It's hard not to come to the conclusion that these activities were essentially criminal. I don't see how the administration can fail to disavow them, investigate them fully, and hold their instigators accountable. It feels like Special Prosecutor time.<p>That aside, let me re-make a point I keep making:<p>Google had no knowledge of NSA's physical compromise of their data centers. But still, they pushed <i>harder than anyone on the whole Internet</i> for the adoption of modern TLS with forward-secrecy; they are the world's foremost deployers of ephemeral-keyed elliptic curve cryptography and of certificate pinning, both of which ensure not only the security of the traffic running over the network cables into their data centers, but also minimize the impact of a compromised long-term encryption key or the compromise of the CA system by a state actor.<p>Not only that, but Google launched a high-profile effort to encrypt the communications <i>inside and between</i> their data centers.<p>I hope a couple years' hindsight will put the importance of Adam Langley's work (and that of the rest of his team; he's just the best-known member of that team) at Google into sharper relief.
Why didn't they release these documents a long time ago when everyone was racing to judgement that Google, Yahoo, et al were secretly in cahoots with the NSA helping to build drag-net surveillance extranet stuff for them? These are very important revelations!<p>I mean, when Greenwald/Snowden/Guardian released the original PRISM accusations, these slides would have provided a much much more important set of evidence, instead of months of speculation and parsing of meanings of "backdoor", "frontdoor", "side door", in the corporate communications of the tech companies who were struggling to say "we've never heard of PRISM, da fuq is this shit?"<p>Is the slow dripping out of these slides because they are trying to be responsible in not releasing stuff that is too damaging (e.g. not trying to be a Bradley Manning dump), or is it to preserve traffic by keeping the click-gravy-train going?
Wow.<p>Years ago, I remember reading Richard Stallman's "How I do my computing"[1], an essay in which he explains why he usually does not connect to any websites from his own machine, downloads web pages from a headless browser running in some server, does not have any user accounts for any web applications, does not buy anything over the Internet ever, does not use any social networking sites, and otherwise abstains from using the Internet like most normal human beings.<p>"Jeez, that's way too paranoid," I remember thinking.<p>It turns out Stallman was just (far) ahead of his time -- as usual.<p>--<p>[1] <a href="http://stallman.org/stallman-computing.html" rel="nofollow">http://stallman.org/stallman-computing.html</a>
If that graphic - that taunting smiley face, drawn when it was assumed that no one was watching - isn't enough to outrage the general public, I don't know what it will take. This is not super technical - it's easily explained and should be easily understood by the masses. And it should cause outrage.
Periodically, especially when a new report like this one comes out, I like to go back and watch the original Snowden interview (<a href="http://www.youtube.com/watch?v=5yB3n9fu-rM" rel="nofollow">http://www.youtube.com/watch?v=5yB3n9fu-rM</a>) and reflect on the differences between what we knew vs what we now know. When I first watched the video, it brought tears to my eyes and I try to remember that so I don't get desensitized to the magnitude of these revelations. I respect the man more and more every day.
Meta remark, somewhat snarky: I would like to know at what point do all the HN'ers making fun of those libertarians among us concerned with security -- I believe over a period of months we were called "tinfoil hat types" and worse -- come back and offer us an apology.<p>I am not holding my breath.<p>(Although it's a snarky comment, I didn't make the comment just to snark. The point was to point out that over and over again, the folks who are concerned about government encroachment are made fun of, put down, and lampooned to a great degree. More often than not, these concerns turn out to be true. In most cases this happens long after the debate has died down. This is an important lesson from history that we all would do well to learn. This story has a lot more facets to it than just the NSA/USA angle)
From the article: "Two engineers with close ties to Google exploded in profanity when they saw the drawing."<p>That about sums up my reaction as well.
Gen. Keith Alexander, asked about it at a Bloomberg event, denied the accusations.<p>"I don't know what the report is," Alexander cautioned, adding the NSA does not "have access to Google servers, Yahoo servers." He said the NSA is "not authorized" to do this, and instead, must "go through a court process."<p><a href="http://www.politico.com/story/2013/10/keith-alexander-nsa-report-google-yahoo-99103.html" rel="nofollow">http://www.politico.com/story/2013/10/keith-alexander-nsa-re...</a>
I hope that this finally convinces everyone that it doesn't matter whether Google is "Evil" or Yahoo is more evil or whatever. What matters is that large cloud systems are fundamentally incapable of protecting data.<p>Even the most goodhearted and the most talented teams can't reliably defend against a massively funded adversary.<p>Secrets are for keeping, not sharing.
I think this is of endgame for network security, I don't see a way out -- the Sony Rootkit[1] should have been the point where I realized but it is just sinking in for me now since the Snowden NSA leak.<p>Any network connected computer will be running an OS+Applications which are typically a gigabyte or more. This is produced by companies which are beholden to a nation state, and the companies can be coerced[2] or compelled[3] to use the software against the user. The software is also constantly being probed for vulnerabilities, which can also be exploited by law-enforcement / military [4][5].<p>So, if you turn on auto-update you have to trust the software maker is not being coerced by someone, or being compelled by a secret court to trojan you. If you don't turn on auto-update you can still get trojaned by any vulnerability. Lose-Lose.<p>[1] Sony Rootkit: <a href="http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal" rel="nofollow">http://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootki...</a><p>[2] Qwest CEO Nacchio's claims: <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/" rel="nofollow">http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30...</a><p>[3] FISA court<p>[4] German Govt. Trojan from 2011: <a href="http://www.spiegel.de/international/germany/the-world-from-berlin-electronic-surveillance-scandal-hits-germany-a-790944.html" rel="nofollow">http://www.spiegel.de/international/germany/the-world-from-b...</a><p>[5] FBI's TOR trojan injection: <a href="http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/" rel="nofollow">http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi...</a>
> The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process.<p>1. Spy on whatever the hell you want without benefit of warrant.<p>2. Discover something interesting.<p>3. "Parallel construct" a way that the information could have been legally obtained.<p>4. Get a warrant based on the parallel construction.<p>5. Profit.
I don't see how the pretense that the NSA actively avoids snooping on U.S. citizens can be seriously maintained after this revelation. It's becoming increasingly clear that intelligence agencies want the ability to access all data created directly or indirectly by an arbitrary cyberspace target on demand and will shop around for the "best" (e.g. weakest link in technology and/or legislature) nook of the net to snoop at.
This seems like a good time to remember that Google has been storing wifi access passwords in plain text on its servers, and (presumably) passing them between its data centers.<p>It can be assumed that as a consequence of Google's decision to store passwords in plaintext, the NSA now have access to every wifi access point that has been used by an Android device.<p>This is a <i>massive</i> security breach. I sincerely hope Google notifies Android users of the problem.
People will no doubt come on this thread and remind everyone that of course the government always had access - you must have been a fool not to think so. But I just can not get over how angry it makes me. Honestly I thought that using Google products with some exploitation of the contents for advertising was an acceptable exchange. This is just a total betrayal and I cannot believe that the Google board is not aware of this! And if it is not, it is because they choose to be!
Is that an official document with an actual smiley face?<p>Whatever happened to the admins / programmers standing up for what is right, or do they just gobble down a paycheck and turn the other way?
It's kind of shocking that they haven't been encrypting all internal inter-datacentre connections to begin with. Even if they didn't suspect NSA snooping, there are enough companies and criminals out there that'd conceivably have a lot of reasons to want to try to find ways to tap Google's links.
You know, one thing I'm sure (hope) will come out of this is that enough people in the public should be sufficiently outraged at this that we start making some private sector headway in the data security race and perhaps we'll end up with some actual secure products by companies that aren't under the "jurisdiction" of U.S. policy, instead of those that just say they're secure but fall flat on their face when it comes to something as trivial as an NSL or an order for a pen register. If they were really secure, then these things wouldn't make the slightest difference.
Offtopic, but there's a problem on this site with this kind of story now. I'm not sure if it's the flamewar detection, or flagging, or some other automated system, but stories like this which are very popular and not remotely a flamewar, but an interesting discussion, are disappearing off the home page too fast in my opinion. This is a topic that will define a generation's attitude to technology and the internet, and is particularly pertinent to Silicon Valley.<p>Yet this morning this story went from top of the page:<p>14. NSA infiltrates links to Yahoo, Google data centers worldwide (washingtonpost.com)
1395 points by nqureshi 15 hours ago | flag | 533 comments<p>To behind stories like this:<p>12. Java Virtual Machine in pure Node.js (github.com)
232 points by binarymax 16 hours ago | flag | 129 comments<p>I'd be interested to know the reason, and perhaps whatever algorithm is voting this down could be adjusted, because it's clearly not working?
So does this suggest that Google's SSL encryption can be removed just as easily as that smiley face implies?<p>If this is true my next question would be does NSA have access to the keys or are they removing encryption in some other more technically involved way?
A few people said you can't fight Google with an NSL or force them to do anything because it has $50B in cash.<p>Easy: Just start an anti-trust investigation - a fed lawyer can drag Larry Page and Google's top level managers into federal court every week for the next 5-10 years. Go through every email about iPhone, Android, Bing in the past, and force-monitor every single biz decision Google will try to make for the next 10 years.<p>Apple, Samsung, Microsoft, Facebook would love to help out the government(s) in this.<p>Larry will get so sick of it that he would think giving out billions to kill mosquitoes in Africa/India is a lot more fun. - Remember Bill Gates?
Google will never do it, but they should drown the NSA in bullshit data. So much so it literally chokes the NSA's ability to spy on Google's services.<p>Google is one of the few companies that could pull it off. They have $56 billion in cash and nothing to do with it apparently. They generate $12 billion in profit annually and growing.<p>They have more financial resources, computing power, and brain power than the NSA does, and they're one of the few companies on earth that can say that (the only?).<p>A billion a year thrown at choking the NSA with a flood of data, I'd argue, would work extraordinarily well.<p>The NSA has a substantial budget (but how much spare budget?), but I don't believe they could afford the processing and storage costs that can be generated from a billion dollar per year effort of bogus data spewing (particularly if Google matches it with a dramatic effort put toward encryption R&D to multiply the cost the NSA suffers significantly more than just basic processing & storage costs).<p>The NSA's grand new data center in Utah cost billions and will have taken years to build. Google could probably force them to attempt to build a new one every single year forever, particularly given how bloated every effort by the government is and how easily Google could generate 'infinite' volumes of data. Google should pro-actively help Yahoo, Facebook and others out in teaming up to drown the NSA.<p>The biggest threat to Google is the NSA. Google should act accordingly. Just as they would react with financial investments to any other competitive threat.
Larry Page should step down as CEO.<p>It would never happen, as Google shares would drop like a bomb and give credence to the argument that the cloud isn't secure enough, but at least it would show that someone at Google cares.<p>It would create a landmark moment though; something that would spark more debate in both the media and with American politicians.
Everyone in Silicon Valley is talking about this and the media has painted a picture of criminal undertaking by the NSA. A lot of this is just speculation that has been blown out of proportion. The only way the NSA could compromise private data centers without placing moles in their respective ops teams is to sniff the traffic on the private DC to DC lines leased by the companies. Assuming they did this by overpowering the ISPs, they are still left with a ton of TCP/UDP packets which they need to reconstruct, decipher and schematize. Although DC to DC traffic is typically not encrypted, it is often compressed or transmitted as binary streams. There is absolutely no way the NSA would be able to make sense of the data without reverse engineering the innumerable communication protocols used and then using that protocol to decipher the packets. It is a lot more feasible to force a company to hand over data on specific users than it is to piece together user data using this packet sniffing technique. If the NSA really is wiretapping DC-DC communication, it's not because they are trying to build profiles on individuals. It's likely that they are using this raw data for keyword lookups. And, although I question its effectiveness, that is a level of surveillance I'm comfortable with.
What makes me downright angry is the vehemence with which Google's Chief Legal Officer David Drummond denounces siphoning Google's own data. Secretly take our users' personal data, that's okay, but secretly take our data, which we make our billions off of, now that is un-American. Class, man. Real class.
Can anybody trust Google services anymore? It seems like it's pretty much a no-go at this point. Even if Google hands over select data from within their systems, it appears we cannot even trust that it makes it <i>that far</i> without being compromised.<p>Every business that can should be ditching their Google services right now.
<i>“Look, NSA has platoons of lawyers and their entire job is figuring out how to stay within the law and maximize collection by exploiting every loophole,”</i><p>Interesting how agencies, corporations and alike have the collective maturity of children. A grown up will say to a kid "you can't play with fire with your friend" and the kid immediately will think "he didn't say I can't play with fire with my other friend".
As a software engineer just about to graduate from college, when I see drawings like that I just can't believe that people who know enough to draw something like that can actually do it without feeling like they are the definition of evil.
If I scroll the Reddit frontpage (without being logged in), I am not seeing <i>any</i> NSA stories, despite being on the top of /r/WorldNews, /r/news, etc. Anyone know the story behind that?
Funny thing is how many articles have been written about Chinese crackers, possibly funded by the Chinese government, trying to hack into big companies.
"Two engineers with close ties to Google exploded in profanity when they saw the drawing." seems hyperbolic. What does it even add to the article? Is it used to try and establish some credibility?<p>I don't understand why this is shocking (the photo- not the alleged spying)?
How are all of our elected officials "just finding out" about this stuff? Bullshit!<p>Our congressmen, senators, and POTUS are all "as surprised as you are!"(TM) about these allegations that keep coming out.<p>Obama doesn't know anything. Feinstein (who heads the Senate intelligence committee, and is briefed on the NSA's activity) knows nothing.<p>What's the difference between extreme incompetence and maliciously lying? I can't tell the difference.
Here, Google - show us how much you care about user privacy and security, and join Lavabit and Silent Circle's alliance for the "Dark Mail" protocol:<p><a href="http://www.forbes.com/sites/kashmirhill/2013/10/30/lavabit-and-silent-circle-join-forces-to-make-all-email-surveillance-proof/" rel="nofollow">http://www.forbes.com/sites/kashmirhill/2013/10/30/lavabit-a...</a><p>Meanwhile I'll be waiting impatiently.
Google is so good. Such a great concept. So much fun to use. A romper room. Such a bastion of talent and good people. Which is why this whole business is such a crappy disappointment. A guy sitting in a renovated girl's bathroom in London told us some time back that this was the case, that Google had dropped its original stance against "evil," but nobody took him seriously.
Reaction of Google’s chief legal officer, David Drummond on the news. Sounds a lot more sincere than their previous denials (which proved to be lies forced by the law anyway).<p>"We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide. We do not provide any government, including the U.S. government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform." [0]<p>[0] <a href="http://www.washingtonpost.com/world/national-security/google-statement-on-nsa-infiltration-of-links-between-data-centers/2013/10/30/75f3314a-41b3-11e3-a624-41d661b0bb78_story.html" rel="nofollow">http://www.washingtonpost.com/world/national-security/google...</a>
SMTP (mail protocol) between providers is unencrypted anyway. So, if I send email from gmail to ycombinator, it goes to ycombinator SMTP server unencrypted and can be tapped by anyone with access to the wire. Still, clear traffic between Google's own data centers is inexcusable. They are exposing my data to more risk.
Aside from the indignation, I'd like to see proof that Google wasn't aware of this stuff. My guess is that it was approved as long as there was plausible deniability.
What strikes me most reading NSA related articles is that for Americans the problem here is not the global surveillance itself, but the <i>domestic spying</i>. Wtf? Is my anonymity and freedom less valuable just because I don't have a USA signed piece of paper? It's a serious problem that touches <i>everyone</i> who uses digital communications (pretty much every human being in the world nowadays) and such data collection should be illegal on <i>anyone</i> unless he's under a warrant or belongs to opposite forces during war times. I'm very sad and disappointed that EU leaders don't have the balls to stand up for this.
This degrades into comic book villain territory. Every admin's and developer's professional wet dream is to be able to capture, log and analyze every byte. To have unlimited processing power and storage.<p>And these people lived it ...
It's interesting that there's been little attention paid to what this genre of backbone/infrastructure tapping means for companies using content accelerators (or whatever they're called).<p>Considering what we now know about tailored access operations, I find it hard to imagine they've not used these abilities to subvert the auto-update functionality of virtually every product there is out there.<p>I.e., client requests auto-update from front-end server, update is switched and replaced before hitting the front-end server & being delivered.
USSID18 is what should be talked about regarding these violations. The sooner people become more familiar with the laws in place to prevent this the better the outcome for all involved.
The denials over Prism never squared with the size and capability of the system that were outlined in the documents, unless I'm missing something here. Is it not possible that the court-ordered data releases were just one small part of the Prism program, with MUSCULAR and others filling the data that could not be obtained through the legal system? Prism is just the query interface, which is not necessarily tied to one dataset.
Would anyone else be interested in inserting a private version of a tracking pixel into each of their e-mails, so that you'd get a list of IP addresses where the mail was viewed back?<p>It would be interesting to see where mail was read versus where it is simply passed in plain text. Crowd-sourcing anonymous data might also allow us to determine which IP addresses belong to the NSA's systems.
"vice president for security engineering Eric Grosse announced that the company is racing to encrypt the links between its data centers."<p>Isn't this useless?<p>They can serve Google an NSL and the court can force the company to release the SSL keys for the encryptions - just like Lavabit. Google CEO/Board cannot shut down the company like Lavabit.<p>What can they do, get out of USA like how they got out of China?
I love how every quote from the NSA stresses that "we don't have access to their <i>servers</i>." Fine. Let's say they don't. But that means nothing in this context. If they can see every piece of data that is sent between servers at various Google data centers, they don't need access to the servers to gather a ton of information.
As of 1:41pm PST, there is no mention of this news anywhere on the front page of the NY Times website. There have been similar ...time lags... in the past when covering Snowden related news at the NYT. It's a shame one of the most important news sources in the US is so slow in their coverage, either intentionally or not.
I get the feeling that people are outraged by this not necessarily for the fact that spy agencies spy on everyone they can, but that they do it in such a blatant, efficient, and all-encompassing way.<p>I know I feel a bad gut reaction to the mass collection of data, but when you think about it that is exactly what a country wants from its spy agency, to know others' secrets. Hence they're doing the most optimal thing from the country's point of view. Therefore it is just the brazen scale, the automation of the whole operation, and the fact that it is now officially public that gives me (and us in general) the sick feeling.<p>Like the breakdown of forgetting (anything on the Internet is there forever), and the rapid dissemination of information through the social network (Facebook status etc), an adjustment needs to be made either in us or the system.
Why is this on the second page of news right now? Older stories with way fewer points are currently ranked higher. This story is 22 hours old with 1495 points. There are stories with 264 and 305 points that are older but are currently ranked just higher than this story, moving it to the second page of news.
“We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform,” he [Google's CLO] said.<p>reform... ha!
Now wait... It isn't surprising that inside the datacenters most traffic flows unencrypted, but not encrypting links between datacenters?<p>Well...
Is there anything in the world that the US Government cannot rationalize?<p>Are there literally no limits worldwide to their power at this point?<p>It is my current assumption that everything now is being logged.
Any institution responsible for maintaining a nation's safety should be something to be proud about, but apparently with each news item NSA sounds more like a virus.
I get the feeling I'm going to take a karma hit for this, but here goes...<p><i>By tapping those links, the agency has positioned itself to collect at will from hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.</i><p>There's a problem with this. The Post goes into a good amount of detail regarding <i>how</i> the NSA/GCHQ is collecting, but leaves nothing but speculation as to <i>who</i> they're targeting or <i>why</i>. It even goes so far as to suggest that NSA/GCHQ is targeting millions upon millions of ordinary citizens without giving evidence to back up that assertion. I would argue that these media outlets are doing us a disservice by not providing this information. All they're doing is generating hype and fear. I'm scrolling through the comments here and seeing calls for the imprisonment (or worse) of Obama administration officials and NSA personnel based not on solid evidence that the public at large is being spied upon, but based on our fear that the public is being spied upon. Some hypothetical headlines as an analogy:<p>A: "SWAT team guns down local residents"<p>B: "SWAT team guns down unarmed retirement home residents"<p>C: "SWAT team guns down pair of local gunmen; ends killing spree"<p>Headline A is vague and misleading. If that was the entirety of the information put out, the public would be outraged. If the actual story was closer to headline B, they'd be rightfully outraged, and all trust in the police force would be rightfully gone. The outrage wouldn't be justified if the actual story was closer to headline C. With regards to today's story, I don't want to see something like "NSA spies on Google traffic" - there's not enough context. I want to see evidence showing who they're targeting and why. If it turns out that they're spying on US Congressmen, major business executives or just ordinary Americans with the intent to blackmail/bribe/manipulate/etc.
- that's the reason to call for these people to stand trial. If it turns out that they're spying on the unencrypted internet traffic of valid intelligence targets like foreign government officials/foreign spies/terrorists/etc., what has the public gained by telling us all how they're doing it?<p>The media needs to show us that there's a good reason to be afraid/outraged of a vast, covert Orwellian apparatus, then show us how to protect ourselves against it. Show us that the NSA is determined to undermine the public good for its own benefit. Unless there is no vast, hidden Orwellian state. Every Snowden document that gets released without showing evidence that the NSA is pursuing anyone besides those it has been tasked to pursue leads me to believe more and more that there is no such evidence, and the media is riding high on all of this fear and outrage to gather advertising dollars.
Are people seriously surprised? After all of the other stuff we've heard the NSA has done, I am surprised that people are surprised by something we all but already knew.
The writing has been on the wall about the true nature of "the cloud" for at least 15 years. I tried to tell people, they preferred to put their faith and trust in the major magazines, which were all propagandizing about it constantly. Most people (including the developers who write this software) allow themselves to be herded, and if you try to tell them what's really going on they write you off as a crackpot.<p>What most people don't realize is that all the value offered by "the cloud" can be created with much higher quality on a different architecture, one that gives all the benefits of the cloud, but without sacrificing privacy.