Google States Unequivocally It Was 'Attacked' By The Chinese… And By The United States

from the with-friends-like-these dept

Among the biggest revelations made by the Snowden documents so far was of course the fact that in addition to negotiating with companies like Yahoo and Google for user data via the front door (PRISM), the NSA was also busy covertly hacking into the links between company data centers for good measure (trust is the cornerstone of any good relationship, you know). The moves pretty clearly pissed off Google engineers, who swore at the agency and immediately began speeding up the already-underway process of encrypting traffic flowing between data centers.

Speaking at South By Southwest, Google’s Eric Schmidt for the first time (that I’m aware of) unequivocally stated that what the NSA did wasn’t just surveillance or your garden variety hack — it was a direct attack on one of the United States’ most successful companies:

“The solution to this is to encrypt data at multiple points of source. We had already been doing this, but we accelerated our activities,” he said. “We’re pretty sure right now that the information that’s inside of Google is safe from any government’s prying eyes, including the US government’s… We were attacked by the Chinese in 2010, we were attacked by the NSA in 2013. These are facts.”

You’re the executive chairman of one of the most powerful, wealthy companies in the world and you’re “pretty sure” Google’s internal networks are secure? Somehow I doubt that’s the case, given the fact that most of us forget we’re already working off of antiquated information provided by Snowden, and the NSA could have developed an unknown number of additional attack vectors since then. There’s only so much that the cat and mouse game of security can accomplish without the kind of meaningful intelligence oversight the United States government has made very clear they’re entirely disinterested in.

Last fall Schmidt stated that Google had briefly considered moving servers outside of the United States to avoid the NSA before the logistical nightmare (and likely futility given NSA’s reach and the even greater lack of oversight) of that concept had time to sink in. The reality is that no matter the endless analysis and constant promises of both companies and industry, we’ll probably have to wait until the next whistleblower emerges before we have any accurate, current idea of just how little privacy we currently possess.

Companies: google


Comments on “Google States Unequivocally It Was 'Attacked' By The Chinese… And By The United States”

41 Comments
John Fenderson (profile) says:

Re: Re: Re:

Security engineers before 2010 were not “charmingly naive”. They were (and are) often ignored because their solutions necessarily increase costs and hassle.

Also, the weaponization you speak of was well under way long before 2010. Well before the 21st century even. All competent security engineers know their history and are aware of this.

tracker1 (profile) says:

Re: Re: Re:2 It depends

I think it depends on the communications channels… up until fairly recently, the telecom companies providing the data connections between sites were relatively well trusted. Today, that is not the case.

Sometimes pragmatism outweighs absolute security… ex: if you use say scrypt for a popular website’s user passwords, it could lead to an increased vector for DDOS attack. Vs. something slightly lesser (or lesser settings for scrypt) which would be “good enough” for today/tomorrow, but maybe not in 5 years.

John Fenderson (profile) says:

Re: Re: Re:2 Re:

“But software engineers would”

Not if they were security engineers. They aren’t mutually exclusive groups, and if you’ve hired software engineers who are not security people to do security things, then you’re doing it completely wrong.

If that’s what’s happened, it’s totally unfair to blame the engineers who were tasked with something they were unqualified to do.

Baldaur Regis (profile) says:

Re: Re: Re:3 Re:

I’m not making my point well today, but it’s a point that should be stressed.

The NSA and other spy agencies deliberately perverted the collaborative nature of connected computing by short-circuiting the trusts built into the systems – trusts which are a reflection of the attitudes within the minds of the programmers.

Are these attitudes naive? Only in the very narrow sense of thinking that an ideal engineering solution is the one that’s straight ahead (‘charmingly naive’ is how a front-office guy once characterized a young programmer I knew, who asked the perfectly logical question, “This is an integration problem with Company X’s software. Why don’t we call up the guys over at Company X and just ask them how they’re working on it?”).

Once trust is gone – trust in one’s own government, trust in other programmers – what will replace it? I see the unfolding events around Snowden’s revelations as a watershed moment, a moment when some of the collaborative spirit that made the internet possible has been killed off, leaving the world a darker place.

Violynne (profile) says:

Re: Re: Re:

So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?

A company doesn’t have to hack anything, just like the NSA hasn’t hacked anything. Did any of you not read the reports from the “attacks” the NSA did at all?

Remember a few years ago Google came under fire from grabbing WiFi signals during its street view sweeps?

The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it.

Where the line gets blurred: review Google analytics and realize just how intrusive this little snippet of code is used across the entire internet.

It’s rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing.

It is, after all, just “meta data”.

And for the record: this has nothing to do with using Google services. You can’t visit most websites without Google’s intervention, including this very site.

Read the source code, people.

And the funniest thing of all: this is being done without most people understanding how Google Analytics works.

So call me cynical to take the words from a CEO whose company does the same damn things, minus the hacking (which everyone knows happens outside of the Chinese and US government).

You can bet Anonymous also tries to gain access to Google. Anyone want to umbrella the group so the headline’s more scary?

Goodness.

John Fenderson (profile) says:

Re: Re: Re: Re:

Well, first, this article is about actual hacking, not passive “Metadata” collection. But onward anyway…

“So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?”

Google is not doing the exact same thing as the NSA. Google is only collecting the data that you are giving them. The NSA is collecting all the data. It’s a rather large difference in kind.

“A company doesn’t have to hack anything, just like the NSA hasn’t hacked anything”

The NSA has confirmed that they’ve hacked quite a lot, and that a huge portion of their data collection comes from these hacks.

“The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it.”

This is simply incorrect. I think you don’t understand what the NSA did here.

“It’s rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing”

I don’t know why this is so baffling. In the case of the NSA, you’re forced into it and that information is being used in ways that can seriously harm you. In the case of Google, you’re not being forced into it and that information is being used to seriously annoy you. Until it’s sold to the NSA, of course.

The two agencies are not doing “the exact same thing”.

“You can’t visit most websites without Google’s intervention, including this very site.”

Nonsense. Of course you can. I do it every day. I can’t think of a single website I go to that requires Google.

BentFranklin (profile) says:

Re: Re:

Agreed. The scenario goes like this:

“Hey there Sanjay, that’s a nice H1 visa you’ve got there. It would be a shame if something were to happen to it. Why don’t you do us a favor and insert this innocuous-looking off-by-one bug into the next build.”

By the way, it’s my opinion it’s quite possible this is happening to voting machines as well. Or even likely, given what we’ve learned of NSA’s depravity.

That One Guy (profile) says:

Re: Re: Re:

“By the way, it’s my opinion it’s quite possible this is happening to voting machines as well. Or even likely, given what we’ve learned of NSA’s depravity.”

Eh, seems to be more effort than they’d bother with or need. With how much data they scoop up on everyone, if they want to influence an election, just ‘let slip’ a few embarrassing facts, or put that character assassination part of the agency to work whipping up outrage against the enemy of the one they want elected.

Anonymous Coward says:

There isn’t a way to be absolutely sure you’re secure, at least until you’re suffering a breach and someone is proving that you aren’t. Being secure is a moving target; there is no shortage of work required to keep up with the latest known threats (emphasis on known.)

Outrage/dissatisfaction over saying ‘pretty sure’ is tilting at windmills and shows a lack of understanding on the subject matter.

Anonymous Coward says:

This post feels like it’s grasping a little.
“pretty sure” – we’ve done all we can but are open to the idea that NSA may have other means we’re not aware of.

“one of the most powerful, wealthy companies in the world” and they hire some of the most knowledgeable and talented engineers and security experts in the world. They hardened their network.

Hard to whip up the outrage on a bit of good news.

Steve D. (profile) says:

If it's encrypted it can be decrypted...

Even if data between Google servers is encrypted, at some point it has to be decrypted…

We know the NSA is not above gaining secret physical access to computers – so they would simply copy the operating system drive from a server, take it back to base and debug it to find the decryption key/protocol.

From there on it’s just a matter of them running all of Google’s network data through their copy of the decrypter routine before storing/processing it.
