Google States Unequivocally It Was 'Attacked' By The Chinese... And By The United States

from the with-friends-like-these dept

Among the biggest revelations made by the Snowden documents so far was of course the fact that in addition to negotiating with companies like Yahoo and Google for user data via the front door (PRISM), the NSA was also busy covertly hacking into the links between company data centers for good measure (trust is the cornerstone of any good relationship, you know). The moves pretty clearly pissed off Google engineers, who swore at the agency and immediately began speeding up the already-underway process of encrypting traffic flowing between data centers.

Speaking at South By Southwest, Google's Eric Schmidt for the first time (that I'm aware of) unequivocally stated that what the NSA did wasn't just surveillance or your garden variety hack -- it was a direct attack on one of the United States' most successful companies:
"The solution to this is to encrypt data at multiple points of source. We had already been doing this, but we accelerated our activities," he said. "We’re pretty sure right now that the information that’s inside of Google is safe from any government’s prying eyes, including the US government’s… We were attacked by the Chinese in 2010, we were attacked by the NSA in 2013. These are facts."
You're the executive chairman of one of the most powerful, wealthy companies in the world and you're "pretty sure" Google's internal networks are secure? Somehow I doubt that's the case, given the fact that most of us forget we're already working off of antiquated information provided by Snowden, and the NSA could have developed an unknown number of additional attack vectors since then. There's only so much that the cat and mouse game of security can accomplish without the kind of meaningful intelligence oversight the United States government has made very clear they're entirely uninterested in.

Last fall Schmidt stated that Google had briefly considered moving servers outside of the United States to avoid the NSA before the logistical nightmare (and likely futility given NSA's reach and the even greater lack of oversight) of that concept had time to sink in. The reality is that no matter the endless analysis and constant promises of both companies and industry, we'll probably have to wait until the next whistleblower emerges before we have any accurate, current idea of just how little privacy we currently possess.

Reader Comments

  1.  
    BentFranklin (profile), Mar 10th, 2014 @ 10:15am

    I'm satisfied with "pretty sure." It means they've done everything reasonable they can think of, but they are smart enough, and humble enough, to know there may be things they do not know.

     


  2.  
    Violynne (profile), Mar 10th, 2014 @ 10:25am

    Now, if only we can stop being attacked by Google, the world's internet becomes a better place.

    I think it's pretty damn ballsy for a CEO to chastise the NSA when the company he runs is doing the same thing.

     


  3.  
    Michael, Mar 10th, 2014 @ 10:26am

    I would be shocked if the NSA did not have people working inside Google in an attempt to maintain access at this point.

    It is a really sad state of affairs when the most significant security risk technology companies have is their own government.

     


  4.  
    Anonymous Coward, Mar 10th, 2014 @ 10:28am

    Re:

    I'm reasonably sure that Google isn't hacking into other companies' network traffic to raid their data center information.

     


  5.  
    Anonymous Coward, Mar 10th, 2014 @ 10:33am

    There isn't a way to be absolutely sure you're secure, at least until you're suffering a breach and someone is proving that you aren't. Being secure is a moving target; there is no shortage of work required to keep up with the latest known threats (emphasis on known.)

    Outrage/dissatisfaction over saying 'pretty sure' is tilting at windmills and shows a lack of understanding on the subject matter.

     


  6.  
    Anonymous Coward, Mar 10th, 2014 @ 10:39am

    This post feels like it's grasping a little.
    "pretty sure" - we've done all we can but are open to the idea that NSA may have other means we're not aware of.

    "one of the most powerful, wealthy companies in the world" and they hire some of the most knowledgeable and talented engineers and security experts in the world. They hardened their network.

    Hard to whip up the outrage on a bit of good news.

     


  7.  
    Anonymous Coward, Mar 10th, 2014 @ 10:43am

    Re:

    stop using google. problem solved

     


  8.  
    pixelpusher220 (profile), Mar 10th, 2014 @ 10:43am

    Re:

    Yep, my thoughts exactly. Too often we get PR spin of 'completely secure' when everybody knows it's not.

     


  9.  
    Anonymous Coward, Mar 10th, 2014 @ 10:44am

    Re: Re:

    sorry. that was meant for the previous comment, but works just as well for yours

     


  10.  
    Baldaur Regis (profile), Mar 10th, 2014 @ 10:53am

    Re:

    Agreed. I wonder, will historians look back at computer science before 2010 and marvel at the 'charming naivete' of engineers, and will this period be known as the start of the weaponization of one of the most collaborative disciplines?

     


  11.  
    Dark Helmet (profile), Mar 10th, 2014 @ 10:56am

    Google States

    THEY HAVE THEIR OWN COUNTRY NOW?!?!?! OOTB WAS RIGHT! AHHHHHHHHH!!

     


  12.  
    Anonymous Coward, Mar 10th, 2014 @ 11:01am

    A House divided....

    Countdown to revolution?

     


  13.  
    Mark Wing, Mar 10th, 2014 @ 11:03am

    In Russia, servers attack you.

     


  14.  
    madasahatter (profile), Mar 10th, 2014 @ 11:04am

    Re:

    Google is using data provided to them by searches, clicks on ads, etc. Also, you are free to not use Google services, block ads, etc. And Google will not harass you, listen to your phone calls, etc.

     


  15.  
    BentFranklin (profile), Mar 10th, 2014 @ 11:06am

    Re:

    Agreed. The scenario goes like this:

    "Hey there Sanjay, that's a nice H1 visa you've got there. It would be a shame if something were to happen to it. Why don't you do us a favor and insert this innocuous-looking off-by-one bug into the next build."

    By the way, it's my opinion it's quite possible this is happening to voting machines as well. Or even likely, given what we've learned of NSA's depravity.

     


  16.  
    Anonymous Coward, Mar 10th, 2014 @ 11:28am

    Re:

    Google isn't a government.

     


  17.  
    That Anonymous Coward (profile), Mar 10th, 2014 @ 11:30am

    I guess Google has things they don't want people to know.

     


  18.  
    Namel3ss (profile), Mar 10th, 2014 @ 12:03pm

    Re: Re:

    Also, Google can't break down your door and haul you off to "federal pound-me-in-the-ass prison" if they don't like what you say/do online or elsewhere.

    (kudos if you know where that quote is from)

     


  19.  
    Anonymous Coward, Mar 10th, 2014 @ 12:07pm

    Re:

    Good security is expensive, and Google is all about profits. I imagine they are only going as far as they consider to be "cost effective".

     


  20.  
    Colin, Mar 10th, 2014 @ 12:16pm

    Re: Re: Re:

    I didn't, but I googled it!

    (And am now ashamed that I didn't remember it.)

     


  21.  
    Jack, Mar 10th, 2014 @ 12:41pm

    Re:

    As every keynote speaker at every InfoSec conference seems to say "There are those whose data has been breached and those who don't yet know their data has been breached."

     


  22.  
    John Fenderson (profile), Mar 10th, 2014 @ 12:49pm

    Re:

    This. If he had said they were "absolutely sure," then I would be calling them fools or liars. You can never be absolutely sure.

     


  23.  
    John Fenderson (profile), Mar 10th, 2014 @ 12:53pm

    Re: Re:

    Security engineers before 2010 were not "charmingly naive". They were (and are) often ignored because their solutions necessarily increase costs and hassle.

    Also, the weaponization you speak of was well under way long before 2010. Well before the 21st century even. All competent security engineers know their history and are aware of this.

     


  24.  
    John Fenderson (profile), Mar 10th, 2014 @ 12:56pm

    Re:

    "if only we can stop being attacked by Google"

    For all its faults, I have never heard of a single instance of Google attacking anybody at all. The closest was their bypassing of Safari security controls -- which was certainly bad, but nothing even on the same planet as what the various governments are doing.

     


  25.  
    Anonymous Coward, Mar 10th, 2014 @ 1:10pm

    "We’re pretty sure right now that the information that’s inside of Google is safe from any government’s prying eyes, including the US government’s…"

    Well, until they get a national security letter with a gag order, anyway. They've locked the windows, but the government can still use the door.

     


  26.  
    Anonymous Coward, Mar 10th, 2014 @ 1:31pm

    Google has made its attempt at securing its data. As long as it is inside the US, it will never be able to promise security.

    Since it would not be able to promise security outside the US, I see little difference between then and now, encryption or not.

     


  27.  
    John Fenderson (profile), Mar 10th, 2014 @ 1:55pm

    Re:

    " As long as it is inside the US, it will never be able to promise security. "

    Whether or not it's in the US doesn't enter into it. Nobody can promise security as an absolute. And nobody should -- a false sense of security is more dangerous than having no security and knowing it.

     


  28.  
    Baldaur Regis (profile), Mar 10th, 2014 @ 1:56pm

    Re: Re: Re:

    Oh, to be sure, and no doubt a security engineer would never make the call to send unencrypted data between centers. But software engineers would - at least, until very recently.

     


  29.  
    tracker1 (profile), Mar 10th, 2014 @ 2:28pm

    It depends

    I think it depends on the communications channels... up until fairly recently, the telecom companies providing the data connections between sites were relatively well trusted. Today, that is not the case.

    Sometimes pragmatism outweighs absolute security... ex: if you use say scrypt for a popular website's user passwords, it could lead to an increased vector for DDOS attack. Vs. something slightly lesser (or lesser settings for scrypt) which would be "good enough" for today/tomorrow, but maybe not in 5 years.

     


  30.  
    Anonymous Coward, Mar 10th, 2014 @ 2:31pm

    Re: Re: Re:

    Training day?

     


  31.  
    That One Guy (profile), Mar 10th, 2014 @ 3:13pm

    Re: Re:

    By the way, it's my opinion it's quite possible this is happening to voting machines as well. Or even likely, given what we've learned of NSA's depravity.

    Eh, seems to be more effort than they'd bother with or need. With how much data they scoop up on everyone, if they want to influence an election, just 'let slip' a few embarrassing facts, or put that character assassination part of the agency to work whipping up outrage against the enemy of the one they want elected.

     


  32.  
    Anonymous Coward, Mar 10th, 2014 @ 3:44pm

    Re: Re: Re:

    Control the machine and you can control the vote counts, which is likely a more effective and quiet way of getting the right overall outcome, make sure of the desired outcome in marginal seats.

     


  33.  
    John Fenderson (profile), Mar 10th, 2014 @ 3:49pm

    Re: Re: Re: Re:

    "But software engineers would"

    Not if they were security engineers. They aren't mutually exclusive groups, and if you've hired software engineers who are not security people to do security things, then you're doing it completely wrong.

    If that's what's happened, it's totally unfair to blame the engineers who were tasked with something they were unqualified to do.

     


  34.  
    Anonymous Coward, Mar 10th, 2014 @ 5:11pm

    Re: Re:

    The only secure machine is one which is powered off, encased in concrete, and left at the bottom of the Marianas trench.

     


  35.  
    Anonymous Coward, Mar 10th, 2014 @ 7:46pm

    Re: Re: Re:

    nsa will just commission a new darpa project

     


  36.  
    Baldaur Regis (profile), Mar 10th, 2014 @ 8:43pm

    Re: Re: Re: Re: Re:

    I'm not making my point well today, but it's a point that should be stressed.

    The NSA and other spy agencies deliberately perverted the collaborative nature of connected computing by short-circuiting the trusts built into the systems - trusts which are a reflection of the attitudes within the minds of the programmers.

    Are these attitudes naive? Only in the very narrow sense of thinking that an ideal engineering solution is the one that's straight ahead ('charmingly naive' is how a front-office guy once characterized a young programmer I knew, who asked the perfectly logical question, "This is an integration problem with Company X's software. Why don't we call up the guys over at Company X and just ask them how they're working on it?").

    Once trust is gone - trust in one's own government, trust in other programmers - what will replace it? I see the unfolding events around Snowden's revelations as a watershed moment, a moment when some of the collaborative spirit that made the internet possible has been killed off, leaving the world a darker place.

     


  37.  
    Anonymous Coward, Mar 10th, 2014 @ 10:48pm

    Google said that NSA does not equal USA.

    Which is a lie.

     


  38.  
    Violynne (profile), Mar 11th, 2014 @ 3:55am

    Re: Re:

    So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?

    A company doesn't have to hack anything, just like the NSA hasn't hacked anything. Did any of you not read the reports from the "attacks" the NSA did at all?

    Remember a few years ago Google came under fire from grabbing WiFi signals during its street view sweeps?

    The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it.

    Where the line gets blurred: review Google analytics and realize just how intrusive this little snippet of code is used across the entire internet.

    It's rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing.

    It is, after all, just "meta data".

    And for the record: this has nothing to do with using Google services. You can't visit most websites without Google's intervention, including this very site.

    Read the source code, people.

    And the funniest thing of all: this is being done without most people understanding how Google Analytics works.

    So call me cynical to take the words from a CEO whose company does the same damn things, minus the hacking (which everyone knows happens outside of the Chinese and US government).

    You can bet Anonymous also tries to gain access to Google. Anyone want to umbrella the group so the headline's more scary?

    Goodness.

     


  39.  
    Anonymous Coward, Mar 11th, 2014 @ 8:33am

    Re: Re: Re:

    Office Space and I didn't have to google it.

     


  40.  
    John Fenderson (profile), Mar 11th, 2014 @ 9:33am

    Re: Re: Re:

    Well, first, this article is about actual hacking, not passive "metadata" collection. But onward anyway...

    "So, you think this absolves Google from doing the exact same meta data collecting of users around the globe?"

    Google is not doing the exact same thing as the NSA. Google is only collecting the data that you are giving them. The NSA is collecting all the data. It's a rather large difference in kind.

    "A company doesn't have to hack anything, just like the NSA hasn't hacked anything"

    The NSA has confirmed that they've hacked quite a lot, and that a huge portion of their data collection comes from these hacks.

    "The NSA did exactly this, but rather than with WiFi, it used open transmissions between servers. There was nothing to hack. Anyone can do it."

    This is simply incorrect. I think you don't understand what the NSA did here.

    "It's rather baffling most of you chastise what the government is doing while completely giving a free pass to companies doing the exact same thing"

    I don't know why this is so baffling. In the case of the NSA, you're forced into it and that information is being used in ways that can seriously harm you. In the case of Google, you're not being forced into it and that information is being used to seriously annoy you. Until it's sold to the NSA, of course.

    The two agencies are not doing "the exact same thing".

    "You can't visit most websites without Google's intervention, including this very site."

    Nonsense. Of course you can. I do it every day. I can't think of a single website I go to that requires Google.

     


  41.  
    Steve D., Mar 11th, 2014 @ 11:57pm

    If it's encrypted it can be decrypted...

    Even if data between Google servers is encrypted, at some point it has to be decrypted...

    We know the NSA is not above gaining secret physical access to computers - so they would simply copy the operating system drive from a server, take it back to base and debug it to find the decryption key/protocol.

    From there on it's just a matter of them running all of Google's network data through their copy of the decrypter routine before storing/processing it.

     


