Comment by cromwellian

12 years ago

Well, it would help if you would write in a way that is not insulting and condescending.

There's no "if" about it. All security is based on threat model, the lock on your front door is based on the threat of the average criminal, and not Watergate burglars. Are you guilty of bad security? Is it your fault if your front door lock gets picked because you made assumptions about the sophistication of your attacker?

You originally said "I'll never trust them again", but that begs the question, just who will you trust? Unless you are using end-to-end encryption with everyone, there is no way to secure against NSA interception, and pretty much all of Google's cloud competitors are actually worse in terms of deployed security. And assuming end-to-end is secure is basically just assuming a threat model where the NSA or Chinese government can't plant infected firmware or hardware in your devices.

How about not musing out loud that people who are criticizing companies just "want to hate on these companies", if you're entertaining the idea of not being insulting and condescending.

Google is a company that's been leading the way to get everyone on the cloud. It turns out what it's also been doing is making mass surveillance massively easy due to poor security practices. One individual having bad locks is not analogous to what is at play here. You keep suggesting that Google should get a free pass because the adversary in this case was too sophisticated of a player: no, that does not matter, that is an excuse. Don't give me excuses. Google makes billions, it should simply have done a better job. Your earlier post took issue with Google's brand being tarnished unfairly, this is what I'm talking about to you right now, so the question of just 'who' I will trust is not very relevant.

To answer your question anyway: basically I'm going to pull away from the cloud as much as I can. No more Google Apps for me, no more Gmail, no more anything where I end up putting my personal data or my clients' data anywhere but on my dedicated servers -- and using end-to-end encryption when any data needs to travel out. That does not remove the possibility of getting compromised, it just mitigates it.

  • I don't think there are many people who disagree with me that there's been a huge amount of unwarranted snark recently. The uProxy release for example. Don't compare that with using words like "stupid".

    >no more anything where I end up putting my personal data or my clients' data anywhere but on my dedicated servers

    The probability that your servers would be compromised by actual damaging threats (hackers, malware, viruses, botnets) is far higher than that of Google, so I hope if your servers get hacked, you will similarly berate yourself and not make excuses that you should have done better and spent 10x more on security than you are now. How many actual penetrations have occurred of Google infrastructure where thieves (not government) made off with actual information that they'd put to damaging use, vs that of other smaller hosts? Everything you do has tradeoffs.

    You keep making hand wave arguments about what Google could have or should have done, again, totally points about the threat models and historical context. When this program started, by some accounts in 2007, the vast majority of Web traffic wasn't even secured by HTTPS, no one was using channel-ID or forward security, and the majority of SMTP traffic was not protected by TLS. In fact, even today, only 50% of email traffic is TLS protected. In 2007, fewer Google services were probably multi-datacenter replicated as well. Encrypting the dark fiber would have been useless back then when the front door was left unlocked.

    So, let's try to imagine a hypothetical conversation of some security engineers when new data centers got set up for replication:

    Engineer #1: Dude, we should encrypt traffic on our inter-DC traffic.

    Engineer #2: It's a buried dark fiber.

    Engineer #1: Yeah, but the NSA could dig it up and tap it.

    Engineer #2: That's illegal, and besides, it's a theoretical threat. We have a bigger practical threat, right now, anyone could just tap all front-end traffic, because most incoming user traffic is not HTTPS.

    Engineer #1: You're right, let's get everyone on HTTPS first. Let's upgrade browsers, and Chrome, with better cipher suites. Let's add Channel-ID. Let's try to get SMTP users to use TLS.

    The point isn't about excuses, it's about understanding at each point in time, what the weakest link in the chain is. The NSA taps of your email traffic might be worrisome, but the reality is, the Russians slurping up your credit cards, passwords, and doing MITM's to install botnets have far greater, actual practical damaging effects on you and your customers.

    In an ideal world, everything would be secured against all possible attacks from day one, but internet infrastructure is rarely ideal. I started on the internet in the 80s in an era with zero encryption and where many services didn't even have passwords. We have gradually made things more and more secure, but getting there is going to take time. It's unfortunate that Google's efforts to secure its fiber didn't happen a few years earlier, but if they did happen a few years earlier, it wouldn't have made a difference, because upstream attacks were far more effective back then.