Slashdot Mirror

← Back to Stories (view on slashdot.org)

Aurora Attackers Were Looking For Google's Surveillance Database

Posted by Soulskill on from the go-big-or-go-home dept.

An anonymous reader writes "When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looking to access Gmail accounts of Tibetan activists. What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists. Whether this was the primary goal of the attacks as well as how much information was exfiltrated is unknown. current and former U.S. government officials interviewed by the Washington Post say that the database in question was possibly accessed in order to discover which Chinese intelligence operatives located in the U.S. were under surveillance."

27 of 81 comments (clear)

  1. First HOSTS! by Anonymous Coward · · Score: 2, Funny

    Should have used a HOSTS file for better security.

  2. Helpful hint. by khasim · · Score: 5, Insightful

    If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

    1. Re:Helpful hint. by Anonymous Coward · · Score: 4, Funny

      Helpful hint.
      If you are in the spy or terror business, and u use email to communicate, u should look for another line of work.

      -HasHie @ trypnet.net

    2. Re:Helpful hint. by DNS-and-BIND · · Score: 3, Interesting

      You'd be shocked at how many people get really offended if you tell them to stop using Gmail. It's like telling someone who likes to bitch about how crap TV is to stop watching - it's just utterly out of the question. You'd think it would be easy to search for "free email provider", go to page 17 of results, and pick some random one. You would also be dead wrong.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    3. Re:Helpful hint. by iggymanz · · Score: 5, Informative

      nonsense, overt communication of misinformation is a time honored counterintelligence technique. Real messages can also be covertly conveyed in the same channel

    4. Re:Helpful hint. by Virtucon · · Score: 2

      Uhm, like General Petraeus, former head of the CIA?

      Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

      --
      Harrison's Postulate - "For every action there is an equal and opposite criticism"
    5. Re:Helpful hint. by Nidi62 · · Score: 5, Insightful

      Uhm, like General Petraeus, former head of the CIA?

      Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

      He was a political appointee, what do you expect? He was actually never in any capacity a spy. He was an infantry officer and a teacher more than he was anything else until 2004 and after when he was overall commander of Iraq then Afghanistan. The director of any agency in the US is an administrator above all else.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    6. Re:Helpful hint. by girlintraining · · Score: 2

      If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

      Just them? You'll note it also said suspected spies and terrorists. With "broader definitions" of terrorism coming out every day, and the criteria for being included on a watchlist, paired with these hotlines opening up for anonymous "tips"... pretty much anyone these days can be a suspected spy or terrorist. And being a citizen of the US is very little barrier against invasions of your privacy; They've even talked about revoking citizenship for people simply to avoid any legal hassles.

      It might be more accurate to say "If you are writing anything you don't want made public, given to law enforcement, or any of the 170+ governments of the world, don't use Gmail." At least then we'd cover all the bases. :/

      --
      #fuckbeta #iamslashdot #dicemustdie
    7. Re:Helpful hint. by RMingin · · Score: 5, Interesting

      Steganography plus photos of the "kids".

      Last word of every sentence plus a one time pad (NEVER EVER REUSE ONE TIME PADS. IT'S IN THE FUCKING NAME.).

      Simple coded phrases that seem innocuous. The garbage can spilled again. You need to stop letting that dog off the leash! I miss you and can't wait to see you next weekend. I want to do dinner at that Szechuan place again, I think it's gotten better.

      There are plenty of uses for an email account in intel/cointel. Sending plaintext messages over an uncontrolled service just isn't one of them.

      When in the field on an operation without official cover, the agent should assume that all actions and responses are monitored by the local and national cointel groups at all times. Communications should be deniable and overt. Email and public message boards are ideal, as they are fully deniable. The days of taping a tiny cannister full of microfiche to the bottom of a park bench ended forty-plus years ago. It's not hard to run deniable covert operations, you just need to be somewhat intelligent, recruit people who are likewise not stupid or lazy, and NEVER EVER take things for granted or relax.

      --
      The preceding comment is my own, and in no way construes an opinon of the Emperor of Mankind.
    8. Re:Helpful hint. by Jah-Wren+Ryel · · Score: 3, Insightful

      If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

      You are assuming these people were using gmail for clandestine communications. I'm pretty sure even the most basic opsec training would have covered the "don't use email for secret messages" ruie.

      What this looks like is a ruse - agents set up email accounts that are never used for spying purposes but are sufficient to attract exactly the kind of counter-espionage actions of getting the US to spy on the accounts. Then grab the list of accounts the US is spying on because that list is in the hands of google who don't have formal handling procedures for classified information and so are an easy target versus some system behind an air-gap firewall. Tada, now you know which spies have had their covers blown. It doesn't tell you which spies are still safe, but it does give positive confirmation of who has been exposed.

      --
      When information is power, privacy is freedom.
    9. Re:Helpful hint. by ebno-10db · · Score: 4, Funny

      Steganography plus photos of the "kids".

      Another approach is plain text that's so blatant the eavesdropper will assume no one would be stupid enough to send it seriously. For example: kill moose and squirrel.

    10. Re:Helpful hint. by PPH · · Score: 2

      Then grab the list of accounts the US is spying on because that list is in the hands of google who don't have formal handling procedures for classified information and so are an easy target versus some system behind an air-gap firewall.

      PROTIP: Involving untrained individuals or organizations in intelligence gathering operations is a bad idea. They tend to leak information to either the targets of investigations or third parties with interests in such surveillance.

      --
      Have gnu, will travel.
    11. Re:Helpful hint. by amiga3D · · Score: 2

      Don't use e-mail. Seriously, how secure is any e-mail server against government surveillance. Maybe using phone modems and sending a message directly computer to computer with full encryption might work. Then maybe not. I'm thinking that if I was involved in something highly illegal my paranoia would jump into overdrive. Given that I'm nobody and have nothing I think I might be safe using Gmail.

    12. Re:Helpful hint. by SpaceLifeForm · · Score: 4, Funny

      Unless the eavesdropper is Rocky or Bullwinkle.

      --
      You are being MICROattacked, from various angles, in a SOFT manner.
  3. Google, Big Brother's Helper ? by Taco+Cowboy · · Score: 2, Informative

    What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists.

    ... and anybody else, as long as the authority can label them "potential threats"

    Welcome to 1984, man !!

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Google, Big Brother's Helper ? by ozmanjusri · · Score: 4, Funny

      .. and anybody else, as long as the authority can label them "potential threats"

      "Diplomats" is a clearly defined set. The set "suspected spies and terrorists" already contains everybody.

      --
      "I've got more toys than Teruhisa Kitahara."
    2. Re:Google, Big Brother's Helper ? by Anonymous Coward · · Score: 2, Insightful

      Yeah, man, court's having the authority to make orders for records after a statutorily defined, and constitutionally restricted due process is totally Orwellian.

      (WTF?)

      The FBI can simply issue a National Security Letter, which has no actual review or oversight. You don't have any due process. They are not contestable, and it's illegal to tell anybody including your attorney that you even received one.
      Google is, in fact, one of the companies attempting to challenge these letters in court: http://www.wired.com/threatlevel/2013/04/google-fights-nsl/

      You want Orwellian, you got something pretty damn close right there.

    3. Re:Google, Big Brother's Helper ? by FatdogHaiku · · Score: 4, Funny

      Welcome to 1984, man !!

      If I don't get my 1984 body back then I'm not buying in...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
  4. G-Men. Gmail. Coincidence? by gubon13 · · Score: 2, Interesting

    *Cue the dramatic prairie dog*

  5. Chinese Cyberwar by Required+Snark · · Score: 2, Interesting
    The Chinese government is waging ongoing cyber warfare against the US, and we are loosing the defensive battle.

    One of the big problems is that non-governmental organizations that are not part of the defense industry have no legal responsibility to provide security. In fact, there are not even any meaningful federal level guidelines. This is, to a great extent, due to lobbying efforts on the part of entrenched business interests.

    http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803

    But theU.S. Chamber of Commerceand other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.

    Democrats overwhelmingly supported the legislation, but for Republicans, it meant a stark choice between competing constituencies: national security officials and business leaders. Even after the bill's backers made the standards voluntary, the Chamber of Commerce, which spends more on lobbying than any other trade group, opposed it.

    On Thursday, the Senate cyber-security bill failed to overcome a Republican-led filibuster. Analysts say the bill couldn't breach a wall of anti-regulatory sentiment that proved resistant to the dire warnings.

    The measure fell short of the 60-vote threshold needed to end debate, 52 to 46, with 40 Republicans joined by six Democrats voting in support of the filibuster.

    "Rarely have I been so disappointed in the Senate's failure to come to grips with a threat to our country," said Sen. Susan Collins, the ranking Republican on the Senate Homeland Security Committee and one of the bill's chief sponsors, who had tried in vain to sway her GOP colleagues. Just four sided with her.

    So the Republicans and the business community put their own short term interests ahead of the security of the United States. They are literally dumber then a box of rocks. Even so, if you listed to Republican rhetoric/propaganda they claim to be only ones who know how to defend the country. It's pathetic and frightening.

    --
    Why is Snark Required?
  6. Google the biggest fighter against govt data reque by raymorris · · Score: 5, Interesting

    The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
    That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
    By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
    information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
    therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

    Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
    https://www.documentcloud.org/documents/680852-googlemotion.html

    They are the only company I know of which publicizes how many supeonas and national security letters they get. That itself is thumbing their nose at the
    FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
    they aren't allowed to reveal the things they revealed in that suit. (It's a pretty safe assumption that Doe was Goog.)

    Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
    No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
    executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.

  7. Re: "highering" is right! by s.petry · · Score: 2, Insightful

    While there may be laws on the books in the US protecting citizens from the CIA, NSA, DHS, FBI, etc...(goddamn long list of Govt. agencies) those laws have been ignored for a dozen years. Because people refuse to see it does not make it go away... It just means people can be Ostriches.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  8. Re: "highering" is right! by ozmanjusri · · Score: 2

    While there may be laws on the books in the US protecting citizens from the CIA, NSA, DHS, FBI, etc...(goddamn long list of Govt. agencies) those laws have been ignored for a dozen years.

    How can they be sure you're a citizen if they don't spy on you?

    Be reasonable.

    --
    "I've got more toys than Teruhisa Kitahara."
  9. Re:"highering" is right! by girlinatrainingbra · · Score: 2

    you can look it up. i won't bother doing it for you. but here's one link:

    http://www.aclu.org/technology-and-liberty/nsa-spying-americans-illegal

  10. Sensationalism in action by c0lo · · Score: 2

    TFStory title: "Aurora Attackers Were Looking For Google's Surveillance Database"
    TFSummary: "Whether this was the primary goal ... is unknown

    Minimal change needed to reconcile the two - "Aurora Attackers Were Maybe Looking At Google's Surveillance Database"

    Stuff that matters: there may be something that can be called "Google's Surveillance Database".

    --
    Questions raise, answers kill. Raise questions to stay alive.
  11. Re:they could...move their mail operation overseas by girlinatrainingbra · · Score: 2, Interesting

    Re: they could just move their mail operation overseas with no US operatives.

    they do it for taxes already, so why the fuck not...

    Hate to break it to you, but they don't really move their money overseas for tax purposes. They only claim to move the money overseas. It's just a sham tax avoidance scheme. See the New York Times article entitled For U.S. Companies, Money âOffshoreâ(TM) Means Manhattan:


    Apple's $102 billion in offshore profits is actually managed by one of its wholly owned subsidiaries in Reno, Nev., according to the Senate report on the company's tax avoidance. The money is tracked by Apple company bookkeepers in Austin, Tex. What's more, the funds are held in bank accounts in New York.

    ...

    ''The offshore companies are a fiction and the statement that the money is offshore is a fiction,'' said Edward D. Kleinbard, former staff director for the Congressional Joint Committee on Taxation. ''What they are asking for is a reward for having gamed the system.''

    So they could claim that the servers are the diplomatic property of that imaginary land of Googylvania, couldn't they? Googylvania, that's my name for that concept, see also /. article about Google Island. Way, way, way beyond the reach of the USA laws.

    But you forget that the point of this is not really to stop servicing the Law Enforcement community of the USA. It's just to put up the pretense of protesting at serving and servicing the interests of the spies and LEOs of the USA: mollify the sheeple customers into believing that "it's the bad old guvviment that's so mean and googa-woogle is so good and on your side, we even pwotest these national secuwity lettews!" Don't fall for it. Google is NOT on your side.

  12. Re:Google the biggest fighter against govt data re by Xest · · Score: 2

    "As any business, their primary objective is to line their own and their investor's coffers."

    This is stupid, whilst it may be true in the majority of cases it's not true in all cases. As much as it may upset your cynical world view there are ethical companies out there and it largely depends on who is running those companies.

    Born and bred sociopathic business types like Larry Ellison and Steve Ballmer may not give a damn about anything but profit, and hell, it may even be true of Schmidt but counter-balancing that are people like Sergey Brin who was bought up under the USSR's surveillance state before his parents fled to the US with him and hence has an inherent distaste for this sort of thing.

    If you think there aren't ethical people in positions of power or even outright running some businesses then you're just a bitter sad individual pissed off that they've been more successful in life than you and just want at least something to try and make yourself feel superior than them with. It's pathetic.