Slashdot Mirror


Surveillance Backdoor Enabled Chinese Gmail Attack?

Major Blud writes "CNN is running an opinion piece on their front page from security technologist Bruce Schneier, in which he suggests that 'In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.' His article is short on sources, and the common belief is that a flaw in IE was the main attack method. Has this come up elsewhere? Schneier continues, 'Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.'"

5 of 143 comments

  1. Careful There, Schneier by eldavojohn · · Score: 4, Insightful

    His article is short on sources

    Agreed so I visited his blog and a recent post is equally scant. He points back to another blog post with a little more but really he's just pointing out the irony of a new proposed bill outlawing Google's collaboration with China in violating human rights issues. The irony being that the US has asked for similar backdoors from Google already.

    So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story without citing the originator of the information. This is fine when it's a big paper like the New York Times but Schneier runs a blog on security. That's it. He might be a first hand expert but if so why isn't he showing and describing his conclusive evidence that the US mandated backdoor is how Chinese hackers gained entry? There's no doubt the software is less secure with a backdoor -- by definition -- but when he says:

    In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

    He better be able to back it up. And he reiterates:

    China's hackers subverted the access system Google put in place to comply with U.S. intercept orders.

    I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence. And on top of that, he has zero accountability. In fact, he says none of this on his blog, he leaves it as an op-ed on CNN. Read it like a strange click generating opinion piece and nothing more.

    I have respect for the man but this certainly shakes that. Any concrete proof of this would be welcomed. The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with.

    --
    My work here is dung.
    1. Re:Careful There, Schneier by PugPappa · · Score: 5, Insightful

      So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story without citing the originator of the information. This is fine when it's a big paper like the New York Times but Schneier runs a blog on security. That's it.

      So what makes it ok for a "big paper like the New York Times" to publish unsubstantiated claims? We shouldn't disengage our critical thinking regardless of the source.

    2. Re:Careful There, Schneier by eldavojohn · · Score: 3, Insightful

      If the US government wants and has these, why wouldn't China? It's not that far fetched, and it's probably better for Google to say it was some virus planted on their system rather than have news all over the internet that China has such in place too. And it could be that US operations didn't know about it, Google China is its independent operation after all and why they're maybe pulling off.

      This supposition just raises more questions in my mind though. 1) What do you mean by "independent operation" because it's still a subsidiary of Google and I'm sure utilizes much of the exact replicated technology. 2) Why in the world would Google enforce an American law in China? 3) If Google were providing this intercept data as access to the Chinese government then why in the hell would the Chinese government break in to steal email data from human rights activists? (From the original source, they suspect it was the government because the target was 'accessing the Gmail accounts of Chinese human rights activists') Why would the government need to gain malware access to the system that's put in place for them to access?

      It just doesn't add up in so many ways. Every explanation seems to have more questions behind it. I'm almost tempted to say this was someone from Baidu or a criminal element in China or Russia that covered up all their tracks except those deliberately left to be political. But I'm getting into tin foil hat territory there.

      I think it was AT&T or Verizon that we had a /. article about recently, on how the US government used their backdoor tons of times to gather info and that it would have been impossible to handle manually. Why wouldn't Google, one of the largest US companies, have a similar system?

      All big time communications operations have to worry about this. It sucks but it's the law. The question remains, however, what is that doing in China and if they're doing it for Chinese law, why did the government need to hack their own system set up to serve them?

      --
      My work here is dung.
  2. Google's internal security vulnerabilities by lumierang · · Score: 5, Insightful

    This is congruent with another report that mentioned Google put its Google China staff on paid leave and suspended their access after the incident:

    http://www.guardian.co.uk/technology/2010/jan/18/china-google-cyber-attack

    A lot of evidence points to Google treating it as an internal security leak, and is conducting an internal audit on all its China employees. It seems Google has very good external security but is very vulnerable from inside. In the hacking, very likely some Google China employee was found to have leaked information that facilitated the attack. And that explains Google management's fury, as it would be a moment as shocking for them as the “Cambridge Five” for the British government.

    Firstly it would mean Google can no longer count on its Chinese employees’ loyalty when it clashes with their loyalty to China, so if it wants to operate in China it has to continue with a tainted staff, though that should have been expected for any corporation operating in a foreign country.

    Secondly it would mean there are serious security loopholes in Google's internal management, as it failed to implement a safety mechanism to check or limit inside attacks. If this is true, pile on the fact that Google is already facing increasing privacy scrutiny in the US and Europe, it would be a heavy blow to Google’s reputation as a whole as it sends out the message that Google cannot be trusted with your data IN ANY COUNTRY.

    In my opinion Google failed to take care of its own fences. However, Google’s genius lies in politicizing this incident, as it completely shadows the question of Google’s own internal security vulnerability, as evidenced by the blanket omitting of this question in most of the news reports I have seen. It became a Good vs Evil in the news, and you cannot criticize Good ole Google without being grouped with the Evil Chinese Communist, can you?

    1. Re:Google's internal security vulnerabilities by wvmarle · · Score: 3, Insightful

      With all respect to the many good Chinese, there are plenty of bad ones. Especially when it comes to money. Money gives status in China, and both are known to corrupt. China is unfortunately a very very corrupt country at the moment, and it wouldn't surprise me if those employees were simply paid off to provide such access.

      Almost every day I read in the local newspaper (in Hong Kong) about corrupt government officials being caught, and of course also corrupt businesspeople. There are always two sides to corruption. And if it is normal for the government being paid by businesses for favours, why wouldn't government officials pay off company employees for the same.

      For companies investing in China, trust in their employees is a major issue. You invest in a factory producing photo cameras, for example. Then it is quite commonplace that soon you see exact copies of your camera appear in the shops, with the exact same specifications and quality, just a lot cheaper. And it can very well be that those copies are made in your own factory in a second shift, after they are done producing your own orders. Or that the factory manager simply set up a second factory which is a copy of your own investment.

      So there being "internal security vulnerabilities" wouldn't surprise me. At all. Whether it's really national pride, or cold hard cash, or something else I can't tell, possibly a combination of it all. But with the current state of corruption in China well it's at the very least highly plausible.