Surveillance Backdoor Enabled Chinese Gmail Attack?
Major Blud writes "CNN is running an opinion piece on their front page from security technologist Bruce Schneier, in which he suggests that 'In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.' His article is short on sources, and the common belief is that a flaw in IE was the main attack method. Has this come up elsewhere? Schneier continues, 'Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.'"
His article is short on sources
Agreed, so I visited his blog, and a recent post is equally scant. He points back to another blog post with a little more, but really he's just pointing out the irony of a new proposed bill outlawing Google's collaboration with China in violating human rights issues. The irony being that the US has asked for similar backdoors from Google already.
So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story without citing the originator of the information. This is fine when it's a big paper like the New York Times, but Schneier runs a blog on security. That's it. He might be a first-hand expert, but if so, why isn't he showing and describing his conclusive evidence that the US-mandated backdoor is how Chinese hackers gained entry? There's no doubt the software is less secure with a backdoor -- by definition -- but when he says:
In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.
He better be able to back it up. And he reiterates:
China's hackers subverted the access system Google put in place to comply with U.S. intercept orders.
I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence. And on top of that, he has zero accountability. In fact, he says none of this on his blog; he leaves it as an op-ed on CNN. Read it like a strange click-generating opinion piece and nothing more.
I have respect for the man but this certainly shakes that. Any concrete proof of this would be welcomed. The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with.
My work here is dung.
As long as you do not place restrictions on your executive branch, anything can be used to facilitate a police state. If a cop has unrestricted rights to search you, your days of privacy are over.
I want to delete my account but Slashdot doesn't allow it.
"And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state."
ORLY, Bruce? Bad civic hygiene - for sure. But surely you're aware that so-called Legal Interception (LI) facilities are there in basically all communications networks used by the masses. It's not like this Google "backdoor" is anything out of the ordinary.
And you say correctly that they are a bad thing. Although, they would not be that bad, were they used to remove corruption and organized crime. But corruption and organized crime go hand in hand with top-tier politics, and therefore have protection.
As it stands now, such systems will only be used to target politically annoying individuals and kill off any dissent against status quo (whatever it may be, choose your -ism).
All of us can already now be tracked every single day by the digital communications methods we use. It doesn't matter if you live in USA or Iran, the LI facilities are built-in. In light of that, your comment strikes me as very ignorant - you say it as if it's a new thing.
Mod doesn't agree with GP but lacks the intellectual capacity to compose a counter argument.
Ask Google for the documentation that admits they cooperated with a secret government program to spy on Americans?
What 'secret government program to spy on Americans'? Read the article. They mention the Communications Assistance for Law Enforcement Act of 1994 (CALEA). Here is Wikipedia's summary if you don't have the stomach for legalese. You can read all about how it went in during Clinton's administration and has been enjoyed by every administration since (a lost freedom is rarely won back) and will continue to be enjoyed for a long time coming.
So Google is afraid to reveal what the law (CALEA) forces them to do?
We already know the telephone and cellular companies have found a way to monetize state surveillance by law enforcement, so they're not complaining.
That's funny. If they didn't charge for it, the consumer would be paying for the overhead of them being spied on. Would you like that scenario better? Get out, get vocal, tell people, tell average people on the street when they hang up their phone that all that information just got logged for the government. And do it with some tact so you don't look like a goddamn crazy.
My work here is dung.
This is congruent with another report that mentioned Google put its Google China staff on paid leave and suspended their access after the incident: http://www.guardian.co.uk/technology/2010/jan/18/china-google-cyber-attack
A lot of evidence points to Google treating it as an internal security leak, and it is conducting an internal audit on all its China employees. It seems Google has very good external security but is very vulnerable from inside. In the hacking, very likely some Google China employee was found to have leaked information that facilitated the attack. And that explains Google management's fury, as it would be a moment as shocking for them as the "Cambridge Five" was for the British government.
Firstly, it would mean Google can no longer count on its Chinese employees' loyalty when it clashes with their loyalty to China, so if it wants to operate in China it has to continue with a tainted staff, though that should have been expected for any corporation operating in a foreign country.
Secondly, it would mean there are serious security loopholes in Google's internal management, as it failed to implement a safety mechanism to check or limit inside attacks. If this is true, pile on the fact that Google is already facing increasing privacy scrutiny in the US and Europe, it would be a heavy blow to Google's reputation as a whole, as it sends out the message that Google cannot be trusted with your data IN ANY COUNTRY.
In my opinion Google failed to take care of its own fences. However, as Google's genius lies in politicizing this incident, it completely shadows the question of Google's own internal security vulnerability, as evidenced by the blanket omitting of this question in most of the news reports I have seen. It became a Good vs Evil in the news, and you cannot criticize Good ole Google without being grouped with the Evil Chinese Communist, can you?
More like, how is it ON topic? I have to exploit my imagination quite a bit to see the relation between the stories, and I still can't see how they correlate in any meaningful way.
Even if we accept Schneier's source at his word, an "internal intercept" system which shows traffic on an account is NOT the same as a system which feeds all your details to the government. There's a difference between a system which Google employees can use to comply with government warrants (as required by CALEA) and a system directly accessible by government officials à la AT&T.
Still, if you think anything you send via email unencrypted anywhere in the Western world is safe from the US government (and, by extension, any government able to penetrate the US government), you're dreaming.
Thanks, but I think that people are being too hard on Schneier. The Computer World article that I cited is based on an "unnamed source" who is "not authorized to speak to the press." Obviously that article should have been cited, but that oversight in citation is a blunder, not something that challenges the integrity of Schneier.
But it is consistent with the official report out of Google, which stated that the Gmail accounts themselves were not compromised, and that the information stolen was subject lines and account creation date. The only purpose I can see for having a system that would just have access to that kind of information would be for some kind of "pre-scanning" for law enforcement.
Among the many questions that I want answered is whether the credentials used to access that system (presumably obtained via long standing Adobe Reader or IE zero-day vulnerabilities) belong to a Google employee or someone else who had access to that system.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
"Backdoors" into telco switches and the like should be "hardwired" to only be accessible at specific locations, by specific people, with specific reasons, with extensive logs of who saw what and when so oversight authorities (e.g. Congress, courts) can audit them.
Each switch or server should have a dedicated network port, not connected to any network except the snooper's, over which snooping is done.
Ideally, it would not be a "snooper's network" but rather a "snooper box," with an air-gap between it and the other FBI or police computers.
The military knows how to do this right. If the FBI and police departments aren't using something like this, they can take a lesson.
By the way, it's not just "telco/ISP/mail-provider backdoors" that need this, anything that gives sensitive access should be as isolated as practical. For some networks, this means complete isolation/air gap. For others, it means dedicated communication channels. For others, a traditional firewall is sufficient.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
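The controls asked for in the comment above (specific people, specific locations, a stated reason, and logs an oversight body can audit), sketched as an added example that is not part of the original thread and not any real intercept system. All operator, terminal and warrant names are constructed; the hash chain and the separately held head hash are assumptions of this sketch.

```python
import hashlib
import json

# Constructed policy: which operator may act from which terminal (hypothetical names).
ALLOWED = {("op-alice", "term-hq-01"), ("op-bob", "term-hq-02")}
GENESIS = "0" * 64

def entry_digest(prev, body):
    """Hash of one log entry, bound to the hash of the entry before it."""
    data = prev + json.dumps(body, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

class InterceptGate:
    """Gate in front of an intercept interface; logs every request, allowed or not."""

    def __init__(self):
        self.log = []

    def request(self, operator, terminal, warrant_id, target, ts):
        # Specific person at a specific location, with a stated legal reason.
        ok = (operator, terminal) in ALLOWED and bool(warrant_id)
        body = {"ts": ts, "operator": operator, "terminal": terminal,
                "warrant": warrant_id, "target": target, "allowed": ok}
        prev = self.log[-1]["hash"] if self.log else GENESIS
        self.log.append({"body": body, "prev": prev,
                         "hash": entry_digest(prev, body)})
        return ok

def verify_chain(log, expected_head=None):
    """Auditor's check: index of the first bad entry, or -1 if the log is intact.

    expected_head is the last hash as recorded outside the system (for example
    by the oversight body); without it, deleting trailing entries goes unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_digest(prev, entry["body"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # entries removed or appended since the head was recorded
    return -1
```

Someone with write access to the whole log can recompute every hash, so the chain only helps if the head hash is escrowed somewhere the log's operator cannot change it.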
If papers and news sites carried only substantiated stories they'd be pretty boring. And small.
http://ihatehate.wordpress.com
What exactly has Schneier done that needs a retraction? He's written an unsubstantiated op-ed piece: just like the thousand other unsubstantiated op-ed pieces on a thousand other news sites. It might be lazy journalism but it isn't a crime...
http://ihatehate.wordpress.com