NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge

from the muscular dept

Early on with the Snowden documents, there was significant disagreement over the kind of "access" the NSA had to systems at the various big tech companies -- all of which denied the kind of "direct access" that was being reported (unlike the telcos, which have more or less confirmed going above and beyond to give the NSA everything it wants by tapping directly into the backbone). Back in September, one of the released docs showed how the NSA, with help from GCHQ, appeared to be conducting man-in-the-middle attacks on Google and others' servers. The latest report, from Bart Gellman and Ashkan Soltani at the Washington Post, uses some more Snowden docs to show how the NSA secretly infiltrates servers from Yahoo and Google without their knowledge, under a program called MUSCULAR (they're not subtle with their code names, are they?).

> The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.
>
> By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

There's even this wacky hand-drawn diagram:

There's some evidence that Google figured this out earlier. You may remember that there were reports back in September that Google had been scrambling to encrypt the information flowing between data centers, which is exactly where the NSA hit them. It looks like someone at Google figured out what the NSA was likely doing soon after the original Snowden news broke. Not surprisingly, people at these companies are not happy about this news. When the reporters spoke to "two engineers with close ties to Google," they note that the engineers "exploded in profanity" and urged the reporters to publish that drawing above to expose the NSA.

Either way, attacking the information flow appears to have been a fairly effective way for the NSA to spy on an awful lot of information, often on Americans:

> According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

It also appears that the way that the NSA is claiming this is "legal" is by only breaking into the Yahoo and Google datacenters that are outside the US, where there's significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 -- which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program -- which explains the "not under this program" language they often use around questions on 215 and 702 data collections.

The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA's Keith Alexander) about "cybersecurity" attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself?


Reader Comments

  1.  
    dennis deems, Oct 30th, 2013 @ 10:09am

    :^)

    The smiley face on the diagram is just perfect, isn't it? The banality of evil.

     

  2.  
    Anonymous Coward, Oct 30th, 2013 @ 10:11am

    "The real question, now, is what Google and Yahoo do in response to this....they should also sue the US government."

    I'm curious how effective the CFAA could be in this case. Wouldn't it be the ideal law to slap the NSA with?

     

  3.  
    Wally (profile), Oct 30th, 2013 @ 10:18am

    So this is why the comments were broken for so long...yeah, not surprised...

     

  4.  
    Anonymous Coward, Oct 30th, 2013 @ 10:20am

    Mike you have it wrong...

    Since Google didn't know about it, it didn't happen. Just ask Mike Rogers. He'll tell you.

     

  5.  
    Anonymous Coward, Oct 30th, 2013 @ 10:24am

    Re: Mike you have it wrong...

    And I suppose the engineers that "exploded in profanity" weren't complaining about anything either.

     

  6.  
    silverscarcat (profile), Oct 30th, 2013 @ 10:27am

    Re: Mike you have it wrong...

    Except that they DO know about it, so it DID happen.

     

  7. This comment has been flagged by the community.
    out_of_the_blue, Oct 30th, 2013 @ 10:27am

    Mere PR that helps corporate co-conspirators escape blame.

    As my theory goes, and there's no real evidence to the contrary. But meanwhile, as ever, Mike ignores Google putting spy centers off shore:

    "A second mystery barge has been discovered - this one docked in Maine, thousands of miles away from the ship spotted in San Francisco Bay that has set the tech world abuzz. [Except for Techdirt!]
    ...
    A 2009 patent filed by Google shows a water-borne data center"

    http://www.dailymail.co.uk/news/article-2479299/Second-floating-Google-data-center-spotted-Maine.html

    And remember kids, barges can be outside national borders, and effectively under no legal restrictions.


    Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations! All "free", courtesy of other corporations!

    06:27:31[h-730-4]

     

  8.  
    blue in the face, Oct 30th, 2013 @ 10:36am

    Piratical Lies!

    More piratical lies from Captain Mike, the corporate apologist. Everyone knows that google is knowingly spying for the government, that Google secretly runs the NSA, and are more powerful, and dangerous, than the illuminati, freemasons, and lizard people combined.

     

  9. This comment has been flagged by the community.
    out_of_the_blue, Oct 30th, 2013 @ 10:42am

    Finally, someone that gets it. I have been trying to use other blogs to promote my ideas about the evil google. Can you believe they try to optimize the ads I see to be relevant to my interests?

    A thought has occurred! (I know I don't think very often), but I should start my own blog about the evils of google, instead of attacking people who are interested in other issues.

    Thanks again Techdirt, I have learned so much from you. I hope you all visit my new blog about evil google.

    And remember kids, I'm not very smart, but I am consistent.


    Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.

    06:37:31[h-730-2]

     

  10.  
    The Groove Tiger (profile), Oct 30th, 2013 @ 10:44am

    Re: Mere PR that helps corporate co-conspirators escape blame.

    This is the most diverting / distracting piece yet from your NSA series. You just fade out NSA / DHS and focus on Google.

    I don't see any good purpose that this serves. You are beating up on the original victim. If they're craven, try to brace them, but the slant you give this is just plain wrong.

     

  11.  
    Anonymous Coward, Oct 30th, 2013 @ 10:46am

    ENCRYPT ALL THE THINGS!

    This is what IPSEC was supposed to stop. Use it. Encrypt the links between your datacenters. Encrypt the links between your racks. Encrypt the links between your servers. Encrypt the links between your desktops. Heck, encrypt the link between the motherboard and the disks (full disk encryption), just for the giggles.

    The threat model has changed. It used to be that NSA-level attackers were outside the threat model. Well, now they are inside the threat model. And the great thing is that if you can defend against them, you can defend against almost anyone.

     

  12.  
    Anonymous Coward, Oct 30th, 2013 @ 10:47am

    Re:

    to promote my ideas about the evil google

    So no facts, just your IDEA.

     

  13. This comment has been flagged by the community.
    out_of_the_blue, Oct 30th, 2013 @ 10:50am

    Re: Re:

    Yeah, sorry, I'm not big on facts. I just like to make a lot of noise.

    Google wants you to know you're under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.

    06:57:31[h-720-2]

     

  14.  
    PopeyeLePoteaux, Oct 30th, 2013 @ 10:52am

    Re:

    "I should start my own blog about the evils of google"

    Please do! I need something asinine/funny to read, and only you could deliver something like that, please be sure you share the link. Thanks in advance.

     

  15.  
    Violynne (profile), Oct 30th, 2013 @ 10:52am

    Before I forget, thank you, Google, for simplifying our lives by creating a single sign on, making it so much easier for the NSA to access all of our Google options.

    /sarcasm directed at the stupidity of all this

     

  16.  
    Anonymous Coward, Oct 30th, 2013 @ 10:57am

    Re:

    The line about not being smart kind of says it all...

    People might actually respond instead of reporting if any sort of intelligent discussion would occur. The most that this community would ever get is a glorified street corner shouter trying to bring people to their cause without listening to anything being told to them.

     

  17.  
    Anonymous Coward, Oct 30th, 2013 @ 10:57am

    Re: Re: Mike you have it wrong...

    Oh they know about it NOW, just like we know about a bunch of the other stuff the NSA has been doing over the last 10 years. But apparently according to Rogers, if you don't know about it WHEN IT HAPPENS, it never happened even if you find out about it later and are pissed off about it.

     

  18.  
    Chronno S. Trigger (profile), Oct 30th, 2013 @ 11:00am

    Re: Re:

    That is not the real Blue. Blue isn't that obvious with his lies. Not saying that the real Blue isn't lying, just saying his comments are worded in a way that lets you think he actually believes the crap he's spouting.

     

  19.  
    Anonymous Coward, Oct 30th, 2013 @ 11:16am

    Re: Mere PR that helps corporate co-conspirators escape blame.

    I know you aren't from the UK but the whole world knows that only complete morons read the daily fail.

     

  20.  
    Anonymous Coward, Oct 30th, 2013 @ 11:17am

    The problem is actually much worse

    During my career, I've done quite a few penetration studies/security assessments. And one of the things that becomes obvious in short order is that there's no such thing as "one backdoor". Only amateurish and inexperienced attackers do that: the ones who are serious plant multiple backdoors, because they know that one might be deliberately or accidentally shut down.

    The NSA is neither amateurish nor inexperienced. So: where are the OTHER backdoors into these services?

    A second thing that becomes obvious is that secondary attackers love backdoors. Their problem reduces from "how can I attack this service and put a backdoor in it?" to "how can I exploit the backdoors that are already there?" So one of the effects of this is that the NSA dramatically reduced the security of both these services. We now have to ask whether anybody else out there helped themselves to the NSA-installed backdoors, when, how, what they got, etc.

    Finally, a third observation: I doubt the NSA stopped here. Why should they? There's no oversight and they have piles of money. Why not backdoor Reddit? Slashdot? Redstate? Dailykos? Boingboing? AOL? Hotmail? Stanford? Harvard? Where's the downside? Every operation of sufficient size and popularity is likely a target.

     

  21.  
    Brazenly Anonymous, Oct 30th, 2013 @ 11:38am

    Re: ENCRYPT ALL THE THINGS!

    Just be sure to use open source encryption providers and check your encryption keys against large zeroed ranges.

     

  22.  
    Anonymous Coward, Oct 30th, 2013 @ 12:01pm

    Re: Mere PR that helps corporate co-conspirators escape blame.

    Not more than a few hours ago you were telling us the corporate co-conspirators were 'victims!' PICK A SIDE AND STICK WITH IT!

     

  23.  
    Anonymous Coward, Oct 30th, 2013 @ 12:11pm

    "collection"

    Page 2 of the WINDSTOP doc seems to use "collect[ion]" to refer to the copying of yahoo emails to spook-controlled media, rather than to the act of eyeballing it. One is almost tempted to suggest that the claim that "collect" means "look" was bullshit.

     

  24.  
    Anonymous Coward, Oct 30th, 2013 @ 12:26pm

    Re:

    You're assuming, like a rational person, that laws should be applied equally and fairly. The world is not in any way, shape or form, rational. It is a clusterfuck of morons, asshats and lunatics.

    In addition, you're arguing for the prosecution of NSA staff who have already broken the Geneva Convention and committed acts of war in order to collect this data.

    This is a big flashing light to Google to get the hell out of the US, possibly also nuking lobbying groups on their way out of the US. Perhaps they can go to Iran and say to them, "Here, have a bunch of US Governmental secrets!" Each, naturally, carefully selected to do as much political harm to the US Congress as possible.

     

  25.  
    Anonymous Coward, Oct 30th, 2013 @ 12:28pm

    Re: "collection"

    Of course it is! Why do you need to look at it when you can have Five Eyes on it elsewhere to send you the tl;dr?

     

  26.  
    Anonymous Coward, Oct 30th, 2013 @ 12:28pm

    Re: Re: Re: Mike you have it wrong...

    I wonder if it is the same logic Obama uses when Merkel gave him a hissy fit...

     

  27.  
    Anonymous Coward, Oct 30th, 2013 @ 12:38pm

    Re: Re: Re: Re: Mike you have it wrong...

    Obama may be a lot of things but THAT dumb is not one of them. To actually not only come up with that concept but actually let the words come out of your mouth on camera during a Congressional hearing takes a special level of stupid.

     

  28.  
    scotts13 (profile), Oct 30th, 2013 @ 1:52pm

    Re: Encrypt all things

    (Puts on naive good citizen hat) Wouldn't it be more efficient to simply curtail the NSA surveillance, instead of encrypting everything on God's green earth? After all, we live in a democracy, right? (Takes off stupid hat)

     

  29.  
    Khaim (profile), Oct 30th, 2013 @ 2:56pm

    Re: Other services

    This kind of network attack only really affects major players like Google. Sites like Slashdot or Dailykos or Harvard are either single-homed (all in one datacenter), or communicate through known insecure lines.

    The reason this attack was so effective against Google is that Google owns the fiber connecting its major datacenters. So Google assumed those links were inherently secure, and didn't encrypt the traffic. Clearly this was wrong. To Google's credit, they started encrypting these links earlier this year.

     

  30.  
    Anonymous Coward, Oct 30th, 2013 @ 3:12pm

    Re: Re: Other services

    I see your point, but: having worked for multiple universities and Fortune 100 companies, and having conducted penetration studies against same, I can attest that there are plenty of places where they can be subjected to the same intrusion. Whether it's a disused data closet or a fiber tunnel that runs past the chemistry building, there are all kinds of places to put in passive taps -- provided one has a budget, training, and skill.

    Yes, being single-homed helps. Yes, having a single data center helps. But these aren't panaceas. The NSA has already demonstrated a rapacious appetite for EVERYTHING and thus it's only a matter of time until they turn their attention elsewhere. My guess is that this happened a long time ago.

     

  31.  
    Anonymous Coward, Oct 30th, 2013 @ 4:16pm

    Re: Re: Encrypt all things

    There are other countries and other intelligence agencies, and the conduits these fibers run in are hardly impenetrable (judging by how often networks are taken out by errant backhoes). It was negligent of Google to be transferring private customer data without encryption, and I'm surprised there's no real outrage over that. We've known networks are untrustworthy since the 90s, even if we didn't quite know the extent of it.

    We do need to stop the spying, but we should still encrypt. I'm hoping the recent leaks will at least reduce the cost of encryption (and that hardware crypto accelerators aren't backdoored). It's fairly efficient when done in hardware; AES, in particular, was designed to be efficient in both hardware and software.

     

  32.  
    Rapnel (profile), Oct 30th, 2013 @ 8:18pm

    Re: Re:

    You guys got woo ooshed
    I think it's funn eee
    Cuz blue's so poo pee
    and I do Blue's mum eee
    So I'm the dad eee
    It is so sad leee
    I watch Blue gig ehl
    and google mad leee

     

  33.  
    Anonymous Coward, Oct 31st, 2013 @ 2:56am

    Re: Re: Re: Encrypt all things

    > It was negligent of Google to be transferring private customer data without encryption, and I'm surprised there's no real outrage over that.

    There is no real outrage because EVERYONE DOES IT. By working to encrypt their internal links, Google is already way ahead of the crowd.

     

  34.  
    McGreed (profile), Oct 31st, 2013 @ 2:59am

    Re:

    That is actually the biggest problem and advantage with Google service, that you only need one login to get access to several sites and services. However that also means that only ONE of those sites needs to have a hole and they have access to the whole node.

     
