I'm sure the auditing and control is more than enough to stop your average creeper employee from reading normal people's inboxes, but I very much doubt that it's enough to stop a very smart, very determined spy from doing the same. At the end of the day, someone has root, and that guy can do pretty much anything.
I'm confident that Google is doing a better job than pretty much anyone else, but this problem is a more or less unsolvable one.
Edited to add that another interesting idea is that the people who man the DC's are actually pretty sparse (relatively few people for a lot of servers) so it's not inconceivable that one could trigger a failure on an important box, take down a replica of the figure's mailbox, swap out the drive for RMA and then do a quick copy. I bet this would be easy.
I guess my point is that no level of internal controls at any company can actually stop a determined government. If that were true, governments, which are much more paranoid than tech companies, would have eradicated spying a long time ago.
> At the end of the day, someone has root, and that guy can do pretty much anything.
I do not disagree with your overall assessment, but this is not strictly true. Most good real-world security schemes don't follow the 'root is God'-model of Unix, and for good reason. It's perfectly possible to design a system where each operation performed by a "superuser" must be validated, or at least logged.
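As an added illustration of the point above (not code from anyone in the thread), here is a small privileged-access broker in which a "superuser" cannot read a mailbox on their own authority: every read needs a second approver, and every attempt, granted or denied, is written to a hash-chained audit log so that a later edit or deletion of an entry is detectable. The operator, approver and mailbox names are constructed.

```python
"""Added example: dual-control mailbox access with a tamper-evident audit log.
Constructed names and data; not the design of any real provider."""
import hashlib
import json


class DualControlMailboxBroker:
    def __init__(self, mailboxes):
        self.mailboxes = mailboxes      # constructed sample data: {address: [messages]}
        self.log = []                   # append-only audit entries
        self.prev_hash = "0" * 64       # anchor for the hash chain

    def _record(self, entry):
        # Each entry commits to the previous entry's hash, so removing or
        # editing any earlier entry breaks the chain for everything after it.
        entry["prev"] = self.prev_hash
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.prev_hash = entry["hash"]
        self.log.append(entry)

    def read_mailbox(self, operator, approver, mailbox, reason):
        entry = {"op": operator, "approver": approver,
                 "mailbox": mailbox, "reason": reason}
        # Two-person rule: no approver, or approving your own request, is denied,
        # and the denied attempt is still logged.
        if approver is None or approver == operator:
            entry["result"] = "denied"
            self._record(entry)
            raise PermissionError("second approver required")
        entry["result"] = "granted"
        self._record(entry)
        return self.mailboxes[mailbox]

    def verify_log(self):
        # Recompute the chain; any mismatch means the log was altered.
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(
                json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True
```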
Do you have details of China's hack that show Google as being stupid in security, or does being compromised by a nation famous for hacking prove incompetence? Seriously, with the amount of value stored inside Google's computers, it seems like they are doing a pretty good job with their security systems.
Well, not properly securing the system that US law enforcement used to legally get info from Google - that should have been locked down properly with hardware crypto gear so that it could only talk one way to approved systems in the FBI, or better still via an air gap.
It's blindingly obvious to anyone with even a basic knowledge of computer security best practice.
Can you be more specific? From your post I am assuming that China hacked into Google by using a direct line the FBI has into Google's servers. Even assuming such a link exists (which I do not), 'hardware crypto gear' is still a long way away from a completely secure system. And it seems like an air gap would also inhibit the intended functionality of the system.
Security is hard, and it is even harder when any device on the internet is intended to be able to work with the system, and it is even harder when you operate one of the most valuable networks in the world.
And systems used by your TLAs to handle law enforcement access are not available to "any device on the internet".
As I said, they should be set up to only talk over a private circuit to one other end point and also have proper hardware crypto gear that is external to the systems.
Separating the extraction of data and applying the decoding probably should have been done on separate systems.
Google has a massively distributed global storage infrastructure. Pulling one hard drive would get you a millionth of a million people's gmail accounts, along with a sea of other unrelated crap.