NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge

from the muscular dept

Early on with the Snowden documents there had been significant disagreement over the kind of “access” the NSA had to systems at the various big tech companies — all of which denied the kind of “direct access” that was being reported (unlike the telcos which have more or less confirmed going above and beyond to give the NSA everything it wants by tapping directly into the backbone). Back in September, one of the released docs showed how the NSA, with help from GCHQ, appeared to be conducting man in the middle attacks on Google and others’ servers. The latest report, from Bart Gellman and Ashkan Soltani at the Washington Post, uses some more Snowden docs to show how the NSA secretly infiltrates servers from Yahoo and Google without their knowledge, under a program called MUSCULAR (they’re not subtle with their code names, are they?).

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

There’s even this wacky hand-drawn diagram:

There’s some evidence that Google figured this out earlier. You may remember that there were reports back in September that Google had been scrambling to encrypt the information flowing between data centers, which is exactly where the NSA hit them. It looks like someone at Google figured out what the NSA was likely doing soon after the original Snowden news broke. Not surprisingly, people at these companies are not happy about this news. When the reporters spoke to “two engineers with close ties to Google,” they note that the engineers “exploded in profanity” and urged the reporters to publish that drawing above to expose the NSA.

Either way, attacking the information flow appears to have been fairly effective for the NSA to spy on an awful lot of information, often on Americans:

According to a top secret accounting dated Jan. 9, 2013, NSA’s acquisitions directorate sends millions of records every day from Yahoo and Google internal networks to data warehouses at the agency’s Fort Meade headquarters. In the preceding 30 days, the report said, field collectors had processed and sent back 181,280,466 new records — ranging from “metadata,” which would indicate who sent or received e-mails and when, to content such as text, audio and video.

It also appears that the way that the NSA is claiming this is “legal” is by only breaking into the Yahoo and Google datacenters that are outside the US, where there’s significantly less oversight. That is, rather than being under Section 215 of the PATRIOT Act (the metadata collection of phone calls) or Section 702 of the FAA (PRISM and the tapping of the internet backbone from US telcos), this is done under Executive Order 12333 — which some (especially Marcy Wheeler) have been claiming is where attention should really be paid. This latest report certainly suggests that the NSA is routing a lot of its snooping via this program — which explains the “not under this program” language they often use around questions on 215 and 702 data collections.

The real question, now, is what Google and Yahoo do in response to this. They should continue (obviously) encrypting those weak points (and, really, everything), but they should also sue the US government. For all the talk (often from the NSA’s Keith Alexander) about “cybersecurity” attacks on big internet companies, who knew that the biggest infiltrators were probably the NSA itself.

Filed Under: , , , , , ,
Companies: google, yahoo

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSA Breaks Into Yahoo And Google's Data Centers Without Their Knowledge”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

You’re assuming, like a rational person, that laws should be applied equally and fairly. The world is not in any way, shape or form, rational. It is a clusterfuck of morons, asshats and lunatics.

In addition, you’re arguing for the prosecution of NSA staff who have already broken the Geneva Convention and committed acts of war in order to collect this data.

This is a big flashing light to Google to get the hell out of the US, possibly also nuking lobbying groups on their way out of the US. Perhaps they can go to Iran and say to them, “Here, have a bunch of US Governmental secrets!” Each, naturally, carefully selected to do as much political harm to the US Congress as possible.

Anonymous Coward says:

Re: Re: Mike you have it wrong...

Oh they know about it NOW, just like we know about a bunch of the other stuff the NSA has been doing over the last 10 years. But apparently according to Rogers, if you don’t know about it WHEN IT HAPPENS, it never happened even if you find out about it later and are pissed off about it.

out_of_the_blue says:

Mere PR that helps corporate co-conspirators escape blame.

As my theory goes, and there’s no real evidence to contrary. But meanwhile, as ever, Mike ignores Google putting spy centers off shore:

“A second mystery barge has been discovered – this one docked in Maine, thousands of miles away from the ship spotted in San Fransisco Bay that has set the tech world abuzz. [Except for Techdirt!]

A 2009 patent filed by Google shows a water-borne data center”


And remember kids, barges can be outside national borders, and effectively under no legal restrictions.

Google wants you to know you’re under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations! All “free”, courtesy of other corporations!


The Groove Tiger (profile) says:

Re: Mere PR that helps corporate co-conspirators escape blame.

This is the most diverting / distracting piece yet from your NSA series. You just fade out NSA / DHS and focus on Google.

I don’t see any good purpose that this serves. You are beating up on the original victim. If they’re craven, try to brace them, but the slant you give this is just plain wrong.

out_of_the_blue says:

Finally, someone that gets it. I have been trying to use other blogs to promote my ideas about the evil google. Can you believe they try to optimize the ads I see to be relevent to my interests.

A thought has occured! (i know I don’t think very often), but I should start my own blog about the evils of google, instead of attacking people who are interested in other issues.

Thanks again Techdirt, I have leared so much from you. I hope you all visit my new blog about evil google.

And remember kids, I’m not very smart, but I am consistent.

Google wants you to know you’re under our ever improving state-of-the-art personalized surveillance! We learn your interests, habits, and associations and strive to deliver advertising that might be of interest to you.


Anonymous Coward says:

Re: Re:

The line about not being smart kind of says it all…

People might actually respond instead of reporting if you any sort of intelligent discussion would occur. The most that this community would ever get is a glorified street corner shouter trying to bring people to their cause without listening to anything being told to them.

Anonymous Coward says:


This is what IPSEC was supposed to stop. Use it. Encrypt the links between your datacenters. Encrypt the links between your racks. Encrypt the links between your servers. Encrypt the links between your desktops. Heck, encrypt the link between the motherboard and the disks (full disk encryption), just for the giggles.

The threat model has changed. It used to be that NSA-level attackers were outside the threat model. Well, now they are inside the threat model. And the great thing is that if you can defend against them, you can defend against almost anyone.

Anonymous Coward says:

The problem is actually much worse

During my career, I’ve done quite a few penetration studies/security assessments. And one of the things that becomes obvious in short order is that there’s no such thing as “one backdoor”. Only amateurish and inexperienced attackers do that: the ones who are serious plant multiple backdoors, because they know that one might be deliberately or accidentally shut down.

The NSA is neither amateurish or inexperienced. So: where are the OTHER backdoors into these services?

A second thing that becomes obvious is that secondary attackers love backdoors. Their problem reduces from “how can I attack this service and put a backdoor in it?” to “how can I exploit the backdoors that are already there?” So one of the effects of this is that the NSA dramatically reduced the security of both these services. We now have to ask whether anybody else out there helped themselves to the NSA-installed backdoors, when, how, what they got, etc.

Finally, a third observation: I doubt the NSA stopped here. Why should they? There’s no oversight and they have piles of money. Why not backdoor Reddit? Slashdot? Redstate? Dailykos? Boingboing? AOL? Hotmail? Stanford? Harvard? Where’s the downside? Every operation of sufficient size and popularity is likely a target.

Khaim (profile) says:

Re: Other services

This kind of network attack only really affects major players like Google. Sites like Slashdot or Dailykos or Harvard are either single-homed (all in one datacenter), or communicate through known insecure lines.

The reason this attack was so effective against Google is that Google owns the fiber connecting its major datacenters. So Google assumed those links were inherently secure, and didn’t encrypt the traffic. Clearly this was wrong. To Google’s credit, they started encrypting these links earlier this year.

Anonymous Coward says:

Re: Re: Other services

I see your point, but: having worked for multiple universities and Fortune 100 companies, and having conducted penetration studies against same, I can attest that there are plenty of places where they can be subjected to the same intrusion. Whether it’s a disused data closet or a fiber tunnel that runs past the chemistry building, there are all kinds of places to put in passive taps — provided one has a budget, training, and skill.

Yes, being single-homed helps. Yes, having a single data center helps. But these aren’t panaceas. The NSA has already demonstrated a rapacious appetite for EVERYTHING and thus it’s only a matter of time until they turn their attention elsewhere. My guess is that this happened a long time ago.

Anonymous Coward says:

Re: Encrypt all things

There are other countries and other intelligence agencies, and the conduits these fibers run in are hardly impenetrable (judging by how often networks are taken out by errant backhoes). It was negligent of Google to be transferring private customer data without encryption, and I’m surprised there’s no real outrage over that. We’ve known networks are untrustworthy since the 90s, even if we didn’t quite know the extent of it.

We do need to stop the spying, but we should still encrypt. I’m hoping the recent leaks will at least reduce the cost of encryption (and that hardware crypto accelerators aren’t backdoored). It’s fairly efficient when done in hardware; AES, in particular, was designed to be efficient in both hardware and software.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...