Google Warning Gmail Users On Spying From China
Trailrunner7 writes "Google is using automated warnings to alert users of its Gmail messaging service about widespread attempts to access personal mail accounts from Internet addresses in China. The warnings may indicate wholesale spying by the Chinese government a year after the Google Aurora attacks, or simply random attacks. Victims include one leading privacy activist. Warnings appeared when users logged onto Gmail, encountering a red banner reading, 'Your account was recently accessed from China,' and providing a list of IP addresses used to access the account. Users were then encouraged to change their password immediately. Based on Twitter posts, there doesn't seem to be any pattern to the accounts that were accessed, though one target is a prominent privacy rights activist in the UK who has spoken out against the Chinese government's censorship of its citizens. A Google spokesman declined to comment on the latest warnings specifically. The company has been issuing similar warnings since March, when it introduced features to identify suspicious account activity."
And what the hell do you think the US does? We do everything that China does, only because we're "the west" we aren't scared about it. See, the thing is, the US government can basically force Google to access your account. I'd much rather have a Chinese attack where I'm alerted about it than a US attack that happens stealthily.
Yeah, China has human rights abuses and so does the US. There are people detained by US authorities who don't even have a fucking clue why they are detained because the US won't tell them!
This idea that China is a super-villain and the US is a superhero is based off of myth, nationalism and ignorance, we are no better than the Chinese.
Taxation is legalized theft, no more, no less.
Google already keeps track of all kinds of data around my Gmail account, why does it not warn me whenever *irregular* patterns of access occurred, based on implausibly localized IPs?
Thank you for your consideration
- You already know I love you, Google.
Sincerely, a concerned GMail customer.
I got the warning about being accessed from China. Unfortunately, it came 2 days after I became aware of my gmail account and World of Warcraft account both being compromised. By that time I had already changed the password, and had Blizzard restore my stuff.
Let's see - I have never been in China and don't plan to go in the near future - maybe if Google added a feature that allows me to CONTROL what countries I can access it from, it could alleviate a lot of this problem.
I'm sure those crafty hackers will find a way around it and divert through a US waypoint, but there's no need for my account to have broad access from countries I am never going to access it from.
Go ahead and comply with government demands, but tell the common people what the government is doing to them. I like it.
Yea, except when China detains you they throw you in the Laogai (Chinese gulag - forced labor prison) and harvest your organs to sell to rich westerners whose children are dying of non-functioning organs for which there is normally a giant waiting list.
And, keep in mind, China does that if you are nothing more than a political opponent, dissenter, or critic. Your fair trial consists of, "You are guilty."
When the U.S. (wrongly) detained the friend of Assange, leader of WikiLeaks, earlier this year they had to let him go. Our laws have been designed to protect human rights from abuse by even our own government. You can't say the same thing about the Chinese.
I hate to admit it, but I still love buying cheap crap from them, though.
I'm sort of afraid to post this comment now. *breathes deeply and presses the submit button*
I guess they're not very successful at it.
I don't believe in time. It's a grand conspiracy designed to sell watches.
A couple months ago, out of the blue. I changed my password of course.
And you talk just like the stupid people in the movies: We are good and they are evil.
Relativistic assessments such as the parent's are merely intellectual laziness and false humility.
I use a Chinese proxy server!
Set your phasers on "funky"!
http://gnupg.org/
Palm trees and 8
I was one such victim, but for me the hijacking occurred about two months ago. Lucky for me it wasn't used to send millions of malware-laden spam messages; only several dozen messages were sent (all in Chinese), and it didn't look like any attempt was made to filch information from my archives. Google did warn me at the time, and there have been no obvious consequences since I regained control of the account.
I'm not worried about China, I'm worried about my own government spying on me with Google's cooperation.
> Yeah, China has human rights abuses and so does the US. There are people detained by US authorities who don't even have a fucking clue why they are detained because the US won't tell them!
Please point to a case where this has happened in modern US history, as this is a very clear violation of our sixth amendment in the Bill of Rights.
> This idea that China is a super-villain and the US is a superhero is based off of myth, nationalism and ignorance, we are no better than the Chinese.
May I suggest that this belief that there are significant people who believe in your hyperbolized dichotomy is also a myth. I'm confident the majority of people in the US see it as a flawed country but on the whole comparatively better than most.
your thin skin doesn't make me a troll
Parsing your data for profit, et cetera...
Or is that okay in free market halfassery?
What he can't kill, he has sex on. Trent.
I'm not American or even European btw.
Given the recent situation with Japan, I don't know how else to see China.
Vietnam has been complaining about China's bully tactics for a while now, it's just that no one paid attention.
China has been gaining a lot of power, the US might not even be able to restrain them any more.
Frankly it scares me.
I hate to say this but the moron Bush might actually be right, China has to be contained.
If I could turn back time and somehow stop China from joining the WTO I would.
As for the US, the things you guys do in the Middle East are one hell of a clusterfuck.
But I don't know.
I think I would rather live under the thumb of the US government than the PRC.
From my point of view, maybe it's because I'm from a country friendly towards the US, the US in general has been a relatively benevolent "ruler" in comparison to what China could be capable of.
I agree. If your dad is an abusive jerk, you don't deserve to be protected from other abusive jerks. They're no worse than what you get at home, so what are you bitching about?
If you were blocking sigs, you wouldn't have to read this.
I'm not seeing the bit where GP said that "we" were good, just that "they" are bad. Can you clarify?
If you were blocking sigs, you wouldn't have to read this.
Are you that blind that you haven't heard of Gitmo? http://civilliberty.about.com/od/lawenforcementterrorism/tp/Boumediene-v-Bush.htm Yeah, the supreme court struck it down fairly quickly but note that a single vote in the opposite direction would have kept it.
Taxation is legalized theft, no more, no less.
Maybe because they added a lot of random targets to disguise the real target(s). I'd definitely do more than 100 distraction attacks per real attack just to confuse my opponents.
Uh, you know those "foreign combatants" kept in dog kennels in Guantanamo Bay, and not charged because we don't even know why we captured them in the first place? Those guys? According to those filthy liberal peacenik commies in the Supreme Court, apparently they're actually "people"!
If you were blocking sigs, you wouldn't have to read this.
...Because your dad who is an abusive jerk making an organization to prevent child abuse wouldn't be hypocritical in the least. And then him being lauded for being a great dad despite the fact he is still an abusive jerk, wouldn't come up as slightly hypocritical to you?
Taxation is legalized theft, no more, no less.
There's a really easy way google can mitigate a lot of these problems. They could cooperate a little bit with someone who wants to make a firefox plugin that would encrypt people's email.
I know that goes against their business model, which lets them use people's emails to tailor search results and target ads. And it would probably piss off a number of governments. But in reality, almost no one would actually take the trouble to encrypt their mail, and it would allow people who really needed the privacy to take care of themselves.
It's such an easy, simple solution. I wish they'd consider it.
I don't ever expect to use my Gmail from China.
I very rarely use my Gmail from anywhere outside the US.
I'd like to block ALL COUNTRIES from my Gmail, except the US. Then when I travel, I can add the country I am going to visit - for as long as I'm there.
Ideally, this function could tie in to my World Mate app on the BlackBerry - it knows when I am out of the country or not.
When those anti-government activists use easy-to-guess passwords like "FreeTibet" and "FalunGong4evah", of course their Google accounts are going to get hacked...
#DeleteChrome
Specifically you are confusing privacy and anonymity. Many geeks seem to think the right to privacy is the same as the right to remain anonymous and they aren't at all. The government has ruled that there is a right to privacy implied in the Constitution, but they have never ruled there is a right to anonymity best that I know.
So what's the difference? Privacy means being able to shield what you are doing from others, if you choose. I currently have complete privacy. I am alone, in my home. That means what I am doing is not something anyone can find out, unless I let them. My actions and thoughts are as private as I wish them to be. However I'm not anonymous. Anyone who did even cursory (and fully legal) surveillance could determine what house is mine and that I am presently at home. I am in no way anonymous in my actions, just private.
The flipside of that would be a couple having sex in a park, wearing full face masks. They would have no privacy, but would have anonymity. There would be no doubt in anyone's mind what was going on if they looked over. However as to who was doing it, well that would be a mystery. The people doing it would be anonymous, but not private.
Of course you can easily find other situations that you have both or neither.
So as it applies to these activists, that they are known doesn't mean they aren't successful at being private. They aren't anonymity activists, they are privacy activists. They advocate that you should be able to do things and not have the government (or others) spy on you. They are not advocating you should be unknown, a cipher to all.
Sure. I said GP talked like something, but I didn't say what you said I did. Is that clear enough for you?
About 50% of the spam I get is WoW and other MMOG account phishing. Apparently lots of people use the same WoW account pw as for their gmail account since you see "i got hacked" posts in the forums every day. Blizzard then made the brilliant move of making your WoW account username your email address.
There's a Facebook option whereby you get an email sent to you when someone accesses your account on a PC that hasn't been used for that before. I thought it was cool also.
But GMail has had the "active sessions" and "last activity on this account" options for a while, so I guess it's only working on a behaviour pattern and warning people when that pattern changes.
There are GPG plugins for most e-mail clients. E.g. there's Enigmail for Thunderbird. People just need to use them.
Four dead in Ohio. There's also the Civil Rights marches of the 1960s, the labor movement, the Trail of Tears, and a few other odd highlights. I'd suggest picking up a copy of Lies My Teacher Told Me or Howard Zinn's A People's History of the United States.
What part of "gestalt" don't you understand?
Going through a proxy (crowded, busy, high traffic, concentrated) makes hack attacks that much more difficult. From the defense standpoint, proxies may be known (lists of known proxies are widely available), detectable (reverse operations), or identifiable via patterns (large volumes of traffic or attack from a single or narrow IP band not otherwise known).
You do highlight the point, however, that patterns of behavior are what are critical. You want to see who's coming in, from what IP ranges, whether or not they're suddenly having a great deal of trouble with their passwords, etc.
I've had more than a little success identifying sources of abuse via CIDR block or ASN using the Routeviews reverse IP-to-BGP Router Data lookup (the txt record is the CIDR block and ASN of an IP). Not just in spam, as indicated in the linked paper, but for apache logs, aggregating ranges of IPs to a single identifiable source.
Sure, someone using a widely distributed botnet across multiple ASNs isn't going to turn up in that analysis (or rather, it will be more weakly distributed), but in that case, you're going to want to find other patterns of behavior to track.
What part of "gestalt" don't you understand?
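Added example, not part of the comment above and not its author's code: one way to do the aggregation it describes, rolling access-log client IPs up to their announcing prefix and ASN and counting failed logins per source. The prefix table, the log lines and the thresholds are constructed stand-ins (documentation address ranges and ASNs); in practice the table would be filled from the per-IP lookup results.

```python
import ipaddress
import re

# Constructed prefix -> ASN table standing in for per-IP lookup results
# (documentation address ranges and documentation ASNs, not real routing data).
PREFIX_TABLE = [
    ("198.51.100.0/24", 64496),
    ("198.51.100.128/25", 64497),  # more specific route inside the /24
    ("203.0.113.0/24", 64498),
]

def _line(ip, request, status):
    return f'{ip} - - [27/Sep/2010:10:00:00 +0000] "{request} HTTP/1.1" {status} 512'

# Constructed Apache access log: six neighbouring addresses fail login twice
# each, one ordinary user mistypes a password once, one host browses normally.
SAMPLE_LOG = "\n".join(
    [_line(f"198.51.100.{h}", "POST /login", 401)
     for h in range(130, 136) for _ in range(2)]
    + [_line("198.51.100.7", "POST /login", 401),
       _line("198.51.100.7", "POST /login", 200)]
    + [_line("203.0.113.9", "GET /index.html", 200)] * 3
    + [_line("192.0.2.50", "POST /login", 200)]  # not covered by the table
)

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')

def build_table(rows):
    """Parse prefixes, longest first, so the first hit is the most specific."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in rows]
    return sorted(nets, key=lambda r: r[0].prefixlen, reverse=True)

def lookup(table, ip):
    """Return (prefix, asn) for an address, or (None, None) if nothing covers it."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if net.version == addr.version and addr in net:
            return str(net), asn
    return None, None

def aggregate(log_text, table):
    """Count requests, 401 responses and per-IP failures for each (prefix, asn)."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, status = m.group(1), int(m.group(2))
        try:
            key = lookup(table, ip)
        except ValueError:  # client field was a hostname, not an address
            continue
        row = stats.setdefault(key, {"requests": 0, "auth_failures": 0, "ips": {}})
        failed = 1 if status == 401 else 0
        row["requests"] += 1
        row["auth_failures"] += failed
        row["ips"][ip] = row["ips"].get(ip, 0) + failed
    return stats

def flag_sources(stats, min_failures=10, min_ips=3):
    """Prefixes with many failures in total, spread over several client IPs."""
    return sorted(
        key for key, row in stats.items()
        if key[0] is not None
        and row["auth_failures"] >= min_failures
        and len(row["ips"]) >= min_ips
    )

if __name__ == "__main__":
    stats = aggregate(SAMPLE_LOG, build_table(PREFIX_TABLE))
    for key, row in stats.items():
        print(key, row["requests"], row["auth_failures"], len(row["ips"]))
    print("flagged:", flag_sources(stats))
```

No single address in the flagged /25 exceeds two failures, so a per-IP threshold would miss it; only the per-prefix total stands out.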
XKCD puts it well: http://xkcd.com/792/
How often do you reuse passwords?
What financial or other control information transits your email account?
What blackmail or other information could be gained via your email account(s)?
I've utilized this myself in legal cases for fun and profit (lawful access to data, natch).
What part of "gestalt" don't you understand?
I wonder if that's at all irritating to users living in places like, you know - China.
I think I know what the next Slashdot poll will be...
This is a good reason for google to start supporting client identification through SSL certificates.
not only all countries but my own, I would like to be able to whitelist to
- my work IP
- my home internet provider
and that's it, if I travel I can always stop restrictions temporarily, but there should be no reason why any location but the two above should be able to access my email account on a regular basis.
If Google wanted to make things simpler for users, you could also have the option to restrict by geolocation, given how good it is nowadays it should be trivial to say 'allow connections only from this city'
-- the cake is a lie
> Sure. I said GP talked like something, but I didn't say what you said I did. Is that clear enough for you?
> I'm not seeing the bit where GP said that "we" were good, just that "they" are bad. Can you clarify?
> And you talk just like the stupid people in the movies: We are good and they are evil.
That's supposed to be in the movies. Is this the nitpicking day on Slashdot or what?
And guess what forced Japan to release the captain? Obama told Japan to stop playing games, not China.
I think it was because China detained four Japanese. In the 1930s, that'd give Japan the excuse to invade China. Not any more.
Wait, is that the Supreme Court of the United States?
Why is it when the US is criticized, responses in the vein of "other countries do it too" is unacceptable and often labeled troll, yet when a different country is under the radar, responses in the vein of "the US does it too" is the first and greatest comeback, and in this case labeled "Insightful"?
Because the US has presented itself as a moral high ground and example for the rest of the world, or tried to. When the role model does wrong excuses don't fly.
Benevolent Rulers are only benevolent when the subjects are doe-eyed submissives.
And the subjects that are not good? Well, just wait till father gets home.
In post Patriot Act America, the library books scan you.
See how you're able to talk about those events, write books and songs about them, and view photographs? Those isolated incidents are viewed as public black marks on American history and are not standard operating policy, nor are they hidden by the government. In fact, many politicians have ridden to office on their outspoken criticisms of America's past.
Does Google track my normal usage pattern? If so, they should warn me of any anomaly, not just from China but any other country that is outside the norm for my account.
I am in China. I access my Gmail every day from here. I have never seen this message. Somehow, they must know that is the norm for me. Will I get a warning if my account is suddenly accessed from the US?
~A~
You seem to have deep seated daddy issues. Still wondering who yours was, eh?
If you were blocking sigs, you wouldn't have to read this.
They're just being modest. Obviously, it's really the Supreme Court of the World, and if you don't acknowledge that, well, you're either with Us or with The Terrorists.
If you were blocking sigs, you wouldn't have to read this.
" I have no idea how they got or are getting my password."
They may not be; this could be a simple Joe Job case. They scrape your email address from somewhere, then send out a ton of mail using your address as the Reply To. They don't need any password to do this - check your 'sent' folder, did you really send those messages or is it just claiming you did in the Reply To?
There's very little you can do about this. Personally I set up SPF to specify that only certain domains were allowed to send mail. If the receiving mailserver has a brain, it will check these records and disallow any joe-job spam. My own mailserver also recognises bounces claiming to be from me but which haven't originated from those domains.
Not perfect, but it's one possible step.
Cheers,
Ian
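Added example, not part of the comment above and not its author's configuration: a minimal sketch of the check a receiving mail server makes against a published SPF record. The domains, records, addresses and the accept/quarantine/reject mapping are constructed assumptions; only the `ip4`, `ip6` and `all` mechanisms are evaluated, and the check applies to the envelope sender domain, not to a Reply-To header.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for the DNS TXT lookup a receiving server would perform.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:25::/48 -all",
    "example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":                    # matches every sender
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"           # malformed address in the record
            if net.version != (4 if name == "ip4" else 6):
                return "permerror"           # e.g. an IPv6 network under ip4:
            if net.version == addr.version and addr in net:
                return RESULTS[qualifier]
            continue
        # include, a, mx, exists and redirect= need further DNS queries,
        # which this sketch does not perform.
        return "unsupported"
    return "neutral"                         # nothing matched and no "all" term

def receive(envelope_from, client_ip, records=SPF_RECORDS):
    """Return (spf_result, action) for a message; the actions are a sample policy."""
    domain = envelope_from.rpartition("@")[2].lower()
    record = records.get(domain)
    result = check_spf(record, client_ip) if record else "none"
    action = {"fail": "reject", "softfail": "quarantine"}.get(result, "accept")
    return result, action

if __name__ == "__main__":
    # Constructed deliveries: a listed host, then forged mail from unlisted hosts.
    for sender, ip in [
        ("ian@example.org", "192.0.2.10"),
        ("ian@example.org", "203.0.113.77"),
        ("bob@example.net", "203.0.113.77"),
    ]:
        print(sender, ip, receive(sender, ip))
```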
And then you won't be able to search for conspiracy theories in the USA. It's really no different from China in terms of how government acts. All modern governments generally act the same. Yes North Korea may be the exception, but capitalist governments generally are similar.
Individuals don't matter anymore in any government that I know of. You are either a tax payer or a consumer.
China won't let you speak at all. Honestly what difference does it make? Or did you not hear about the raids on anti war protesters around the country? Or have you not heard about Cointel Pro?
The USA has no moral high ground over any other developed nation. The moral high ground was lost when the USA started torturing people.
While you are hyping the "freedoms" of the USA, the FBI is busy raiding US citizens.
http://www.myfoxchicago.com/dpp/news/metro/feds-raid-homes-in-chicago-minnesota-in-terror-probe-20100924
There's a time to defend the US government, this isn't the time. Morally the US government cannot be defended. In fact morality and government don't even belong in the same sentence. Governments fight and win wars, if you want morality go to church.
> See how you're able to talk about those events, write books and songs about them, and view photographs? Those isolated incidents are viewed as public black marks on American history and are not standard operating policy, nor are they hidden by the government. In fact, many politicians have ridden to office on their outspoken criticisms of America's past.
The only reason the US government allows him to talk about it is because the FBI is probably tapping his phone and watching his every move. China might not be as efficient at spying on its citizens but the USA is efficient enough to do it and if people speak out then they just watch you even more closely.
So while there is a mock election, there is no way to know who really won. Probably the winner is whichever side has the best hackers. How is that any better or worse than China?
They got jailed for doing something similar. In fact it was exactly the same kind of thing, only slightly more organized and a bit more vocal.
Please do not throw phrases like that around applying it to China when it can just as easily apply to the USA. Our country is just as power hungry and authoritarian, perhaps more so if you look around the globe.
Did you forget about this: http://www.salon.com/news/opinion/glenn_greenwald/2010/01/27/yemen/index.html
Can change someone's status from civilian to domestic terrorists overnight.
http://www.dailykos.com/storyonly/2010/9/25/905259/-UPDATEDWheres-the-Change-FBI-Raids-Peace-Activists,-Confiscates-MLK-Photo
As I said, I'm from a country friendly with the US.
IMO, while the US has been a bully at times, the most they do is apply economic pressure, and if their target simply refuses to budge and the matter isn't that big a deal, they either compromise or just let it go.
Only in the worst case does military force get used.
In summary, again from my subjective PoV, the US at least has some respect for the sovereignty and rights of the nations they interact with.
China? They don't seem to respect anyone.
They feel just because they are bigger, they can force their will on anyone - to them might is always right 100% of the time.
Strength and military percussions are the only thing they respond to.
Now I wish my country didn't have to live under the thumb of superpower states.
But I have to say, living under the thumb of the US appears to be better than living under the rule of the PRC.
You seem to be unaware of the nature of proxies, tunnel end-points and trojaned machines.
> check your 'sent' folder, did you really send those messages or is it just claiming you did in the Reply To?
If that is the only way you have to check if your account has been compromised, you have other problems...
> This idea that China is a super-villain and the US is a superhero is based off of myth, nationalism and ignorance,
Correct.
> we are no better than the Chinese.
Wrong (and hence a non sequitur as a bonus).
Google hasn't extrapolated anything. They just issued warnings about attacks coming from Chinese IPs. It was Alexander Hanff of Privacy International who said that the attacks to his account 'may' have come from the Chinese Gov.
Dilbert RSS feed
Yup. As usual, end-to-end encryption is the only valid solution to be sure that no one along the transmission chain could snoop on your e-mail. For anything private or sensitive, that's the only solution.
With anything else, there are still weak points along the chain, like the mail being stored in clear on the server and being accessed there.
And I don't think offering GPG with Webmail is acceptable. If you have to let GMail handle your GPG keys it defeats the whole purpose.
As for the webmail part, that could actually be doable if the decryption is actually done on the client side:
- the webmail servers stores and transmits email in encrypted form
- the javascript running on the receiver's Firefox does the decryption
- as such no un-encrypted copy exists anywhere on the web
- the key remains locally stored and accessed only by the locally running Javascript. Not uploaded.
- as a bonus, as the Javascript is delivered in plain text, users can run checks to be sure that nothing shady happens (like the local app using the local GPG service to decrypt the messages, but then uploading them back to the mail server).
In fact, that could probably be done today with a combination of Userscripts and/or Plugins.
From what I've understood that's partly what Meebo is doing, to avoid overloading their server and having the whole webapp running over HTTPS. Instead online login is HTTPS and then only the messages are transmitted encrypted (except it's server-to-client encryption, not end-to-end encryption).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
For everyone who has an online account, here's the issue: There's no anti-fraud checking for your "forgot my password" tools. So that means, if you are in China, and hacking an account, you go to the "I forgot my password" link for that account, and answer the question. Voila! You are in. Sure, might take a few times, but who cares? I asked someone I know with a relationship with Google and Yahoo to do something with the info, and the response was unflattering. So please, if your question is "what is my favorite color" and it is red, white, or blue, come up with a better answer. Like "red-blooded American" or "white like the stars" or "blue a shade after midnight". This will foil the Chi-coms so they can't use a dictionary attack. Longer the better. 20 characters, and Google itself would have a hard time doing a brute-force rainbow attack.
It's funny how in the last month the Financial Times reported that in Europe the number of people who fear China outnumbers the number that fear terrorists 3 to 1. Whereas here in the US we are all about Islamic terrorists.
Anyway we have so many companies here in the US which are blindly running to China for more profit. So if you are living in the US you might as well start welcoming our new overlords.
In the meantime, I am concerned that within the next 10 to 20 years China might ignite a spark that sets off a war, a big one.
Currently they are stealing (basically we are giving it to them ) technology as fast as we can create it. I've sat in my company and watched DOD development money fund projects for systems, while the Chinese looked over our shoulders and watched every step of development.
Right now the US cannot contain China in no way, shape or form. We can't match them militarily or economically, we just don't have a big enough stick to swing anymore.
I think you will see Japan back step as gracefully as possible here in the near future once they realize there isn't a damn thing the US could do for them if China wanted to start fishing in Tokyo harbor.
But if China wasn't really ready for a fight they wouldn't have stopped the shipment/sale of "rare earths" to Japan. It didn't work out that well for us when we stopped shipment of oil to Japan in 1941. But I think by that time Japan was already itching for a fight.
The whole point of Webmail is that you can check your e-mail anywhere you can access a Web browser, be it your computer, a friend's computer, a public computer, a Web kiosk, etc.
If you access the mail from an unknown computer, you can't trust that computer for security.
2 requires portable storage of both the keys and possibly the browser, severely limiting where one can check mail, or at least making it so inconvenient that most people won't even bother with the system.
Theoretically, the keys could also be stored on the web, as long as they are password protected, and the client could be entirely javascript or java. Thus don't require USB access or rights to run external software.
Now practically, you still have the problem that you are running it on some untrusted machine. Which could be infected and do some snooping itself (and given the high infection rate among Windows machines that is really a possibility).
Again, only one single way to be sure about privacy and secrecy: end-to-end encryption.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Me being Gmail, and seeing this would block all incoming attempts from China into whatever server that held the American accounts,
say anyone not living in the US, can not access their US account, they would have to set up a foreign account (.ch for China I guess)
Seriously, we need to worry about this now? Google has done such an awesome job,
I would hate to think they have to start wasting money and resources to these types of problems.
I guess there will always be a way to hack, and there will always be ways to protect against....but my Gmail is really only for me, and I guess if I travel overseas, and I am no longer on the American continent, then I should not have to worry about reaching my Gmail from China. This could also force them to start using a lot more proxies like Tor and such, but this would raise flags all over, and let you see more and more which are the proxy control centers coming out of China, then you could shut them down...or ddos them or something...