NSA, UK hacked Yahoo! and Google data center interconnects – report

British and US intelligence agencies managed to tap into the connections between data centers run by Yahoo! and Google, and in one month this year slurped 181,280,466 records, including metadata and the contents of communications, according to new documents from Edward Snowden. A report dated January 9, 2013, from NSA’s …

COMMENTS

  1. Anonymous Coward
    Trollface

    The curtain raises.

    Figures it would be Brits showing a bad influence...again! Pfft...the British are such a pain in the ass.

    If the U.S.A. would just stop communications with the British, we wouldn't be corrupt! But nooooo, we have to be guilty by association.

    ;-)

    Hating America Is A Crime !

    1. cracked

      Re: The curtain raises.

      I'm not sure whether to agree with you, or not?

      As far as I can see, your intelligence agency is analysing data collected by GCHQ on "persons located outside of the USA". It would appear the tapped data links are in the UK (but that's only appear ... GCHQ could be collecting it from anywhere)

      (Hello El Reg ... this is not an NSA story ... this is a GCHQ story ... isn't it? Yes it is ...)

      So there's no need to get upset: Your lot aren't doing much wrong here, that I can see (assuming you don't think spying on "foreign nationals" - or at least persons located outside the US ... maybe - is wrong).

      Secondly: I don't think the wording/quotes are very clear? (Not blaming El Reg):

      I think Google-Google traffic and Yahoo-Yahoo traffic is being intercepted; not traffic between Google and Yahoo?

      I think, somewhere, there will be a cartoon for the Yahoo network, like the one presented for Google (such as it is).

      Overall: I remain amazed at the level of amazement (not here, so much) about something which was - from the inception of the internet/web - so very (very, very, very) predictable.

      1. Anonymous Coward
        Anonymous Coward

        Re: "a cartoon for the Yahoo network"

        Is it the same, but with exclamation marks everywhere instead of the smiley?

        1. cracked
          Black Helicopters

          Re: "a cartoon for the Yahoo network"

          (I'll up vote you in a moment)

          Say it is the same ...

          If data between google's "front end servers" in the UK and the replicated UK server(s) for their gmail/docs/maps (whatever) was unencrypted, then the fault is really with complimentary pony riders. You can hardly blame GCHQ, they should/would be fired for missing that opportunity.

          Whatever you can or cannot expect, over in the good ol' us of a - with your amendments and wotnot - you can't (really, honestly!) expect the same to be true in dear old blighty.

          I can't really come up with a plausible reason why Google would unencrypt data sent to them and then forward it on to Yahoo. I can see why they might have "private" connections with yahoo, but not why they would pass on deliberately unencrypted data (but presumably pass on the same type of data encrypted to everyone else).

          And Google's statement doesn't mention Yahoo. Just that they are outraged. And while - if I were a complimentary pony rider - I might be a bit miffed a bit of traffic between Google and Yahoo had been snooped on; I'd be outraged if it was potentially any/all "internal" traffic.

          But anyway, the real story is ... If this were true, it would imply SSL isn't/wasn't cracked. Or why bother "hacking" this length of "vibre optic cable" that is in a colo facility, somewhere? So obviously this is just counter intelligence, by you know who, framing google for their evil ways and fooling us all into continuing to trust in that gold key icon in our browsers. ;-)

      2. tom dial Silver badge

        Re: The curtain raises.

        Indeed, this seems much the same, in principle, as was the case when a good deal of communication was sent by radio and microwave links or a handful of undersea cables, and governments (and other interested parties) could, and doubtless did, capture and analyze the traffic. Much of the difference is that both the traffic and the capability to grab and analyze it have increased by 6-9 orders of magnitude (maybe more).

  2. Anonymous Coward
    Anonymous Coward

    WOW

    "You can't have your privacy violated if you don’t know your privacy is violated, right?" ®

    A man who publicly admits that his views are straight out of George Orwell's books.

    Like fucking hell... is he elected? Or appointed? Who the fuck elected/appointed someone who thinks like that?

    1. Don Jefe
      Unhappy

      Re: WOW

      Representative Rogers (I refuse to call him Mr. Rogers and sully Fred's good name) is elected by the public for his role as a Representative and elected to the committee in private. Members of Congress are nominated for committees based on a combination of seniority and financial contributions to their party; where value of contributions are more important than seniority (really).

      Idiot Members of Congress like him are elected, and reelected, because the majority of US don't bother to vote and of those that do only about 15% of them research anything beyond party affiliation and even then about half of voters don't know who they voted for or who represents them in Congress. It's all really fucking stupid and we deserve all the shit we get dealt because only a minority care about politics beyond what it means for themselves and or 'voting for their father's party'.

      1. Jamie Jones Silver badge

        Re: WOW

        "Idiot Members of Congress like him are elected, and reelected, because the majority of US don't bother to vote and of those that do only about 15% of them research anything beyond party affiliation and even then about half of voters don't know who they voted for or who represents them in Congress. It's all really fucking stupid and we deserve all the shit we get dealt because only a minority care about politics beyond what it means for themselves and or 'voting for their father's party'."

        Don, it's basically the same in the UK too. I heard once that more people voted in "Big Brother " (ironic, given the programme name) than the elections at the time.

        Looking on the bright side, I now feel closer to you and your fellow countrymen - we both have governments that are paranoid and insecure little shits that really don't give a crap about the people they are meant to *serve*

    2. Irony Deficient

      Re: WOW

      obnoxiousGit, Representative Mike Rogers has been elected to consecutive two-year terms of office since 2000 by the voters of Michigan’s 8th congressional district, which is centered on Lansing, Michigan’s capital. He is ex-FBI. I don’t know how long this view of his has been known to his voting constituency, but his opponents now have a year until the next election to make sure that the voters there are aware of it.

      1. Anonymous Coward
        Anonymous Coward

        @IronyDeficient 02:10

        The problem with "making voters there aware" of his views is that gerrymandering in most states renders extremist views irrelevant. The party in power in a state at census time will carve up districts to favor themselves, and want to make them lopsided so they have safe districts, and if possible even more lopsided for the opposition (try to 'waste' as many of their votes as possible by making them as close to 100% for the other party as they can)

        Computers have rendered this practice even more obscene than it already was, and is one of the primary reasons why the US is so polarized politically now. Because you have few districts that are split roughly 50/50 between the parties, even in states/areas where that's the case, the extremists win primaries and their extremist views don't keep them from winning the general election as would normally be the case districts not creating to be unfair.

        Some states like mine have fair systems with impartial bipartisan committees charged with creating districts and being forced to keep to existing boundary lines where possible (county lines, city boundaries, etc.) Even better would be a computer program designed to do this - sort of the opposite of the programs they use now which can use voter registration and polling data and go block by block in all directions to maximize their goal.

        The only way to make change happen here would be state by state. Only they have the power to fix this. But their party brethren in Washington would fight hard against this because it would hurt their chances of reelection, and if you piss off them you might lose money for your county versus the guy in the next county over that wants to keep the current unfair gerrymandering scheme in place.

        1. Irony Deficient

          the art of gerrymandering

          DougS, even after the most recent Congressional redistricting, which took effect with last year’s elections, Michigan’s 8th congressional district is nearly 50/50; that’s why I suggested the possibility of Rogers’ opponents making his quote widely known within his district.

    3. James 51
      FAIL

      Re: WOW

      The answer to his question is "Of course it is you louse.".

    4. Anonymous Coward
      Anonymous Coward

      Re: WOW

      Barack Obama. Or was that not obvious enough for you?

  3. Graham Marsden
    Big Brother

    " We are outraged...

    "...at the lengths to which the government seems to have gone to intercept data from our private fiber networks" ... that's our territory and we don't want anyone else trying to muscle in on our Data Troughing.

    Said the Google Spokesman.

  4. Graham Marsden
    Facepalm

    "You can't have your privacy violated if you don’t know your privacy is violated, right?"

    Sure! And if I steal something from you and you don't notice, you haven't been robbed!

    1. Anonymous Coward
      Anonymous Coward

      Re: "You can't have your privacy violated if you don’t know your privacy is violated, right?"

      The playground level linguistic contortions these sad clowns perform are exactly the type that, were they done in person, would give me an overwhelming urge to do something uncharacteristically violent on the spur of the moment. It's not just what they do, it's the smug, self congratulatory way they do it that makes it grate all the more.

      I wonder if they feel so fucking smug after Snowden? Wankers.

      1. Anonymous Coward
        Anonymous Coward

        Re: "You can't have your privacy violated if you don’t know your privacy is violated, right?"

        Until you realize they're EXPECTING it. They let you make the first punch, which they block and they proceed to hit you with pepper spray. You end up in agony and more than likely in handcuffs, and he can point to witnesses proving he acted in self-defence.

        See, they're only idiots in oratory. When it comes to political savvy, they're all sharks.

        1. Roo

          Re: "You can't have your privacy violated if you don’t know your privacy is violated, right?"

          "Until you realize they're EXPECTING it. They let you make the first punch, which they block and they proceed to hit you with pepper spray. You end up in agony and more than likely in handcuffs, and he can point to witnesses proving he acted in self-defence."

          And therein lies the rub.

          If you want to change these things it looks as though talking isn't enough, a simple punch on the nose won't make a difference either. As far as legal routes are concerned you are stuffed as well, because the justice system simply won't consider prosecuting these goons - and in the rare event something is deemed to be illegal the laws are changed or evidence simply lost/ignored.

          At present there are no legitimate avenues for citizens to address this stuff, breaking the law seems to be the only way anyone can get HM Gov to pay attention. This should bother the government because this kind of scenario has a habit of developing into rebellions & civil wars.

    2. Richard Boyce
      FAIL

      Re: "You can't have your privacy violated if you don’t know your privacy is violated, right?"

      Oh, what a tangled web we weave

      When first we practise to deceive!

      Give the guy a break, he's not used to committing perjury.

    3. Robert Helpmann?? Silver badge
      Childcatcher

      Re: "You can't have your privacy violated if you don’t know your privacy is violated, right?"

      ...if I steal something from you and you don't notice...

      The analogy I thought of involved roofies and date rape, but yours works, too.

    4. M7S

      Re: "You can't have your privacy violated if you don’t know your privacy is violated, right?"

      Working in the City, I feel a better comparison would be to those who never knew they were paying for things like PPI on which they could usually never be eligible to make a successful claim. Chickens coming home to roost there, hopefully in his field they will as well.

      I'm all for properly resourced security, tempered by proper regulation and oversight, perhaps derived from a fantastic constitution such as the Americans have. I just wish they'd observe it properly. If not, perhaps we might be allowed to borrow it.

  5. mraak
    Coat

    I could be pissed easily

    But I just don't care any more. This looks like a giant comedy, what the f*** can they do with all that data of mine? They're gathering so much noise and garbage let them swim in it, f****** idiots.

    1. Schultz Silver badge
      Stop

      "They're gathering so much noise and garbage"

      And in that garbage they will have enough inconvenient or incriminating stuff to ruin the career of an inconvenient politician, to incriminate and blackmail any businessman or to embarrass any annoying citizen. All of this without apparent transparency, oversight, or democratic checks and balances. Just taking some email/call/text snippets out of context may be enough to make you look thoroughly bad (and maybe unfit for a job). Even worse, once they have you hacked they can add that little extra to make you look positively criminal.

      It does sound quite scary to me -- the tools are reminiscent of communist Russia or Nazi Germany. In those societies, the limitless spying was used systematically to suppress political dissent. In the US we don't hear about systematic suppression but once the tools are in place, somebody will find a use for them.

      1. John Smith 19 Gold badge
        Unhappy

        Re: "They're gathering so much noise and garbage"

        "It does sound quite scary to me -- the tools are reminiscent of communist Russia or Nazi Germany. "

        Actually they are much better.

        But still made by IBM.

        "In the US we don't hear about systematic suppression but once the tools are in place, somebody will find a use for them."

        To misquote Mikey boy. "How can you say you are being systematically oppressed if you never hear about it?"

      2. mraak

        Re: "They're gathering so much noise and garbage"

        >>Even worse, once they have you hacked they can add that little extra to make you look positively criminal.

        All great concerns, but I don't frankly give a shit. If they (political factions) want to use it against each other let them use it, and let them mutually annihilate each other. I'll make sure they can't do any harm to me with the data they have. All I need to do is stop using Gmail and Chrome, and 98% problem solved.

      3. Soap Distant

        Re: "They're gathering so much noise and garbage"

        "They're gathering so much noise and garbage"

        Exactly. I'm more of a cock-up vs conspiracy type, I believe they have way more data than they can make sense of. My worry would be the false positives they'll generate and waste resource on. I'm not gonna donate any saucepans to charity any time soon.

        SD

  6. Denarius Silver badge
    Thumb Down

    @mraak you miss point

    everyone is guilty, the question is of what. Standard plod modus operandi in interrogation. The more data, the more false positive associations. The merkins claim ability to track 80+ degrees of separation. How reliable for justice can that be ?

  7. Carlo Graziani

    You Missed The Real Story

    Come on, aren't you paying attention? The story isn't that the NSA is slurping social data from telecom company locations, that's old news. We've known that since 2006, when Mark Klein, the ATT whistleblower, told the world about the secret colo rooms that NSA was setting up at telecom offices. We now also know about FISA-ordered bulk metadata subpoenas, which are undoubtedly the tip of a deeper traffic inspection iceberg.

    The real story here is the comment next to that smiley face: "SSL added and removed here". Is that for real? If so, how the hell are they doing that? That protocol is supposed to defend against Man-In-The-Middle attacks. You'd need widespread compromises of cert authorities, or _additional_ compromises of DNS infrastructure, or a hell of a cryptanalytic breakthrough. Any of the above would constitute a much more important story than this fluff.

    The Reg is supposed to be paying attention to this stuff. Don't you care enough to dig a bit?

    1. Anonymous Coward
      Anonymous Coward

      Re: You Missed The Real Story

      I thought the same at first, but I think it might refer to a point Google/Yahoo remove the SSL, hence the quote from Google:

      “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide,"

    2. Don Jefe

      Re: You Missed The Real Story

      The certification authorities are almost certainly compromised and have been, likely since day one. It's one thing to protect private data from thieves and competitors, but it is highly unlikely any reasonably powerful government would allow potential 'enemies of the State' (that's everyone) to transmit unbreakable coded messages on a mass scale using government subsidized infrastructure.

      The rub is that outside of the IT industry, almost no one knows what a certificate authority is or that such things even exist. The governments have an advantage there because everything about certificates is the exact opposite of 'exciting headline' material. Even if mainstream news outlets talked it up people would stop paying attention the minute a baby fell out of some celebrity. As is often the case, very important things aren't flashy and the public will blissfully ignore them.

      1. Marketing Hack Silver badge

        Re: You Missed The Real Story

        Yes, the NSA is saying that its method here is to intercept the data by tapping data moving on fiber-optic links BETWEEN Google/Yahoo! datacenters. That data is not encrypted, so the GCHQ just goes hog wild.

        And addressing the article's point about why the NSA would do this. A) because they are supporting their BFFs at the GCHQ B) Because the data that GCHQ is hoovering up is OUTSIDE the U.S., and is therefore not subject to FISA legislation and is free game since it is "foreign intelligence" under existing Presidential executive orders that the NSA operates under. C) The GCHQ doesn't have to give a damn about FISA or intercepting data on Americans D) The NSA can say that they were going after foreign intelligence, and if Yahoo! or Google are replicating American citizens data using international fiber-optic links and data centers, well, that is Sunnyvale's and Mountain View's fault.

        P.S.--Mike Rogers is a very dangerous person. He ought to be nowhere near a constitutional office with that attitude. Note that I am not saying he's an idiot or anything. I wish that was the case, but I think he's probably pretty intelligent, if really warped. I hope that he gets primaried (safe Republican district probably, so chances of him being unseated by a Democrat are low) and removed by an actual small-government conservative.

      2. Anonymous Coward
        Anonymous Coward

        very important things aren't flashy and the public will blissfully ignore them

        @ Don Jefe

        Depressingly true unfortunately, the end result being you get the government you deserve.

        (not you personally, obviously).

      3. Matt Bryant Silver badge
        Facepalm

        Re: Don Jefe Re: You Missed The Real Story

        "The certification authorities are almost certainly compromised and have been, likely since day one....." Sorry to interrupt your paranoid dribblings, but what the slide shows is that Google did not encrypt or even secure with SSL the links between Google DCs in the back-end, because they assumed their private networks were secure. SSL was only used for customer-facing links. That means Google was sending everything in clear text down intercontinental cables, what GCHQ did was tap those cables for the NSA. Now, what is that standard bleat the sheeple like about how it's the owner's fault if his system gets hacked because he didn't secure it "enough"? LOL!

        1. Don Jefe

          Re: Don Jefe You Missed The Real Story

          I realize someone as wise and worldly as yourself probably hasn't seen a hand drawn diagram since you were granted the power of Visio, but if you look at the drawing again the central graphic fucking says SSL removed/restored. Right there. Right there on the drawing. Has its own call outs and everything.

          A good place to start with any diagram is with the information that's written on it. If you don't start there you don't need the diagram, you can just rant and make shit up without it. In other words RTFD (read the fucking diagram).

          1. ratfox Silver badge

            @Don Jefe

            The diagram does not say removed/restored, it says added and removed.

            This is because SSL is supposed to provide security on the Internet, where your data transits through semi random routing point you do not trust. That is the left part of the diagram. The right part of the diagram is Google's private infrastructure, where SSL is not needed. Google only recently realized that encryption is also necessary on its private infrastructure, but they are certainly not using SSL for this, but probably their own private encryption which may be both more powerful and simpler than SSL, because they can tailor it to their needs, and they don't need to wait for every browser out there to implement it, as they own both ends.

            The central linking point between the two networks is not where the NSA dastardly messes with SSL certificates because the protocol is broken; it is the point where Google removes the SSL (when going left to right) or adds the SSL (right to left) because it does not make sense to use SSL on the private infrastructure…

            Just explaining, since, you know, you obviously can read diagrams but you apparently have trouble understanding the information.

            1. cracked

              Re: @Don Jefe

              Correct, I would imagine.

              However, that might make it seem like good ol' Google isn't ... culpable - Let's not let them off the hook quite that easily ;-)

              While I know it is/was all coloured balls, 50s style cafeterias, Segways and happy hippies doing no evil; you might have hoped that any data Google presented as encrypted-during-transmission, that passed through a cable housed outside of their property, would stay encrypted while it did so ... apparently not.

              Well done lads and lasses ... as naive as you so often sounded (happily, I don't remember reading about complimentary ponies for staff, or there'd've been a stampede through that door they've just shut ... maybe/hopefully)

            2. Jamie Jones Silver badge
              Black Helicopters

              Re: @Don Jefe

              Exactly.

              I took the smiley face to mean "haha, they encrypt internet traffic here, but we don't care as we get it off the internal network".

              I'm not a guru when it comes to cryptographic certificates, but am I correct in saying that the most secure certificate (assuming you trust the signer) is a self-signed certificate?

              I realise that browsers warn against these because they don't follow a chain-of-trust, so the browser can't detect if a MITM is occurring, but it's kind of ironic they do warn for these only, if you assume the spooks have access to the root keys!

          2. Matt Bryant Silver badge
            FAIL

            Re: Blonde Jefe Re: Don Jefe You Missed The Real Story

            That's blonde as in airhead. RTFD? Okay, let's go through it once again. On the left you have Google's kamikaze customers, happily giving all their private data to Google. On the right is the analytical systems and storage that Google uses to mine that data in any way it likes. In between is the GFE, where communication with the PUBLIC side has SSL added, and then as it passes the data to the GOOGLE side the SSL bits are removed (because Google didn't think it needed them on their internal, private networks). The internal links span several DCs in different countries, all linked by cables that GCHQ has tapped. No SSL (and no other encryption) of the coms between servers on the GOOGLE side makes it easy for the GCHQ chaps to rape it at will (the clue was the legend "Traffic in clear text here"). Sorry, would you like me to redraw the diagram in crayon for you? If you're having trouble finding one I'm sure we can find you a responsible adult to help you with the long words and techie bits.

            1. cracked

              Re: Blonde Jefe Don Jefe You Missed The Real Story

              Horrifically, for systems designers everywhere, that's what it reads like. I'm outraged (honestly!).

              Complimentary pony riding airheads want [redacted] with a brick. Hard. Repeatedly.

              ... Or GCHQ/NSA want complimenting on their phys-ops ;-)

    3. tom dial Silver badge

      Re: You Missed The Real Story

      It seems fairly evident from the diagram that Google is adding and removing the SSL at its "premise" routers. If NSA/GCHQ have access to those through a split fiber in the carrier's territory, they have access to the plaintexts. I think Occam's razor applies here. It may be possible that they "borrowed" Google's private certificate, or deduced it from the public parts, but the simplest answer also is the most plausible. It also is supported by Google's statement that they will be encrypting internal transfers as soon as possible.

      1. tom dial Silver badge

        Re: You Missed The Real Story

        It occurs to me on further reflection how astonishing it is that designers who presumably are technologically competent failed to encrypt all links that were not within their direct physical control. The DoD, often and often incorrectly written off as technological boobs, has been encrypting transfers among its data centers for years - and that's on the unclassified network.

        1. Matt Bryant Silver badge
          Boffin

          Re: Tom Dial Re: You Missed The Real Story

          "..... astonishing it is that designers who presumably are technologically competent failed to encrypt all links that were not within their direct physical control....." Well, not to be too hard on the Umpahlumpahs, it's quite common in the industry. People see the words "private" and "secure" in relation to wide-area links or hosted servers and take it at face value. I always tell them, if it's not your switch or your server under your control then it's not private, no matter what they tell you, so encrypt the data.

          1. cracked
            Unhappy

            Re: Tom Dial You Missed The Real Story

            I agree entirely. If it isn't in your pocket - and switched off, with the battery taken out - you don't know where it's been nor where it is going.

            However (again) let's not let google (and yahoo ... and - as you say and as I appreciate - a sh1t ton of other systems and system designers) off the hook.

            When setting up his gMail account, on his smartphone, Billy Smith ticked the Require SSL checkbox - Little did Billy know* that google's promise of protecting his data from snooping - while it whizzed back and forth from his phone - was only good for some of the journey.

            * I appreciate Billy should have known ... but then like 10% of the world's population, Billy uses Facebook and so can't really be blamed for being a bit simple.

            Just because everyone else is rubbish at systems design - and especially when you are one of the most high profile, high powered and wealthy IT firms on the planet - doesn't mean you can just patch it together with sellotape and go back to admiring the size of your advertising revenue.

            If google wasn't proclaiming itself "outraged" I would be saying it's a myth put about by the powers that be. But because they are outraged, they must know that such snooping was possible, because of their rubbish systems design (however commonplace it is).

            I put more thought into my BBC Micro Pontoon game for my (no qualification) course in BASIC programming than that.

            Rubbish and naive ... like red riding hoods, a classic combination.

            And I am (still) somewhat disappointed in the website claiming to Bite Off Hands - This isn't another NSA, oh who cares story. This is a google bashing story and El Reg usually isn't that shy :-(

            1. Matt Bryant Silver badge
              Devil

              Re: cracked Re: Tom Dial You Missed The Real Story

              ".....like 10% of the world's population, Billy uses Facebook and so can't really be blamed for being a bit simple...." Hehe, if the Anonyputzs really wanted to screw the system they should have each created a hundred fake Facebook accounts, each linked to a fake gmail account, then posted junk about how they like chocolate-coated sardines whilst watching architecture documentaries in their Doc Martens and tutus - the Google analytical would be well warped! I'm sure it wouldn't take much imagination or a very big bot farm to automate a constant stream of crud data into the Google engine.

    4. Anonymous Coward
      Anonymous Coward

      Re: You Missed The Real Story

      SSL has been broken for years

    5. Jamie Jones Silver badge

      Re: You Missed The Real Story

      "The real story here is the comment next to that smiley face: "SSL added and removed here". Is that for real? If so, how the hell are they doing that? That protocol is supposed to defend against Man-In-The-Middle attacks. You'd need widespread compromises of cert authorities, or _additional_ compromises of DNS infrastructure, or a hell of a cryptanalytic breakthrough. Any of the above would constitute a much more important story than this fluff."

      You are wrong, but actually, you've hit on something - the exact opposite to your point.

      The smiley is placed at the point where google decrypts/encrypts the data between the internet and its own private network - no man-in-the-middle attack here (As I posted earlier, I think the smiley was done to say "haha, they may encode stuff here, but we simply grab it from the unencrypted side")

      Now, I think it's pretty much assumed that the spooks have access to at least some of the root-cert keys.

      There has also been a lot of speculation about what other successes they may have had at breaking encryption.

      I think the real story that seems to have been missed is the fact they are making an effort to get at harder to tap links - if they had truly cracked TLS, they would simply just tap the much easier to access internet side of the connection.

      (Yes, I realise that I've simplistically ignored the processing power aspect of it, but I think the point is still somewhat valid)

  8. jake Silver badge

    My only question is ...

    ... given that this has been fairly common knowledge for about a quarter decade in security circles (see: United Kingdom – United States of America Agreement), why all the angst now?

    Makes no sense. At all.

    Gut feeling: the Dems & the Reps have both shot themselves in the foot by over-escalating political bickering, and either the Greens or another Independent is going to win the next General Election, in about a year. For you Brits, that would be the Monster Raving Loony Party.

    If I'm right, gawd/ess help us all ...

    1. Schultz Silver badge
      FAIL

      jake: "fairly common knowledge for about a quarter decade"

      What the h*ll does the knowledge of somebody else have to do with my understanding of what's right or wrong? It was common knowledge among select groups that the Nazi Germans gassed the Jews. It was common knowledge that the Stasi spied and suppressed dissidents.

      Please turn on your brain before spewing Meta-arguments.

      1. jake Silver badge

        @Schultz (was: Re: jake: "fairly common knowledge for about a quarter decade")

        Using existing tools without understanding them makes you safe from your lack of knowledge of said tools? Really? There are no do-overs on the world stage.

        Kids these days. Honestly, I feel sorry for them. It's gonna get ugly.

    2. Titus Technophobe

      @Jake … My answer is …

      ‘Dems & Reps … shotgun foot engagement … Greens/Indie victors’

      Now then, now then, so I have heard it said that the problem with American Politics is that you have the Republicans (Conservatives/Tories/Whigs etc) and then you have the Democratic Party who are more like emm, also Conservatives, Tories, Whigs etc.

      It has been suggested that what the US really needs is a Labour Party. This would provide … ooo hang on… Tony Blair, Gordon Brown, Scratch that one, if you are right ‘Gawd/ess help us all ….’

    3. Anonymous Coward
      Anonymous Coward

      Re: My only question is ...

      jake - "My only question is ...

      ... given that this has been fairly common knowledge for about a quarter decade in security circles (see: United Kingdom – United States of America Agreement), why all the angst now?"

      So ... where's your link to an article from 25 years back that says the NSA/GCHQ are monitoring communication between Google's data centres .... ?

      1. jake Silver badge

        @AC 13:09 (was: Re: My only question is ...)

        Again, see: United Kingdom – United States of America Agreement

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC 13:09 (was: My only question is ...)

          Again, see: where's your link to ... ?

        2. Anonymous Coward
          Anonymous Coward

          Re: @AC 13:09 (was: My only question is ...)

          From wikipedia about the United Kingdom – United States of America Agreement;

          "Due to its status as a secret treaty, its existence was not known to the Prime Minister of Australia until 1973,[11] and it was not disclosed to the public until 2005.[10] On 25 June 2010, for the first time in history, the full text of the agreement was publicly released by Britain's National Archives"

          So let's try again - how has this "been fairly common knowledge for about a quarter decade in security circles (see: United Kingdom – United States of America Agreement)"?

          2010 is 3 years back, 2005 was 8 years back, where were you reading about the NSA/GCHQ monitoring communication between Google's data centres 25 years ago?

          1. jake Silver badge

            Re: @AC 13:09 (was: My only question is ...)

            25 years ago (1988, if you are math(s) impaired) was before Gopher, much less HTTP. I could probably find a modern link to old commentary, but I'm not here to do your detective work.

            Has nothing to do with the newbie gootards, who are clearly clueless about security (the idiots using it are far worse). Has to do with what "the authorities" have been doing for a very, very long time when it comes to networked communications.

            Also, note I said "security circles", not "the common or garden working stiff, who doesn't actually know what the word `protocol` means".

            Suggestion: Search your local Usenet or Fido archive, then get back to me.

            But I'll throw you a bone:

            http://en.wikipedia.org/wiki/ECHALON#cite_note-7

            1. This post has been deleted by its author

  9. Anonymous Coward
    Anonymous Coward

    different how?

    Currently there is a court case in the UK where some newspaper editors are in trouble because their (now closed) newspaper hacked people's phones to get stories... no-one cared about celebs, but when a kid who was kidnapped and murdered came up on the list of people who were hacked, there was outrage and now a court case.

    How is hacking someone's private comms for a news story illegal but hiding under "national security" it's totally ok?

    1. Marketing Hack Silver badge
      Unhappy

      Re: different how?

      @Jeremy 3:

      Because our political overlords have given their spook minions a get-out-of-jail-free card. So spies can act the fool, regardless of how much damage it does to privacy, freedom of expression and real security....

      1. Matt Bryant Silver badge
        Stop

        Re: Marketing Whacko Re: different how?

        "....regardless of how much damage it does to privacy, freedom of expression and real security...." You were doing so well, right up until you added that paranoid bleat on the end. Firstly, EVERYTHING you give to Google you also give them the right to trawl through, analyse and keep for EVER (even after you want it deleted). Secondly, please do demonstrate any damage? It seems the number of bleating sheeple is staying worryingly high and your collective dumbness is being readily displayed without a hint of repression.

        1. Marketing Hack Silver badge
          FAIL

          @Matt Bryant

          A) I don't give much data to Facebook (no identifying friends pics, post few pics, don't log in to locations, don't share mobile number). I give even less info to Google.

          B) There is a big difference between participating in a free voluntary service that I can stop working with and government surveillance which I am forced to fund through my taxes and can legally compel my participation if I have data they think they need.

    2. tom dial Silver badge

      Re: different how?

      1. Government officials, in their official capacity, often are allowed to do things that citizens acting privately (including government officials when acting privately) are not. Today's New York Times published a story this morning about the Putnam County District Attorney who participated actively in a friend's criminal defense, which was being handled by the DA in Westchester County. The participation appears not to be turning out well for him.

      2. The NSA and GCHQ have not, as far as I have seen reported, actually published the data they collected or even looked at most of it, while those being prosecuted seem to have done so.

  10. Gray
    Facepalm

    Thus does the cat piss itself

    Going by Representative Rogers' rule, one's privacy is not violated if one is not aware that one's privacy is being violated, so if then a medical practitioner were to anesthetize Rogers' wife and sexually molest her, and she was unconscious and unaware of the act, then by his own logic she has not, in fact, been molested!

    The good Congressman has stated, when the tree falls in the forest and no one is there to hear it, there is no sound produced! That's an interesting twist of physics. Schrodinger's cat must be pissing itself.

    Don't look at me that way ... he actually said it, and he is a ranking member of the U.S. Government, and therefore it must be true! So by the principle of absurd reduction, as long as NSA and GCHQ keep their activities secret and their practices remain unknown, no one is violated.

    1. Jamie Jones Silver badge
      Facepalm

      Re: Thus does the cat piss itself

      And by extension, a peeping Tom is only committing a crime if he/she is caught!

  11. Anonymous Coward
    Anonymous Coward

    Operation Ivy Bells, circa 1971, US submarine used to place recording device on a Soviet undersea communications cable in the Sea of Okhotsk (location considered by the Soviets to be well and truly out-of-bounds to any international vessel, let alone a US sub).

    Divers then had to periodically retrieve the recording tapes from the device and install new ones. (Documented in a book called "Blind Man's Bluff" amongst other places.)

    Incredible stuff for the time...

    These are the lengths the Intelligence community will go to in an effort to intercept communications...

    1. Don Jefe

      That's why we built the USS Jimmy Carter (SSN-23), so it would be easier to fiddle with other people's undersea cables. You can just park it on the cable and work in the dry. Yay technology, I guess...

      1. Solmyr ibn Wali Barad

        H&S department approves.

  12. Evil Auditor Silver badge
    Stop

    Who's surprised?

    "...which is why we have continued to extend encryption across more and more Google services and links" I am especially grateful about the forced use of ssl in Google Search or Maps. Since our entry server opens each and every encrypted connection and decrypts it again it's all fucking slow. I usually don't care about someone snooping on my searches. But I'd like to have the option to use ssl.

    Seriously, is someone here really surprised about the spooks snooping on Google et al? The intelligence services have been walking in and out at Microsoft, Cisco, etc for years. Hard to imagine they would cold-shoulder one of the largest sources of personalised data. Google+, Gmail, Calendar, search results (ie surf behaviour), etc and all linked together and to an individual. That's Eldatarado, the wet dream of every spook.

    But, should it be like that? The virtual 1984? NO, ffs.

  13. Anonymous Coward
    Anonymous Coward

    Freedom is overrated

    Why can't people just be happy that the American and British security people are doing their job protecting us from the enemies of civilisation (ie Greenpeace, various religions and other similarly idiotic organisations)?

  14. Anonymous Coward
    Anonymous Coward

    An excess of Guardian readers in here

    With their damned organic tomatoes

  15. incloud

    Why NSA also needs access to US servers' real-time data

    It is not surprising that NSA/GCHQ would want to gain access to traffic directed at Google's (and others') servers. The PRISM program gives them access to stored data e.g. contents of gmail emails etc. but an important aspect of these traffic flows is that they contain persistent cookies.

    The main fibre links may be tapped but the spooks need a way to extract streams of packets going to or from targeted individuals. They need a persistent common identifier present in the packets so they can thread them together. It is difficult to use IP addresses for this because they are often temporary and shared. For example IPv4 addresses are often only tied to a particular home for a few days, and even then are being shared by every computer user in a family using the NAT protocols. Similarly IPv6 addresses often have anonymous addresses via auto configuration, and this will probably become more common.

    Cookies used by Google Analytics, Doubleclick, Yahoo etc. exist in most packets directed at their servers, are specific to each browser/device and last for years. Because elements addressing content held on these servers exist on most web sites, for instance Google Analytics tracker tags exist on over 70% of the most popular 100,000 websites, every visit to them will create a cascade of packets directed at the third-party servers, and NSA/GCHQ can get a cloned copy of these.

    These cookies provide a far more reliable and permanent way to track each individual's web activity.
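
The contrast drawn in the post above between shared, short-lived IP addresses and long-lived cookies, as an added example that is not part of the original comment. All records are constructed, the cookie name `tid` is hypothetical, and the `browser` column is ground truth used only to score each grouping.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample: (source IP on the wire, true browser, Cookie header).
# The browser name is ground truth for scoring; it is never on the wire.
RECORDS = [
    ("203.0.113.7",   "alice-laptop", "tid=a1f3; lang=en"),
    ("203.0.113.7",   "bob-phone",    "tid=9c2e; lang=en"),  # same NAT address
    ("203.0.113.7",   "alice-laptop", "lang=en; tid=a1f3"),
    ("198.51.100.24", "alice-laptop", "tid=a1f3"),           # address re-assigned
    ("198.51.100.24", "carol-pc",     "tid=77b0; lang=de"),  # another shared address
    ("203.0.113.7",   "bob-phone",    "tid=9c2e"),
]


def cookie_id(header, name="tid"):
    """Return the value of one cookie from a Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def thread(records, key):
    """Map each identifier produced by key() to the set of browsers it covers."""
    groups = defaultdict(set)
    for ip, browser, header in records:
        groups[key(ip, header)].add(browser)
    return dict(groups)


def by_ip(records):
    return thread(records, lambda ip, header: ip)


def by_cookie(records):
    return thread(records, lambda ip, header: cookie_id(header))


def mixed_identifiers(groups):
    """Identifiers that lump more than one browser together."""
    return sorted(k for k, browsers in groups.items() if len(browsers) > 1)


def scattered_browsers(groups):
    """Browsers whose traffic is spread over more than one identifier."""
    seen = defaultdict(set)
    for ident, browsers in groups.items():
        for browser in browsers:
            seen[browser].add(ident)
    return sorted(b for b, idents in seen.items() if len(idents) > 1)


if __name__ == "__main__":
    for label, groups in (("ip", by_ip(RECORDS)), ("cookie", by_cookie(RECORDS))):
        print(label, mixed_identifiers(groups), scattered_browsers(groups))
```

With these records, grouping by address merges browsers behind one NAT address and scatters one browser over two addresses, while the cookie value maps one-to-one to a browser. That is why a long-lived identifier carried in cleartext is the privacy-relevant field on such a link.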

    1. cracked
      Black Helicopters

      Re: Why NSA also needs access to US servers' real-time data

      Too many black helicopters, I think. They aren't looking at everyone.

      I would imagine this data is used as the 'Post has been informed it is used.

      1. To scan for and collect information from/to/about Persons of Interest - Here your cookies would be useful (if the perp wasn't logged into Google/Yahoo at the time searches and so forth were made, anyway). Google Analytics is interesting here, if it uses longterm persistent cookies to track individual users (and who doesn't believe it does!?)

      2. A quick and dirty trawl for a variety of keywords to (try to) detect new Persons of Interest (and again, cookies might help, if a suspect user was identified)

      Just another couple of other random thoughts ...

      "buffer wiped after use". Yeah, because that makes it all so much ... better ... not that they would copy any data-of-interest (or potential interest ... oh heck, just all data) to somewhere else first, obviously.

      The amount and scope of the data collected and sifted is phenomenal; assuming the system works, hats off to the spooks, that's some system ;-)

    2. Jamie Jones Silver badge

      Re: Why NSA also needs access to US servers' real-time data

      "It is not surprising that NSA/GCHQ would want to gain access to traffic directed at Google's (and others') servers. The PRISM program gives them access to stored data e.g. contents of gmail emails etc. but an important aspect of these traffic flows is that they contain persistent cookies."

      Whilst that is a good point, this expose deals with the tapping of the 'private' links between data-centres.

      Would cookies etc. still be present then?

      The fact that the user's connection is actively decrypted at point of entry implies to me that Google's network in this case is not used simply to forward-on connections, but more in an internal inter-site client/server role between the 2 Google sides - e.g. sql select/update/insert queries, data replication etc.

  16. This post has been deleted by its author

  17. Anonymous Coward
    Anonymous Coward

    SSL Sucks Obviously

    Time to reexamine every single aspect of "official" encryption and how it is used.

    1. Jamie Jones Silver badge

      Re: SSL Sucks Obviously

      Hmmmm. The British weather often sucks.

      Politicians usually suck, too.

      And how about those petrol prices, eh?

      What? Relevancy? Just as relevant as a comment about SSL failing on an article talking about clear-text links being breached.
