Privacy

by Mike Masnick


Filed Under:
data centers, ed snowden, encryption, marissa mayer

Companies:
yahoo



Yahoo Says It Will Encrypt All Data Center Data Transfers Now Too

from the thank-ed-snowden dept

If you use Yahoo, you can now thank Ed Snowden for the fact that your data is soon going to be more secure. Last week, we noted that Microsoft still wasn't encrypting traffic on the private lines between its data centers, and that Yahoo had suggested the same thing was true, given their very vague answer when asked about it all. Google, on the other hand, had been feverishly encrypting the traffic flows since the summer. Now, Yahoo's CEO Marissa Mayer has directly addressed the issue, announcing that they're working hard to encrypt all such data transfers and that they'll have the job done by the end of March in 2014. Also, perhaps equally or more importantly, they're planning to offer users the option to encrypt all the data in and out of Yahoo by that same date. Yahoo had been a bit slower than others to really recognize the importance of encryption, but it looks like they're going all in now -- which is great to see. And, if you remaining Yahoo users out there want to thank anyone, you might want to direct that appreciation towards Ed Snowden. Without him, it's quite unlikely this would be happening right now.

Reader Comments

  • Anonymous Coward, 19 Nov 2013 @ 4:34am

    Why did Ladar Levison shutter Lavabit? Oh, that's right, the NSA demanded his keys under a gag order. It is up to individuals and companies to manage their own keys.

    • Griff, 19 Nov 2013 @ 10:07am

      Re: Lavabit

      When the FBI asked LL for his SSL keys he refused. He was told to present himself in Washington at his cost within a week. He could not find a DC licensed lawyer he could afford in time (esp since he couldn't say before retaining the lawyer what the job entailed).

      Imagine the same scenario again but with Google.
      They'd walk into court in Washington fully armed and push back big time. And I reckon the original offer (to write code to allow SPECIFIC tapping of one user) that LL made would be what the judge would settle for.

      I honestly think Google would take this legal fight to its logical conclusion, but LL was simply not equipped to do so.


      Or maybe I'm just being naive...

  • This comment has been flagged by the community.
    Anonymous Coward, 19 Nov 2013 @ 4:37am

    "Google, on the other hand, had been feverishly encrypting the traffic flows since the summer"

    1- You have no guarantees of that
    2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.
    3- Even assuming that they are encrypting data now AND that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?

    This is just P.R. from Google and Yahoo.

    I don't buy it.

    • Anonymous Coward, 19 Nov 2013 @ 5:39am

      Re:

      "you people"

      lol - cracks me up.



      "I don't buy it"

      too funny

    • Alt0, 19 Nov 2013 @ 9:42am

      Re:

      1- You have no guarantees of that
      This is true, however it would be unlikely they would say that and risk being found out.

      2- Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.
      It would still of course keep out non-NSA actors!
      While I do not agree with the mass data (or even smaller scale) efforts being carried out currently by the NSA, I seriously doubt someone there would steal my Credit Card number and buy crap online. This will at least help keep out those that would.

      3- Even assuming that they are encrypting data now AND that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?
      During the time Yahoo was building "from the ground up" these precautions on a closed network running between their own installations did not seem necessary. Now it seems that it is and they are doing something about it.

    • Mike Masnick, 19 Nov 2013 @ 9:58am

      Re:

      Even assuming that is true, encryption is useless if they just hand over the keys to the NSA (or whoever)...which, according to the Snowden leaks, they are more than happy to do.

      Can you point to where in the Snowden leaks to date it has said that any of these companies willingly hands over encryption keys? Because it's not there.

      Even assuming that they are encrypting data now AND that the NSA doesn't have the keys, uh, why only start encrypting now? This should've been done from the ground up. They were caught using bad security practises, and you people are now cheering for them for plugging the hole they intentionally left there?

      Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.

      And they didn't "intentionally leave a hole." They thought, quite reasonably, that it wasn't a hole. And, when they discovered the backdoor in, they worked to shut it. That's a good thing.

      • ltlw0lf, 19 Nov 2013 @ 10:38am

        Re: Re:

        Honestly, encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself. Yes, we can say that they should have done it in the first place, but there honestly was no reason to believe that content was at risk, since it was all internal and not directly connected to the internet.

        Not to mention it adds considerable overhead. Keeping the back-channels unencrypted reduces the bandwidth and speeds the traffic considerably. Adding encryption to anything slows it down (though that can be managed.) For most websites using back-channel connections to databases, if encryption is turned on, they run the risk of DoS if there are a high number of queries against the database, and most will turn off the encryption, especially if using local sockets/pipes, even if someone sitting on the machine can compromise these, just to keep everything smooth.

        I'd go even further on your statement that it wasn't considered a hole...Until the NSA was found to have a backdoor in their network, anyone who would have suggested that they would encrypt all their out-of-bound/back-channel comms would likely (and quite reasonably) have been fired.

      • John Fenderson, 19 Nov 2013 @ 4:19pm

        Re: Re:

        encrypting internal network traffic is pretty extreme. I doubt you do it at home yourself.


        I actually do this on my home network. It's not really as bad as it might sound, and the performance hit isn't noticeable.

        Of course, I'm moving a metric hit-ton less data around than an outfit like Yahoo. The larger the scale, the more of a hit something like this causes.

      • Anonymous Coward, 20 Nov 2013 @ 12:15am

        Re: Re:

        Actually, if all your home computers are connected to your home's WIFI access point, most probably you're encrypting it already.

        • ltlw0lf, 20 Nov 2013 @ 9:25am

          Re: Re: Re:

          Actually, if all your home computers are connected to your home's WIFI access point, most probably you're encrypting it already.

          Doubtful, especially if you aren't using 802.1x and wireless separation mode. Everyone on the network has the session key and can decrypt everyone else's traffic. Only outsiders can't decrypt the traffic (unless you are using a short key, WPS, WPA 1 or WEP, in which case, they probably can.) And it isn't going to stop the NSA, who just hires your provider to give the unencrypted traffic from the backbone or compromises your switch/router to grab the traffic which is unencrypted on the wired LAN.

  • Anonymous Coward, 19 Nov 2013 @ 4:44am

    nothing like shutting the barn door after the horse has bolted, eh? and exactly how much resistance was put up in the first place? nowhere enough, obviously!

    • silverscarcat, 19 Nov 2013 @ 6:04am

      Re:

      Yes, because surely nothing bad would happen by refusing the orders of the U.S. government when you can't put any specifics out.

      Right, Lavabit creator Ladar Levison and Qwest? Surely they didn't suffer because they wouldn't play ball with the U.S. government, got funding pulled from their services and had to shut down.

      Surely that didn't happen.

    • vastrightwing, 19 Nov 2013 @ 11:37am

      Re:

      You stole my thunder!

      Let's not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?

      Will they also implement a kill switch; like post:

      "We have not received a request to decrypt or otherwise remove the integrity of our encrypted channel?"

      so that if they do have to comply with a request to do so, this line of text would have to be taken down?

      I'm sorry; all the animals are out of the barn. There is no point of closing the doors now.

      • That One Guy, 19 Nov 2013 @ 4:59pm

        Re: Re:

        Let's not forget the little problem of secret keys. Yes, what is their policy of giving the feds the keys to these new encrypted channels?

        Given the NSA went through all the trouble of tapping their data center lines directly, I'd say odds are pretty poor, as that's not the actions of a group that's been given the okay by the company to spy on such traffic, but rather a group that either did ask and was denied, or doesn't even want to ask because they think they will be denied.

        I'm sorry; all the animals are out of the barn. There is no point of closing the doors now.

        I'm confused, are you arguing for or against the NSA here?

        The thinking of 'oh they've already tapped the unencrypted data, no sense in encrypting it now' plays right into the NSA's hands, whereas encrypting, even if it's broken, at least makes them work to do so, and removes their current access.

  • Capt ICE Enforcer, 19 Nov 2013 @ 4:47am

    Open Letter to Ed Snowden

    Sir,

    Thank you for your sacrifice in doing the right thing. I feel ashamed that our nation which I have spent over 18 years defending has subjected you to such treatment. When you are able to come back home, I would love to buy you a beer. Stay safe. And know that all history books will list you as a hero.

  • Private Frazer, 19 Nov 2013 @ 5:48am

    But can they be trusted?

    How are we to know that they are not handing over the encryption keys to NSA/GCHQ - maybe that's why it took so long for them to say anything because they had to come to an arrangement with NSA/GCHQ before announcing this.
    We're a' doomed.

  • OldGeezer, 19 Nov 2013 @ 6:02am

    Were these data link hacks rubber stamped by the FISA court or did the NSA just feel that since they approved nearly everything else they did they could just do whatever they wanted? If some hacker did this the computer crimes laws would put him away for life but it's OK for the government, right?

  • Me, 19 Nov 2013 @ 6:11am

    "This is just P.R. from Google and Yahoo."
    __________________________________________

    While it's true that the keys can just be handed over to the NSA, encryption plays an essential role in protecting communications and data from nefarious third parties as well, to whom google/yahoo/microsoft at least aren't turning over the keys.

    Security nihilists are the absolute worst.

    • This comment has been flagged by the community.
      out_of_the_blue, 19 Nov 2013 @ 7:03am

      Re: @ "Me" - "at least aren't turning over the keys."

      You have NO way of knowing what the mega-corporations are actually doing, how many corporations are conspiring against our privacy in the absence of anti-trust enforcement and the open fascism, and so re-inforce the AC's point which is aimed at fools who trust without any evidence at all.

      Also, from the underlines "___" as divider, you're apparently the "lots of lines" AC who was trolling me last week, and still don't know the horizontal rule tag.

      The world is being dumbed-down in ways most people are already too stupid to grasp.

      03:03:21[d-10-3] [ This is necessary to suppress the kids here from fraud of using my screen name. ]

      • Gwiz, 19 Nov 2013 @ 7:29am

        Re: Re: @ "Me" - "at least aren't turning over the keys."

        Also, from the underlines "___" as divider, you're apparently the "lots of lines" AC who was trolling me last week, and still don't know the horizontal rule tag.


        Strictly from an aesthetics point of view, Me's addition of the short line separating the quoted text from his own is visually appealing to the eye and adds to the overall ambiance of the comment. I give it an 8.5.

        Whereas your comment with the ugly long line separating your top lines of your bullshit from the bottom lines of your bullshit offends my artistic sensibilities. I give yours a 1.0. Maybe you should put a little more effort into it.

  • RyanNerd, 19 Nov 2013 @ 6:52am

    Running around with a tinfoil hat on

    It is my opinion that when the US stopped believing in the insane idea that RSA encryption was munitions (to prevent encryption from going overseas) the NSA had broken the encryption. Encrypt all you want -- it just means there is a delay before the NSA will have the plain text.

    • Anonymous Coward, 19 Nov 2013 @ 7:19am

      Re: Running around with a tinfoil hat on

      The effort that NSA has gone to to get unencrypted data suggests that RSA seriously compromises their ability to read encrypted messages. If they do have a way in, it probably costs far too much computer power to deal with bulk data gathering.

  • Anonymous Coward, 19 Nov 2013 @ 6:54am

    Does Snowden have a bitcoin wallet?

    http://money.cnn.com/2013/11/18/investing/bitcoin-china/index.html?hpt=hp_t5

    If he doesn't he should.

  • Nick, 19 Nov 2013 @ 7:06am

    Ugh, as if Yahoo doesn't have enough on their plate, fixing the "improvement" to their mail site that has nothing but slow-downs, glitches, and complaints from day-one. Hey, let's add in encryption to it all!

  • DannyB, 19 Nov 2013 @ 8:22am

    Who?

    > If you use Yahoo, you can now thank Ed Snowden . . .

    If I use Ya Who? Who are they?

  • Anonymous Coward, 19 Nov 2013 @ 2:43pm

    Look we are cool too like Google, we're gonna encrypt everything.

  • CrazedLeper, 19 Nov 2013 @ 9:15pm

    because it will look bad if it doesn't but it will, secretly but freely, give over the encryption key(s) to the NSA.
