A couple days ago the new information had been revealed by Snowden and we learned that NSA was able to intercept un-encrypted traffic between Google, Yahoo, … data centers. Several Google engineers responded with “F..k NSA” comments. Guys, you’ve got it wrong!
First, let’s settle one important thing: I believe that NSA (or any other government agency) should be controlled, monitored and audited by us (the public) through our elected representatives. The recent disclosures by Snowden and others show that Congress failed to do their job either by approving NSA’s wide spread data collection programs or by demonstrating the in-ability to control NSA. We simply should vote them out in the next election.
The important thing to understand about this story is that the NSA “hack” became possible because of bad assumptions made by Google engineering and security teams about the safety of the link between Google’s data centers. It’s actually quite common for software engineers and computer security guys to downplay the risks associated with physical security. However, the bad guys will try every option including physical break in or coming into a Pilates class with a malware on a flash drive. Your security is only as strong as your weakest link and attackers will not be breaking a locked door if there is an open window on the side.
However, even bigger security issue with the Google’s decision to do not encrypt internal traffic is the total ignorance for the other attack vectors. If NSA was able to get to the traffic, then would Google employees be able to read this un-encrypted traffic as well? I bet it was possible. Given the Google’s size and the sensitivity of the information we share with Google (email, chat, …), it is hard to explain the ignorance shown by Google’s security guys. This is not a question of technology and the Google’s move to encrypt the traffic now shows that it is possible to do. It was a security failure at Google and NSA is only half-guilty here.
Now we can go back to the “F..k NSA” comments from Google engineers. Guys, you’ve got it wrong! Don’t blame the messenger. You’ve failed and you should admit that there is a problem that needs to be fixed. It could have been NSA who got your internal traffic, or a rogue employee, or just a criminal. Just shut up: you’ve failed and the best you can do is to learn from it.
Google itself is actually doing the right thing by implementing appropriate security measures to protect users’ data. The other great thing Google can do is to release to the public the security incident report that I am sure they prepared internally. This would allow everyone to better understand what went wrong and learn from it.
This post started as a discussion on HN.