Comment by dlinder
12 years ago
When your opponent uses Navy submarines to tap undersea cables right under the Soviets' noses, you probably shouldn't trust your leased fiber with unencrypted data. This interception could occur where undersea cables make landfall without any datacenter antics.
you probably shouldn't trust your leased fiber with unencrypted data.
Or even your own fiber (Google owns tens of thousands of miles of it). There's nothing to prevent the black-hat guys from digging down to a cable in the middle of nowhere and installing an optical tap. Especially if they did it before commissioning, after which signal levels would start being monitored.
>Google owns tens of thousands of miles of it
If this haven't already I imagine they will be hiring security forces to patrol and inspect.
Even still, field techs, in lonely outposts, are easier targets than tech that are part of an onsite team.
I've seen no indication that Google considers the NSA any sort of opponent.
I think they do now. There has to be some sort of sense of personal professionalism of the many highly qualified security experts working at Google, that is hurt by the revelations that the NSA basically fucked them over and drew a slide with a smiley face on it about how they fucked them over.
Could not believe the fucking smiley face. That's their attitude towards privacy.
It's strange to drawn a nose on a smiley...
Then again, plausible deniability. Google is of less use to the NSA if they have fewer customers.
http://www.washingtonpost.com/business/technology/google-enc...
“It’s an arms race,” said Eric Grosse, vice president for security engineering at Google, based in Mountain View, Calif. “We see these government agencies as among the most skilled players in this game.”
With governments around the world (see Brazil and India) now banning Google products for official government use, I can imagine overall usage of Google products will decline outside of the U.S.
This is a threat to Google's international business. They have a vested financial interest in reducing the hacking against their systems.
Why would NSA agents go through all the trouble of tapping cables when they could probably just gain employment at Google and do whatever they want. I don't think encryption would make a difference here.
There's greater risk of facing problems of all sorts when you have rogue agents on the inside (what if they get found out? how will that be met by news journals? people who find out about it? the trust dynamics between CEOs and government agencies that request access in a legal way, when needed?).
The risk of things going wrong when you're tapping cables is much less pronounced as far as I can see.
Anyone care to comment on FBs Max Kelly, head of security flip-flop employment between FB and NSA?
How can that guy be trusted with anything?
http://www.dailymail.co.uk/news/article-2347047/Former-Faceb...
I'm not sure why you think that's so easy to do. You need a person who:
1. Has the technical credentials and interviewing skills to get hired at Google (not easy). 2. Has a security clearance. 3. Wants to be a spy. 4. Can get themselves assigned to the team working on datacenter interconnects. 5. Can set up a tap on the interconnect without getting caught.
That sounds both hard and expensive to me.
Consider Sally Smith, our hypothetical employee. She worked for several government and military agencies for years with a concentration in data center security. She has top-secret clearance.
Before the Snowden revelations came out, I'd have strongly considered Sally Smith to be a good fit for a position dealing with data center security. Who wouldn't have?! Years of experience at high levels securing data centers? Letters from generals and senior government officials attesting to her qualifications? Sign me up right away!
Post-Snowden, I'd start believing that Sally Smith is far more likely to be Sally Spook, an active NSA employee experienced in data center infiltration and with an impeccable cover story.
The only thing that keeps Sally Spook away from our data centers is Google's hiring processes & internal security, and is that really enough to stop a determined adversary with all the advantages of the NSA? I doubt it.
3 replies →
Finding such a person would be difficult (but not impossible) for you or for me, but conditional probabilities work heavily in the NSA's favor. They have thousands of in-house people already satisfying 1, 2, and 3. 5 can be perfected by a team and taught to any of those thousands of people and 4 can be achieved with resume tweaking and, at most, a few repeat trials.
It's the same reason why security through obscurity doesn't work: if you chain together 5 obfuscation layers that each keep out 80% of competent hackers, in total they probably keep out 85% or 90% of competent hackers if you're lucky, but certainly not 99.99%, because everyone who bypasses the first layer has a much higher probability of having the skills to bypass the other layers as well.
Take those requirements in reverse and apply them to an already employed NSA person -- then send them out to apply for jobs as an asset.
there is also very easy other way around - "ask for help" [to fight terror and defend Motherland, err... USSR wording, today in the US it is "Homeland"] an existing Google employee.
From their perspective, why not tackle the additional attack vectors?
As for the internal mole, I'd imagine that any such individual's role would be highly focused. They'd be used to tackle specific target information rather than the wholesale siphoning tapped cables would provide. Aside from the simple logistic issues with the sheer amount of data they're tapping, I can't imagine how anyone could be in a physical position to do so across the entire Google network without tripping at least <i>one</i> internal safeguard?
For bulk collection, the taps enable surveillance without the possibility of detection unless the NSA screws the proverbial pooch. And if there's one thing history can tell us, it's that surveillance agencies will spend obscene amounts of money in pursuit of that undetectability. From the Project Azorian with the Glomar Explorer to the Berlin tunnels in Operation Gold, the Cold War alone proves the point.
Apparently unconstrained by resources, they decided to attack from multiple angles.