[david_mitchell]

> Tellingly, Google's security efforts were also a top-down reaction to a major security incident.

What was that? All I can think of is when the chinese stole their source code but the response to that would presumably be more about managing who has access to what internally than improving the security of their user facing products.

edit: to be clear I'm thinking of the time they had code stolen by a chinese employee in their china office, presumably on request of the govt.

[mtgx]

Yes, I think that was the first event that pushed Google to focus much more on security. The second one was of course in the summer of Snowden, when Google found out NSA had full access to its network. Since then it has taken quite a few measures to improve security and now it treats its own network as the "untrusted Internet".

https://www.usenix.org/conference/lisa13/enterprise-architec...

Unfortunately, other than the default full disk encryption it's pushing on Android 6+ devices, I'm not really seeing Google push client-side encryption anymore. I wonder if it even wants the E2E email extension to be fully developed anymore. And even though it should be quite trivial for Google to adopt Signal's text and voice encryption in Hangouts, I doubt it has any intention of ever doing that.

[tptacek]

Cite a source that demonstrates that NSA had full access to Google's network, please.

[paganel]

Not the OP, but stuff like this showed up all over the Intenet just after news of the Snowden leak (http://www.theverge.com/2013/6/6/4403868/nsa-fbi-mine-data-a...):

> The US National Security Agency and Federal Bureau of Investigation have been harvesting data such as audio, video, photographs, emails, and documents from the internal servers of nine major technology companies, according to a leaked 41-slide security presentation obtained by The Washington Post and The Guardian.

Google is in that list. Granted, this did not demonstrate full access to all of Google's internal communications, but the category of "audio, video, photographs, emails, and documents" is broad and damaging enough that it doesn't really matter if NSA had full access or not.

And yes, I know that Google and all the other major companies vigorously denied any back doors, but as people were saying at the time on this very forum they didn't have any other realistic or legal choices. The President of the United States himself was saying things like: "You can't have 100% security, and also then have 100% privacy and zero inconvenience", which, if you were a smart enough CEO, was a very good hint about what to do and say in the heat of the moment.

[GauntletWizard]

[1] shows a full packet capture of a google-internal RPC transaction. As a xoogler familiar with the product in question, I can tell you that that packet had no business being on an external link; That was only sent datacenter to datacenter. I was in a conference war-room shortly after this dropped, and the universal reaction was "Fuck."

[1] http://apps.washingtonpost.com/g/page/world/what-yahoo-and-g...

[kyrra]

Not the GP, but [0]. The NSA didn't have access to all of Google's data. The NSA had reportedly tapped the inter-datacenter fiber (and that the data on those lines was unencrypted).

[0] http://arstechnica.com/tech-policy/2013/10/new-docs-show-nsa...

[tedunangst]

I generally agree with you about claims regarding full (root) access to Google's servers, but in this case it's a weaker claim about the network. One might quibble whether tapping without injection counts as full access, but that's a reasonable claim without too much hyperbole. Maybe the NSA didn't have hooks into every switch, but Google's network design also meant a lot of data was flowing beyond the boundaries of any one physical site.