Google engineers rage at NSA

Summary: Google cryptography engineers explain their anger at the NSA for violating security systems they built to stop criminals.

Google engineers are taking to their Google+ pages to vent their fury at the NSA for violating their back-end security systems.

It started with Brandon Downey who dropped an F-bomb on the agency shortly after the Washington Post reported on how the NSA had tapped into the internal traffic between Google's data centers.

Downey was joined yesterday by Mike Hearn. Hearn says he worked for over two years on the system that the NSA subverted.

A Google blog on that system, written by Hearn in February of this year, explains how spammers had begun to hijack Google accounts in order to send spam from them, increasing the odds that the spam would get through filters. The system he describes is called "risk-based authentication" in some security circles:

Every time you sign in to Google, whether via your web browser once a month or an email program that checks for new mail every five minutes, our system performs a complex risk analysis to determine how likely it is that the sign-in really comes from you. In fact, there are more than 120 variables that can factor into how a decision is made.

If a sign-in is deemed suspicious or risky for some reason—maybe it’s coming from a country oceans away from your last sign-in—we ask some simple questions about your account. For example, we may ask for the phone number associated with your account, or for the answer to your security question. These questions are normally hard for a hijacker to solve, but are easy for the real owner. Using security measures like these, we've dramatically reduced the number of compromised accounts by 99.7 percent since the peak of these hijacking attempts in 2011.

And indeed, an accompanying graph of legitimate accounts blocked for spamming over time shows that the number dropped to near-zero early in 2012.

The NSA broke into this system by tapping the connections between Google data centers. Because that traffic was considered internal to Google, it was unencrypted, even though it passed through public facilities. The traffic is now all encrypted, blocking off this particular avenue of attack.

You can tell from these posts and from others, like Justin Schuh's, that these guys aren't Tea Party or Occupy types. They really do want to make systems that secure users and cooperate, through proper procedure, with law enforcement. They know that there's a lot of real crime committed on their systems and they need to fight it. The NSA's subterfuge makes this job harder.


About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
