Google States Unequivocally It Was 'Attacked' By The Chinese… And By The United States
from the with-friends-like-these dept
Among the biggest revelations made by the Snowden documents so far was of course the fact that in addition to negotiating with companies like Yahoo and Google for user data via the front door (PRISM), the NSA was also busy covertly hacking into the links between company data centers for good measure (trust is the cornerstone of any good relationship, you know). The moves pretty clearly pissed off Google engineers, who swore at the agency and immediately began speeding up the already-underway process of encrypting traffic flowing between data centers.
Speaking at South By Southwest, Google’s Eric Schmidt for the first time (that I’m aware of) unequivocally stated that what the NSA did wasn’t just surveillance or your garden variety hack — it was a direct attack on one of the United States’ most successful companies:
“The solution to this is to encrypt data at multiple points of source. We had already been doing this, but we accelerated our activities,” he said. “We’re pretty sure right now that the information that’s inside of Google is safe from any government’s prying eyes, including the US government’s… We were attacked by the Chinese in 2010, we were attacked by the NSA in 2013. These are facts.”
You’re the executive chairman of one of the most powerful, wealthy companies in the world and you’re “pretty sure” Google’s internal networks are secure? Somehow I doubt that’s the case, given the fact that most of us forget we’re already working off of antiquated information provided by Snowden, and the NSA could have developed an unknown number of additional attack vectors since then. There’s only so much that the cat and mouse game of security can accomplish without the kind of meaningful intelligence oversight the United States government has made very clear they’re entirely disinterested in.
Last fall Schmidt stated that Google had briefly considered moving servers outside of the United States to avoid the NSA before the logistical nightmare (and likely futility given NSA’s reach and the even greater lack of oversight) of that concept had time to sink in. The reality is that no matter the endless analysis and constant promises of both companies and industry, we’ll probably have to wait until the next whistle blower emerges before we have any accurate, current idea of just how little privacy we currently possess.
Filed Under: china, edward snowden, eric schmidt, nsa, prism, sxsw
Companies: google
Comments on “Google States Unequivocally It Was 'Attacked' By The Chinese… And By The United States”
I’m satisfied with “pretty sure.” It means they’ve done everything reasonable they can think of, but they are smart enough, and humble enough, to know there may be things they do not know.
Re: Re:
Yep, my thoughts exactly. Too often we get PR spin of ‘completely secure’ when everybody knows it’s not.
Re: Re:
Agreed. I wonder, will historians look back at computer science before 2010 and marvel at the ‘charming naivete’ of engineers, and will this period be known as the start of the weaponization of one the most collaborative disciplines?
Re: Re: Re:
Security engineers before 2010 were not “charmingly naive”. They were (are are) often ignored because their solutions necessarily increase costs and hassle.
Also, the weaponization you speak of was well under way long before 2010. Well before the 21st century even. All competent security engineers know their history and are aware of this.
Re: Re: Re: Re:
Oh, to be sure, and no doubt a security engineer would never make the call to send unencrypted data between centers. But software engineers would – at least, until very recently.
Re: Re: Re:2 It depends
I think it depends on the communications channels… up until fairly recently, the telecom companies providing the data connections between sites were relatively well trusted. Today, that is not the case.
Sometimes pragmatism outweighs absolute security… ex: if you use say scrypt for a popular website’s user passwords, it could lead to an increased vector for DDOS attack. Vs. something slightly lesser (or lesser settings for scrypt) which would be “good enough” for today/tomorrow, but maybe not in 5 years.
Re: Re: Re:2 Re:
“But software engineers would”
Not if they were security engineers. They aren’t mutually exclusive groups, and if you’ve hired software engineers who are not security people to do security things, then you’re doing it completely wrong.
If that’s what’s happened, it’s totally unfair to blame the engineers who were tasked with something they were unqualified to do.
Re: Re: Re:3 Re:
I’m not making my point well today, but it’s a point that should be stressed.
The NSA and other spy agencies deliberately perverted the collaborative nature of connected computing by short-circuiting the trusts built into the systems – trusts which are a reflection of the attitudes within the minds of the programmers.
Are these attitudes naive? Only in the very narrow sense of thinking that an ideal engineering solution is the one that’s straight ahead (‘charmingly naive’ is how a front-office guy once characterized a young programmer I knew, who asked the perfectly logical question, “This is an integration problem with Company X’s software. Why don’t we call up the guys over at Company X and just ask them how they’re working on it?”).
Once trust is gone – trust in one’s own government, trust in other programmers – what will replace it? I see the unfolding events around Snowden’s revelations as a watershed moment, a moment when some of the collaborative spirit that made the internet possible has been killed off, leaving the world a darker place.
Re: Re:
Good security is expensive, and Google is all about profits. I imagine they are only going as far as they they consider to be “cost effective”.
Re: Re:
This. If he had said they were “absolutely sure,” then I would be calling them fools or liars. You can never be absolutely sure.
Now, if only we can stop being attacked by Google, the world’s internet becomes a better place.
I think it’s pretty damn ballsy for a CEO to chastise the NSA when the company he runs is doing the same thing.
Re: Re:
I’m reasonably sure that Google isn’t hacking into other companies network traffic to raid their data center information.
Re: Re: Re:
So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?
A company doesn’t have to hack anything, just like the NSA hasn’t hacked anything. Did any of you not read the reports from the “attacks” the NSA did at all?
Remember a few years ago Google came under fire from grabbing WiFi signals during its street view sweeps?
The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it.
Where the line gets blurred: review Google analytics and realize just how intrusive this little snippet of code is used across the entire internet.
It’s rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing.
It is, after all, just “meta data”.
And for the record: this has nothing to do with using Google services. You can’t visit most websites without Google’s intervention, including this very site.
Read the source code, people.
And the funniest thing of all: this is being done without most people understanding how Google Analytics works.
So call me cynical to take the words from a CEO whose company does the same damn things, minus the hacking (which everyone knows happens outside of the Chinese and US government).
You can bet Anonymous also tries to gain access to Google. Anyone want to umbrella the group so the headline’s more scary?
Goodness.
Re: Re: Re: Re:
Well, first, this article is about actual hacking, not passive Metadata” collection. But onward anyway…
“So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?”
Google is not doing the exact same thing as the NSA. Google is only collecting the data that you are giving them. The NSA is collecting all the data. It’s a rather large difference in kind.
“A company doesn’t have to hack anything, just like the NSA hasn’t hacked anything”
The NSA has confirmed that they’ve hacked quite a lot, and that a huge portion of their data collection comes form these hacks.
“The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it.”
This is simply incorrect. I think you don’t understand what the NSA did here.
“It’s rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing”
I don’t know why this is so baffling. In the case of the NSA, you’re forced into it and that information is being used in ways that can seriously harm you. In the case of Google, you’re not being forced into it and that information is being used to seriously annoy you. Until it’s sold to the NSA, of course.
The two agencies are not doing “the exact same thing”.
“You can’t visit most websites without Google’s intervention, including this very site.”
Nonsense. Of course you can. I do it every day. I can’t think of a single website I go to that require Google.
Re: Re:
Google is using data provided to them by searches, clicks on ads, etc. Also, you are free to not use Google services, block ads, etc. And Google will not harass you, listen to your phone calls, etc.
Re: Re: Re:
Also, Google can’t break down your door and haul you off to “federal pound-me-in-the-ass prison” if they don’t like what you say/do online or elsewhere.
(kudos if you know where that quote is from)
Re: Re: Re: Re:
I didn’t, but I googled it!
(And am now ashamed that I didn’t remember it.)
Re: Re: Re: Re:
Training day?
Re: Re: Re: Re:
Office Space and I didn’t have to google it.
Re: Re:
Google isn’t a government.
Re: Re:
“if only we can stop being attacked by Google”
For all its faults, I have never heard of a single instance of Google attacking anybody at all. The closest was their bypassing of Safari security controls — which was certainly bad, but nothing even on the same planet as what the various governments are doing.
I would be shocked if the NSA did not have people working inside Google in an attempt to maintain access at this point.
It is a really sad state of affairs when the most significant security risk technology companies have is their own government.
Re: Re:
stop using google. problem solved
Re: Re: Re:
sorry. that was meant for the previous comment, but works just as well for yours
Re: Re:
Agreed. The scenario goes like this:
“Hey there Sanjay, that’s a nice H1 visa you’ve got there. It would be a shame is something were to happen to it. Why don’t you do us a favor and insert this innocuous-looking off-by-one bug into the next build.”
By the way, it’s my opinion it’s quite possible this is happening to voting machines as well. Or even likely, given what we’ve learned of NSA’s depravity.
Re: Re: Re:
By the way, it’s my opinion it’s quite possible this is happening to voting machines as well. Or even likely, given what we’ve learned of NSA’s depravity.
Eh, seems to be more effort than they’d bother with or need. With how much data they scoop up on everyone, if they want to influence an election, just ‘let slip’ a few embarrassing facts, or put that character assassination part of the agency to work whipping up outrage against the enemy of the one they want elected.
Re: Re: Re: Re:
Control the machine and you can control the vote counts, which is likely more effective and quiet way of getting the right overall outcome, make sure of the desired outcome in marginal seats.
There isn’t a way to be absolutely sure you’re secure, at least until you’re suffering a breach and someone is proving that you aren’t. Being secure is a moving target; there is no shortage of work required to keep up with the latest known threats (emphasis on known.)
Outrage/dissatisfaction over saying ‘pretty sure’ is tilting at windmills and shows a lack of understanding on the subject matter.
Re: Re:
As every keynote speaker at every InfoSec conference seems to say “There are those whose data has been breached and those who don’t yet know their data has been breached.”
This post feels like it’s grasping a little.
“pretty sure” – we’ve done all we can but are open to the idea that NSA may have other means we’re not aware of.
“one of the most powerful, wealthy companies in the world” and they hire some of the most knowledgeable and talented engineers and security experts in the world. They hardened their network.
Hard to whip up the outrage on a bit of good news.
Google States
THEY HAVE THEIR OWN COUNTRY NOW?!?!?! OOTB WAS RIGHT! AHHHHHHHHH!!
A House divided....
Countdown to revolution?
In Russia, servers attack you.
I guess Google has things they don’t want people to know.
“We?re pretty sure right now that the information that?s inside of Google is safe from any government?s prying eyes, including the US government?s?”
Well, until they get a national security letter with a gag order, anyway. They’ve locked the windows, but the government can still use the door.
Google has made it’s attempt at securing it’s data. As long as it is inside the US, it will never be able to promise security.
Since it would not be able to promise security outside the US, I see little difference between then and now, encryption or not.
Re: Re:
” As long as it is inside the US, it will never be able to promise security. “
Whether or not it’s in the US doesn’t enter into it. Nobody can promise security as an absolute. And nobody should — a false sense of security is more dangerous than having no security and knowing it.
Re: Re: Re:
The only secure machine is one which is powered off, encased in concrete, and left at the bottom of the Marianas trench.
Re: Re: Re: Re:
nsa will just commision a new darpa project
Google said that NSA does not equal USA.
Which is a lie.
If it's encrypted it can be decrypted...
Even if data between Google servers is encrypted, at some point it has to be decrypted…
We know the NSA is not above gaining secret physical access to computers – so they would simply copy the operating system drive from a server, take it back to base and debug it to find the decryption key/protocol.
From there on it’s just a matter of them running all of Google’s network data their copy of the decrypter routine before storing/processing it.