NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge

from the muscular dept

Early on with the Snowden documents there had been significant disagreement over the kind of “access” the NSA had to systems at the various big tech companies — all of which denied the kind of “direct access” that was being reported (unlike the telcos which have more or less confirmed going above and beyond to give the NSA everything it wants by tapping directly into the backbone). Back in September, one of the released docs showed how the NSA, with help from GCHQ, appeared to be conducting man in the middle attacks on Google and others’ servers. The latest report, from Bart Gellman and Ashkan Soltani at the Washington Post, uses some more Snowden docs to show how the NSA secretly infiltrates servers from Yahoo and Google without their knowledge, under a program called MUSCULAR (they’re not subtle with their code names, are they?).

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

There’s even this wacky hand-drawn diagram:

There’s some evidence that Google figured this out earlier. You may remember that there were reports back in September that Google had been scrambling to encrypt the information flowing between data centers, which is exactly where the NSA hit them. It looks like someone at Google figured out what the NSA was likely doing soon after the original Snowden news broke. Not surprisingly, people at these companies are not happy about this news. When the reporters spoke to “two engineers with close ties to Google,” they note that the engineers “exploded in profanity” and urged the reporters to publish that drawing above to expose the NSA.

Either way, attacking the information flow appears to have been fairly effective for the NSA to spy on an awful lot of information, often on Americans:

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

It also appears that the way that the NSA is claiming this is “legal” is by only breaking into the Yahoo and Google datacenters that are outside the US, where there’s significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 — which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program — which explains the “not under this program” language they often use around questions on 215 and 702 data collections.

The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA’s Keith Alexander) about “cybersecurity” attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself?

Companies: google, yahoo


Comments on “NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge”



You’re assuming, like a rational person, that laws should be applied equally and fairly. The world is not in any way, shape or form, rational. It is a clusterfuck of morons, asshats and lunatics.

In addition, you’re arguing for the prosecution of NSA staff who have already broken the Geneva Convention and committed acts of war in order to collect this data.

This is a big flashing light to Google to get the hell out of the US, possibly also nuking lobbying groups on their way out of the US. Perhaps they can go to Iran and say to them, “Here, have a bunch of US Governmental secrets!” Each, naturally, carefully selected to do as much political harm to the US Congress as possible.


Re: Re: Mike you have it wrong...

Oh they know about it NOW, just like we know about a bunch of the other stuff the NSA has been doing over the last 10 years. But apparently according to Rogers, if you don’t know about it WHEN IT HAPPENS, it never happened even if you find out about it later and are pissed off about it.


Mere PR that helps corporate co-conspirators escape blame.

As my theory goes, and there’s no real evidence to the contrary. But meanwhile, as ever, Mike ignores Google putting spy centers off shore:

“A second mystery barge has been discovered – this one docked in Maine, thousands of miles away from the ship spotted in San Francisco Bay that has set the tech world abuzz. [Except for Techdirt!]

A 2009 patent filed by Google shows a water-borne data center”


And remember kids, barges can be outside national borders, and effectively under no legal restrictions.

Google wants you to know you’re under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations! All “free”, courtesy of other corporations!


The Groove Tiger says:

Re: Mere PR that helps corporate co-conspirators escape blame.

This is the most diverting / distracting piece yet from your NSA series. You just fade out NSA / DHS and focus on Google.

I don’t see any good purpose that this serves. You are beating up on the original victim. If they’re craven, try to brace them, but the slant you give this is just plain wrong.


Finally, someone that gets it. I have been trying to use other blogs to promote my ideas about the evil google. Can you believe they try to optimize the ads I see to be relevant to my interests?

A thought has occurred! (I know I don’t think very often), but I should start my own blog about the evils of google, instead of attacking people who are interested in other issues.

Thanks again Techdirt, I have learned so much from you. I hope you all visit my new blog about evil google.

And remember kids, I’m not very smart, but I am consistent.

Google wants you to know you’re under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.




This is what IPSEC was supposed to stop. Use it. Encrypt the links between your datacenters. Encrypt the links between your racks. Encrypt the links between your servers. Encrypt the links between your desktops. Heck, encrypt the link between the motherboard and the disks (full disk encryption), just for the giggles.

The threat model has changed. It used to be that NSA-level attackers were outside the threat model. Well, now they are inside the threat model. And the great thing is that if you can defend against them, you can defend against almost anyone.


The problem is actually much worse

During my career, I’ve done quite a few penetration studies/security assessments. And one of the things that becomes obvious in short order is that there’s no such thing as “one backdoor”. Only amateurish and inexperienced attackers do that: the ones who are serious plant multiple backdoors, because they know that one might be deliberately or accidentally shut down.

The NSA is neither amateurish nor inexperienced. So: where are the OTHER backdoors into these services?

A second thing that becomes obvious is that secondary attackers love backdoors. Their problem reduces from “how can I attack this service and put a backdoor in it?” to “how can I exploit the backdoors that are already there?” So one of the effects of this is that the NSA dramatically reduced the security of both these services. We now have to ask whether anybody else out there helped themselves to the NSA-installed backdoors, when, how, what they got, etc.

Finally, a third observation: I doubt the NSA stopped here. Why should they? There’s no oversight and they have piles of money. Why not backdoor Reddit? Slashdot? Redstate? Dailykos? Boingboing? AOL? Hotmail? Stanford? Harvard? Where’s the downside? Every operation of sufficient size and popularity is likely a target.


Re: Other services

This kind of network attack only really affects major players like Google. Sites like Slashdot or Dailykos or Harvard are either single-homed (all in one datacenter), or communicate through known insecure lines.

The reason this attack was so effective against Google is that Google owns the fiber connecting its major datacenters. So Google assumed those links were inherently secure, and didn’t encrypt the traffic. Clearly this was wrong. To Google’s credit, they started encrypting these links earlier this year.


Re: Re: Other services

I see your point, but: having worked for multiple universities and Fortune 100 companies, and having conducted penetration studies against same, I can attest that there are plenty of places where they can be subjected to the same intrusion. Whether it’s a disused data closet or a fiber tunnel that runs past the chemistry building, there are all kinds of places to put in passive taps — provided one has a budget, training, and skill.

Yes, being single-homed helps. Yes, having a single data center helps. But these aren’t panaceas. The NSA has already demonstrated a rapacious appetite for EVERYTHING and thus it’s only a matter of time until they turn their attention elsewhere. My guess is that this happened a long time ago.


Re: Re: Encrypt all things

There are other countries and other intelligence agencies, and the conduits these fibers run in are hardly impenetrable (judging by how often networks are taken out by errant backhoes). It was negligent of Google to be transferring private customer data without encryption, and I’m surprised there’s no real outrage over that. We’ve known networks are untrustworthy since the 90s, even if we didn’t quite know the extent of it.

We do need to stop the spying, but we should still encrypt. I’m hoping the recent leaks will at least reduce the cost of encryption (and that hardware crypto accelerators aren’t backdoored). It’s fairly efficient when done in hardware; AES, in particular, was designed to be efficient in both hardware and software.
