fuck these guys

Wed Nov 6 00:56:15 PST 2013

https://plus.google.com/+MikeHearn/posts/LW1DXJ2BK8k

Mike Hearn Shared publicly  -  Yesterday 10:30 AM #NSA

The packet capture shown in these new NSA slides shows internal database
replication traffic for the anti-hacking system I worked on for over two
years. Specifically, it shows a database recording a user login as part of
this system: 

http://googleblog.blogspot.ch/2013/02/an-update-on-our-war-against-account.html

Recently  +Brandon Downey , a colleague of mine on the Google security team,
said (after the usual disclaimers about being personal opinions and not
speaking for the firm which I repeat here) - "fuck these guys": 

https://plus.google.com/108799184931623330498/posts/SfYy8xbDWGG 

I now join him in issuing a giant Fuck You to the people who made these
slides. I am not American, I am a Brit, but it's no different - GCHQ turns
out to be even worse than the NSA. 

We designed this system to keep criminals out . There's no ambiguity here.
The warrant system with skeptical judges, paths for appeal, and rules of
evidence was built from centuries of hard won experience. When it works, it
represents as good a balance as we've got between the need to restrain the
state and the need to keep crime in check. Bypassing that system is illegal
for a good reason . 

Unfortunately we live in a world where all too often, laws are for the little
people. Nobody at GCHQ or the NSA will ever stand before a judge and answer
for this industrial-scale subversion of the judicial process. In the absence
of working law enforcement,  we therefore do what internet engineers have
always done - build more secure software. The traffic shown in the slides
below is now all encrypted and the work the NSA/GCHQ staff did on
understanding it, ruined. 

Thank you Edward Snowden. For me personally, this is the most interesting
revelation all summer.

How we know the NSA had access to internal Google and Yahoo cloud data
http://www.washingtonpost.com/blogs/the-switch/wp/2013/11/04/how-we-know-the-nsa-had-access-to-internal-google-and-yahoo-cloud-data/
732502Nico Lumma's profile photoIan Batterbee's profile photoAmber Yust's
profile photoKonrad Rudolph's profile photo 39 comments

Jeff WeissYesterday 2:46 PM+19 20 19

Until this article no one had mentioned that the intercepted traffic was on
leased fiber, not on the public internet.  That makes the cleartext
transmission seem like a less glaring error, I suppose I can see how it
wouldn't seem necessary.   In fact, anyone claiming in was necessary probably
would have been seen as paranoid until now. 

Still, encrypting data sent over the wire is not difficult.  Considering the
value of the data in question, and the number of parties who could access it
(at least two - the fiber owners and the government), it seems like a
worthwhile investment.   Lesson learned, I suppose.

Mike HearnYesterday 3:42 PM+42 3 2

I think the fact that Google uses private fiber has been well known for quite
a while actually. Just search for [google dark fiber] and you will find many
news stories discussing that, and it was mentioned off-hand in previous
stories as well (I think). 

Yes, that's pretty much it. Encryption was being worked on prior to Snowden
but it didn't seem like a high priority because there was no evidence it
would achieve anything useful, and it cost a lot of resources. Once it became
clear how badly compromised the fiber paths were, there was a crash effort to
encrypt everything. 

Re: "not difficult". I disagree. Doing end to end on the scale of Google is a
lot harder than it looks. Ignoring CPU capacity constraints, the entire thing
requires a large and complex key distribution and management infrastructure
(fortunately already present). Also lots of different protocols flow over our
wires, each one of which has to be handled.

Jeff WeissYesterday 4:15 PM+9 10 9

At Google's scale, everything is difficult.  I meant "not difficult" relative
to all the other feats they've pulled off. 

I can't say I blame them, really.  They haven't historically come across as
careless with their users' data - just the opposite in fact. 

If only the NSA manages to steal Google users' personal info, they're doing
relatively well.  There's always room for improvement.

Mike HearnYesterday 4:16 PM+18 9 8

Right, sure. Compared to some other initiatives encrypting cross-dc links
wasn't a moonshot. Self driving cars definitely rate as harder :)

John A. TamplinYesterday 4:29 PM+18 9 8

I don't know in Google's case, but when I was at an ISP before, dark fiber
meant we owned the fiber in the ground and were responsible for terminating
it with our repeaters/routers/etc.  So, to tap it would require either
compromising the equipment we owned or someone physically digging up the
fiber, inserting a tap, and putting it back.  You could conceivably detect
such a tap with TDR, but especially if this happened under the cover of a
cable cut you might just assume the tap was an imperfect splice to repair the
cut.  So, I don't think it was unreasonable to assume that dark fiber was
"safe". 

When I came to Square, it seemed over the top that even connections between
services in the same datacenter were secured with mutual auth SSL -- it
doesn't seem so excessive now.

Jeffrey YunesYesterday 5:49 PM+14 5 4

I don't think this is a "big people vs. little people" thing. I'm little,
Google's big, and we're both on the same side of this. Rather, this is a
"government vs everyone else" thing.

Andree ChristaldiYesterday 6:05 PM+4 5 4

Shocking, disgusting stuff. As you said, laws only matter to common folk, not
the state. Good work Mike. 

Laurent GaffiéYesterday 7:25 PM+1 2 1

Well said Mike, well said.

Trevor LoucksYesterday 7:57 PM+1 2 1

>From my very limited knowledge of encryption...Mike, do you think it would be
possible for Google,within the next few years, to do end to end encryption
for all its services, but not manage or store the keys? I would prefer if
everything was encrypted and decrypted locally and I stored the key how I saw
fit.  Using LastPass, hard copy paper, truecrypt container, or some other
mechanism. 

I realize this would completely obliterate any type of possible password
recovery. But man, a system like that would allow me to feel so much better
when using Gmail or Google Drive. 

I guess it would have to be offered as an option, because I don't doubt most
Google users would opt for easy usability instead of higher security. 

In the meantime I feel compelled to transfer my backups to places which offer
end to end encryption with keys that aren't stored by the service provider.

Jason BraddyYesterday 8:15 PM+6 7 6

+John A. Tamplin  It's possible to tap an optical cable without breaking it,
by bending it far enough that some of the light leaks out through a gap in
the jacket. This can be detected by looking for unexpected drops in the light
level via DOM, etc., and I believe that critical defense/intelligence network
paths do this already.

Jeff WeissYesterday 8:15 PM+1 2 1

+Trevor Loucks that would dramatically change Google's business model, since
they generally offer free services in exchange for collecting people's data. 

Most of the offerings where privacy is a concern, the best private service
wouldn't be a service at all.  It would just be software you run yourself.
Or maybe it would run on some cloud service, but the important point is that
the provider doesn't see your data or care about it, they just lease you some
computing capacity.

John A. TamplinYesterday 8:27 PM+1 2 1

+Trevor Loucks  In many cases that would mean the service couldn't operate -
for example, GMail couldn't communicate with other SMTP servers if Google
never had the decrypted message on its servers.  If you have a doc for
collaborative editing, how do multiple people get the same key?  You
certainly wouldn't have the ease of saying "share this document with the
following" and it just work. 

Besides that, decrypting in the web browser using JS is slow and prone to
other vulnerabilities.  It currently isn't practical for web-based services
to operate as you suggest.

John MardlinYesterday 8:30 PM

+Mike Hearn  Was this work  started before the most recent revelations made
it clear that this was mission critical?   

I'm sure that implementing encryption on your scale is a massive challenge,
it seems counter intuitive that it could be finalized so quickly after these
revelations, regardless of whether or not the work had been begun already. 

Follow on: do you ever wish Edward Snowden would just give you everything you
needed to know right away so this could be stopped sooner? Would you try to
reach out and encourage that moving forward? 

Thanks for taking the time to be transparent and clarify to your users, while
you're undoubtedly insanely busy.

Ian BatterbeeYesterday 8:40 PM

+John A. Tamplin   Also worked at an ISP, for us, dark fibre was simply
something where bits you shoved in one end came out the other untouched. The
dark part referred more to the fact that the packet wouldn't congest with
other people's traffic on the way, and would typically be a leased service on
someone else's CWDM or DWDM network, though it could also be simple patching
with no equipment in the way.

Stephan BealYesterday 8:51 PM

Okay, now admit it: how many of you had to google "Sisyphus" at the end of
the article? ;) (i did!)

Nicolas FischerYesterday 9:51 PM+4 5 4

These assholes think they're above the law. Fuck them! 

Let's use bitcoin to defund them.

Amber YustYesterday 9:57 PM+3 4 3

+John Mardlin  Yes, the project was started well before Snowden. The pace
just got ramped up immensely in the past year or so.

Jeff WeaverYesterday 10:57 PM+3 4 3

quite a post for bonfire day Guy would be proud :-)

Mike HearnYesterday 11:39 PM+13 4 3

Nobody knows how to build services like the ones Google provides but where
the service provider is blind to the traffic. It's not as simple as "Google
makes money off ads so they don't want to change things". 

Ad-funded services are actually a good thing from a privacy perspective! A
lot of people and media commentators don't realise this. The alternative to
advertising is direct payment by end users for a service. Unfortunately,
there are no ways to pay someone for something online anonymously. The
closest is Bitcoin but it's still very young and immature, most people can't
use it. So if the dominant paradigm for Google services was that you paid for
them, you'd pay for them with a credit card and then anonymous accounts would
be impossible, we'd always know exactly who you were. Even if we couldn't
read the message traffic, we would still know immediately and automatically
that Edward Snowden of BAH Hawaii had sent a message to Glenn Greenwald of
the Guardian, which is obviously of great interest to the NSA. You don't need
to be a genius to guess what a message from a high-clearance member of NSA
staff to a journalist might say. All you need to know is that they're
communicating at all. 

Currently though, anyone can sign up for a webmail account and provide any
bogus name they like (and people do). Neither the webmail provider nor the
advertisers know who a user really is, nor do they care. That's a pretty
decent situation to be in. 

Anyway, although I'd love it to be different, there aren't any viable
alternatives to the way cloud services operate today. These things either get
fixed legislatively, or they don't. Cryptographers are inventing lots of
really amazing technology that might one day make a truly private p2p cloud
possible, but those techniques are probably decades away from being
competitive (if they ever are).

Jeroen van Gelderen1:03 AM+3 4 3

+Mike Hearn  "These things either get fixed legislatively, or they don't." 

Then they won't. The TLAs will ignore the laws and lie about it until caught.
Then do it again.

Lauren Weinstein2:13 AM+12 3 2

I've had quite  a few people ask why I haven't seemed to be more upset
publicly about all the recent NSA and other surveillance disclosures. It's
real simple -- there has been nothing disclosed that I (and many others)
haven't assumed was going on at the hand of every capable surveillance org
around the world for decades, one way or another. This sort of behavior goes
back to the dawn of written communications -- tech has just made it easier in
some ways (by concentrating flows and making storage so cheap) and harder in
other ways (by providing means for robust encryption, when it's used). 

And recent history (that is, some decades) speaks clearly to the following.
No matter what the politicians tell you, not matter what any countries'
agencies say, there will be no substantive long-term change in these
practices. Opportunistic gathering of all data they can get their hands on
will continue, especially if it can be declared to be foreign or
international in nature and so not subject to purely domestic restrictions
(when those exist).

At the best, we can hope for a bit more oversight (at least in the short
term) and push hard for more transparency so that companies like Google can
explain to the public what really happens in terms of data demands from
government, and not be faced with when did you stop beating your wife? no-win
situations where hyperbolic, false accusations can't even be legally refuted. 

Above all from a practical standpoint, it has to be encrypt, encrypt, encrypt
-- as Google is now engaged in big time. Contrary to the assertions of the
spooks, encryption to block or degrade opportunistic mass data collection is
unlikely to significantly damage major targeted anti-terrorism efforts.  When
the agencies have something they really want to target, they can use warrants
and even user endpoint attacks to deal with most kinds of common encryption.  

But what's so important about encryption at Google scale is that by making it
significantly harder to do the mass, vacuum cleaner type surveillance, the
opportunity for governments building up enormous databases of such material
composed almost entirely of innocent parties' data can likely be curtailed in
meaningful ways.  And it's that sort of data collection that is most
potentially subject to abuse, especially retrospective abuse under some
future government quite possibly with a very different set of motives
entirely.

Jeff Weiss3:22 AM+1 2 1

+Mike Hearn in many cases it is simply not necessary to ship your personal
info to someone else to organize.  If you have a good internet connection at
home, you can just put a modest box alongside your cablemodem that is capable
of storing all your data and organizing it (with the right software, of
course).  And you would control your own privacy.  

The big missing piece is the software.  Unfortunately all the effort has been
poured into services like Google's because quite frankly, people don't know
any better.  Nobody knows the value of their data so they give it away.  I
would much rather contribute to a kickstarter for open source software to do
the same thing.  That way I know the application is working for me, not
someone else.

Ed Burnette3:31 AM

+ 1000000 from the US

Michael Schwartz3:46 AM+3 4 3

Way to go Google for stopping all the hackers (even the ones my tax dollars
are funding to spy on me!).  Thanks to the crypto geniuses of the 90's,
encryption is no longer a monopoly of the NSA. We have the power to have
privacy, and if we work on open standards and open source software, we will
also have the economies to make it ubiquitously supported by all domains on
the Internet. Thank you for your transparency on the issue! 

Watson Ladd5:42 AM

"Fuck You" is nice. Service and a court date is a lot nicer.

Henrik Sjölander6:51 AM+5 6 5

I know that Googlers work for the security to help people in all countries
for the right to privacy and spying governments, not only when it concerns
free speach. I'm confident that you at Google are working on even things like
these. That's why i like what google, and also employees like you Mike, are
doing for everyone in the world. Thanks.

Chuck McManis6:57 AM

Knowing what Brandon and the opsec team is capable of, I am sure that given
your new found understanding of the risks involved you will be up to the task
mitigating this latest attack against the infrastructure. Kind of defines APT
in a whole new way.

Marco Tedaldi7:20 AM+1 2 1

The spy services are clearly criminal organizations. And the law is quite
clear on how to handle criminal organizations and the members.

Jay Perkins7:50 AM

Today, in its world, Google is bigger than the government. It is time to
start acting like it.  Of course, advertising revenue is the milk that feeds
the Google. Governments can cut off the milk. 

Kudos to Mike for speaking out as Brit. 

Americans suddenly have a fear that speaking out against the actions of its
government will have real world  consequences. Like investigations of your
internet use and your finances. Americans have gained a fear of speaking out
since the government convinced them  that helping fight the war on "terror"
meant that they voluntarily surrender the rights and freedoms that previous
generations thought worthy of dying for, and it would somehow be patriotic,
rather than idiotic. 

Anatoliy Lisovskiy8:04 AM+1 2 1

I  heard a rumor as if in USSR some copper cables were going in pipes with
dry air, or an inert gas, under certain pressure that was constantly
monitored.

Jerome Chan8:37 AM

What is there to prevent the NSA from demanding the private keys for the
encrypting software?

Kazimierz Kurz8:43 AM

encryption, hower complicated, is the only sollution. And even if encryption
would be not very strong, it has to be done! Because even if it is easy to
breake, it rise the cost for the atacker. It is a trade game.  If You do
something, even simple, - it may work for some time...

Justin Lolofie8:44 AM

brit outrage is classy outrage ++

Brandon Downey8:46 AM+1 2 1

While I can't comment about our employer's use of encryption, but if your
concern is the compromise of current private keys revealing things about past
encrypted sessions, technologies like this can help:  

https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection

Danny Sullivan8:56 AM

As an American, I'm finding the spying revelations disgusting. We do have
laws against such warrantless tapping, and it shouldn't be allowed. 

But Google's "big people" that can go after the big people you feel will
escape these illegalities. Right now, aside from whatever private lobbying is
almost certainly going on, all Google is doing publicly is arguing for a
right to reveal number of requests you give out. 

It would be nice if Google stepped up the game. File a lawsuit against the US
government. Go after the big people. 

When Google felt China violated its security, Google pulled out of the entire
country. It seems to have a much higher tolerance for US spying -- or bottom
line, while it doesn't like it, it'll hurt the bottom line too much to do a
similar withdrawal. 

But a big fat huge legal action would be the F-You you really want, and that
many would feel only a company of Google's size could pull off. It'll be
interesting to see if the higher-ups act on your call.

Larry Gritz8:58 AM+1 2 1

I really hope this is making Google (and other companies) think hard about
their "free services in exchange for mining data and selling ads" strategy.
It's that business model that made all this surveillance easy. I'd like to
see Google offer to make us the customers rather than the advertisers, allow
us to pay for legitimately private and secure services, and as a bonus
finally stop being bombarded with ads.

Simon Zerafa9:16 AM

I wonder of having the traffic on leased fibre was really the smart move in
the end? All of the traffic on that fiber was Google's. If it had been on a
public link it would have been encrypted and far safer.

Greg Hennessy9:33 AM

If the system allows the perversion of the course of justice to such an
extent that the CEO of QWest can be indicted and jailed on 'insider' trading
charges for allegedly not co-operating with 3 letter organisations. 

One hopes that the executive leadership team @ Google have retained some
suitably capable legal  resources to deal with what is inevitably coming down
the pike. The state and it's securocrats do not like to be defied in private,
let alone in public. 

Kevin Lyda9:36 AM

+Larry Gritz  Did you not read +Mike Hearn  comment above? There is no
widespread, easy to use anonymous payment system. If you pay for your Google
services, you're traceable. If advertisers pay for your account, you are not.
This is not rocket science.