detected downloads of secure files.

In my scenario, the log maintainers and the auditors were among the people being hit with wrenches.

I can't agree with that, this was on Google's own fiber connections between their own data centers, right? And no other company with multiple data centers encrypts all traffic between them, right? (maybe you'll find a small counterexample but no big one.) So I don't think this is "security 101".

I work for a company bigger than Google, and we encrypt everything in flight between datacenters. It is security 101.

Does your company have dedicated, unshared, fibre between those datacenters?

Consider the recent passwords leak from Adobe: they stored passwords in a dedicated unshared datacenter. Does this make a good security decision to encrypt passwords instead of using a hash because nobody should have been able to access these encrypted passwords? I really don't think so.

There are problems with your analogy.

1. Data at rest (Adobe) vs data in travel (Google).

2. Software Hack vs Hardware hack

The Adobe data was sitting on a server in a datacenter, it was accessible from the internet on some level. The Google data was taken, apparently, from a dedicated, Google-owned, unshared link (quite likely a fibre-optic tap).

The methodologies, skill levels and required hardware for penetrating the above two types of setup are wildly different.

I blame Adobe for getting a server hacked, it happens a lot and they ignored a lot of body of knowledge built up over the years. I do not blame Google for getting their inter-datacentre links physically compromised by a security agency of the US government.

Nor do I blame them for (incorrectly, as it turns out) deeming that an unlikely scenario and therefore giving it low priority.

I would blame them for not doing anything about it now that they know it is happening but that does not seem to be the case.

(I fully expect companies to encrypt data between datacentres if they are not on dedicated unshared links)

I hear what you are saying but I think there are similarities. In both cases there was an assumption "X is safe" and then the thinking has stopped. I've heard different versions of how the data was taken from Google's link and some ideas were pretty low-tech. The data links have been compromised in the past not only by NSA (search for "Operation Ivy Bells" if you haven't heard this story before) but also by criminals or even competitors.

Yes we do. Still use encryption.

> And no other company with multiple data centers encrypts all traffic between them, right?

Indeed they do! From personal experience, Cisco was hawking its TrustSec inter-DC encryption solution five or six years ago, even over dark fibre.

If you believe the threat is a government agency splicing private, unshared fiber to capture your traffic between data centers, why in the world would you trust equipment from Cisco (who lists "Government" as one of the industries they sell to) to protect you from that?

Well I certainly understand your point, but the question was 'are big companies encrypting their inter-DC traffic' and the answer is 'yes', even if it's backdoored without their knowledge.

Google's inter-dc links are way too big for any appliance type of thing to encrypt. Like most things at Google the scale of their network is incomprehensible to most people.

> Google's inter-dc links are way too big for any appliance type of thing to encrypt

Frankly, no.

There are numerous network devices that can handle AES-256 on 10 Gbps links, as a matter of routine, whilst doing 'mundane' switching for the day job.

If you have the money there is dedicated hardware that can handle the same at 100 Gbps. IP Cores is one from memory that produces the circuitry for that. They can throw compression in there as well if you like.

Encrypting data links isn't magic. Google just didn't do it.

Those were very amusing tiny numbers you wrote in your post.

100Gbps is nothing for a company at the scale of Google. They are probably closer to 10-100Tb/s on their backbones.

You don't need appliances here as they can't handle the load, build the encryption into your application.

In addition to the numbers already posted, you can remember that Google decided to add encryption to the data links in September.

This is not true. Quoting from http://www.washingtonpost.com/business/technology/google-enc...

"Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program,"

Well, I do :) Moreover, I encrypt all the traffic even inside the same data center.

Could you share which technology you are using to encrypt all the traffic?

* Mid-tier servers: standard HTTPS with nginx

* Database: SSL connections for MySQL

* Memcached, Gearmand, and other tools that don't have built-in SSL support: simple home grown message level encryption (AES256)

And of course, there are VPN tunnels between data centers in addition to the above.
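
An added example, not part of the thread and not the commenter's code: one way the "home grown message level encryption (AES256)" mentioned above for tools such as Memcached could look in Go, using AES-256-GCM from the standard library. The wire format, the function names and the binding of the cache key as associated data are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// formatV1 is a constructed one-byte tag (an assumption of this example) so
// that the key or algorithm can be rotated later without ambiguity.
const formatV1 = 0x01

// newGCM builds an AES-256-GCM AEAD and rejects keys of any other length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealValue encrypts a cache value before it is written to a store that has
// no transport encryption. Layout: version | 12-byte nonce | ciphertext+tag.
// The cache key name is authenticated as associated data, so a ciphertext
// copied from one cache key to another fails to open.
// A random 96-bit nonce is only safe for a bounded number of messages per
// key (NIST SP 800-38D gives 2^32), so the key must be rotated.
func SealValue(key []byte, cacheKey string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte{formatV1}, nonce...)
	return gcm.Seal(out, nonce, plaintext, []byte(cacheKey)), nil
}

// OpenValue verifies and decrypts a value read back from the store. Any
// modification on the wire, a wrong key, or a mismatched cache key name
// returns an error instead of plaintext.
func OpenValue(key []byte, cacheKey string, msg []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(msg) < 1+ns+gcm.Overhead() || msg[0] != formatV1 {
		return nil, errors.New("malformed or unsupported message")
	}
	nonce, ct := msg[1:1+ns], msg[1+ns:]
	return gcm.Open(nil, nonce, ct, []byte(cacheKey))
}

func main() {
	// Constructed demo key; a real deployment loads it from a secret store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg, err := SealValue(key, "session:42", []byte("user=alice"))
	if err != nil {
		panic(err)
	}
	pt, err := OpenValue(key, "session:42", msg)
	fmt.Printf("stored %d bytes, recovered %q, err=%v\n", len(msg), pt, err)

	// A passive tap on the link sees only msg; an active one cannot alter it.
	msg[len(msg)-1] ^= 0x01
	_, err = OpenValue(key, "session:42", msg)
	fmt.Println("tampered value rejected:", err != nil)
}
```

This protects the value on the wire and in the cache; every host that holds the key can still read the data, which is the trust question raised in the replies.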


> And of course, there are VPN tunnels between data centers in addition to the above.

Could you please be more specific on the VPN solution that you are using? How do you manage the shared keys? How do you make sure "system administrators can't easily read the traffic"?

We use Cisco appliances for VPN (a few different models) and indeed there is a shared key that we have to input manually. However, after the key is entered (and configs saved) in order to decrypt the traffic one would need to print Cisco configs which is a very unusual operation that would be logged and then alerts will fire, audits will catch it, etc.

>> in order to decrypt the traffic one would need to print Cisco configs

Which could be done legally via 'Cisco Service Independent Intercept (SII)' built into IOS to comply with CALEA (Communications Assistance for Law Enforcement Act). And not so legally via user-escalation exploits within the same service.

Anyway, props for making the effort. I too am interested in your key exchange methods.

Just out of interest how do you transfer the key between datacentres for setup? Same person travels between them? PGP encrypted email? Or over the phone?

Phone is, I think, an obvious (and now clearly wrong) choice, although maybe always suspect if you are concerned with dark fibre. The endpoint security of a device generating and transmitting the key now also being a risk. How far up the chain do you worry?

An airgapped device to generate the key and a single person travelling between datacentres seems the secure (although costly) solution. Obviously if TSA/customs remove device from them for inspection or connect it to anything it needs to be thrown away (or moved to insecure duties) and the setup process restarted.

I think public key encryption with long enough key is a pretty safe bet these days. Of course, NSA might have new non-public discoveries in math/crypto that might make public encryption obsolete. Or they might have a device from Area 51 that breaks any encryption. However, I haven't seen any evidence of this yet.

Amazon does that.

I wrote my thoughts on the subject in a blog post as well:


The moral of the story is that there is always a bigger fish.

I wondered about that traffic, and getting confirmation from the source that the only way the NSA could have it would be by tapping into the internal network is quite damning.

Google has the best OpSec team I've ever known, it is my hope that they close this 'loophole' as completely as possible.

Closing that loophole was underway in Sept according to this article (also linked in the post)...


Google, and their "geniuses" in opsec, should not be given a pass at all for this.

Even if this is a leased private line, non-Internet routed, whatever, it is trivially easy to encrypt the communications and is absolutely a best practice. I see this as great big egg on their face.

In fact, it's such a cock-up that one wonders if this is the plausibly deniable ingress that they agreed to provide for the NSA, et al.

This is akin to using telnet to access your home server because you're "on your own network". Nobody does that and I can't believe they would have either.

You are of course entitled to your opinion, I know Brandon and I know how dedicated he is, I got to watch him and the OpSec team in action during the Chinese incursion. One of the side effects of being in the platforms group was that I had exceptional access to what was going on everywhere on Google's internal network and machines. And a lot changed after that event, both internally and externally.

I can forgive someone for thinking that if they dug trenches in the street, bought some fiber, and ran it between a couple of buildings, in a country where the rule of law was in effect, they might consider it a reasonable assumption that the fiber is lying in the street unmolested. Even if the distance is such that they can't see the entire length of the ground above the conduit.

Prior to Snowden's disclosures, it was the common belief amongst the security community that in 'safe' countries, the government in power would not subvert your infrastructure through physical access. They might do some network tricks, but not tap your fiber. In 'bad' countries countermeasures were taken. And the network setup in say Russia or China was different than it was in the US and the UK. That your own government would illegally subvert your infrastructure [1] through the use of a technicality was not considered a "likely" threat [2]. Given that now it has been exploited it is rewriting a bunch of assumptions. I am not surprised in the least that they are now deploying the same hardening they use in hostile environments worldwide.

[1] The NSA cannot legally tap into communications infrastructure in the US (that is the FBI's job) and when the FBI does it they need a warrant. By doing this in the UK they sidestepped those constraints.

[2] In classic vulnerability analysis you deploy your resources against both the probability and damage potential of a given threat. So for example datacenters are vulnerable to being bombed by aircraft, the probability of that is low enough that you don't defend against it, bombed by cars you put a security perimeter around the building.

No, but they should take some precaution if someone unseemly (rogue employee, hacker, etc) has network access. You don't need NSA-level fiber taps under the ocean to do packet sniffing. Passing all of their service calls, database replications/connections, etc. in clear text over the wire is just plain lazy, bad security for an operation of their scale and (supposed) sophistication. I am sure it saved them some money on server/load balancers however.

Please explain how you would "trivially" encrypt an optical line system that is capable of pushing 19TB down a single fiber (for example, http://www.advaoptical.com/en/products/technology/dwdm.aspx)

The only people who think this is "trivially easy" are people who don't have to do it.

Tapping multi-mode dark fiber unnoticed is now considered trivially easy? I must have missed when the bar was shifted this high.

You don't need to tap dark fiber for this to be poor security. They were passing all internal data around in clear text. It would have been trivial for any data center employee to gain significant amounts of open data this way. Why wouldn't you have services, db connections, etc. encrypted internally? It's certainly possible and done within many companies, it is surprising how lax Google was in their assumption that once inside the network everything is going to be a-ok.

This isn't something that is "easy" when you run one of the biggest infrastructures in the world.

The fiber doesn't run straight into a Google datacenter. It's operated and managed by the company which lays the cable under the sea, which means it goes through their stations at the coast and probably through quite a bit of other non-exclusive routing hardware.

The fact that routing hardware exists means you can pretty easily tap it.

I believe my comment is pertaining to the use of the word "easily". James Bamford in The Shadow Factory was talking about how difficult this is, even for government institutions.

We still don't know if that was really a loophole or rather access given by Google (of course, they will decline that).

My personal opinion is that it's more likely that the access was given by a telecom that Google leased from than from Google itself.

