Google States Unequivocally It Was 'Attacked' By The Chinese... And By The United States

from the with-friends-like-these dept

Among the biggest revelations made by the Snowden documents so far was of course the fact that in addition to negotiating with companies like Yahoo and Google for user data via the front door (PRISM), the NSA was also busy covertly hacking into the links between company data centers for good measure (trust is the cornerstone of any good relationship, you know). The moves pretty clearly pissed off Google engineers, who swore at the agency and immediately began speeding up the already-underway process of encrypting traffic flowing between data centers.

Speaking at South By Southwest, Google's Eric Schmidt for the first time (that I'm aware of) unequivocally stated that what the NSA did wasn't just surveillance or your garden variety hack -- it was a direct attack on one of the United States' most successful companies:
"The solution to this is to encrypt data at multiple points of source. We had already been doing this, but we accelerated our activities," he said. "We’re pretty sure right now that the information that’s inside of Google is safe from any government’s prying eyes, including the US government’s… We were attacked by the Chinese in 2010, we were attacked by the NSA in 2013. These are facts."
You're the executive chairman of one of the most powerful, wealthy companies in the world and you're "pretty sure" Google's internal networks are secure? Somehow I doubt that's the case, given the fact that most of us forget we're already working off of antiquated information provided by Snowden, and the NSA could have developed an unknown number of additional attack vectors since then. There's only so much that the cat and mouse game of security can accomplish without the kind of meaningful intelligence oversight the United States government has made very clear they're entirely disinterested in.

Last fall Schmidt stated that Google had briefly considered moving servers outside of the United States to avoid the NSA before the logistical nightmare (and likely futility given NSA's reach and the even greater lack of oversight) of that concept had time to sink in. The reality is that no matter the endless analysis and constant promises of both companies and industry, we'll probably have to wait until the next whistle blower emerges before we have any accurate, current idea of just how little privacy we currently possess.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: china, edward snowden, eric schmidt, nsa, prism, sxsw
Companies: google


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    BentFranklin (profile), 10 Mar 2014 @ 10:15am

    I'm satisfied with "pretty sure." It means they've done everything reasonable they can think of, but they are smart enough, and humble enough, to know there may be things they do not know.

    link to this | view in chronology ]

    • icon
      pixelpusher220 (profile), 10 Mar 2014 @ 10:43am

      Re:

      Yep, my thoughts exactly. Too often we get PR spin of 'completely secure' when everybody knows it's not.

      link to this | view in chronology ]

    • icon
      Baldaur Regis (profile), 10 Mar 2014 @ 10:53am

      Re:

      Agreed. I wonder, will historians look back at computer science before 2010 and marvel at the 'charming naivete' of engineers, and will this period be known as the start of the weaponization of one the most collaborative disciplines?

      link to this | view in chronology ]

      • icon
        John Fenderson (profile), 10 Mar 2014 @ 12:53pm

        Re: Re:

        Security engineers before 2010 were not "charmingly naive". They were (are are) often ignored because their solutions necessarily increase costs and hassle.

        Also, the weaponization you speak of was well under way long before 2010. Well before the 21st century even. All competent security engineers know their history and are aware of this.

        link to this | view in chronology ]

        • icon
          Baldaur Regis (profile), 10 Mar 2014 @ 1:56pm

          Re: Re: Re:

          Oh, to be sure, and no doubt a security engineer would never make the call to send unencrypted data between centers. But software engineers would - at least, until very recently.

          link to this | view in chronology ]

          • icon
            tracker1 (profile), 10 Mar 2014 @ 2:28pm

            It depends

            I think it depends on the communications channels... up until fairly recently, the telecom companies providing the data connections between sites were relatively well trusted. Today, that is not the case.

            Sometimes pragmatism outweighs absolute security... ex: if you use say scrypt for a popular website's user passwords, it could lead to an increased vector for DDOS attack. Vs. something slightly lesser (or lesser settings for scrypt) which would be "good enough" for today/tomorrow, but maybe not in 5 years.

            link to this | view in chronology ]

          • icon
            John Fenderson (profile), 10 Mar 2014 @ 3:49pm

            Re: Re: Re: Re:

            "But software engineers would"

            Not if they were security engineers. They aren't mutually exclusive groups, and if you've hired software engineers who are not security people to do security things, then you're doing it completely wrong.

            If that's what's happened, it's totally unfair to blame the engineers who were tasked with something they were unqualified to do.

            link to this | view in chronology ]

            • icon
              Baldaur Regis (profile), 10 Mar 2014 @ 8:43pm

              Re: Re: Re: Re: Re:

              I'm not making my point well today, but it's a point that should be stressed.

              The NSA and other spy agencies deliberately perverted the collaborative nature of connected computing by short-circuiting the trusts built into the systems - trusts which are a reflection of the attitudes within the minds of the programmers.

              Are these attitudes naive? Only in the very narrow sense of thinking that an ideal engineering solution is the one that's straight ahead ('charmingly naive' is how a front-office guy once characterized a young programmer I knew, who asked the perfectly logical question, "This is an integration problem with Company X's software. Why don't we call up the guys over at Company X and just ask them how they're working on it?").

              Once trust is gone - trust in one's own government, trust in other programmers - what will replace it? I see the unfolding events around Snowden's revelations as a watershed moment, a moment when some of the collaborative spirit that made the internet possible has been killed off, leaving the world a darker place.

              link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Mar 2014 @ 12:07pm

      Re:

      Good security is expensive, and Google is all about profits. I imagine they are only going as far as they they consider to be "cost effective".

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 10 Mar 2014 @ 12:49pm

      Re:

      This. If he had said they were "absolutely sure," then I would be calling them fools or liars. You can never be absolutely sure.

      link to this | view in chronology ]

  • icon
    Violynne (profile), 10 Mar 2014 @ 10:25am

    Now, if only we can stop being attacked by Google, the world's internet becomes a better place.

    I think it's pretty damn ballsy for a CEO to chastise the NSA when the company he runs is doing the same thing.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Mar 2014 @ 10:28am

      Re:

      I'm reasonably sure that Google isn't hacking into other companies network traffic to raid their data center information.

      link to this | view in chronology ]

      • icon
        Violynne (profile), 11 Mar 2014 @ 3:55am

        Re: Re:

        So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?

        A company doesn't have to hack anything, just like the NSA hasn't hacked anything. Did any of you not read the reports from the "attacks" the NSA did at all?

        Remember a few years ago Google came under fire from grabbing WiFi signals during its street view sweeps?

        The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it.

        Where the line gets blurred: review Google analytics and realize just how intrusive this little snippet of code is used across the entire internet.

        It's rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing.

        It is, after all, just "meta data".

        And for the record: this has nothing to do with using Google services. You can't visit most websites without Google's intervention, including this very site.

        Read the source code, people.

        And the funniest thing of all: this is being done without most people understanding how Google Analytics works.

        So call me cynical to take the words from a CEO whose company does the same damn things, minus the hacking (which everyone knows happens outside of the Chinese and US government).

        You can bet Anonymous also tries to gain access to Google. Anyone want to umbrella the group so the headline's more scary?

        Goodness.

        link to this | view in chronology ]

        • icon
          John Fenderson (profile), 11 Mar 2014 @ 9:33am

          Re: Re: Re:

          Well, first, this article is about actual hacking, not passive Metadata" collection. But onward anyway...

          "So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?"

          Google is not doing the exact same thing as the NSA. Google is only collecting the data that you are giving them. The NSA is collecting all the data. It's a rather large difference in kind.

          "A company doesn't have to hack anything, just like the NSA hasn't hacked anything"

          The NSA has confirmed that they've hacked quite a lot, and that a huge portion of their data collection comes form these hacks.

          "The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it."

          This is simply incorrect. I think you don't understand what the NSA did here.

          "It's rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing"

          I don't know why this is so baffling. In the case of the NSA, you're forced into it and that information is being used in ways that can seriously harm you. In the case of Google, you're not being forced into it and that information is being used to seriously annoy you. Until it's sold to the NSA, of course.

          The two agencies are not doing "the exact same thing".

          "You can't visit most websites without Google's intervention, including this very site."

          Nonsense. Of course you can. I do it every day. I can't think of a single website I go to that require Google.

          link to this | view in chronology ]

    • icon
      madasahatter (profile), 10 Mar 2014 @ 11:04am

      Re:

      Google is using data provided to them by searches, clicks on ads, etc. Also, you are free to not use Google services, block ads, etc. And Google will not harass you, listen to your phone calls, etc.

      link to this | view in chronology ]

      • icon
        Namel3ss (profile), 10 Mar 2014 @ 12:03pm

        Re: Re:

        Also, Google can't break down your door and haul you off to "federal pound-me-in-the-ass prison" if they don't like what you say/do online or elsewhere.

        (kudos if you know where that quote is from)

        link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Mar 2014 @ 11:28am

      Re:

      Google isn't a government.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 10 Mar 2014 @ 12:56pm

      Re:

      "if only we can stop being attacked by Google"

      For all its faults, I have never heard of a single instance of Google attacking anybody at all. The closest was their bypassing of Safari security controls -- which was certainly bad, but nothing even on the same planet as what the various governments are doing.

      link to this | view in chronology ]

  • identicon
    Michael, 10 Mar 2014 @ 10:26am

    I would be shocked if the NSA did not have people working inside Google in an attempt to maintain access at this point.

    It is a really sad state of affairs when the most significant security risk technology companies have is their own government.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Mar 2014 @ 10:43am

      Re:

      stop using google. problem solved

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Mar 2014 @ 10:44am

        Re: Re:

        sorry. that was meant for the previous comment, but works just as well for yours

        link to this | view in chronology ]

    • icon
      BentFranklin (profile), 10 Mar 2014 @ 11:06am

      Re:

      Agreed. The scenario goes like this:

      "Hey there Sanjay, that's a nice H1 visa you've got there. It would be a shame is something were to happen to it. Why don't you do us a favor and insert this innocuous-looking off-by-one bug into the next build."

      By the way, it's my opinion it's quite possible this is happening to voting machines as well. Or even likely, given what we've learned of NSA's depravity.

      link to this | view in chronology ]

      • icon
        That One Guy (profile), 10 Mar 2014 @ 3:13pm

        Re: Re:

        By the way, it's my opinion it's quite possible this is happening to voting machines as well. Or even likely, given what we've learned of NSA's depravity.

        Eh, seems to be more effort than they'd bother with or need. With how much data they scoop up on everyone, if they want to influence an election, just 'let slip' a few embarrassing facts, or put that character assassination part of the agency to work whipping up outrage against the enemy of the one they want elected.

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 10 Mar 2014 @ 3:44pm

          Re: Re: Re:

          Control the machine and you can control the vote counts, which is likely more effective and quiet way of getting the right overall outcome, make sure of the desired outcome in marginal seats.

          link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Mar 2014 @ 10:33am

    There isn't a way to be absolutely sure you're secure, at least until you're suffering a breach and someone is proving that you aren't. Being secure is a moving target; there is no shortage of work required to keep up with the latest known threats (emphasis on known.)

    Outrage/dissatisfaction over saying 'pretty sure' is tilting at windmills and shows a lack of understanding on the subject matter.

    link to this | view in chronology ]

    • identicon
      Jack, 10 Mar 2014 @ 12:41pm

      Re:

      As every keynote speaker at every InfoSec conference seems to say "There are those whose data has been breached and those who don't yet know their data has been breached."

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Mar 2014 @ 10:39am

    This post feels like it's grasping a little.
    "pretty sure" - we've done all we can but are open to the idea that NSA may have other means we're not aware of.

    "one of the most powerful, wealthy companies in the world" and they hire some of the most knowledgeable and talented engineers and security experts in the world. They hardened their network.

    Hard to whip up the outrage on a bit of good news.

    link to this | view in chronology ]

  • icon
    Dark Helmet (profile), 10 Mar 2014 @ 10:56am

    Google States

    THEY HAVE THEIR OWN COUNTRY NOW?!?!?! OOTB WAS RIGHT! AHHHHHHHHH!!

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Mar 2014 @ 11:01am

    A House divided....

    Countdown to revolution?

    link to this | view in chronology ]

  • identicon
    Mark Wing, 10 Mar 2014 @ 11:03am

    In Russia, servers attack you.

    link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 10 Mar 2014 @ 11:30am

    I guess Google has things they don't want people to know.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Mar 2014 @ 1:10pm

    "We’re pretty sure right now that the information that’s inside of Google is safe from any government’s prying eyes, including the US government’s…"

    Well, until they get a national security letter with a gag order, anyway. They've locked the windows, but the government can still use the door.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Mar 2014 @ 1:31pm

    Google has made it's attempt at securing it's data. As long as it is inside the US, it will never be able to promise security.

    Since it would not be able to promise security outside the US, I see little difference between then and now, encryption or not.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 10 Mar 2014 @ 1:55pm

      Re:

      " As long as it is inside the US, it will never be able to promise security. "

      Whether or not it's in the US doesn't enter into it. Nobody can promise security as an absolute. And nobody should -- a false sense of security is more dangerous than having no security and knowing it.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 10 Mar 2014 @ 5:11pm

        Re: Re:

        The only secure machine is one which is powered off, encased in concrete, and left at the bottom of the Marianas trench.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Mar 2014 @ 10:48pm

    Google said that NSA does not equal USA.

    Which is a lie.

    link to this | view in chronology ]

  • icon
    Steve D. (profile), 11 Mar 2014 @ 11:57pm

    If it's encrypted it can be decrypted...

    Even if data between Google servers is encrypted, at some point it has to be decrypted...

    We know the NSA is not above gaining secret physical access to computers - so they would simply copy the operating system drive from a server, take it back to base and debug it to find the decryption key/protocol.

    From there on it's just a matter of them running all of Google's network data their copy of the decrypter routine before storing/processing it.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.