Google Warning Gmail Users About State-Sponsored Attacks

← Back to Stories (view on slashdot.org)

Google Warning Gmail Users About State-Sponsored Attacks

Posted by Soulskill on Tuesday June 5, 2012 @10:15AM from the state-of-distributed-denial dept.

Trailrunner7 writes "Google, whose users have been frequent targets of suspected attacks by foreign governments, is deploying a new warning system for users who may be victims of those kinds of attacks. The new system is in addition to existing warnings that Google will show Gmail users when their accounts may have been accessed by attackers. Gmail users have been on the receiving end of a number of known attacks, including the infamous Google Aurora attack that has been blamed on China. Part of that operation was aimed at a specific subset of Gmail users, including Chinese dissidents and journalists. Now, Google says it will warn users about exactly that kind of activity."

69 comments

Min score:

Reason:

Sort:

Google thinks texting is secure??? by madbavarian · 2012-06-05 10:17 · Score: 5, Insightful

Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys. I believe that browsers already allow client certificates for setting up https connections. Using computer generated and invoked keys would solve the phishing and guessing attacks. The keys would have a high enough search space that guessing would be impossible. The connections would be authenticated in a way that wouldn't expose the private key itself, so phishing wouldn't work. 1) the google server key would be checked in a secure crypto manner and a MITM attack wouldn't be possible. 2) the user's key would be checked in they standard public key crypto manner also, which wouldn't expose the private key in the process of authentication. Crap, I know practically nothing about crypto and can punch holes in Googles stuff. They don't think the equivalent of some evil country's NSA could do much better?ï
1. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-05 10:21 · Score: 1
  
  Not just text messages, they support hardware tokens too. http://yubico.com/totp
  I've been lolling a lot over the past few years that people would trust their phones more than their computers.
2. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-05 10:32 · Score: 3, Informative
  
  First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.
  Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prepaid cards for example).
3. Re:Google thinks texting is secure??? by Catskul · 2012-06-05 10:32 · Score: 4, Insightful
  
  I think the text message is not supposed to be 100% secure, but another obstacle to put in the way of attackers. It's an 80% solution.
  
  --
  
  Im not here now... Im out KILLING pepperoni
4. Re:Google thinks texting is secure??? by anared · 2012-06-05 10:38 · Score: 1
  
  What about other OS's?
5. Re:Google thinks texting is secure??? by utkonos · 2012-06-05 10:44 · Score: 4, Informative
  
  Using computer generated RSA/DSA keys is actually a bit less secure than the best option, SRP. I'm not clear on why the Secure Remote Password protocol is not deployed more widely.
  
  Another point is that you can use Google authenticator rather than the SMS garbage. This is much more secure and uses HMAC-Based One-Time Password Algorithm (RFC 4226) and Time-Based One-Time Password Algorithm (RFC 6238). It even has a PAM module that you can use with just about anything that supports PAM, and it has iOS, Android, and Blackberry versions of the client app.
6. Re:Google thinks texting is secure??? by hackertarget · 2012-06-05 10:57 · Score: 1
  
  Adding a phone based PIN via text to the authentication of Google accounts increases the complexity of an attack against the users authentication. It is not perfect but phone intercepts vs keyloggers are two very different levels of attack.
7. Re:Google thinks texting is secure??? by DragonWriter · 2012-06-05 11:09 · Score: 4, Insightful
  
  Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys.
  
  Username and password with the authentication code is more secure than without it, though using the SMS or voice-channel option (which isn't the preferred two-factor mechanism) is a greater risk against an attacker with your password than the preferred two-factor method (which uses an app which generates computer-generated keys instead of sending them two you over a telecommunication network.)
  
  Using computer generated and invoked keys would solve the phishing and guessing attacks.
  
  It would be a single-factor authentication method subject to compromise of the device with the key-generating software. In practice, it would be less secure than using Google's existing two-factor authentication system using the preferred (mobile app) mechanism, which involves both device generating a limited-time authentication code and a regular password, so that compromise of either the password or the device doesn't compromise the account.
8. Re:Google thinks texting is secure??? by Dan541 · 2012-06-05 12:23 · Score: 4, Funny
  
  Crap, I know practically nothing about crypto and can punch holes in Googles stuff. ;
  Thanks for the pointer. We would never have guessed.
  
  --
  An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
9. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-05 12:23 · Score: 0
  
  WinMo is a dumb phone
10. Re:Google thinks texting is secure??? by Flere+Imsaho · 2012-06-05 12:37 · Score: 0
  
  They don't think the equivalent of some evil country's NSA could do much better?ï
  Like the USA/NSA doesn't do evil things. Yeah, right.
  
  --
  It gripped her hand gently. 'Regret is for humans,' it said.
11. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-05 12:39 · Score: 1
  
  With Google's 2 factor authentication you can either opt for them to call you with a code or send you a txt, along with making that cookie be a one time sign-on or expire in 30 days.
12. Re:Google thinks texting is secure??? by Runaway1956 · 2012-06-05 14:08 · Score: 0
  
  To which "other OS's" do you refer? Maybe AC answered your question after all. I can't believe that anyone who is worthy of the "Geek" title would be using a WINDOWS PHONE! At best, a Windows phone would be a neat toy to play with. When you get tired of it, hand it off to unsuspecting fool who doesn't understand, need, or want any security.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
13. Re:Google thinks texting is secure??? by swillden · 2012-06-05 15:26 · Score: 2
  
  First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.
  Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prepaid cards for example).
  Another option is to pre-generate a list of codes, print them out and cross them off as you use them. When you get low, log in and generate and print another set.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
14. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-05 18:16 · Score: 0
  
  security is never going to be perfect. The point is to make it as hard for the attackers as possible.
15. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-05 19:13 · Score: 0
  
  About Man in the Middle Attack : state sponsored attackers are likely to have access to an official, governement funded Certificate Authority, and may have a "legit" wildcard certificate allowing to do MITM attack on any domain without raising a browser alert...
  Also considering what a state sponsored spook can do with GSM operator, it is VERY hard to defand against such attacker (cf. Syrian and Iranian activists given away by their phones...)
16. Re:Google thinks texting is secure??? by DrXym · 2012-06-05 20:01 · Score: 1
  
  Google offers an app for various devices that provides 2 factor authentication. You get challenged during login with a number and you type the response that shows up on the app. Use that. There is nothing to say the phone, tablet or emulator you run it from even has to be attached to the internet or an active phone number. If you were super paranoid you'd buy some shitty android phone solely to run the app. Or launch an emulator from an encrypted volume. Or use it in conjunction with other measures such as encryption. Or don't use a cloud based email system run by a large corporation at all.
  The whole PIN reset thing is for a different scenario. If someone DOES hack into your account and change the password, how do you regain control of it again. That's what the PIN reset is for, and it would be completely adequate for the vast majority of people.
17. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-06 00:08 · Score: 0
  
  You can also install an application on your phone so then text and calls are unecessary. While I'm sure the carrier could push an update to subvert this, it does seem a bit safer.
18. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-06 04:29 · Score: 0
  
  To which "other OS's" do you refer? Maybe AC answered your question after all. I can't believe that anyone who is worthy of the "Geek" title would be using a WINDOWS PHONE! At best, a Windows phone would be a neat toy to play with. When you get tired of it, hand it off to unsuspecting fool who doesn't understand, need, or want any security.
  The "geek" and "nerd" title is still derogatory where I come from ( even with those movies that made geeks look "cool", and people like Jobs and Zuckerberg ).
  I love math and algorithms(and many more similar stuff), result? I have close to no real friends.
  I have about four distros of linux on my machine, a linux box is tailored for the kind of work I do. But I have a windows machine as well.
  How do you think people write exploits for windows phones and test community built softwares? are they not geeky enough?
  Linux-I believe-was concieved by hackers ( wizards, not script kiddies and theives) to scratch their personal itch, do you think they would have implemented a flashy gui if they didn't have to compete with windows and macs?
19. Re:Google thinks texting is secure??? by Anonymous Coward · 2012-06-06 05:45 · Score: 0
  
  Shut up. For the love of Pete, just shut up.
20. Re:Google thinks texting is secure??? by anared · 2012-06-06 05:59 · Score: 1
  
  MeeGo is better than any of those. But your attitude tells everything about you :D
How about... by betterunixthanunix · 2012-06-05 10:20 · Score: 1

...encrypting your email?

--
Palm trees and 8
1. Re:How about... by Anonymous Coward · 2012-06-05 10:27 · Score: 0
  
  Most of my gmail ads are for PGP. I shit you not.
2. Re:How about... by Anonymous Coward · 2012-06-05 10:36 · Score: 0
  
  "...encrypting your email?"
  Encryption for email has been widely available since the mid 1990s, with native support or plugins for almost (but not quite) every major mailer, yet almost no one uses it. That shows just how much most people care about security of online communication.
3. Re:How about... by Anonymous Coward · 2012-06-05 10:38 · Score: 0
  
  I love you...
4. Re:How about... by Smallpond · 2012-06-05 11:09 · Score: 4, Insightful
  
  "...encrypting your email?"
  Encryption for email has been widely available since the mid 1990s, with native support or plugins for almost (but not quite) every major mailer, yet almost no one uses it. That shows just how much most people care about security of online communication.
  Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process being standardized or documented in one place.
5. Re:How about... by betterunixthanunix · 2012-06-05 11:17 · Score: 4, Informative
  
  Which email client has encryption installed out of the box?
  Outlook, Thunderbird, the mail client in OS X, Evolution, and KMail all come to mind -- they all at least support S/MIME out of the box. Now, I think S/MIME is not appropriate for the typical PC user's email and the PGP's web-of-trust approach is a lot better, but it is not as though there is no encryption option available in popular email clients.
  
  find out how to generate keys
  This is definitely the weakest link in the chain for email encryption -- I do not think any of the clients I mentioned above have an automatic key generation process. Maybe Google should submit a patch to Thunderbird instead of working on better ways to let people know that they have been compromised (or perhaps in conjunction with that).
  
  somehow get my public key to all of the people that I want to communicate with?
  S/MIME does this automatically when you send signed email to people.
  
  --
  Palm trees and 8
6. Re:How about... by Dan541 · 2012-06-05 12:27 · Score: 1
  
  Maybe Google should submit a patch to Thunderbird instead of working on better ways to let people know that they have been compromised (or perhaps in conjunction with that).
  And undermine their own business? I doubt it.
  
  --
  An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
7. Re:How about... by Anonymous Coward · 2012-06-05 14:11 · Score: 0
  
  S/MIME does this automatically when you send signed email to people.
  You mean, when you send signed email to the NSA and the NSA sends signed email to people.
8. Re:How about... by Smallpond · 2012-06-05 14:23 · Score: 1
  
  From the Wikipedia article:
  "Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA"
9. Re:How about... by wintersdark · 2012-06-05 17:32 · Score: 2
  
  Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process being standardized or documented in one place.
  And, of course, what of your recipients? I'd love to encrypt all my mail, but having to have everyone I converse with do the same *AND* use the same set of plugins, clients, etc? Particularly considering most access their email over a variety of clients, browsers, and even operating systems? I know I access mine over three separate OS's on a daily basis.
  Yeah, that's just not going to happen. Sure, you can secure point to point email that really needs to be, but otherwise it's entirely impractical.
  
  --
  Meh.
10. Re:How about... by psiclops · 2012-06-05 23:28 · Score: 1
  
  you know gmail has instructions for setting up POP/IMAP access in the help section.
  they even contain specific details for what you need to do in Thunderbird to get it working(and other clients)
  
  --
  i spent five minutes thinking and all i got was this crappy sig
11. Re:How about... by Anonymous Coward · 2012-06-06 02:08 · Score: 0
  
  Go to your local book store and purchase "pgp and gpg" by Michael W. Lucas. If it's not available, the book can be found online from No Starch Press. All the documentation you will ever need.
so what about NSA accesses? by Anonymous Coward · 2012-06-05 10:30 · Score: 5, Interesting

One of two things are true:
1) Google never ever receives any requests for information from the NSA;
2) What Google actually means is that it will warn Gmail users about state-sponsored "attacks" from countries the US isn't on perfect terms with.
It's one thing to have corporations battling with government for control. It's quite another when one information-gathering corporation has become so big that it's playing its own overt part in the propaganda war.
1. Re:so what about NSA accesses? by Anonymous Coward · 2012-06-05 10:40 · Score: 1
  
  If the NSA makes a request and Google compiles then it's not really an attack and the NSA can just use whatever access/API Google gives. Google doesn't need your credentials.
2. Re:so what about NSA accesses? by Anonymous Coward · 2012-06-05 10:52 · Score: 0
  
  If the NSA makes a request and Google compiles then it's not really an attack
  
  If the NSA makes a request, Google complies. Google does not tell you.
  If the Chinese government makes a request, Google does not comply. The Chinese government therefore uses other means to get the information. Google tells you.
  They're both clear attacks on security against unreasonable searches. Of course, the US Constitution doesn't protect you from the Chinese government.
3. Re:so what about NSA accesses? by daveschroeder · 2012-06-05 11:24 · Score: 3, Insightful
  
  Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.
  The CONTENT of the private communications of US Persons are off limits without an individualized warrant from a court of competent jurisdiction. It's our friends across the Pacific that are monitoring the content of communications, including of their own citizens.
  Google isn't doing this with direct knowledge that a particular person is being spied on by their government. They're doing it based on aggregate evidence in nations known to be monitoring certain groups of internet users en masse; i.e., NOT the United States.
  Do you think the US government and US corporations should follow the law, or not? If not, what should govern it?
  Your opinion?
  Communications metadata in various forms has been fair game for decades (i.e., not a "new" or "post-9/11" construct), and has been validated by the US Supreme Court. How do you propose identifying and targeting specific foreign communications — the content of which does not require, and never has required, a warrant — now increasingly traveling on systems and networks within the US, without first having a mechanism to first identify and target those communications?
  Try to get out of your bubble where you perceive that the government is out to "get you" and take away your rights, and realize that the US has adversaries — not even of our own creation! — and that most in government and military leadership take their obligations to the law, the Constitution, and the people of the United States seriously.
4. Re:so what about NSA accesses? by Anonymous Coward · 2012-06-05 11:46 · Score: 1
  
  Obsession with "the NSA" aside
  I've posted threads about "the NSA" perhaps half a dozen times on Slashdot in the ~14 years I've been here. I've seen posts re the government by you, usually of the sycophantic cheerleading variety, hundreds of times. What's your interest?
  Anyway, what you are saying is that there is no such thing as a national security letters and the federal government has never installed systems which intercept data belonging to US citizens. You're also using a shitty "it may not be communications between US citizens even though it is very highly probable" excuse to intercept all metadata, an argument which could be applied to intercept every single piece of information travelling through the US.
  
  Try to get out of your bubble where you perceive that the government is out to "get you" and take away your rights
  Try to get out of your bubble where you perceive that the government is on the side of the regular citizen.
  
  most in government and military leadership take their obligations to the law, the Constitution, and the people of the United States seriously.
  In my experience, no, they don't. Not sure two Internet anons exchanging anecdotes is going to get us anywhere, though.
5. Re:so what about NSA accesses? by mapkinase · 2012-06-05 11:47 · Score: 1
  
  >What Google actually means is that it will warn Gmail users about state-sponsored "attacks" from countries the US isn't on perfect terms with
  Bingo.
  
  --
  I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
6. Re:so what about NSA accesses? by Anonymous Coward · 2012-06-05 13:36 · Score: 0
  
  Dude you think NSA/America is totally above board/boy scout jamboree, then at best you're a fucking idiot.
  Why do you think Americans travel the world with a Canadian flag sewn on their backpacks?
  You think people the world over hate boy scouts?
  And Google certainly shows all the symptoms of a marionette with a puppet master's hand shoved up it's ass.
7. Re:so what about NSA accesses? by russotto · 2012-06-05 13:45 · Score: 4, Insightful
  
  Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.
  If a US agency (law enforcement or no) with no warrant makes a request to a US corporation, that US corporation (e.g. AT&T) complies. Because if that corporation (e.g. Qwest) resists, their principals end up on the wrong end of an investigation of the sort Cardinal Richelieu made famous ("If you give me six lines..."). Because we're not actually a nation of laws.
8. Re:so what about NSA accesses? by Anonymous Coward · 2012-06-05 14:13 · Score: 0
  
  What's your interest?
  He's either a troll or a big-government neocon. The fact that he only replies to idiots he's baited and not to intelligent discussion of the errors in his posts makes me think the former. The latter tend to rant foaming at the mouth at anyone who dares question them with truthy facts.
9. Re:so what about NSA accesses? by Runaway1956 · 2012-06-05 14:19 · Score: 2
  
  "if a US law enforcement entity with a warrant makes a request "
  I don't know for sure, but I get the impression that you've been sleeping for most of a decade. Remember all the hoopla over warrantless taps? Warrantless searches and seizures? In one single instance, virtually all United States telcos were ordered by the US government to cooperate with federal officials to monitor email communications for hints of terroristic threats. Long afterward, the courts started to get involved, and started to find all that shit was unconstitutional. In fact, Congress passed a special law to indemnify all those telcos against being sued for cooperating with the government.
  Obsessions? Pal - the government may or may not "be out to get you", but if you believe for one moment that the government is your friend, then you are a fool.
  The very men who created this country warned us that it was our duty to guard against government intrusion on our rights.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
10. Re:so what about NSA accesses? by Runaway1956 · 2012-06-05 14:24 · Score: 0
  
  "Why do you think Americans travel the world with a Canadian flag sewn on their backpacks?"
  Because they are cunts.
  Hey, I happen to love and admire Canada. But, I will never attempt to pass myself off as Canadian. I'm an American citizen. Wherever I go, I'm just as American. Anyone who lacks the balls to be American in - Tehran, or Beruit, or wherever, should just move their asses to whatever country it is that they prefer. Hell - let them stay in Mogudishu, for all I care. They don't need to come home to wave a flag on July 4th. Wave the American flag in Beijing, or don't wave it at all.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
11. Re:so what about NSA accesses? by Anonymous Coward · 2012-06-05 14:57 · Score: 0
  
  You're either:
  (1)delusional
  (2)full of shit
  Not sure if either is necessarily going to advance the cause of human progress much.
  
  Because they are cunts
  I tend to credit them as having sufficient sagacity to realize that their government is not a group of boy scouts.
  This is a bit more than I can give you credit for.
12. Re:so what about NSA accesses? by X.25 · 2012-06-05 16:37 · Score: 1
  
  Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.
  The CONTENT of the private communications of US Persons are off limits without an individualized warrant from a court of competent jurisdiction. It's our friends across the Pacific that are monitoring the content of communications, including of their own citizens.
  Google isn't doing this with direct knowledge that a particular person is being spied on by their government. They're doing it based on aggregate evidence in nations known to be monitoring certain groups of internet users en masse; i.e., NOT the United States.
  Do you think the US government and US corporations should follow the law, or not? If not, what should govern it?
  Your opinion?
  Communications metadata in various forms has been fair game for decades (i.e., not a "new" or "post-9/11" construct), and has been validated by the US Supreme Court. How do you propose identifying and targeting specific foreign communications â" the content of which does not require, and never has required, a warrant â" now increasingly traveling on systems and networks within the US, without first having a mechanism to first identify and target those communications?
  Try to get out of your bubble where you perceive that the government is out to "get you" and take away your rights, and realize that the US has adversaries â" not even of our own creation! â" and that most in government and military leadership take their obligations to the law, the Constitution, and the people of the United States seriously.
  Wow.
  This is a brilliant troll.
  Awesome!
13. Re:so what about NSA accesses? by triclipse · 2012-06-05 18:16 · Score: 1
  
  "A multiplicity of laws is an embarrassment to justice."
  We have become a nation of too many laws and too little justice.
  
  --
  No Inflation Taxation without Representation
even more... by harvey+the+nerd · 2012-06-05 10:34 · Score: 1

This article shows Israeli security at the airport *demanding* incoming US passengers to open their Gmail accounts for perusal. Can imagine UK or US govt Nazi agencies pulling this sh|t sooner than later.
1. Re:even more... by St.Creed · 2012-06-05 10:58 · Score: 1
  
  I can imagine them doing it this year. Employers are already demanding access to your facebook page, so this will probably be next. Time to create two new accounts for both.
  "This account is empty"
  "Yeah, I use POP to pull the messages out to my own account and set everything to remove it from the server. I like a clean mailaccount".
  "This facebook photo doesn't look like you, and you have no friends"
  "Yeah, it's so sad... After my disfiguring disease everyone left me" :)
  
  --
  Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
2. Re:even more... by nurb432 · 2012-06-05 11:42 · Score: 1
  
  "Sorry dear employer, i have neither, and if i did you wouldn't be getting the passwords anyway". Then flip them the bird as i walk.
  
  --
  ---- Booth was a patriot ----
3. Re:even more... by Psyborgue · 2012-06-05 21:26 · Score: 1
  
  So? Don't want that level of security? Don't fly El Al. They may offend your delicate sensibilities but you can hardly argue with results. Personally I'd prefer their proven methods to our security theatre.
Armchair experts by Namarrgon · 2012-06-05 10:38 · Score: 4, Insightful

I know practically nothing about crypto
That should be a sign right there that they've likely thought this through more than you have. What makes you think the entirety of their security policy is accurately conveyed in TFA?
PINs through texts are not bulletproof, but they do add security. So do the other methods Google offers, like locally-generated tokens. Certificates are hardly bulletproof either, as Microsoft recently found out. And most methods will fail if you've got a state-sponsored infection like Flame on your system...

--
Why would anyone engrave "Elbereth"?
How about the American government? by Eightbitgnosis · 2012-06-05 10:42 · Score: 5, Insightful

Somehow I don't think I'd be getting a notification in this situation
1. Re:How about the American government? by mapkinase · 2012-06-05 11:48 · Score: 1
  
  How about Guantanamo? Or how about solitary confinement 23/7?
  
  --
  I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
2. Re:How about the American government? by Eightbitgnosis · 2012-06-05 12:29 · Score: 1
  
  I don't think Google has a warning for that....
Google is doing a good thing - mostly by raque · 2012-06-05 11:49 · Score: 4, Interesting

We can argue the details of security from now to doomsday. It's a good thing that Google is doing this. Except it's of limited value. As has been pointed out in reference to the Flame attack, State sponsored hacking is very hard to detect. Google might be able to detect some, but how many? And when does Google encounter a conflict of interest? What happens then, and will we know? This is one reason I like the existence of things like Bing and Yahoo Axis, I get to spread things around. No, it's not a cure all and I'm aware that I still can be tracked, but I am raising the price (effort, etc) needed to get things on me.
We're back to the price of Freedom is Eternal Vigilance. Some things don't change in the digital world. Politics didn't, Sex did. Go figure.
This comment will not be saved until you click the Submit button below.
1. Re:Google is doing a good thing - mostly by iamacat · 2012-06-05 19:01 · Score: 1
  
  OUR state sponsored hacking is very hard to detect. If you lock people up just for sending tweets, don't expect them to be great hackers.
2. Re:Google is doing a good thing - mostly by raque · 2012-06-07 04:04 · Score: 1
  
  I would tend to think the opposite. If you have a reason to hide things, then you will find how to hide them. This is why repressive countries have significant organized crime issues (AFAIK).
Add 2 + 2 by ozonearchitect · 2012-06-05 12:25 · Score: 1

Microsoft has been hob knobbing with China the past couple years. Bing is huge in China. Google is no more (in China). Now Windows phone is taking off like wildfire there. Google is talking about pulling Android out of China. Google has been cutting it's own throat. Microsoft stock is still cheap... way cheap. http://windowsphonethoughts.com/news/show/165736/a-sign-of-improving-times-for-windows-phone.html
1. Re:Add 2 + 2 by Anonymous Coward · 2012-06-06 18:20 · Score: 0
  
  Bing is huge in China. Google is no more (in China).
  Chinese search market share:
  Baidu: 54%
  Google: 41%
  Bing: 2%
  http://gs.statcounter.com/#search_engine-CN-monthly-201105-201205-bar
  If 2% is "huge", companies with 27x and 20x the market share must be truly enormous.
What about USGov intrusion ? by Taco+Cowboy · 2012-06-05 13:42 · Score: 1

I thank Google for their concern of users' right
But I wonder, what if the US Government decides to hack into Gmail accounts that they believe belong to members of "terrorist groups"?
Would GMail allow that?

--
Muchas Gracias, Señor Edward Snowden !
1. Re:What about USGov intrusion ? by ark1 · 2012-06-05 13:53 · Score: 1
  
  I thank Google for their concern of users' right
  But I wonder, what if the US Government decides to hack into Gmail accounts that they believe belong to members of "terrorist groups"?
  Would GMail allow that?
  US Govt has likely the keys to any gmail account. No need for hacking.
2. Re:What about USGov intrusion ? by Anonymous Coward · 2012-06-05 14:02 · Score: 0
  
  Google isn't a US Govt sponsored entity?
3. Re:What about USGov intrusion ? by Anonymous Coward · 2012-06-05 20:38 · Score: 0
  
  Only if the US gov followed due process, since Google is a US company they have to comply with US law. If the US gov didn't follow due process and decided to go the hacking route, you would expect that the agents doing the hacking would cover their tracks well enough that Google couldn't tell who was behind the hacking.
What about non state sponsored? by TheInternetGuy · 2012-06-05 14:59 · Score: 1

I think Google should notify me if they suspect any type of attack ,not just state sponsored ones.

--
If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
1. Re:What about non state sponsored? by Fastolfe · 2012-06-06 04:15 · Score: 1
  
  Please RTFS.
2. Re:What about non state sponsored? by TheInternetGuy · 2012-06-06 13:54 · Score: 1
  
  Please RTFS.
  Reading the summary before commenting, how very unslashdotesque of you. :D
  
  OK, Ill admit it, I somehow missed that part.
  
  --
  If my comment didn't sound as good in your head as it did in mine, then I guess we all know who's to blame
State Sponsored Propaganda by Anonymous Coward · 2012-06-05 15:48 · Score: 0

Since New York Times recently reported that Stuxnet is a US State Sponsored Cyber virus - which if you recall was accidentally released into the wild and affected and attacked innocent end-user machines as collateral damage, and with the ongoing US-Israeli state sponsored cyber warfare weapons of mass destruction (operation Olympic Games) including the more recent releases of Duqu and Flame virus.... can Google clarify if through its detailed analysis as well as victim reports if Google will apply the same exacting standards and warn end-users (both in the US and abroad, example: Iranian users) of these domestic (US) state sponsored attacks as well? Even if Google was to choose to go the higher route, wouldn't this kind of undermining and subterfuge (however unintentional) really go unnoticed by its host nation? Or are exceptions of convenience made in these cases due to the close ties that Google has with the US intelligence agencies and the confirmed but secret and classified collaboration that the Google has with the CIA and NSA in regards to GMail and Google Accounts? No doubt there is a clear conflict of interest going on here. To me this smells more like Google catering to State Sponsored Propaganda than really caring about the security and privacy of their end-users.
1. Re:State Sponsored Propaganda by VanessaE · 2012-06-06 05:33 · Score: 1
  
  "Cyber" virus? Seriously?
  *groans*