Aurora Attackers Were Looking For Google's Surveillance Database
An anonymous reader writes "When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looking to access Gmail accounts of Tibetan activists. What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists. Whether this was the primary goal of the attacks as well as how much information was exfiltrated is unknown. Current and former U.S. government officials interviewed by the Washington Post say that the database in question was possibly accessed in order to discover which Chinese intelligence operatives located in the U.S. were under surveillance."
Should have used a HOSTS file for better security.
If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.
What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists.
Welcome to 1984, man !!
Muchas Gracias, Señor Edward Snowden !
*Cue the dramatic prairie dog*
With today's technology, and the NSA's level of computing power, I first off wonder what you mean by secure server somewhere (keep in mind the server has to be stored and accessed somewhere... where a server is at can get political...).
Also, if you're in the U.S. reading your email through the U.S. network, there's a large chance (in some countries it's almost a promise) that high levels of government can read your email even if it's stored on a secure server (if they really want to). In some ways using Gmail, where you're less conspicuous and have a large user base to blend into, can have its advantages. If you take into account modern data technicians, not having a free email account may also be a sign that you're not who you say you are by some computer algorithms (obviously it would have to be correlated with other data points)... but I don't feel like wearing a tin foil hat today. Knowing who the government is watching, though, tells you a lot about a government.
The comedy of all this is there's only a few world powers that have the skill to back people like this, and the agenda here is pretty clear (unless Putin is using his ninja powers to try and poison relations). The fact that Google servers were hacked in one of the capable countries makes the whole situation a tad less than dubious.
and now we know it to be true
Well, at least they didn't "lower" another country! "Highering" another country to do that work isn't always necessary. Since there are supposedly laws preventing the C.I.A. and N.S.A. from spying on our own countrymen, countrywomen, country-boys-and-girls-and-cats-and-dogs, supposedly there is a "gentleman's agreement" between the brits, israelis, and ourselves to trade info gathered on one-anothers' countrymen [damn those gendered nouns sneak in a lot in english] with the "rival" spy agencies, so that the data gathering is still done with supposedly clean hands. Allegedly. O-m-g, they're tracking what I type...
"exfiltrate" ??? We've got sum military lingo here!
Is this some interesting "in house"/"in country" propaganda being dropped into the USA by our own military's psych ops teams? Who uses a word like "exfiltrate" so often?
Exfiltrate defined as 1. (military) To withdraw troops surreptitiously from a dangerous position [on wiktionary]
Extraction (military) redirected from exfiltrated: In military tactics, extraction (also exfiltration or exfil), is the process of removing personnel when it is considered imperative that they be immediately relocated out of a hostile environment and taken to a secure area.
So is this a "poseur" pretending to use military lingo and add an air of "military intrigue" and "international espionage" to the story, or is it a pretense of a "slip of the tongue" so that people think some military type accidentally let some patois and lingo slip through that identifies the authenticity of this, mein Mann, give this Shizz some street cred in the Hizzouse !!
It's a false flag play on the field! We've got a false flag play on the field! Are there two or three levels of misdirection involved? Place your bets, gentle-people-and-citizens!
The director of any agency in the US is an administrator above all else. And he didn't really get any on the job training to be a spy. So he believed all the baloney about using "secret gmail tricks" and the "draft folder" with two people logging into the same account to pass messages back and forth. He certainly wasn't going to trust someone else with his sexual escapades and moral turpitude, was he? It's not like your executive administrative assistant, even at the C.I.A., is trustworthy enough to help you out!!! (so unlike being the president and having the secret service boys know who's been [ahem] servicing you and keeping it confidential still yet...)
He is that stupid. And so are most people. Every compu-geek is saying, geee why didn't they use P-geeee-pee or Gee-Pee-Gee or one-time-pads, or steganography in images of zebras!!! And people here think that they're a lot smarter than they really are, or probably are. Perhaps myself included! ;>) But hey, I've still got high school to finish and college to get through... Maybe I'll learn something along the way! We may know tech, but we're likely to bungle up other things on the way...
One of the big problems is that non-governmental organizations that are not part of the defense industry have no legal responsibility to provide security. In fact, there are not even any meaningful federal level guidelines. This is, to a great extent, due to lobbying efforts on the part of entrenched business interests.
http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803
So the Republicans and the business community put their own short term interests ahead of the security of the United States. They are literally dumber than a box of rocks. Even so, if you listen to Republican rhetoric/propaganda they claim to be the only ones who know how to defend the country. It's pathetic and frightening.
Why is Snark Required?
I believe The Onion had an interesting investigative report on the topic of that observation applied to national security.
If you're a corporation, don't use Google gmail or docs. Even if Google were somehow more secure than your own IT could be, uploading your company's spreadsheets to Google - whose primary business is selling advertising to your competitors - is a dumb idea.
The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)
Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
https://www.documentcloud.org/documents/680852-googlemotion.html
They are the only company I know of which publicizes how many subpoenas and national security letters they get. That itself is thumbing their nose at the
FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
they aren't allowed to reveal the things they revealed in that suit. It's a pretty safe assumption that Doe was Goog.)
Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.
I basically agree, Google are a victim as much as the ones being spied on are victims, they don't like this, nobody does.
I'm calling the people spied on 'victim' here, because I don't believe this statement:
"The database included information about court orders authorizing surveillance — orders that could have signaled active espionage investigations into Chinese agents who maintained e-mail accounts through Google’s Gmail service"
Right and why would they use Gmail? I think a far more likely scenario is these orders were used to spy on Occupy Wall Street protestors and anyone expressing political views. Since this seems to be the pattern with the FBI these days, and I don't see the criminal prosecutions from all this spying, which suggests it's not a prosecutable offense like spying, but rather a non-prosecutable offense, e.g. free speech.
It's all too META that a cyber spying by the Chinese on cyber spying by the USA happens to get data on cyber-spies.
The real fear amongst C3I National Security Council is the 'Top.'
I.e. those at the 'Top' have access to the most and timely 'intelligence' and have the greatest potential to gain (money) the most from selective 'disclosure' , i.e. the 'anonymous source', using secure accounts to 'game' the US Treasury and Justice and 'forgery' of a Presidential election.
Ha ha. We are speaking in past tense !
These things have already happened and more will come from the current 'Administration.'
It shows you that email is watched, if the head of the CIA can't trust email going from point A to point B to be free from surveillance that he relies on creating a draft on Gmail servers, and his GF doing the same. They didn't even trust a dummy GMail to dummy GMail send!
"First, Petraeus set up a dummy account. And second, it's been reported that Petraeus and Broadwell never actually sent any emails to each other. ...
Petraeus would log into said Gmail account, write an email and save it as a draft. Broadwell would then log into that same email account, read the draft, and leave a draft of her own. That way, the two were able to correspond without actually having to send any data from point a to point b."
I think it's time we did end to end encrypted email. We could stick the public key (in a public-private key pair) in the unencrypted email the first time you communicate, do a key exchange, and after that use the key to encrypt.
Webmail too, do the decode in the browser. Mark the section of the webpage that is the email text with a tag and source of that, lookup the key for that tag and decode it in the browser. Notify them of any broken keys or misleading tags.
It's vulnerable to first-key exchange interceptions, but that's all.
Looking for the surveillance database...so they were trying to download the entirety of Google then??????
TFStory title: "Aurora Attackers Were Looking For Google's Surveillance Database"
TFSummary: "Whether this was the primary goal ... is unknown"
Minimal change needed to reconcile the two - "Aurora Attackers Were Maybe Looking At Google's Surveillance Database"
Stuff that matters: there may be something that can be called "Google's Surveillance Database".
Questions raise, answers kill. Raise questions to stay alive.
The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)
Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
https://www.documentcloud.org/documents/680852-googlemotion.html
They are the only company I know of which publicizes how many subpoenas and national security letters they get. That itself is thumbing their nose at the
FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
they aren't allowed to reveal the things they revealed in that suit. It's a pretty safe assumption that Doe was Goog.)
Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.
they could just move their mail operation overseas with no US operatives.
they do it for taxes already, so why the fuck not...
world was created 5 seconds before this post as it is.
http://en.wikipedia.org/wiki/Operation_Aurora
On February 19, 2010, a security expert investigating the cyber-attack on Google, has claimed that the people behind the attack were also responsible for the cyber-attacks made on several Fortune 100 companies in the past one and a half years.
CISPA was all about sharing security information with other companies. If it were in place at that time, Google could have shared their counter-measures with other companies, vs the attackers using the same hacks against other large American companies.
The anti-CISPA backlash was retarded IMO. It was a different beast compared to SOPA.
Re: they could just move their mail operation overseas with no US operatives.
they do it for taxes already, so why the fuck not...
Hate to break it to you, but they don't really move their money overseas for tax purposes. They only claim to move the money overseas. It's just a sham tax avoidance scheme. See the New York Times article entitled For U.S. Companies, Money 'Offshore' Means Manhattan:
Apple's $102 billion in offshore profits is actually managed by one of its wholly owned subsidiaries in Reno, Nev., according to the Senate report on the company's tax avoidance. The money is tracked by Apple company bookkeepers in Austin, Tex. What's more, the funds are held in bank accounts in New York.
...
"The offshore companies are a fiction and the statement that the money is offshore is a fiction," said Edward D. Kleinbard, former staff director for the Congressional Joint Committee on Taxation. "What they are asking for is a reward for having gamed the system."
So they could claim that the servers are the diplomatic property of that imaginary land of Googylvania, couldn't they? Googylvania, that's my name for that concept, see also /. article about Google Island. Way, way, way beyond the reach of the USA laws.
But you forget that the point of this is not really to stop servicing the Law Enforcement community of the USA. It's just to put up the pretense of protesting at serving and servicing the interests of the spies and LEOs of the USA: mollify the sheeple customers into believing that "it's the bad old guvviment that's so mean and googa-woogle is so good and on your side, we even pwotest these national secuwity lettews!" Don't fall for it. Google is NOT on your side.
but to think they spend time and millions of lawyer money fighting the government for the greater good is rather disingenuous
You don't have a clue what it's like to be a billionaire and even less of a clue as to what motivates them to spend money on lawyers. If it was all about financial reward then google would simply give the government everything they wanted with a minimum of fuss and pay a few PR hacks to explain why they can't "fight city hall". I don't claim to know what their motivation is, however it's obvious there's no financial reward to be had that would outweigh the costs of their self-imposed policy.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
"As any business, their primary objective is to line their own and their investor's coffers."
This is stupid, whilst it may be true in the majority of cases it's not true in all cases. As much as it may upset your cynical world view there are ethical companies out there and it largely depends on who is running those companies.
Born and bred sociopathic business types like Larry Ellison and Steve Ballmer may not give a damn about anything but profit, and hell, it may even be true of Schmidt but counter-balancing that are people like Sergey Brin who was brought up under the USSR's surveillance state before his parents fled to the US with him and hence has an inherent distaste for this sort of thing.
If you think there aren't ethical people in positions of power or even outright running some businesses then you're just a bitter sad individual pissed off that they've been more successful in life than you and just want at least something to try and make yourself feel superior than them with. It's pathetic.
I've said it before and I'll say it again.
I'm beginning to suspect that Google is actually a front organisation for the Contact division of some race of well-meaning and meddlesome aliens, who are using it to discreetly nudge our society onto the path towards peace, freedom and post-scarcity tech-utopia. Eventually, thanks to them, our descendants will be able to take their place among their peers in the stars.
But maybe I've been reading too much Iain M Banks.
Actually I take it back. It's impossible to read too much Iain M Banks.
One imagines that such information is securely encrypted within the database.. no?
...I'm not real certain that information gleaned from an intelligence operative unprofessional enough to use a gmail account in the clear is really worth the effort.
What does this say?
China believes they can find real Government spy suspects through Google.
They believe that list would be valid and complete enough to warrant investigation
that was very costly.
They hacked from their home country, instead of hacking through other countries. They
likely had the military mindset. Do not trust systems you do not own and have physical
control over.
They believe the US would have to rely on this sort of surveillance on genuine spies
that China believes are worth them protecting.
They are concerned the US may know of some of their high value spies and may be
watching them. Maybe for their arrest, though how often does this happen. Maybe for
monitoring and disinformation. Is their spy returning information that is valuable,
or maybe even so valuable, it may be too good to be true? Could it be the US knows
they are a spy?
NSL process and Google advertised the Government's actions there making Google a target.
How did China hear of the database? Is the database real? If you were government, would
you want such a full database or list to be hackable? Would you want a fake database
out there?
Would you claim "China hacked our spy list database"? If they really did? Would you
hide that information for awhile and let someone else - a vendor, maybe - eventually
leak it to make it look real?
Or would it be business as usual. Somebody did not think through the process. It was
real. People were burdened with busy work and did not think about it. Sure, Government
is serious about protecting counterintelligence and their own spies. But did they think
this through and plan out a course of action?
How did China find the database? Emails in Google? Posts? IM? Internal co-worker?
A good cointel would be to allow hackers into a database showing assets that you wanted compromised but not the ones you don't.
Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)
http://en.wikipedia.org/wiki/American_Civil_Liberties_Union_v._Ashcroft
"American Civil Liberties Union v. Ashcroft (filed April 9, 2004 in the United States) is a lawsuit filed on behalf of a formerly unknown Internet Service Provider (ISP) owner by the American Civil Liberties Union against the U.S. federal government. In 2010, it was revealed that John Doe was in fact Nicholas Merrill of Calyx Internet Access."
So that was a small ISP owner doing the right thing, not Google. What do you think Google was doing in the meantime, if not complying with those requests? 2013 is very late in the game for Google to be filing lawsuits.
They are the only company I know of which publicizes how many subpoenas and national security letters they get.
Again, they started doing this very late in the game. Google gave up information to NSLs and didn't talk about it, just like everybody else. You're a fool if you think otherwise.