NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge

from the muscular dept

Wed, Oct 30th 2013 10:05am — Mike Masnick

Early on with the Snowden documents there had been significant disagreement over the kind of "access" the NSA had to systems at the various big tech companies -- all of which denied the kind of "direct access" that was being reported (unlike the telcos which have more or less confirmed going above and beyond to give the NSA everything it wants by tapping directly into the backbone). Back in September, one of the released docs showed how the NSA, with help from GCHQ, appeared to be conducting man in the middle attacks on Google and others' servers. The latest report, from Bart Gellman and Ashkan Soltani at the Washington Post, uses some more Snowden docs to show how the NSA secretly infiltrates servers from Yahoo and Google without their knowledge, under a program called MUSCULAR (they're not subtle with their code names, are they?).

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

There's even this wacky hand-drawn diagram:

There's some evidence that Google figured this out earlier. You may remember that there were reports back in September that Google had been scrambling to encrypt the information flowing between data centers, which is exactly where the NSA hit them. It looks like someone at Google figured out what the NSA was likely doing soon after the original Snowden news broke. Not surprisingly, people at these companies are not happy about this news. When the reporters spoke to "two engineers with close ties to Google," they note that the engineers "exploded in profanity" and urged the reporters to publish that drawing above to expose the NSA.

Either way, attacking the information flow appears to have been fairly effective for the NSA to spy on an awful lot of information, often on Americans:

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

It also appears that the way that the NSA is claiming this is "legal" is by only breaking into the Yahoo and Google datacenters that are outside the US, where there's significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 -- which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program -- which explains the "not under this program" language they often use around questions on 215 and 702 data collections.

The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA's Keith Alexander) about "cybersecurity" attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself.

Sso Weekly Excerpt for Posting Redacted (PDF)Sso Weekly Excerpt for Posting Redacted (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data centers, encryption, executive order 12333, hacking, nsa, nsa surveillance, violations
Companies: google, yahoo

35 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

dennis deems, 30 Oct 2013 @ 10:09am

:^)
The smiley face on the diagram is just perfect, isn't it? The banality of evil.
[ link to this | view in chronology ]
Anonymous Coward, 30 Oct 2013 @ 10:11am

"The real question, now, is what Google and Yahoo do in response to this....they should also sue the US government."

I'm curious how effective the CFAA could be in this case. Wouldn't it be the idea law to slap the NSA with?
[ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 12:26pm
  
  Re:
  You're assuming, like a rational person, that laws should be applied equally and fairly. The world is not in any way, shape or form, rational. It is a clusterfuck of morons, asshats and lunatics.
  
  In addition, you're arguing for the prosecution of NSA staff who have already broken the Geneva Convention and committed acts of war in order to collect this data.
  
  This is a big flashing light to Google to get the hell out of the US, possibly also nuking lobbying groups on their way out of the US. Perhaps they can go to Iran and say to them, "Here, have a bunch of US Governmental secrets!" Each, naturally, carefully selected to do as much political harm to the US Congress as possible.
  [ link to this | view in chronology ]
Wally (profile), 30 Oct 2013 @ 10:18am

So this is why the comments were broken for so long...yeah, not surprised...
[ link to this | view in chronology ]
Anonymous Coward, 30 Oct 2013 @ 10:20am

Mike you have it wrong...
Since Google didn't know about it, it didn't happen. Just ask Mike Rogers. He'll tell you.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 10:24am
  
  Re: Mike you have it wrong...
  And I suppose the engineers that "exploded in profanity" weren't complaining about anything either.
  [ link to this | view in chronology ]
- silverscarcat (profile), 30 Oct 2013 @ 10:27am
  
  Re: Mike you have it wrong...
  Except that they DO know about it, so it DID happen.
  [ link to this | view in chronology ]
  - Anonymous Coward, 30 Oct 2013 @ 10:57am
    
    Re: Re: Mike you have it wrong...
    Oh they know about it NOW, just like we know about a bunch of the other stuff the NSA has been doing over the last 10 years. But apparently according to Rogers, if you don't know about it WHEN IT HAPPENS, it never happened even if you find out about it later and are pissed off about it.
    [ link to this | view in chronology ]
    - Anonymous Coward, 30 Oct 2013 @ 12:28pm
      
      Re: Re: Re: Mike you have it wrong...
      I wonder if it is the same logic Obama uses when Merkel gave him a hissy fit...
      [ link to this | view in chronology ]
      - Anonymous Coward, 30 Oct 2013 @ 12:38pm
        
        Re: Re: Re: Re: Mike you have it wrong...
        Obama may be a lot of things but THAT dumb is not one of them. To actually not only come up with that concept but actually let the words come out of your mouth on camera during a Congressional hearing takes a special level of stupid.
        [ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 30 Oct 2013 @ 10:27am

Mere PR that helps corporate co-conspirators escape blame.
As my theory goes, and there's no real evidence to contrary. But meanwhile, as ever, Mike ignores Google putting spy centers off shore:

"A second mystery barge has been discovered - this one docked in Maine, thousands of miles away from the ship spotted in San Fransisco Bay that has set the tech world abuzz. [Except for Techdirt!]
...
A 2009 patent filed by Google shows a water-borne data center"

http://www.dailymail.co.uk/news/article-2479299/Second-floating-Google-data-center-spotted-Ma ine.html

And remember kids, barges can be outside national borders, and effectively under no legal restrictions.

Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations! All "free", courtesy of other corporations!

06:27:31[h-730-4]
[ link to this | view in chronology ]
- The Groove Tiger (profile), 30 Oct 2013 @ 10:44am
  
  Re: Mere PR that helps corporate co-conspirators escape blame.
  This is the most diverting / distracting piece yet from your NSA series. You just fade out NSA / DHS and focus on Google.
  
  I don't see any good purpose that this serves. You are beating up on the original victim. If they're craven, try to brace them, but the slant you give this is just plain wrong.
  [ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 11:16am
  
  Re: Mere PR that helps corporate co-conspirators escape blame.
  I know you aren't from the UK but the whole world knows that only complete morons read the daily fail.
  [ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 12:01pm
  
  Re: Mere PR that helps corporate co-conspirators escape blame.
  Not more than a few hours ago you were telling us the corporate co-conspirators were 'victims!' PICK A SIDE AND STICK WITH IT!
  [ link to this | view in chronology ]
blue in the face, 30 Oct 2013 @ 10:36am

Piratical Lies!
More piratical lies from Captain Mike, the corporate apologist. Everyone knows that google is knowingly spying for the government, that Google secretly runs the NSA, and are more powerful, and dangerous, than the illuminati, freemasons, and lizard people combined.
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 30 Oct 2013 @ 10:42am

Finally, someone that gets it. I have been trying to use other blogs to promote my ideas about the evil google. Can you believe they try to optimize the ads I see to be relevent to my interests.

A thought has occured! (i know I don't think very often), but I should start my own blog about the evils of google, instead of attacking people who are interested in other issues.

Thanks again Techdirt, I have leared so much from you. I hope you all visit my new blog about evil google.

And remember kids, I'm not very smart, but I am consistent.

Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.

06:37:31[h-730-2]
[ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 10:47am
  
  Re:
  to promote my ideas about the evil google
  
  So no facts, just your IDEA.
  [ link to this | view in chronology ]
  - This comment has been flagged by the community. Click here to show it
    
    out_of_the_blue, 30 Oct 2013 @ 10:50am
    
    Re: Re:
    Yeah, sorry, Im not big on facts. I just like to make a lot of noise.
    
    Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.
    
    06:57:31[h-720-2]
    [ link to this | view in chronology ]
- PopeyeLePoteaux, 30 Oct 2013 @ 10:52am
  
  Re:
  "I should start my own blog about the evils of google"
  
  Please do! I need something asinine/funny to read, and only you could deliver something like that, please be sure you share the link. Thanks in advance.
  [ link to this | view in chronology ]
  - Rapnel (profile), 30 Oct 2013 @ 8:18pm
    
    Re: Re:
    You guys got woo ooshed
    I think it's funn eee
    Cuz blue's so poo pee
    and I do Blue's mum eee
    So I'm the dad eee
    It is so sad leee
    I watch Blue gig ehl
    and google mad leee
    [ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 10:57am
  
  Re:
  The line about not being smart kind of says it all...
  
  People might actually respond instead of reporting if you any sort of intelligent discussion would occur. The most that this community would ever get is a glorified street corner shouter trying to bring people to their cause without listening to anything being told to them.
  [ link to this | view in chronology ]
  - Chronno S. Trigger (profile), 30 Oct 2013 @ 11:00am
    
    Re: Re:
    That is not the real Blue. Blue isn't that obvious with his lies. Not saying that the real Blue isn't lying, just saying his comments are worded in a way that lets you think he actually believes the crap he's spouting.
    [ link to this | view in chronology ]
Anonymous Coward, 30 Oct 2013 @ 10:46am

ENCRYPT ALL THE THINGS!
This is what IPSEC was supposed to stop. Use it. Encrypt the links between your datacenters. Encrypt the links between your racks. Encrypt the links between your servers. Encrypt the links between your desktops. Heck, encrypt the link between the motherboard and the disks (full disk encryption), just for the giggles.

The threat model has changed. It used to be that NSA-level attackers were outside the threat model. Well, now they are inside the threat model. And the great thing is that if you can defend against them, you can defend against almost anyone.
[ link to this | view in chronology ]
- Brazenly Anonymous, 30 Oct 2013 @ 11:38am
  
  Re: ENCRYPT ALL THE THINGS!
  Just be sure to use open source encryption providers and check your encryption keys against large zeroed ranges.
  [ link to this | view in chronology ]
Violynne (profile), 30 Oct 2013 @ 10:52am

Before I forget, thank you, Google, for simplifying our lives by creating a single sign on, making it so much easier for the NSA to access all of our Google options.

/sarcasm directed at the stupidity of all this
[ link to this | view in chronology ]
- McGreed (profile), 31 Oct 2013 @ 2:59am
  
  Re:
  That's is actually the biggest problem and advantage with Google service, that you only need one login to get access to several sites and services. However that also means that only ONE of those sites needs to have a hole and they have access to the whole node.
  [ link to this | view in chronology ]
Anonymous Coward, 30 Oct 2013 @ 11:17am

The problem is actually much worse
During my career, I've done quite a few penetration studies/security assessments. And one of the things that becomes obvious in short order is that there's no such thing as "one backdoor". Only amateurish and inexperienced attackers do that: the ones who are serious plant multiple backdoors, because they know that one might be deliberately or accidentally shut down.

The NSA is neither amateurish or inexperienced. So: where are the OTHER backdoors into these services?

A second thing that becomes obvious is that secondary attackers love backdoors. Their problem reduces from "how can I attack this service and put a backdoor in it?" to "how can I exploit the backdoors that are already there?" So one of the effects of this is that the NSA dramatically reduced the security of both these services. We now have to ask whether anybody else out there helped themselves to the NSA-installed backdoors, when, how, what they got, etc.

Finally, a third observation: I doubt the NSA stopped here. Why should they? There's no oversight and they have piles of money. Why not backdoor Reddit? Slashdot? Redstate? Dailykos? Boingboing? AOL? Hotmail? Stanford? Harvard? Where's the downside? Every operation of sufficient size and popularity is likely a target.
[ link to this | view in chronology ]
- Khaim (profile), 30 Oct 2013 @ 2:56pm
  
  Re: Other services
  This kind of network attack only really affects major players like Google. Sites like Slashdot or Dailykos or Harvard are either single-homed (all in one datacenter), or communicate through known insecure lines.
  
  The reason this attack was so effective against Google is that Google owns the fiber connecting its major datacenters. So Google assumed those links were inherently secure, and didn't encrypt the traffic. Clearly this was wrong. To Google's credit, they started encrypting these links earlier this year.
  [ link to this | view in chronology ]
  - Anonymous Coward, 30 Oct 2013 @ 3:12pm
    
    Re: Re: Other services
    I see your point, but: having worked for multiple universities and Fortune 100 companies, and having conducted penetration studies against same, I can attest that there are plenty of places where they can be subjected to the same intrusion. Whether it's a disused data closet or a fiber tunnel that runs past the chemistry building, there are all kinds of places to put in passive taps -- provided one has a budget, training, and skill.
    
    Yes, being single-homed helps. Yes, having a single data center helps. But these aren't panaceas. The NSA has already demonstrated a rapacious appetite for EVERYTHING and thus it's only a matter of time until they turn their attention elsewhere. My guess is that this happened a long time ago.
    [ link to this | view in chronology ]
Anonymous Coward, 30 Oct 2013 @ 12:11pm

"collection"
Page 2 of the WINDSTOP doc seems to use "collect[ion]" to refer to the copying of yahoo emails to spook-controlled media, rather than to the act of eyeballing it. One is almost tempted to suggest that the claim that "collect" means "look" was bullshit.
[ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 12:28pm
  
  Re: "collection"
  Of course it is! Why do you need to look at it when you can have Five Eyes on it elsewhere to send you the tl;dr?
  [ link to this | view in chronology ]
scotts13 (profile), 30 Oct 2013 @ 1:52pm

Re: Encrypt all things
(Puts on naive good citizen hat) Wouldn't it be more efficient to simply curtail the NSA surveillance, instead of encrypting everything on gods green earth? After all, we live in a democracy, right? (Takes off stupid hat)
[ link to this | view in chronology ]
- Anonymous Coward, 30 Oct 2013 @ 4:16pm
  
  Re: Re: Encrypt all things
  There are other countries and other intelligence agencies, and the conduits these fibers run in are hardly impenetrable (judging by how often networks are taken out by errant backhoes). It was negligent of Google to be transferring private customer data without encryption, and I'm surprised there's no real outrage over that. We've known networks are untrustworthy since the 90s, even if we didn't quite know the extent of it.
  
  We do need to stop the spying, but we should still encrypt. I'm hoping the recent leaks will at least reduce the cost of encryption (and that hardware crypto accelerators aren't backdoored). It's fairly efficient when done in hardware; AES, in particular, was designed to be efficient in both hardware and software.
  [ link to this | view in chronology ]
  - Anonymous Coward, 31 Oct 2013 @ 2:56am
    
    Re: Re: Re: Encrypt all things
    > It was negligent of Google to be transferring private customer data without encryption, and I'm surprised there's no real outrage over that.
    
    There is no real outrage because EVERYONE DOES IT. By working to encrypt their internal links, Google is already way ahead of the crowd.
    [ link to this | view in chronology ]
someguy, 31 Jan 2016 @ 6:13pm

Well get this I was creating a new account on google to get a VPN and NSA hijacked the account from my firewalled and virus protected cell phone on a 'completely new sim' to post a pic of my old house.
[ link to this | view in chronology ]