latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic



On Fri, Nov 1, 2013 at 4:01 PM, Masataka Ohta <
mohta at necom830.hpcl.titech.ac.jp> wrote:

> Anthony Junk wrote:
>
> > It seems as if both Yahoo and Google assumed that since they were
> > private circuits that they didn't have to encrypt.
>
> According to Snowden, there are government agents at key
> positions for managing security.
>
> When they declare the private circuits are secure, no one
> else in the companies can argue against.
>
> Unless they are fired and all the backdoors installed by
> them are removed, neither Yahoo nor Google is secure.
>

This is probably not entirely true, however...

There is certainly enough in the Snowden docs to render this a valid
question, and there is enough to assume some truth to the statement.

Anyone familiar with secure organizations will realize this as the internal
witch hunt problem.  You now have serious reason to believe that you have
been compromised.  If security needs to be absolute, then the degree of
response needed to succeed at attaining that will require very serious
vetting of all the staff, of the nature of what national security
organizations do (background checks, polygraphs, detailed personal
histories, intrusive random monitoring of employee actions in and outside
the office, etc).

Most of "us" will not put up with that.  However, most of "us" also desire
reasonably secure services (both those of us who work for those services,
and those of us who use them).

The prior default setting was to assume there was nobody trying hard enough
to penetrate those services that the internal witch hunt degree of internal
security was necessary.  It was "reasonable" to hope that someone with
nation-state / superpower level resources was not actively Trying To Get
In.  Now that's not a safe assumption.

The NSA has just put the entire profession in a horrible bind.  By going
beyond the foggy-but-legally-documented FISA warrant activities into active
hostile actions against US providers we have to wonder about what degree of
paranoia is necessary.

Do we now just stick our heads back in the sand?  Identify key security
groups with override authority within our organizations, vet them and
monitor them like the CIA and NSA vet and monitor their employees?  Try to
establish that level of review of all our staffs?

Bruce Schneier has tiptoed around this some, but the thread from his blog
last week of "How do we know we can trust Bruce" is terrifying when we have
to consider applying that question to everyone on this list (and who should
be on this list).


-- 
-george william herbert
george.herbert at gmail.com