Google security engineer on NSA: "Fuck these guys"

In a heartfelt and personal blog post, Google security engineer Brandon Downey discusses his feelings on the discovery that the NSA had tapped Google's private fiber links. In three words: "Fuck these guys." But you should read the rest, too.

Fuck these guys.

I've spent the last ten years of my life trying to keep Google's users safe and secure from the many diverse threats Google faces.

I've seen armies of machines DOS-ing Google. I've seen worms DOS'ing Google to find vulnerabilities in other people's software. I've seen criminal gangs figure out malware. I've seen spyware masquerading as toolbars so thick it breaks computers because it interferes with the other spyware.

I've even seen oppressive governments use state sponsored hacking to target dissidents.

But even though we suspected this was happening, it still makes me terribly sad. It makes me sad because I believe in America. Not in that flag-waving bullshit we've-got-our-big-trucks-and-bigger-tanks sort of way, but in the way that you can look at a good friend who has a lot of flaws, but every time you meet him, you think, "That guy still has some good ideas going on".

  1. Even better (and more interesting) is this response from Downey's Google security colleague Mike Hearn. He reiterates "fuck these guys," and, well, here's the money quote:

    Nobody at GCHQ or the NSA will ever stand before a judge and answer for this industrial-scale subversion of the judicial process. In the absence of working law enforcement, we therefore do what internet engineers have always done - build more secure software. The traffic shown in the slides below is now all encrypted and the work the NSA/GCHQ staff did on understanding it, ruined.

    Thank you, Edward Snowden.

    So, is Google finally growing a spine?

  2. Google is hardly innocent of the heavy NSA surveillance, though. They're nagging people to log in with their Google Accounts, in the Google Accounts they're nagging people to give up their real name and phone number, and they're logging any and all interactions and apparently keeping the logs forever, as the Petraeus case showed.

    Google is building an infrastructure that can be used to keep a detailed track of the movements of millions of people (IP address, name, search term, confidential services) and according to the Snowden files and what was revealed in the Petraeus case, they're gladly sharing these data with agencies, thus betraying the very users they're nagging to give up their real names and always be signed in to their Google Account.

    I recognize that building this surveillance infrastructure was probably not Brandon Downey's decision, but still, what would you expect? If you lie down with dogs, don't be surprised when you're bitten by fleas.

  3. teapot says:

    "innocent of the heavy NSA surveillance"

    You can be free from, but not innocent of other people surveilling you.

    There are fairly legitimate business reasons for the things you're saying are nefarious. They ask you to log in to their services because they want that sweet, sweet user behaviour data (they are an advertising company). You don't have to give your real name to any company on the internet. Fuck their EULAs and whatever: Nothing on the net (except eshopping) has my real name.

    You can choose to put in your number if you want (and almost certainly have to for some Android 2 factor auth functions) but in reality Google added that for user security because their gmail service was becoming a target for hacks (remember Palin getting her email broken into?). Reality is that if you're using any non-encrypted email service then the NSA or many other 3 letter acronym bodies can get copies of your email and there's a pretty good chance you emailed your phone number to someone at some point.

    "Google is building an infrastructure that can be used to keep a detailed track of the movements of millions of people (IP address, name, search term, confidential services)"

    As are a multitude of other companies. Credit card companies have been doing it for decades. Amazon has all those details PLUS your purchase history. Facebook are just evil turds who don't even deserve a mention.

    Define "gladly". If you mean they'll abide by the idiotic Patriot Act you're right. What about the cases where they refuse to hand over data (which happens on a daily basis)? How do those factor into your definition of "gladly"?

    People love to rail on Google because they're a big company and for many people they keep a hell of a lot of data on you. Thing is that they're also probably doing more to protect people's data than any other single company and, unlike Facebook, their updates usually improve default security, not degrade it. Also keep in mind that you don't have to use anything they make and if you personally find their behaviour unacceptable then don't use their free stuff. It's not hard.

  4. Well, let me be more precise then.

    The best way to avoid abuse of massive concentrations of sensitive data is not to build these concentrations in the first place. Nobody forces Google to build the very extensive logs they are keeping, and if they didn't build them they couldn't turn them over to the NSA. Google are complicit in building the Orwellian surveillance society, not just victims of it.

    Google's business model used to be to show ads to go with their search results. Now, it seems to increasingly be to invade their users' privacy in order to sell advertising. With Google+ and their new unified Google account and constant nagging I don't see their behaviour as any more ethical than Facebook's.

