“We have strict controls in place to protect the security of our data centers, and we have not given access to our data centers to the NSA or to any other government agency.”
Is it generally understood that statements such as this automatically include an embedded ‘as far as we know’? Because if it isn’t, then such statements are at worst lies and at best naively worthless. And if it is, then they’re, umm, just plain worthless.
And, based on that, we have to assume that we’re going to see some interesting reactions. Obviously, the majors have already banded together to protest this NSA nonsense - albeit in a kind of pansy-assed, ‘we want to be on a committee, or working group, or something’ way. But now? Now, they’re not gonna want to play so nice. I’m 100% certain there will be the threat of further legal tests, but we have to also consider how the .gov will respond.
I would bet the feds WILL offer some tasty deals in exchange for these wealthy companies backing off.(And if they follow their usual style, all the while denying publicly that there’s a problem at all.) And those companies have to decide which way to jump. They don’t make a good team, really - they are competitors to each other. But they’ve done the usual industry workaround before - IEEE, etc. A third party action group to front it all. Thing is, it’s in OUR best interests for them to stay pissed and to feel that we will continue to support their products only as long as they behave well. And we need them! EFF and others can certainly bring suits and all. And that’s great - even better, if they all join hands and sing ‘We Shall Overcome’ while they’re kicking some Justice Dept butt.
But these companies are unbelievably wealthy. They can out-budget even the NSA. They can afford WAY more than EFF, ACLU, or any other private group. So, they can afford to challenge and lobby and produce PR in ways private citizens can’t even hope to do. We need them in this fight, and badly. So just hope and pray they are totally pissed and looking for a reckoning!
I’m kind of hoping that there’s some Google (and Yahoo etc.) engineers stalking round their data centers today with wire cutters in hand, looking for government fibre taps…
So - the whole nonsense with the super-secret data requests to these companies was never anything more than a cover for the illegal taps already in place. Really - a grand diversion. Get your warrant from the super-secret court to ask for what you already have, and keep them busy fussing about the hairy scary demands so they wouldn’t notice the taps. And it worked really, really well!
Now I have heard and read reports that the NSA has intercepted transmissions within the Google cloud. Transmissions across leased fiber between physical locations. But this sketch shows something else, as if they had compromised Google’s application front end servers, or even that they wanted to someday in the future; it is impossible to tell without the context.
I have no doubt the MUSCULAR was used to read internal Goog and Yhoo transmissions, but that is not what the picture shows.
I didn’t understand it that way at all. The drawing doesn’ t actually show the point of entry, but the description states that it was fiber between physical locations that is tapped. Those front end servers would be proxy servers, so they aren’t getting past those and taking the data from behind the front-end servers. They’d be getting their capture just before transmissions hit the proxy servers between physical locations. I suspect the drawing is a little misleading. You see one cloud bubble containing end users, and then the other containing the company’s own servers, showing those as transmitting data in unencrypted fashion. And, it makes some sense, since the company has not seen any need (until now) to protect its data from itself.
But where the drawing shows a bunch of different servers, I believe the intent was to show server farms,which would likely be located in various physical locations - which would usually make good sense, since that arrange protects backups from power failures or other disasters at any one location - i.e., protecting both their own business and their end users simultaneously. That would typically be regarded as just plain good planning, and decent systems architecture. The only thing they missed was the possibility of physical taps on their lines between locations. And they would not have suspected such a breach under ordinary circumstances, because NSA was hassling them with those funky FSA warrants. It’s not easy to tap a fiber line - you have to gain direct access to it, and that is usually not available to your average hacker. So, we can assume they not only are illegally stealing data, but committed some specific crimes in order to gain access to the hardware carrying that data.
Most immediately, the companies’ll be encrypting between locations now - but that alone won’t end it, and it’s gonna take a few hours to set it up.
This one is by far the most offensive. and just intensely stupid, move on the NSA’s own part. We knew they played offshore games, where the Brits would gank data for the US, and the US would gank for the Brits data, and they could each cover for the other. This one is all domestic, and all them. The best they could have hoped for was that they wouldn’t get caught until those who operate it were safely retired and out of the line of fire. And, the setup would have involved ATT&T or Sprint, whichever is /are the backbone providers involved - and how they each try to explain that away and make excuses is going to be some real theatre, for sure. Because, this level of crime against this many citizens committed by any single entity is a whole new low.