Google States Unequivocally It Was 'Attacked' By The Chinese... And By The United States
from the with-friends-like-these dept
Among the biggest revelations made by the Snowden documents so far was of course the fact that in addition to negotiating with companies like Yahoo and Google for user data via the front door (PRISM), the NSA was also busy covertly hacking into the links between company data centers for good measure (trust is the cornerstone of any good relationship, you know). The moves pretty clearly pissed off Google engineers, who swore at the agency and immediately began speeding up the already-underway process of encrypting traffic flowing between data centers.
Speaking at South By Southwest, Google's Eric Schmidt for the first time (that I'm aware of) unequivocally stated that what the NSA did wasn't just surveillance or your garden variety hack -- it was a direct attack on one of the United States' most successful companies:
"The solution to this is to encrypt data at multiple points of source. We had already been doing this, but we accelerated our activities," he said. "We’re pretty sure right now that the information that’s inside of Google is safe from any government’s prying eyes, including the US government’s… We were attacked by the Chinese in 2010, we were attacked by the NSA in 2013. These are facts."
You're the executive chairman of one of the most powerful, wealthy companies in the world and you're "pretty sure" Google's internal networks are secure? Somehow I doubt that's the case, given the fact that most of us forget we're already working off of antiquated information provided by Snowden, and the NSA could have developed an unknown number of additional attack vectors since then. There's only so much that the cat and mouse game of security can accomplish without the kind of meaningful intelligence oversight the United States government has made very clear they're entirely disinterested in.
Last fall Schmidt stated that Google had briefly considered moving servers outside of the United States to avoid the NSA before the logistical nightmare (and likely futility given NSA's reach and the even greater lack of oversight) of that concept had time to sink in. The reality is that no matter the endless analysis and constant promises of both companies and industry, we'll probably have to wait until the next whistleblower emerges before we have any accurate, current idea of just how little privacy we currently possess.
Filed Under: china, edward snowden, eric schmidt, nsa, prism, sxsw
Companies: google
Reader Comments
I think it's pretty damn ballsy for a CEO to chastise the NSA when the company he runs is doing the same thing.
[ link to this | view in thread ]
It is a really sad state of affairs when the most significant security risk technology companies have is their own government.
[ link to this | view in thread ]
Outrage/dissatisfaction over saying 'pretty sure' is tilting at windmills and shows a lack of understanding on the subject matter.
[ link to this | view in thread ]
"pretty sure" - we've done all we can but are open to the idea that NSA may have other means we're not aware of.
"one of the most powerful, wealthy companies in the world" and they hire some of the most knowledgeable and talented engineers and security experts in the world. They hardened their network.
Hard to whip up the outrage on a bit of good news.
[ link to this | view in thread ]
Google States
[ link to this | view in thread ]
A House divided....
[ link to this | view in thread ]
Re:
"Hey there Sanjay, that's a nice H1 visa you've got there. It would be a shame if something were to happen to it. Why don't you do us a favor and insert this innocuous-looking off-by-one bug into the next build."
By the way, it's my opinion it's quite possible this is happening to voting machines as well. Or even likely, given what we've learned of NSA's depravity.
[ link to this | view in thread ]
Re: Re:
(kudos if you know where that quote is from)
[ link to this | view in thread ]
Re: Re: Re:
(And am now ashamed that I didn't remember it.)
[ link to this | view in thread ]
Re: Re:
Also, the weaponization you speak of was well under way long before 2010. Well before the 21st century even. All competent security engineers know their history and are aware of this.
[ link to this | view in thread ]
Re:
For all its faults, I have never heard of a single instance of Google attacking anybody at all. The closest was their bypassing of Safari security controls -- which was certainly bad, but nothing even on the same planet as what the various governments are doing.
[ link to this | view in thread ]
Well, until they get a national security letter with a gag order, anyway. They've locked the windows, but the government can still use the door.
[ link to this | view in thread ]
Since it would not be able to promise security outside the US, I see little difference between then and now, encryption or not.
[ link to this | view in thread ]
Re:
Whether or not it's in the US doesn't enter into it. Nobody can promise security as an absolute. And nobody should -- a false sense of security is more dangerous than having no security and knowing it.
[ link to this | view in thread ]
It depends
Sometimes pragmatism outweighs absolute security... ex: if you use say scrypt for a popular website's user passwords, it could lead to an increased vector for DDOS attack. Vs. something slightly lesser (or lesser settings for scrypt) which would be "good enough" for today/tomorrow, but maybe not in 5 years.
[ link to this | view in thread ]
Re: Re:
Eh, seems to be more effort than they'd bother with or need. With how much data they scoop up on everyone, if they want to influence an election, just 'let slip' a few embarrassing facts, or put that character assassination part of the agency to work whipping up outrage against the enemy of the one they want elected.
[ link to this | view in thread ]
Re: Re: Re: Re:
Not if they were security engineers. They aren't mutually exclusive groups, and if you've hired software engineers who are not security people to do security things, then you're doing it completely wrong.
If that's what's happened, it's totally unfair to blame the engineers who were tasked with something they were unqualified to do.
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
The NSA and other spy agencies deliberately perverted the collaborative nature of connected computing by short-circuiting the trusts built into the systems - trusts which are a reflection of the attitudes within the minds of the programmers.
Are these attitudes naive? Only in the very narrow sense of thinking that an ideal engineering solution is the one that's straight ahead ('charmingly naive' is how a front-office guy once characterized a young programmer I knew, who asked the perfectly logical question, "This is an integration problem with Company X's software. Why don't we call up the guys over at Company X and just ask them how they're working on it?").
Once trust is gone - trust in one's own government, trust in other programmers - what will replace it? I see the unfolding events around Snowden's revelations as a watershed moment, a moment when some of the collaborative spirit that made the internet possible has been killed off, leaving the world a darker place.
[ link to this | view in thread ]
Which is a lie.
[ link to this | view in thread ]
Re: Re:
A company doesn't have to hack anything, just like the NSA hasn't hacked anything. Did any of you not read the reports from the "attacks" the NSA did at all?
Remember a few years ago Google came under fire for grabbing WiFi signals during its street view sweeps?
The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it.
Where the line gets blurred: review Google analytics and realize just how intrusive this little snippet of code is used across the entire internet.
It's rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing.
It is, after all, just "meta data".
And for the record: this has nothing to do with using Google services. You can't visit most websites without Google's intervention, including this very site.
Read the source code, people.
And the funniest thing of all: this is being done without most people understanding how Google Analytics works.
So call me cynical to take the words from a CEO whose company does the same damn things, minus the hacking (which everyone knows happens outside of the Chinese and US government).
You can bet Anonymous also tries to gain access to Google. Anyone want to umbrella the group so the headline's more scary?
Goodness.
[ link to this | view in thread ]
Re: Re: Re:
"So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?"
Google is not doing the exact same thing as the NSA. Google is only collecting the data that you are giving them. The NSA is collecting all the data. It's a rather large difference in kind.
"A company doesn't have to hack anything, just like the NSA hasn't hacked anything"
The NSA has confirmed that they've hacked quite a lot, and that a huge portion of their data collection comes from these hacks.
"The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it."
This is simply incorrect. I think you don't understand what the NSA did here.
"It's rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing"
I don't know why this is so baffling. In the case of the NSA, you're forced into it and that information is being used in ways that can seriously harm you. In the case of Google, you're not being forced into it and that information is being used to seriously annoy you. Until it's sold to the NSA, of course.
The two agencies are not doing "the exact same thing".
"You can't visit most websites without Google's intervention, including this very site."
Nonsense. Of course you can. I do it every day. I can't think of a single website I go to that requires Google.
[ link to this | view in thread ]
If it's encrypted it can be decrypted...
We know the NSA is not above gaining secret physical access to computers - so they would simply copy the operating system drive from a server, take it back to base and debug it to find the decryption key/protocol.
From there on it's just a matter of them running all of Google's network data through their copy of the decrypter routine before storing/processing it.
[ link to this | view in thread ]