Slashdot Mirror
Surveillance Backdoor Enabled Chinese Gmail Attack?
Major Blud writes "CNN is running an opinion piece on their front page from security technologist Bruce Schneier, in which he suggests that 'In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.' His article is short on sources, and the common belief is that a flaw in IE was the main attack method. Has this come up elsewhere? Schneier continues, 'Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.'"
There was the following report:
http://www.computerworld.com/s/article/9144221/Google_attack_part_of_widespread_spying_effort
That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.
That is not a backdoor. But it did concern me that google is actively preserving all of this information that could be used in the future for good or ill by anyone.
The backdoor in question is likely only available on Google's internal network. If it's guarded by VPN, this is fairly secure. Of course, there are many ways to hack into a company's internal network, as the Chinese hack demonstrates. But the law enforcement interface isn't uniquely problematic in this regard. Once you're into the internal network, there are all types of things you can do.
The real problem here is pen register taps, and it's application to email. The police can get as much "traffic analysis" information as they want without a warrant. This law enforcement interface was designed to allow easy access to this information, further invading our privacy through warrantless activities.
* All email header information other than the subject line, including the email addresses of the people to whom you send email, the email addresses of people that send to you, the time each email is sent or received, and the size of each email that is sent or received.
* Your IP (Internet Protocol) address and the IP address of other computers on the Internet that you exchange information with, with timestamp and size information.
* The communications ports and protocols used, which can be used to determine what types of communications you are sending using what types of applications.
From the EFF.
When I blogged about this the week before last, I was relying on an article in Computer World which talked about the intruders gaining access to "a system used to help Google comply with search warrants by providing data on Google users."
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence.
And how is he going to get the documentation now? Sue? The government steps in and claims state secrets, case dismissed. Ask Google for the documentation that admits they cooperated with a secret government program to spy on Americans? Bad for business and then they'd face federal criminal prosecution.
He probably has sources, but wants to protect them. Can't quote your sources, can't produce the docs, so the only option is to make the accusation and invite Google to sue him for defamation and tortious interference. He could still protect his sources and it would open Google up to discovery, something I'm sure the government isn't anxious to see happen.
We already know the telephone and cellular companies have found a way to monetize state surveillance by law enforcement, so they're not complaining. Who exactly is motivated to blab about any of this? And since Microsoft has decided to continue operating in China, one could also conclude they have back door systems as well and are more than willing to cooperate with both governments spying on their people. We assume for slightly different reasons, but how do we really know?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
Schneier is not primarily a 'blogger,' although that may be how we most frequently encounter him. As the publisher of the renowned book "Applied Cryptography," Schneier is a recognized domain expert in the field of security.
Therefore it is possible, even likely, that Schneier has directly received information pertinent to the attack. Someone assigned to the investigation may have phoned him up to consult his opinion, if nothing else. Given the progressive techno-legal opinion he wrote, I think it is just as possible that someone from the investigation 'leaked' information to Scheneier about the use of the CALEA interface.
By the way, for those who doubt that there is a 'backdoor' to gmail, CALEA is a law which _mandates_ a law enforcement backdoor, either through manual procedures or through computational interface. It sounds like Google has implement a CALEA interface, and China used an IE6 vulnerability to hack first Google, then used the CALEA interface to monitor specific accounts.
The nice thing about using the CALEA interface is that I presume this would not give any clue to the monitored user that the account is being monitored. Logging in with the user's password, as a contrary example, updates the IP usage information displayed by gmail.
http://www.cato-at-liberty.org/2010/01/13/surveillance-secruity-and-the-google-breach/
It's the people's responsibility to push their representatives to keep these government mandates from happening in the first place, or replace those representatives with those who do what the fuck they're told by the people they represent.
Yeah, because that works just so well.
Companies sure as hell should be shouting when the government tries to force them to take these stupid, police-state measures: bad publicity is far more effective at eliminating bad laws than mere voting ever has been.
Did you ever believe there was a time when a wiretap was nearly impossible?
It used to be far more difficult. In the electromechanical switching era, there was no built-in support for wiretaps. Somebody had to physically wire into the appropriate cable pair, either near the phone being tapped or in the central office. New York Telephone would only do that if they got a court order, and they'd then bill the law enforcement organization for a private line. When Giuliani was a prosecutor taking down the New York Mafia, there was much grumbling about the million dollar a year phone bill for wiretaps. There was one embarrassing situation when the FBI didn't pay their wiretap bill on time, and the billing software billed the party being wiretappped for their "additional extension".
It was possible to listen in on an line using the Automatic Line Insulation Test equipment, but a typical central office only had two ALIT units, and they had line testing work to do, so tying up one for wiretapping really irked telcos. Sometimes telcos would do that for the FBI, but not for local law enforcement.
Because of this, wiretapping was rare. It was just too much work to be used lightly.
As for call data, the original "pen register" was a physical device hooked to one line which produced dashes on a paper tape for dial pulses. The electromechanical central offices didn't store any data about local calls; only toll calls produced a billing record. Law enforcement agencies that wanted information about toll calls could only get it for the calling party, in the form of a copy of the phone bill. The data wasn't sorted by receiving party.
Now, it's too easy. All the call data is in indexed databases, and CALEA has huge capacity for recording calls.