NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge
from the muscular dept
Early on with the Snowden documents there had been significant disagreement over the kind of "access" the NSA had to systems at the various big tech companies -- all of which denied the kind of "direct access" that was being reported (unlike the telcos, which have more or less confirmed going above and beyond to give the NSA everything it wants by tapping directly into the backbone). Back in September, one of the released docs showed how the NSA, with help from GCHQ, appeared to be conducting man-in-the-middle attacks on Google and others' servers. The latest report, from Bart Gellman and Ashkan Soltani at the Washington Post, uses some more Snowden docs to show how the NSA secretly infiltrates servers from Yahoo and Google without their knowledge, under a program called MUSCULAR (they're not subtle with their code names, are they?).
The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.
By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.
There's even this wacky hand-drawn diagram:
Either way, attacking the information flow appears to have been fairly effective for the NSA to spy on an awful lot of information, often on Americans:
According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.
It also appears that the way that the NSA is claiming this is "legal" is by only breaking into the Yahoo and Google datacenters that are outside the US, where there's significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 -- which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program -- which explains the "not under this program" language they often use around questions on 215 and 702 data collections.
The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA's Keith Alexander) about "cybersecurity" attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself.
Filed Under: data centers, encryption, executive order 12333, hacking, nsa, nsa surveillance, violations
Companies: google, yahoo
Reader Comments
:^)
[ link to this | view in chronology ]
I'm curious how effective the CFAA could be in this case. Wouldn't it be the ideal law to slap the NSA with?
[ link to this | view in chronology ]
Re:
In addition, you're arguing for the prosecution of NSA staff who have already broken the Geneva Convention and committed acts of war in order to collect this data.
This is a big flashing light to Google to get the hell out of the US, possibly also nuking lobbying groups on their way out of the US. Perhaps they can go to Iran and say to them, "Here, have a bunch of US Governmental secrets!" Each, naturally, carefully selected to do as much political harm to the US Congress as possible.
[ link to this | view in chronology ]
Mike you have it wrong...
[ link to this | view in chronology ]
Re: Mike you have it wrong...
[ link to this | view in chronology ]
Re: Mike you have it wrong...
[ link to this | view in chronology ]
Re: Re: Mike you have it wrong...
[ link to this | view in chronology ]
Re: Re: Re: Mike you have it wrong...
[ link to this | view in chronology ]
Re: Re: Re: Re: Mike you have it wrong...
[ link to this | view in chronology ]
Mere PR that helps corporate co-conspirators escape blame.
"A second mystery barge has been discovered - this one docked in Maine, thousands of miles away from the ship spotted in San Francisco Bay that has set the tech world abuzz. [Except for Techdirt!]
...
A 2009 patent filed by Google shows a water-borne data center"
http://www.dailymail.co.uk/news/article-2479299/Second-floating-Google-data-center-spotted-Maine.html
And remember kids, barges can be outside national borders, and effectively under no legal restrictions.
Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations! All "free", courtesy of other corporations!
06:27:31[h-730-4]
[ link to this | view in chronology ]
Re: Mere PR that helps corporate co-conspirators escape blame.
I don't see any good purpose that this serves. You are beating up on the original victim. If they're craven, try to brace them, but the slant you give this is just plain wrong.
[ link to this | view in chronology ]
Re: Mere PR that helps corporate co-conspirators escape blame.
[ link to this | view in chronology ]
Re: Mere PR that helps corporate co-conspirators escape blame.
[ link to this | view in chronology ]
Piratical Lies!
[ link to this | view in chronology ]
A thought has occurred! (I know I don't think very often), but I should start my own blog about the evils of google, instead of attacking people who are interested in other issues.
Thanks again Techdirt, I have learned so much from you. I hope you all visit my new blog about evil google.
And remember kids, I'm not very smart, but I am consistent.
Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.
06:37:31[h-730-2]
[ link to this | view in chronology ]
Re:
So no facts, just your IDEA.
[ link to this | view in chronology ]
Re: Re:
Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.
06:57:31[h-720-2]
[ link to this | view in chronology ]
Re:
Please do! I need something asinine/funny to read, and only you could deliver something like that, please be sure you share the link. Thanks in advance.
[ link to this | view in chronology ]
Re: Re:
I think it's funn eee
Cuz blue's so poo pee
and I do Blue's mum eee
So I'm the dad eee
It is so sad leee
I watch Blue gig ehl
and google mad leee
[ link to this | view in chronology ]
Re:
People might actually respond instead of reporting if any sort of intelligent discussion would occur. The most that this community would ever get is a glorified street corner shouter trying to bring people to their cause without listening to anything being told to them.
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
ENCRYPT ALL THE THINGS!
The threat model has changed. It used to be that NSA-level attackers were outside the threat model. Well, now they are inside the threat model. And the great thing is that if you can defend against them, you can defend against almost anyone.
[ link to this | view in chronology ]
Re: ENCRYPT ALL THE THINGS!
[ link to this | view in chronology ]
/sarcasm directed at the stupidity of all this
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The problem is actually much worse
The NSA is neither amateurish nor inexperienced. So: where are the OTHER backdoors into these services?
A second thing that becomes obvious is that secondary attackers love backdoors. Their problem reduces from "how can I attack this service and put a backdoor in it?" to "how can I exploit the backdoors that are already there?" So one of the effects of this is that the NSA dramatically reduced the security of both these services. We now have to ask whether anybody else out there helped themselves to the NSA-installed backdoors, when, how, what they got, etc.
Finally, a third observation: I doubt the NSA stopped here. Why should they? There's no oversight and they have piles of money. Why not backdoor Reddit? Slashdot? Redstate? Dailykos? Boingboing? AOL? Hotmail? Stanford? Harvard? Where's the downside? Every operation of sufficient size and popularity is likely a target.
[ link to this | view in chronology ]
Re: Other services
The reason this attack was so effective against Google is that Google owns the fiber connecting its major datacenters. So Google assumed those links were inherently secure, and didn't encrypt the traffic. Clearly this was wrong. To Google's credit, they started encrypting these links earlier this year.
[ link to this | view in chronology ]
Re: Re: Other services
Yes, being single-homed helps. Yes, having a single data center helps. But these aren't panaceas. The NSA has already demonstrated a rapacious appetite for EVERYTHING and thus it's only a matter of time until they turn their attention elsewhere. My guess is that this happened a long time ago.
[ link to this | view in chronology ]
"collection"
[ link to this | view in chronology ]
Re: "collection"
[ link to this | view in chronology ]
Re: Encrypt all things
[ link to this | view in chronology ]
Re: Re: Encrypt all things
We do need to stop the spying, but we should still encrypt. I'm hoping the recent leaks will at least reduce the cost of encryption (and that hardware crypto accelerators aren't backdoored). It's fairly efficient when done in hardware; AES, in particular, was designed to be efficient in both hardware and software.
[ link to this | view in chronology ]
Re: Re: Re: Encrypt all things
There is no real outrage because EVERYONE DOES IT. By working to encrypt their internal links, Google is already way ahead of the crowd.
[ link to this | view in chronology ]