NSA tapping Google & Yahoo cloud-servers worldwide, per Snowden docs

A while ago I asked, “Are Google and Microsoft arms of the State” and part of the NSA? The answer is yes, of course, just like GE, Lockheed and Booz Allen. (And never forget, the NSA is a part of the Pentagon, and not some White House agency.)

There’s even more evidence of that today, thanks to Edward Snowden, Barton Gellman and Ashkan Soltani, the latter two writing at the Washington Post. (To skip to what you can do, click here.)

Here’s Gellman and Soltani (my emphasis and some reparagraphing):

NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say

The National Security Agency has secretly broken into the main communications links that connect Yahoo and Google data centers around the world, according to documents obtained from former NSA contractor Edward Snowden and interviews with knowledgeable officials.

By tapping those links, the agency has positioned itself to collect at will from among hundreds of millions of user accounts, many of them belonging to Americans. The NSA does not keep everything it collects, but it keeps a lot.

The NSA’s principal tool to exploit the data links is a project called MUSCULAR, operated jointly with the agency’s British counterpart, GCHQ. From undisclosed interception points, the NSA and GCHQ are copying entire data flows across fiber-optic cables that carry information between the data centers of the Silicon Valley giants.

The infiltration is especially striking because the NSA, under a separate program known as PRISM, has front-door access to Google and Yahoo user accounts through a court-approved process. The MUSCULAR project appears to be an unusually aggressive use of NSA tradecraft against flagship American companies.

I can’t print the whole thing, though I’d like to. Do click through. I can print the slide that goes with it though.

NSA slide showing penetration of The Cloud at Google


This is from Edward Snowden’s cache. It’s labeled “Google Cloud Exploitation.”

Note to Mr. & Ms. “I’m not a terrorist” America. Do you store anything on the Cloud? Anything you’d care not to have pawed through? Remember, it’s not just terror they’re looking for. Like most of the world, NSA contractors are looking for porn as well. Think they’re finding it? Think those private (curated) collections of theirs are making the rounds?

What makes this “legal”?

What makes this legal is that it takes place overseas, away from American laws and jurisdiction (or so they seem to think).

Intercepting communications overseas has clear advantages for the NSA, with looser restrictions and less oversight. NSA documents about the effort refer directly to “full take,” “bulk access” and “high volume” operations on Yahoo and Google networks. Such large-scale collection of Internet content would be illegal in the United States, but the operations take place overseas, where the NSA is allowed to presume that anyone using a foreign data link is a foreigner.

“Allowed to presume” has “permission to steal” written all over it. This is the State at work, in all its public-private glory. This is what “collect it all” means in practice. Think Obama will stop this? Think he wants to?

Welcome to the new normal.

What you can do

There are three very powerful things you can do:

1. Get yourself — and your company — off of the Cloud as soon as you go to work. I mean it. Anyone’s Cloud. There’s an excellent business reason for doing this.

The U.S. government is engaged in widespread industrial spying and information trading. As a wise man said (though not about NSA spying), if you’re not the customer, you’re the product.

2. Refuse to buy Google and Yahoo’s protestations of innocence and outrage.

Ask yourself this: If the revelations were never made public, and if Google or Yahoo were offered juicy government contracts as payback, what would they do — complain or go along?

Then ask this: If Google and Yahoo knew about this all along, would they admit the truth today, or lie?

They may be guilty or innocent. You will never know. But they are outraged. And what outrages them is the revelation and the damage to their brand. They spent millions creating the myth of the google, one of the good guys, your friendly chaperon to the future of your entertainment dreams — the google who loves you and wants you to be happy (as long as you pay at the counter).

But they don’t love you. At the very top (where most of the money goes), you’re just a source of loot, just like you’re a source of loot to Sheldon Adelson, despite how gorgeous The Venetian Hotel is. The Venetian is not a sign of anyone’s love for you, and neither is Android.

Google and Yahoo are not the good guys and they never were; they’re billionaire-controlled companies, just like GE, just like Lockheed, run by the rich for their own power and glory. (I’ll have more about the rich soon. They are not pretty people.)

3. Spread doubt about their innocence among every one of your friends. Why? The only way to punish them for acting as the vacuum cleaner for the NSA is to take away their business and their brand. Go for it. Let them prove their innocence, not be presumed to have it.

This stuff can be stopped, but it will take citizen action, citizen outrage, and a citizen-inflicted price for their behavior. The time for asking, or whining, is long past. You can make them pay that price, if you choose to. But you have to choose to.

UPDATE: Humorist Matt Filipowicz has a good “righteous rant” about this NSA-Google story on his podcast. I’ve embedded the full show below, but you can scrub to the NSA rant at 7:05. Nicely done:

Feel free to listen to the whole show. The first guest (at 14:30) is Maya Schenwar, executive director of Truthout, who discusses the story of her sister giving birth in prison.

The second guest (at 37:05) is Lee Fang, one of the best investigative reporters working today. He looks at for-hire academics carrying right-wing water by testifying (for pay) at congressional hearings. Amazing story. Enjoy.

GP

To follow or send links: @Gaius_Publius


Gaius Publius is a professional writer living on the West Coast of the United States. Click here for more. Follow him on Twitter @Gaius_Publius and Facebook.


  • https://www.youtube.com/watch?v=0ar-y810wS8 Nate

    Very well stated.

  • GaiusPublius

    If you’re new to this thread, or rereading comments, be sure to scan for comments by Myrddin. This stuff is his area of expertise. For example, here:

    http://americablog.com/2013/10/nsa-tapping-google-yahoo-servers-worldwide-per-snowden-docs.html#comment-1104481132

    There are quite a few of Myrddin’s comment sprinkled throughout and all are worth your attention.

    GP

  • Badgerite

    Well, if they did this particular part without even informing the companies involved or the FISA Court (which I can’t believe would have signed off on this: a presumption of foreign contact due to foreign location is only a presumption and once there is reason to know otherwise cannot justify collection or retention unless there was mingling with foreign communication in storage, and any American communication held in storage would still fall under the NSA and legal guidelines requiring an individual warrant once it is known you are dealing with an American or American company, and one would think a warrant would have had to have been served to the companies informing them of the collection) then that may be in the cards for sure. IF! But these are the people who found and killed Osama bin Laden and many of his henchmen. Not me. Not you. Certainly not Snowden or Greenwald. I have a proper regard. What’s more, any snooping they did was, as I understand it, part of Poindexter’s grand vision of an early warning system to find, through perusal of digital communications, a pattern of digital signals that always precede a terrorist strike. A precursor of sorts. Like keeping track of who buys large amounts of a chemical precursor for a bomb. By definition, it would have to involve large amounts of metadata. Unlike China, they are not interested in the actual communications so much as signs of a digital pattern that can forewarn of an attack. Now, his grand vision may very well be a load of crap. There are stories of graph points that add up to an incomprehensible ‘hairball’ as seen on a BAG (Big Ass Graph). But their purpose was and is terrorism. Not ‘porn’ or invasion of privacy or political control or a police state, etc., as is so breathlessly stated at this blog. If we were anywhere near a ‘police state’, most of the people commenting on this blog would have ‘disappeared’ by now. I appreciate actual information. I don’t appreciate stupid.

  • MyrddinWilt

    They backdoored one random number generator; the backdoor was spotted immediately, and almost nobody ever used it because it is very slow.

    There are some standards that they may have sabotaged successfully. The US government has obstructed changes to PKIX infrastructure claiming that they would require major changes on their part. But the civil industry just changed the standards making venue from IETF to CABForum and made the fixes regardless of the IETF requirements.

  • MyrddinWilt

    Naja,

    Protecting government data has been their responsibility since the agency was started. They wrote the colored books in the 80s. If their only goal was breaking stuff then the civil industry would have never had anything to do with them.

  • MyrddinWilt

    Alexander has been fired. Clapper has been fired (but this is not yet public). The careers of the top brass of the NSA have been ended.

    I have never seen a covert op where the top brass sacrifice their careers for a deception. And the idea that US generals would do that is just plain silly.

  • trinu

    Its resources are vast, but not unlimited. They’re humans, not gods (no matter how much Keith Alexander may fancy himself as a god), and thus, they’re subject to the same principles of mathematics and laws of physics as the rest of us. Notice even in the diagram, they’re not breaking the encryption, they’re finding places where the information is transmitted unencrypted.

  • http://www.americablog.com/ Naja pallida

    Protecting the federal government’s information systems wasn’t under their purview until 2008. Domestic spying has been going on longer than that. Before that, signals intelligence was their primary job.

    Their cryptographic expertise is entirely dependent on the amount of money they throw at it, and only limited by their focus – which seems to be quite narrowed on giving the whole nation colonoscopies right now. If they started running into encryption they couldn’t deal with on a regular basis, they’d automatically assume that was a sign of something they should know, and just allocate more money to decrypting it. We’re talking about an agency with basically no oversight, and basically unlimited resources to devour to accomplish its goals.

  • http://www.americablog.com/ Naja pallida

    It’s not really that the data itself was compromised, that’s a huge technological hurdle that I know is the sort of thing that is generally never jumped until it is commercially necessary… but it’s that they want to claim they didn’t know it was happening, or that they couldn’t do anything about it. It seems highly unlikely that they couldn’t have known someone was intercepting ridiculous amounts of data from their networks. So that really only leaves three options: Either they’re incompetent, and have no idea what’s going on with their own bandwidth and data storage. Or they were complicit, and actively helped the NSA not only access the data, but also kept that they were doing it a secret. Or they were forced to do it against their will, and yet didn’t feel any responsibility to protect the data of their customers, or find a way to warn them to protect themselves. No matter which answer is the case, it should give their customers a significant pause.

  • MyrddinWilt

    No, that is wrong.

    The NSA’s primary job was to protect the US government information systems from foreign attack.

    They have completely failed in that mission, in fact they have forgotten that was their mission. They failed to learn any lessons from the Bradley Manning disclosures and allowed a 29-year-old with a low-ranking security clearance access to their crown jewels.

    As for their cryptanalysis skills, we don’t have any evidence that they can break any current algorithms other than RC4 and possibly SHA1 which are both considered to be unacceptably weak at this point. The attacks are almost certainly through key manipulation of some sort.

    They might be able to break 1024 bit RSA but they certainly can’t do that without some cost. If we switch to using ephemeral Diffie Hellman on every communication we can probably increase their work factor by four or five orders of magnitude. Instead of one key per site, one key per communication.

  • Badgerite

    Ok. As some people seem to think.

  • MyrddinWilt

    This does not appear to be the case. The reason I am not blogging at the moment is that I am up to my eyeballs in NSA generated crap. I have been making my comments very public, including calling for Alexander and Clapper to be fired before that was fashionable.

    It is clear that at least some of the claims being made in the documents are untrue in any meaningful sense. Yes they did manage to compromise a NIST random number generator specification. But that particular attempt was spotted by Niels Ferguson back in 2006 and Bruce Schneier blogged about it at the time (they wrote a book together).

    RSA is not an NSA standard and back in the day they spent a lot of time and effort trying to stop it getting out. There is quite definitely not an NSA backdoor in RSA. It is possible that they have broken the algorithm, but that would be another issue completely. The area where we are now worried is in a scheme called elliptic curve cryptography and there is a possibility that they might have played with the standard curves. So we are going to have to dump half the curves we use.

    AES was the winner of a NIST competition, but it is not an NSA design and the NIST version of AES has not been weakened as some have claimed. It is a symmetric cipher and so if there is a backdoor it uses a mathematical technique completely unknown in the public art and quite possibly requires a whole branch of mathematics that is known only to the NSA.

  • MyrddinWilt

    The links between the data centers are very very high speed. Until recently there was no crypto hardware that could keep up. Not for any price.

    It is also not clear what the data being intercepted was or which feeds inside Google are encrypted.

    Google announced that they were encrypting the links several months ago when the PRISM news hit. More importantly, Cisco is now on notice that its fastest routers have to have link encryption at the highest speeds. That is now going to have to be baked into the silicon to make the sale.

    There are many moving parts here and it is important not to get hung up in what Bruce Schneier calls the NSA shell game of acronyms. PRISM turns out to have been a pretty small-scale program that involved placing warranted intercepts. We know that because the budget is too small to have been anything else. There was a big problem in PRISM: the military has no business doing civil law enforcement. But it appears to have been legal. Tapping the links between Google’s foreign data centers is a far bigger deal.

    There is a lot more going to be coming out. Greenwald isn’t done yet.

  • http://adgitadiaries.com/ karmanot

    yep

  • ezpz

    Two words: Michael Hastings

  • http://www.rebeccamorn.com/mind BeccaM

    I think no such thing.

  • http://www.americablog.com/ Naja pallida

    Seems to me that any protest of innocence from Google, Microsoft or Yahoo, that they had no idea the NSA was intruding upon their servers, is tantamount to an admission of incompetence. Their entire business model is predicated upon the premise that they offer data integrity and security. If they can’t guarantee that, then they’re completely useless to anyone who cares about their personal information.

  • Badgerite

    You know, there are people with bad intentions in the world. And they don’t all reside in the NSA as you seem to think.

  • Indigo

    That could happen again but I was hoping it wouldn’t surface so soon. The Church would welcome either system, of course, as long as freedom of choice becomes a moot point. Feudalism would have the advantage of justifying private wealth acquired through the misery of the many while classic fascism targets a small group to repress for the mediocre comfort of the many. If I’ve got that right?

  • Badgerite

    It’s a scenario. God knows Snowden sure got away with a boatload of shit.
    But I have seen this movie before. It is a slide. And what does the slide mean? Is it a proposal? In existence now? It doesn’t really tell me anything except that that may be something they are doing or simply something they considered. I would want more documentation than a ‘slide’. And I would want more detail as to how this would impact American citizens and businesses. I also don’t know that American communications that pass through the cloud, even if the cloud is overseas, are beyond the protections of the Fourth Amendment, as he states. If they are not actively seeking to communicate with a foreign person or power, then I don’t believe it would be, just because the information would be stored abroad. There is no communication. Google is an American company and an American citizen using their cloud service is not communicating with a foreign power or person just because their cloud service stores the information abroad. Plus I would want to hear the NSA’s side of it first and the opinions of independent and impartial tech people.
    Additionally, I am a little tired of the ‘sky is falling’, hysterical, ‘we live in a police state’ tone. Because we manifestly do not live in a police state and I don’t think we are anywhere near it.
    He brought up the porn. I didn’t. Yes, that was an abuse. But it was not the worst abuse I have ever heard of. The real affront is that they were doing this to service people. On the other hand, I can’t think of too much more boring than doing what these analysts have to do. I’m sure most of the work they do leads nowhere or to dead ends. In that context I don’t believe that their actions involve someone who wants to harm someone and feels they have the power so why not. I think it is more like, I’m bored and who’s gonna know and it won’t really harm anyone, etc. I’m not excusing it. I’m saying I don’t think it will lead to a police state or the people eavesdropped on actually suffering from it. Especially so, since (I might be wrong, but it is my impression) this probably went on during the Bush years when there was less oversight.

  • http://adgitadiaries.com/ karmanot

    The exception to the rule would be classic fascism.

  • jomicur

    Our government regards its own citizens–all of them–as potential enemies. Why would anyone else on the planet be regarded in a friendlier way?

  • http://www.rebeccamorn.com/mind BeccaM

    …all but the most sophisticated military-grade encryption.

    Which they’ve ensured remains out of the hands of civilians, of course.

  • http://www.americablog.com/ Naja pallida

    Not that I would ever want to defend Beck’s lunacy, but he’s not entirely wrong about OnStar. It can technically be used to disable any vehicle equipped with it, at any time. It can also be used to eavesdrop on any conversation in the car. As well, they keep extensive records of the GPS, so could technically tell law enforcement (or anyone they decide to sell the information to) everywhere that car has traveled. They have also admitted they can do any of this stuff, even if you choose to cancel the paid service. It’s crazy stuff that by only a small miracle hasn’t been thoroughly abused thus far.

  • http://poodyheads.wordpress.com/ zorbear

    Absolutely…
    :-|

  • nicho

    They already know how to do that. They can even make it look like a plane crash or an auto accident.

  • http://www.americablog.com/ Naja pallida

    That’s the difference between dumping billions of dollars into the NSA, and going for the lowest bidder to set up the ACA website. Imagine how awesome health care reform could be if we reversed their priority in our discourse, along with their funding.

  • http://www.americablog.com/ Naja pallida

    The NSA’s primary job (before they decided that knowing everyone’s porn preferences was important) was cryptanalysis. There is no reason at all to assume that they can’t easily decrypt all but the most sophisticated military-grade encryption.

  • trinu

    My understanding of it is that they backdoored the elliptic curve random number generator (and forced the NIST to endorse it), not AES, in which case the solution is to use a different random number generator. I don’t know about their abilities to break RSA but I would guess that they may be close to being able to break 1024-bit RSA, but not 4096-bit (I have no idea about 2048-bit). In any event, if you don’t trust AES you could use Camellia instead. With that said I’ve never understood the buzz behind cloud computing. They’ve been trying to get us to believe that running software on someone else’s server as opposed to our own computer is somehow an advantage.

  • http://www.rebeccamorn.com/mind BeccaM

    Yep. We humans are fallible and prone to corruption, especially when there’s no accountability.

  • http://www.rebeccamorn.com/mind BeccaM

    We think properly implemented encryption can stop the NSA from accessing content.

    But, as it turns out, they’ve had a hand in crippling NIST, RSA, and AES standards, and apparently compromised the Key Provisioning Service.

    I mean, you can encrypt all you like, but if they have a backdoor to your computer, they can just read anything they like before you encrypt it. Or capture the keys and hashes you’re using.

    For the last decade, the NSA has apparently been doing everything in its power to ensure there is no such thing as ‘properly implemented encryption.’

  • milli2

    I remember catching a segment of Glenn Beck on the radio one day – he was railing against the OnStar technology that allows police to slow down your vehicle when it’s stolen, etc. Immediately after that rant, he goes seamlessly into a plug for a cloud-based storage company. If only OnStar advertised with him, he’d have been fine with it.

  • trinu

    In a worst case scenario, access to your medical records would tell them all they need to know about how to kill dissidents and make it look like natural causes.

  • trinu

    The priorities of course are the love interests and romantic rivals of NSA/GCHQ employees.

  • http://www.rebeccamorn.com/mind BeccaM

    Power once acquired is never given away willingly.

  • http://www.rebeccamorn.com/mind BeccaM

    It’s a question of priorities, of course. We’ve long since crossed the Rubicon where the acquisition and consolidation of power has taken priority over the well-being of the citizenry.

    And, judging from world reactions, over diplomatic sense. I mean, it’s one thing to pay attention to what world leaders are saying. It’s another bone-headed move entirely to spy on them as if every one of them is an enemy.

  • trinu

    Perhaps I’m nitpicking, but properly implemented encryption can stop even the NSA from accessing the content, but the two major weaknesses are: the average person doesn’t know how to properly use encryption, and even if you do encrypt it you can only hide some, not all of the metadata.
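
The configurations argued over in this thread, as an added example that is none of the post’s, the commenters’, Google’s or the NSA’s code: MyrddinWilt’s point that ephemeral Diffie-Hellman turns one key per site into one key per communication and that the inter-data-center links were not encrypted, trinu’s observation that the slide shows data being taken where it travels unencrypted rather than any cipher being broken, and trinu’s caveat just above that encryption hides content but not all of the metadata. It models a link between two data centers as a list of frames that a passive tap copies in full, replicates the same constructed mailbox records three ways, and asks what the tap gets in each case, including after the long-lived site key is later obtained. The Link and tap names, the records and SITE_KEY are all invented for the example; the cipher is an HMAC-SHA256 counter keystream with encrypt-then-MAC, chosen only so the example runs on the Python standard library (in practice use AES-GCM or ChaCha20-Poly1305); the DH group is the 2048-bit MODP group 14 from RFC 3526, and the handshake is authenticated with a pre-shared key rather than certificates.

```python
"""Model of a passive tap on a link between two data centres, in three modes:
plaintext replication, one long-lived site key, and per-session ephemeral
Diffie-Hellman. Added example; names, keys and records are all constructed."""
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14), generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
        "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
        "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2

def kdf(secret: int, label: bytes) -> bytes:
    """Derive a 32-byte subkey from an integer secret (HMAC-SHA256 as the PRF)."""
    return hmac.new(secret.to_bytes(256, "big"), label, hashlib.sha256).digest()

def _stream(k_enc: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-GCM)."""
    return b"".join(hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(secret: int, msg: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(kdf(secret, b"enc"), nonce, len(msg))))
    return nonce + ct + hmac.new(kdf(secret, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(secret: int, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kdf(secret, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(kdf(secret, b"enc"), nonce, len(ct))))

class Link:
    """Fibre between two data centres; a passive tap copies every frame verbatim."""
    def __init__(self):
        self.frames = []  # (src, dst, payload), exactly what the tap sees
    def send(self, src: str, dst: str, payload: bytes) -> None:
        self.frames.append((src, dst, payload))

RECORDS = [b"From: alice@example.com\nTo: bob@example.com\nSubject: Q3 numbers",
           b"From: carol@example.com\nTo: alice@example.com\nSubject: lunch?",
           b"From: dave@example.com\nTo: erin@example.com\nSubject: invoice 4471"]
SITE_KEY = secrets.randbits(256)  # "one key per site": long-lived, held by both ends

def replicate_plaintext(link: Link) -> None:
    for rec in RECORDS:
        link.send("dc-a", "dc-b", rec)

def replicate_site_key(link: Link) -> None:
    for rec in RECORDS:
        link.send("dc-a", "dc-b", seal(SITE_KEY, rec))

def replicate_ephemeral(link: Link) -> None:
    """One key per communication; SITE_KEY only authenticates the handshake."""
    for rec in RECORDS:
        x, y = secrets.randbits(256) + 1, secrets.randbits(256) + 1
        gx, gy = pow(G, x, P).to_bytes(256, "big"), pow(G, y, P).to_bytes(256, "big")
        auth = hmac.new(kdf(SITE_KEY, b"auth"), gx + gy, hashlib.sha256).digest()
        link.send("dc-a", "dc-b", gx)
        link.send("dc-b", "dc-a", gy + auth)
        session = pow(int.from_bytes(gy, "big"), x, P)           # dc-a's view
        assert session == pow(int.from_bytes(gx, "big"), y, P)  # dc-b agrees
        link.send("dc-a", "dc-b", seal(session, rec))            # x, y never stored

def tap_search(link: Link, needle: bytes) -> list:
    """'Full take' as the slides put it: copy everything, then grep the copy."""
    return [p for _, _, p in link.frames if needle in p]

def tap_decrypt_with(link: Link, secret: int) -> list:
    """What a collector recovers from its archive once a long-lived key leaks."""
    out = []
    for _, _, p in link.frames:
        try:
            out.append(unseal(secret, p))
        except ValueError:
            pass
    return out

def tap_metadata(link: Link) -> list:
    """Encryption hides content, not endpoints, sizes or message counts."""
    return [(s, d, len(p)) for s, d, p in link.frames]

def demo() -> dict:
    plain, site, eph = Link(), Link(), Link()
    replicate_plaintext(plain)
    replicate_site_key(site)
    replicate_ephemeral(eph)
    return {"plain_tap_hits": len(tap_search(plain, b"alice@")),           # 2
            "site_key_tap_hits": len(tap_search(site, b"alice@")),         # 0
            "site_key_after_leak": len(tap_decrypt_with(site, SITE_KEY)),  # 3
            "ephemeral_after_leak": len(tap_decrypt_with(eph, SITE_KEY)),  # 0
            "ephemeral_frames_seen": len(tap_metadata(eph))}               # 9
```

Calling demo() shows the three outcomes side by side: the plaintext link gives up the two records containing alice@ to a plain substring search; the site-key link gives up nothing until SITE_KEY is obtained, at which point every archived record opens, since one key covered the whole site; the ephemeral link still gives up nothing after the same leak, because each record’s key depends on an x or y that was never stored, leaving the collector a discrete logarithm to solve per record rather than one key to steal. The last counter is the caveat: the tap still sees nine frames with their endpoints and sizes, which is the metadata that encryption of the link does not hide.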

  • http://www.rebeccamorn.com/mind BeccaM

    I think the point is the usual ‘pro-surveillance’ arguments presume heavily that the people doing it are 100% incorruptible and professional. That they’d never browse through your ‘naughty’ photos just for shits and giggles, wouldn’t share them around the office.

    But they did exactly this, except instead of photos, it was phone calls. From our servicemen and -women overseas, looking to do a little phone-nooky with their lovers, wives, or husbands.

    The huge confusion in all this is this idea “they will only riffle through my online stuff and activities if I’m a ‘target.’” These panty-sniffers have already proven that once they have the power to look at anything, anywhere — they will. Just because they can. Because doing so is a heady rush of power and authority that not all can resist.

    As for the business angle, let’s suppose you have sensitive intellectual property docs stored on a Cloud service. You think because you’ve encrypted them, they’re safe. Nope — the NSA can crack ‘em wide open, and look here, there’s an under-vetted sub-contractor analyst going through a messy, expensive divorce…and this fellow with the Cantonese accent who claims to be from Pasadena has said he’ll pay a boatload of money just for a chance to see those specifications.

    This all isn’t a question of being arrested for porn. It’s about spying for spying’s sake and the utter abrogation of any right to privacy or freedom from unreasonable searches. Added to the fact that power corrupts — it always has and always will.

  • nicho

    They have the ability to spy on everyone everywhere (for our protection, of course), but they couldn’t keep track of a couple of douchebag amateurs who were repeatedly pointed out to them and who ended up blowing up a couple of hundred people in Boston.

  • nicho

    The DHS “needs” to know when you open a bank account or take out a mortgage. Why not healthcare too?

  • jomicur

    The old saw about “sauce for the goose” springs to mind.

  • Badgerite

    “They are looking for Porn”? Seriously! And why is the Department of Defense looking for porn? I’m just curious as to your answer. So these programs are all about catching people who are watching porn? That is your explanation of the world and the NSA?
    Have they arrested you yet? No? Gee, I wonder why not? Aren’t you the kind of person they would target? And yet there you are, on the internet, attacking the NSA, etc., and no one is showing up at your door. Interesting.

  • ezpz

    Somewhat related, does anyone know why the Dept of Homeland Security needs access to our info when we apply for healthcare? I was reminded of this by the Sebelius hearings yesterday; when you apply, the healthcare dot gov website has to communicate everything to HHS, CMS, insurance companies, and the Dept of Homeland Security! Why? (not a rhetorical question)

  • http://blogvader.tumblr.com/ Blogvader

    The ironic thing is that both Yahoo and Google have been complicit in turning over records to the government on peoples’ use of websites, and now they’re offended that they themselves are being spied on?

  • jomicur

    So let me get this straight. The United States government has the technical expertise to spy on, in essence, everyone on the planet, but they lack the ability to create a functional website for providing healthcare to the American people. Have I got that right? I know it’s a vain hope that Barry might ever drop all this surveillance rubbish in favor of actually helping ordinary American citizens, but it is a nice thought. I can dream, can’t I?

  • http://heimaey.us/ heimaey

    I agree. This is no shock at all. One fell swoop of the pen and away went our freedom and our rights. It’s unfortunate that Obama extended this.

  • Bill_Perdue

    Feudal system is probably correct for what they want. Jack London’s The Iron Heel and Sinclair Lewis’s It Can’t Happen Here are two major dystopian novels that give the Koch Brothers wet dreams.

  • Indigo

    I can’t speak for everyone but I expected this as soon as the Patriot Act was passed. It reverses everything including the Magna Carta along with our venerable but vulnerable Masonic Constitution.

  • Indigo

    Realistically, you can’t establish a feudal system without disenfranchising the social support system. As I pointed out earlier, an industrial-military complex does whatever it takes to remain in power.

  • Indigo

    Oops! I was day-dreaming. My bad! :-)

  • nicho

    Probably Cuba. Right now, it’s more democratic than the US.

  • http://heimaey.us/ heimaey

    What did everyone suspect would happen with the patriot act?

  • Bill_Perdue

    Exactly correct. Google and Yahoo are not the aggrieved parties in this case. They’re accomplices.

    The Obama regime, in spite of the denials of its supporters, is putting the finishing touches on the creation of a police state based on torture (Chelsea Manning), the abrogation of the Bill of Rights (NDAA, FISA, Paytriot Act), massive internal spying, jailing without trial and extrajudicial government murders of citizens, including racist murders of people like Anwar al-Aulaqi, Samir Khan, ‘Abd al-Rahman Anwar al-Aulaqi and Jude Mohammed without benefit of a trial.

    All this is occurring at a time when Social Security and Medicare are in the initial stages of being dismantled, when working people, our unions and our standard of living are being looted to make the rich richer and when harsh austerity measures of all kinds are on the table.

  • Bill_Perdue

    What functional democracy are you referring to.

  • Indigo

    Seriously? People store their porn collection in the Cloud? Oh, my! What are they thinking? Gaud invented external hard drives and flash drives for that sort of thing as well as for that cache of interesting .doc and .pdf formatted white papers.

    At the sober level, though, what else should we expect from the industrial-military complex as it struggles to keep itself independent of a functional democracy of peacemakers?


© 2014 AMERICAblog News. All rights reserved.