Surveillance Backdoor Enabled Chinese Gmail Attack?
Major Blud writes "CNN is running an opinion piece on their front page from security technologist Bruce Schneier, in which he suggests that 'In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.' His article is short on sources, and the common belief is that a flaw in IE was the main attack method. Has this come up elsewhere? Schneier continues, 'Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.'"
His article is short on sources
Agreed so I visited his blog and a recent post is equally scant. He points back to another blog post with a little more but really he's just pointing out the irony of a new proposed bill outlawing Google's collaboration with China in violating human rights issues. The irony being that the US has asked for similar backdoors from Google already.
So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story without citing the originator of the information. This is fine when it's a big paper like the New York Times, but Schneier runs a blog on security. That's it. He might be a first-hand expert, but if so why isn't he showing and describing his conclusive evidence that the US-mandated backdoor is how Chinese hackers gained entry? There's no doubt the software is less secure with a backdoor -- by definition -- but when he says:
In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.
He better be able to back it up. And he reiterates:
China's hackers subverted the access system Google put in place to comply with U.S. intercept orders.
I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence. And on top of that, he has zero accountability. In fact, he says none of this on his blog, he leaves it as an op-ed on CNN. Read it like a strange click generating opinion piece and nothing more.
I have respect for the man but this certainly shakes that. Any concrete proof of this would be welcomed. The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with.
My work here is dung.
A back door to a hosted email service... and this fellow is an expert? Guess he was never an admin anywhere...
The whole telecommunications industry has been in bed with the government for years. Is it naive to think that data warehouses would be approached differently?
His article has zero citations supporting his assertion. He has provided only evidence that it is possible. I'm not saying he's wrong, but this article is pure garbage.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
It is not beyond belief that Google made certain concessions to the Chinese Government. Eventually, any concession to ANY government is going to bite the company and the user in the ass. Or, in the case of the Chinese, put a lethal 9mm sized hole in the head.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
The backdoor in question is likely only available on Google's internal network. If it's guarded by VPN, this is fairly secure. Of course, there are many ways to hack into a company's internal network, as the Chinese hack demonstrates. But the law enforcement interface isn't uniquely problematic in this regard. Once you're into the internal network, there are all types of things you can do.
The real problem here is pen register taps, and their application to email. The police can get as much "traffic analysis" information as they want without a warrant. This law enforcement interface was designed to allow easy access to this information, further invading our privacy through warrantless activities.
* All email header information other than the subject line, including the email addresses of the people to whom you send email, the email addresses of people that send to you, the time each email is sent or received, and the size of each email that is sent or received.
* Your IP (Internet Protocol) address and the IP address of other computers on the Internet that you exchange information with, with timestamp and size information.
* The communications ports and protocols used, which can be used to determine what types of communications you are sending using what types of applications.
From the EFF.
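The pen-register split the comment above describes, shown as an added illustration (this is not code from the thread or from the EFF page it quotes): which fields of an email message count as traffic data and which count as content. The field split, the helper names and the sample message are this example's own assumptions, written to match the quoted list: addressing fields, timestamps, message size and relay IP addresses are treated as pen-register data; the Subject line and body are content and are withheld.

```python
"""Pen-register scope for e-mail: traffic data versus content.

Added example, not from the thread or the EFF. The field split follows the
quoted list; the sample message below is constructed for this example."""
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Header fields treated as addressing metadata (non-content).
ADDRESS_FIELDS = ("To", "Cc", "Bcc")
# Matches the bracketed IPv4 literal MTAs put in Received: headers.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample, not a real message.
SAMPLE_MESSAGE = """\
Received: from mail.example.org ([192.0.2.10]) by mx.example.net; Mon, 18 Jan 2010 09:15:02 +0000
From: Alice <alice@example.org>
To: bob@example.net, carol@example.net
Cc: dave@example.com
Subject: Q1 budget - confidential
Date: Mon, 18 Jan 2010 09:15:00 +0000
Message-ID: <20100118091500.abc123@example.org>

Bob, the numbers are attached. Do not forward.
"""


def pen_register_view(raw):
    """Return only the traffic data a pen-register / trap-and-trace order covers.

    The Subject line and the body are deliberately never read here: under the
    reading quoted above they are content, not addressing information."""
    msg = message_from_string(raw)
    sender = [addr for _, addr in getaddresses(msg.get_all("From", []))]
    recipients = []
    for field in ADDRESS_FIELDS:
        recipients += [addr for _, addr in getaddresses(msg.get_all(field, []))]
    relay_ips = []
    for received in msg.get_all("Received", []):
        relay_ips += RECEIVED_IP.findall(received)
    return {
        "sender": sender[0] if sender else None,
        "recipients": recipients,
        "timestamp": parsedate_to_datetime(msg["Date"]).isoformat() if msg["Date"] else None,
        "size_bytes": len(raw.encode("utf-8")),
        "message_id": msg["Message-ID"],
        "relay_ips": relay_ips,
    }


def content_view(raw):
    """What a full content warrant adds on top of the pen-register record."""
    msg = message_from_string(raw)
    return {"subject": msg["Subject"], "body": msg.get_payload()}


if __name__ == "__main__":
    print(pen_register_view(SAMPLE_MESSAGE))
    print(content_view(SAMPLE_MESSAGE))
```

The point the record makes concrete: even with the subject and body withheld, the sender, every recipient, the timestamp, the size and the relay addresses are enough to reconstruct who talks to whom and when, which is exactly the "traffic analysis" the comment is worried about.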
Woops!
Wrong government.
Sorry.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
As long as you do not place restrictions on your executive branch, anything can be used to facilitate a police state. If a cop has unrestricted rights to search you, your days of privacy are over.
I want to delete my account but Slashdot doesn't allow it.
The facebook master password was "Chuck Norris"...what was google's ...Steven Seagal?
Bad civic hygiene? So what, companies are supposed to tell the government "no" on their own? It's the people's responsibility to push their representatives to keep these government mandates from happening in the first place, or replace those representatives with those who do what the fuck they're told by the people they represent.
It's the epitome of shameful laziness that we (the American citizens, that is) allow our 'representatives' to do what they please while throwing up our hands and saying, "oh, well, what can *I* do" then bitching about government regulations putting us in danger. With each new generation, we've become more and more complacent.
Stand up and take responsibility for your (our) government, you lazy fucks. ... and get off my lawn.
"And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state."
ORLY, Bruce? Bad civic hygiene - for sure. But surely you're aware that so-called Legal Interception (LI) facilities are there in basically all communications networks used by the masses. It's not like this Google "backdoor" is anything out of the ordinary.
And you say correctly that they are a bad thing. Although, they would not be that bad, were they used to remove corruption and organized crime. But corruption and organized crime go hand in hand with top-tier politics, and therefore have protection.
As it stands now, such systems will only be used to target politically annoying individuals and kill off any dissent against status quo (whatever it may be, choose your -ism).
All of us can already now be tracked every single day by the digital communications methods we use. It doesn't matter if you live in USA or Iran, the LI facilities are built-in. In light of that, your comment strikes me as very ignorant - you say it as if it's a new thing.
When I blogged about this the week before last, I was relying on an article in Computer World which talked about the intruders gaining access to "a system used to help Google comply with search warrants by providing data on Google users."
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence.
And how is he going to get the documentation now? Sue? The government steps in and claims state secrets, case dismissed. Ask Google for the documentation that admits they cooperated with a secret government program to spy on Americans? Bad for business and then they'd face federal criminal prosecution.
He probably has sources, but wants to protect them. Can't quote your sources, can't produce the docs, so the only option is to make the accusation and invite Google to sue him for defamation and tortious interference. He could still protect his sources and it would open Google up to discovery, something I'm sure the government isn't anxious to see happen.
We already know the telephone and cellular companies have found a way to monetize state surveillance by law enforcement, so they're not complaining. Who exactly is motivated to blab about any of this? And since Microsoft has decided to continue operating in China, one could also conclude they have back door systems as well and are more than willing to cooperate with both governments spying on their people. We assume for slightly different reasons, but how do we really know?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Seriously, it really does make a lot more sense. How could anyone at Google still be running IE 6?
--Greg (Now I just need to find something to make me feel better about our government)
ANY tech can be used to facilitate a police state.
Et tu, SpinBrush?
This is congruent with another report that mentioned Google put its Google China staff on paid leave and suspended their access after the incident:
http://www.guardian.co.uk/technology/2010/jan/18/china-google-cyber-attack
A lot of evidence points to Google treating it as an internal security leak. In the hacking, very likely some Google China employee was found to have leaked, and Google is conducting an internal audit of all its China employees. It seems Google has very good external security but is very vulnerable to inside information that facilitates the attack. And that explains Google management's fury, as it would be a moment as shocking for them as the "Cambridge Five" for the British government.
Firstly it would mean Google can no longer count on its Chinese employees' loyalty when it clashes with their loyalty to China, so if it wants to operate in China it has to continue with a tainted staff, though that should have been expected for any corporation operating in a foreign country.
Secondly it would mean there are serious security loopholes in Google's internal management, as it failed to implement a safety mechanism to check or limit inside attacks. If this is true, pile on the fact that Google is already facing increasing privacy scrutiny in the US and Europe, and it would be a heavy blow to Google's reputation as a whole, as it sends out the message that Google cannot be trusted with your data IN ANY COUNTRY.
In my opinion Google failed to take care of its own fences. However, as Google's genius lies in politicizing this incident, it completely shadows the question of Google's own internal security vulnerability, as evidenced by the blanket omitting of this question in most of the news reports I have seen. It became Good vs Evil in the news, and you cannot criticize Good ole Google without being grouped with the Evil Chinese Communists, can you?
That's quite a good question you have there. Should be interesting to see the rationization^H^H^H^H^H^H^H, sound reasoning behind that statement.
However, I agree with you.
I think that even for a guy who is so good at self marketing as Schneier this is a WAY too obvious attempt to grab publicity as well as sound off over his hobby topic. I'm not saying he's right or wrong (as I do not have access to facts on either side of the argument), I just think this is a diplomatic spat brought on by Google execs because they want to sell stock.
I would shut up until the politicians have stopped playing, but I think he's trying to ride the publicity, and it makes me wonder why. Is he about to sell BT stock? :-)
How come when I type "backdoor entry" into google, I don't get any sites related to this attack, just massive amounts of material on anal sex. It's a cover up I tell you!
Monstar L
Schneier is not primarily a 'blogger,' although that may be how we most frequently encounter him. As the publisher of the renowned book "Applied Cryptography," Schneier is a recognized domain expert in the field of security.
Therefore it is possible, even likely, that Schneier has directly received information pertinent to the attack. Someone assigned to the investigation may have phoned him up to consult his opinion, if nothing else. Given the progressive techno-legal opinion he wrote, I think it is just as possible that someone from the investigation 'leaked' information to Schneier about the use of the CALEA interface.
By the way, for those who doubt that there is a 'backdoor' to gmail, CALEA is a law which _mandates_ a law enforcement backdoor, either through manual procedures or through a computational interface. It sounds like Google has implemented a CALEA interface, and China used an IE6 vulnerability to hack first Google, then used the CALEA interface to monitor specific accounts.
The nice thing about using the CALEA interface is that I presume this would not give any clue to the monitored user that the account is being monitored. Logging in with the user's password, as a contrary example, updates the IP usage information displayed by gmail.
http://www.cato-at-liberty.org/2010/01/13/surveillance-secruity-and-the-google-breach/
Come on guys, just what do you expect from a "blogger"? He's not a real news reporter, he just states what's on his mind at the time. He works in security and is writing what's on his mind; that's what bloggers are/do. No proof necessary.
Jack of all trades,master of none
Google's stance on database security is poorly documented and certainly not open. I've yet to find comprehensive peer review of their architecture security (but then they are a for profit enterprise) and need not comply like Oracle, IBM DB2, MySQL?
Numerous opportunities exist in the chain of data that Google is slurping through to build in "back doors" either deliberately or by "accident" expose data.
Somehow they "parse" accounts for words, addresses, html code, etc., then use those datapoints to do statistical cross references to build the ads. That's elementary. However, since they parse EVERYTHING in the account, somehow the programmer(s) have to make design decisions on how to go about it. Is there one process per type of data? One that just looks for PDF code vs keywords? Is there one process per country with applicable rules for that country? Are the configuration tables for that process well protected and not able to be circumvented?
Google has to crack open each file, Adobe reported a breach so perhaps the attack vector was in the PDF parse/scrubber at Google.
It would be trivial "once inside the system" to set configs to just suck out everything instead of what that particular process ought to be looking for and tee the result over to some obscure process or table buried deep in the DB to retrieve it later by some query.
Once you found a marker to your target you'd just have to find the right DB keys they are associated with to get all the other data about them. Somehow every Google account has a primary or some other key that associates the data. No one is asking about low level DB security on this thread. Who exactly gets granted access to the primary and following keys and tables. Who has authority to restart processes? Are processes logged as to why they restarted with new values?
It's quite possible there is a way to view Google accounts outside a web interface, which is what normal people think of when they hear "back door". It's more sophisticated than viewing the raw dump. I suspect the intrusion proved the new horizon for security: that it is possible to "re-assemble" most if not all of the account from the database(s) if you've p0wnd the DB at a low level, without the need for a backdoor to the actual account nor to the Google foundational OS/netstack. The Chinese probably attacked and penetrated the DBs somehow.
I think this is the great oversight: it was not just that Gmail was hacked. It is broader to say Google Accounts; gmail points to web search, which is tied to Picasa, which is tied to Blogger, which is tied to youtube, etc....
All these have to be fortified at the DB level else any other measure of security is meaningless.
He is trying to raise the point that perhaps this is Google's fault, not Microsoft's. And I agree, but not for the same reasons. If Google was stupid enough to use Windows internally they deserved to be hacked. They should know better.
Even if we accept Schneier's source at his word, an "internal intercept" system which shows traffic on an account is NOT the same as a system which feeds all your details to the government. There's a difference between a system which Google employees can use to comply with government warrants (as required by CALEA) and a system directly accessible by government officials ala AT&T.
Still, if you think anything you send via email unencrypted anywhere in the Western world is safe from the US government (and, by extension, any government able to penetrate the US government), you're dreaming.
And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.
There aren't many technologies that haven't made centralized government easier.
The abacus. The Roman road.
The canal. The steam engine. The railroad. The telegraph.
The examples can be multiplied endlessly.
The geek builds these things. The state funds these things - directly or indirectly.
In the past, through land grants. Mail contracts.
Someone always finds a way to work around the liberal or conservative opposition to tech the government wants to see developed.
While the geek never quite wakes up to the fact that there is going to be another hand at the controls.
"Backdoors" into telco switches and the like should be "hardwired" to only be accessible at specific locations, by specific people, with specific reasons, with extensive logs of who saw what and when so oversight authorities (e.g. Congress, courts) can audit them.
Each switch or server should have a dedicated network port, not connected to any network except the snooper's, over which snooping is done.
Ideally, it would not be a "snooper's network" but rather a "snooper box," with an air-gap between it and the other FBI or police computers.
The military knows how to do this right. If the FBI and police departments aren't using something like this, they can take a lesson.
By the way, it's not just "telco/ISP/mail-provider backdoors" that need this, anything that gives sensitive access should be as isolated as practical. For some networks, this means complete isolation/air gap. For others, it means dedicated communication channels. For others, a traditional firewall is sufficient.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
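The design the comment above sketches, worked through as an added example (this is not Google's code, a telco's, or any real lawful-intercept system): requests to the intercept interface are honoured only from a dedicated snooper network, only for named operators, only with an order reference recorded, and every decision, allowed or denied, is appended to an HMAC hash chain so an auditor can tell when entries were altered or removed. The network, operator names, key, account data and function names are all invented for the example.

```python
"""Access control plus tamper-evident audit trail for an intercept interface.

Added example of the design in the comment above; not code from any real
provider or LI system. Every name, network and key here is an assumption."""
import hashlib
import hmac
import ipaddress
import json

SNOOPER_NET = ipaddress.ip_network("10.99.0.0/24")  # assumed dedicated port / VLAN
OPERATORS = {"li-op-01", "li-op-02"}               # assumed vetted individuals
AUDIT_KEY = b"example-only-key-keep-in-an-hsm"    # assumption: held off the LI host
GENESIS = b"\x00" * 32


class AuditLog:
    """Append-only log; each tag covers the previous tag plus the new record,
    so editing or dropping an entry breaks every tag after it."""

    def __init__(self):
        self.entries = []
        self._prev = GENESIS

    def append(self, record):
        body = json.dumps(record, sort_keys=True).encode()
        tag = hmac.new(AUDIT_KEY, self._prev + body, hashlib.sha256).digest()
        self.entries.append({"record": record, "tag": tag.hex()})
        self._prev = tag

    def first_bad_entry(self):
        """Index of the first entry whose chain tag does not verify, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = json.dumps(entry["record"], sort_keys=True).encode()
            expect = hmac.new(AUDIT_KEY, prev + body, hashlib.sha256).digest()
            if not hmac.compare_digest(expect.hex(), entry["tag"]):
                return i
            prev = expect
        return None


class InterceptGateway:
    def __init__(self, mailbox_store):
        self.store = mailbox_store  # constructed stand-in for the provider's data
        self.log = AuditLog()

    def fetch(self, source_ip, operator, order_ref, account):
        """Return the account's messages or raise PermissionError; log either way."""
        if ipaddress.ip_address(source_ip) not in SNOOPER_NET:
            reason = "source not on intercept network"
        elif operator not in OPERATORS:
            reason = "operator not authorised"
        elif not order_ref:
            reason = "no order reference supplied"
        else:
            reason = None
        self.log.append({
            "source_ip": source_ip, "operator": operator,
            "order_ref": order_ref, "account": account,
            "decision": "allow" if reason is None else "deny",
            "reason": reason,
        })
        if reason is not None:
            raise PermissionError(reason)
        return list(self.store.get(account, []))


# Constructed sample data.
MAILBOXES = {"target@example.net": ["msg-0001", "msg-0002"]}


def demo():
    """One allowed fetch, one denied fetch from the corporate LAN, then a log edit."""
    gw = InterceptGateway(MAILBOXES)
    got = gw.fetch("10.99.0.7", "li-op-01", "ORDER-2010-0042", "target@example.net")
    try:
        gw.fetch("10.20.5.33", "li-op-01", "ORDER-2010-0042", "target@example.net")
        denied = False
    except PermissionError:
        denied = True
    clean = gw.log.first_bad_entry()
    gw.log.entries[1]["record"]["decision"] = "allow"  # someone rewrites history
    tampered = gw.log.first_bad_entry()
    return got, denied, clean, tampered


if __name__ == "__main__":
    print(demo())
```

Two things this buys against the scenario in the story: an attacker who lands on an ordinary corporate host is refused before any data moves, and the refusal itself is in the log; and an attacker who does reach the snooper network and then tries to clean up cannot rewrite or drop entries without the chain failing at the first touched index. The key must of course live somewhere the intercept host cannot read, which is the one assumption the code cannot enforce for you.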
Backdoors are not secrets.
And I don't mean the SSL/TLS/PGP stuff included in your favorite email product, that comes pre-compromised from the supplier.
Minimum = stunnel and generate your own stunnel.pem
I recommend the above + encrypting the message as an attachment using Omziff 3.2, Iopus sea or Axcrypt.
Schneier's main point is that by happily enabling "lawful" surveillance through modern technology, we're obliviously entering a new world where:
- Even lawful surveillance by a democracy is abused without accountability (FBI, NSA, oversight clearly a joke, executive claiming limitless power)
- Mechanisms of lawful surveillance can be hijacked by unauthorized entities (Greece telco, GMail in China)
- Technology created by democratic-based corporations are being used by oppressive anti-democratic states (Nokia abetting Iran, Cisco & Yahoo abetting China, etc.)
- Even in a freedom-loving democracy our individual privacy is an endangered species with zero protection, as we leave electronic trails everywhere that are scooped up in for-sale commercial databases like ChoicePoint (as well as weakly-protected search engine records, ISP usage records, electronic toll road records, cell phone location records, and on and on and on.)
We are not watching where we're going.
Why would they need a backdoor? All the emails go through their servers.
so, even google is defective by design?
If you decided to take the moral low ground, you lose the right to bitch when the shit hits the fan.
Among the many questions that I want answered is whether the credentials used to access that system (presumably obtained via long standing Adobe Reader or IE zero-day vulnerabilities) belong to a Google employee or someone else who had access to that system.
Why on earth do you think you should be told the answer to that? Unless you work for Google or the cops I dare say it's none of your business.
I'm not asking the name of the individual. But surely it is relevant to know for anyone dealing with security issues whether this particular part of the attack could have been prevented by Google.
More on this from these earlier pieces:
http://www.motherboard.tv/2010/1/14/was-the-google-china-hack-an-inside-job--2
http://www.huffingtonpost.com/alex-pasternack/dont-be-evil-vs-serve-the_b_425476.html
And as a former BT employee I am very surprised that Bruce S did not know this - I suspect the boys from the xx floor in the yyy building will be having a word.
For example, team leaders on certain systems had to be PV'd (positively vetted) and if anything suspicious was flagged the Internal Security department would get quite intense about it.
That is not a backdoor. But it did concern me that google is actively preserving all of this information that could be used in the future for good or ill by anyone.
So what ?
That's *E-MAIL* we're speaking about. The damn thing transits unencrypted all over the web. It has the inherent security of a postcard: anyone who would like to read it, could.
To keep the metaphor: it doesn't change anything that the US government can peek into your mailbox or even try to steal your mail, because every single postman who handled the postcard between the author and you has had a chance to see it too.
You want truly secure mail? Use END-to-END encryption. As in: the author encrypts the mail with his PGP/GPG/whatever key on his laptop before sending it, and you decrypt it on your laptop inside your own IMAP client that you control. Anything else is a postcard.
The problem is not the snooping ability of Google, the problem is that people consider a webmail client running on a remote server the same way they consider a local application on a secured and trusted machine.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]