nanog mailing list archives
Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic
From: "Mark Foster" <blakjak () blakjak net>
Date: Sat, 2 Nov 2013 07:44:07 +1300
On Sat, November 2, 2013 6:44 am, David Miller wrote:
> On 11/01/2013 01:08 PM, Gary Buhrmaster wrote:
>> On Fri, Nov 1, 2013 at 4:43 AM, Anthony Junk <anthonyrjunk () gmail com> wrote:
>>> ...
>>> It seems as if both Yahoo and Google assumed that since they were private circuits that they didn't have to encrypt.
>>
>> I actually cannot see them assuming that. Google and Yahoo engineers are smart, and tapping fibres has been well known for, well, "forever". I can see them making a business decision that the costs would be excessive to mitigate against tapping(*) that would be allowed under the laws in any event.
>>
>> Gary
>>
>> (*) "A" mitigation was to run the fibre through your own pressurised pipe which you monitored for loss of pressure, so that even a "hot tap" on the pipe itself would possibly be detected (and there are countermeasures to countermeasures to countermeasures of the various methods). And even then, you had to have someone walk the path from time to time to verify its integrity. And I am pretty sure there is even an NSA/DOD doc on the requirements/implementation to do those mitigations.
>
> Given what we now know about the breadth of the NSA operations, and the likelihood that this is still only the tip of the iceberg - would anyone still point to NSA guidance on avoiding monitoring with any sort of confidence?
>
> There has always been cognitive dissonance in the dual roles of the NSA:
> 1. The NSA monitors.
> 2. The NSA provides guidance on how to avoid being monitored.
>
> Conflict?
I don't think so. The folks who actually do it are the ones who are going to best know how to avoid it. Plenty of TV shows bear this out. :-)

I think that failure to encrypt inter-DC traffic that is on dark fibre is simply on the presumption that corporations are seeking to protect their links from the actions of 'unauthorised' people. The telco they're contracting presumably has some sort of privacy agreement with them. No-one else is supposed to be able to get on the wire. A risk assessment pre-Snowden probably didn't make the performance hits, costs, etc. of high-speed rateable encryption worthwhile - but the paradigm has shifted.

The government is using 'authorisation' to get access to that dark fibre link (presumably), and that authority is at the heart of the problem.

When reviewing your risk assessment around the presence (or not) of encryption on your inter-site links, also consider whether the methods of encryption available to the private sector haven't also been cracked by the NSA etc. They had the 'golden standard' for crypto, but one has to wonder whether that standard includes an undocumented backdoor...

Mark.
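The control the thread says was missing on the Google and Yahoo links, as an added example that is not part of the thread and not Google's, Yahoo's or any vendor's code: authenticated encryption of every frame on an inter-DC link with a pre-shared key, so a passive fibre tap captures only ciphertext, and a frame that is modified, spliced in, or replayed fails to open. The key, the 8-byte sequence header, the frame layout and the sample payload are all constructed for this example; real deployments get the same properties from MACsec or IPsec with proper key exchange rather than a static key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// newGCM builds an AES-GCM AEAD from a 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// nonce derives the 96-bit GCM nonce from the frame sequence number, so
// nonces never repeat under one key as long as the link rekeys before wrap.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// LinkEncryptor protects one direction of a hypothetical inter-DC link.
type LinkEncryptor struct {
	aead cipher.AEAD
	seq  uint64
}

func NewLinkEncryptor(key []byte) (*LinkEncryptor, error) {
	a, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &LinkEncryptor{aead: a}, nil
}

// Seal produces the wire frame: 8-byte sequence header || ciphertext || tag.
// The header is bound in as additional authenticated data, so a tap cannot
// alter the sequence number without invalidating the tag.
func (l *LinkEncryptor) Seal(plain []byte) ([]byte, error) {
	if l.seq == ^uint64(0) {
		return nil, errors.New("sequence space exhausted; rekey the link")
	}
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, l.seq)
	out := make([]byte, 8, 8+len(plain)+l.aead.Overhead())
	copy(out, hdr)
	out = l.aead.Seal(out, nonce(l.seq), plain, hdr)
	l.seq++
	return out, nil
}

// LinkDecryptor is the receiving side; it enforces strict in-order delivery
// so a replayed or re-injected frame is rejected even if its tag is valid.
type LinkDecryptor struct {
	aead cipher.AEAD
	next uint64
}

func NewLinkDecryptor(key []byte) (*LinkDecryptor, error) {
	a, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return &LinkDecryptor{aead: a}, nil
}

func (l *LinkDecryptor) Open(frame []byte) ([]byte, error) {
	if len(frame) < 8+l.aead.Overhead() {
		return nil, errors.New("frame too short")
	}
	hdr, body := frame[:8], frame[8:]
	seq := binary.BigEndian.Uint64(hdr)
	if seq != l.next {
		return nil, fmt.Errorf("unexpected sequence %d, want %d (replay or loss)", seq, l.next)
	}
	plain, err := l.aead.Open(nil, nonce(seq), body, hdr)
	if err != nil {
		return nil, errors.New("authentication failed: frame modified or spliced")
	}
	l.next++
	return plain, nil
}

// TapSeesPlaintext models a passive fibre tap: does the captured wire
// image contain the sensitive payload verbatim?
func TapSeesPlaintext(wire, secret []byte) bool {
	return bytes.Contains(wire, secret)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed PSK for the example only
	enc, _ := NewLinkEncryptor(key)
	dec, _ := NewLinkDecryptor(key)
	payload := []byte("user=alice mail-sync batch 7") // constructed inter-DC payload
	frame, _ := enc.Seal(payload)
	fmt.Println("tap sees plaintext:", TapSeesPlaintext(frame, payload))
	if _, err := dec.Open(frame); err == nil {
		fmt.Println("genuine frame accepted")
	}
	tampered, _ := enc.Seal(payload)
	tampered[20] ^= 0x01 // an active tap flips one ciphertext bit
	_, err := dec.Open(tampered)
	fmt.Println("tampered frame:", err)
}
```

The sequence header doubles as the nonce source and as the replay check; the thing to watch in a real link encryptor is the same as here, namely that the counter never repeats under one key, which is why MACsec and IPsec both rekey well before exhausting it.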
Current thread:
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic, (continued)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Michael Still (Oct 31)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Jimmy Hess (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Randy Bush (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Jorge Amodio (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Michael Still (Oct 31)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Niels Bakker (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic George Herbert (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Gary Buhrmaster (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic David Miller (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic berry (Nov 01)
- Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic Mark Foster (Nov 01)