Chinese cracking of Google the fault of US wiretap facilitation laws

[Rococo Modem Basilisk]

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

Google's system isn't unique. Democratic governments around the world -- in Sweden, Canada and the UK, for example -- are rushing to pass laws giving their police new powers of Internet surveillance, in many cases requiring communications system providers to redesign products and services they sell.

Many are also passing data retention laws, forcing companies to retain information on their customers. In the U.S., the 1994 Communications Assistance for Law Enforcement Act required phone companies to facilitate FBI eavesdropping, and since 2001, the National Security Agency has built substantial eavesdropping systems with the help of those phone companies.

Systems like these invite misuse: criminal appropriation, government abuse and stretching by everyone possible to apply to situations that are applicable only by the most tortuous logic. The FBI illegally wiretapped the phones of Americans, often falsely invoking terrorism emergencies, 3,500 times between 2002 and 2006 without a warrant. Internet surveillance and control will be no different.

Official misuses are bad enough, but it's the unofficial uses that worry me more. Any surveillance and control system must itself be secured. An infrastructure conducive to surveillance and control invites surveillance and control, both by the people you expect and by the people you don't.

China's hackers subverted the access system Google put in place to comply with U.S. intercept orders. Why does anyone think criminals won't be able to use the same system to steal bank account and credit card information, use it to launch other attacks or turn it into a massive spam-sending network? Why does anyone think that only authorized law enforcement can mine collected Internet data or eavesdrop on phone and IM conversations?

Source: http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html

[Triple Zero]

I just posted this in the Google/China thread, but we'll see if it works as its own thread.

It amuses me that "US government ordered GMail to place a backdoor" is not the news here. I mean there's complying to wiretap requests, and there's installing a backdoor to facilitate. Not the same thing at all.

[Captain Utopia]

I have sympathy for Google on this - why should they be out of pocket for many hours of manual retrieval for data which they have to, by stupid laws, give up anyway?

[Triple Zero]

I have sympathy for Google on this.

I thought you conceded that point about anthropomorphizing corporations.

[The Johnny]

Oh no! Does that mean that Google pulling out of China is not about user protection?

[Captain Utopia]

I have sympathy for Google on this.

I thought you conceded that point about anthropomorphizing corporations.

It's a shortcut, an imperfect metaphor which nevertheless communicates the main thrust of my thoughts on the matter.  Was its usage unclear?  I dunno, it seems a bit dickish to throw a concession back in my face like that, but I suppose that goes some distance towards explaining why they aren't terribly common in internet discussions.

[Triple Zero]

In that case, yes. It's unclear. I don't understand how you can feel sympathy for a corporation.

They have to follow the law. But the way they did it was to make things easy for the gvmt to spy on people, for the chinese to hack into their systems, and to short-term save some money. All that without any consideration for the privacy of their users.

So it seems you feel "corp-sympathy" [let's call it that for now] because a corporation got "corp-hurt" [another imperfect metaphor] while it was only trying to do the "corp-right" thing.

And there you have it. "corp-right" is not right for people.

This corporation placed the corp-well-being of itself above that of actual people. yes I know, corporations often tend to do that, but that doesn't earn them ANY corp-sympathy in my book.

[Rococo Modem Basilisk]

In that case, yes. It's unclear. I don't understand how you can feel sympathy for a corporation.

CORPORATIONS ARE PEOPLE TOO!

[Bebek Sincap Ratatosk]

Well, for me the issue isn't so much the backdoor, but the failure to properly secure it. If you use the services of a coproration, that corporation has the right to build their system however they see fit. If a 'backdoor' in the system means saving 300 hours of ESI Hold requests (or whatever the governmnet equiv is) every month... then it makes sense. However, the back door must be as well guarded as the front door, or its a recipe for disaster. I assume most Internet services have back doors, intentionally or unintentionally. I also assume that most corporations are not all that secure.

[Rococo Modem Basilisk]

I got the impression that the back door might have been required. I mean, it kind of prevents the big hullaballoo that happened back when the feds requested a list of all search queries and only Google refused (on some technical grounds, iirc).

[Triple Zero]

Well, for me the issue isn't so much the backdoor, but the failure to properly secure it. If you use the services of a coproration, that corporation has the right to build their system however they see fit.

well, yes, and in this case I'd say that an important part of "properly securing" would be minimizing the attack surface.

which would include not building a backdoor that is to be used by people from other institutions that are not part of your corporation.

although you're right, building and properly securing it would also have been an option. but easier to get wrong.

[Captain Utopia]

In that case, yes. It's unclear. I don't understand how you can feel sympathy for a corporation.

They have to follow the law. But the way they did it was to make things easy for the gvmt to spy on people, for the chinese to hack into their systems, and to short-term save some money. All that without any consideration for the privacy of their users.

So it seems you feel "corp-sympathy" [let's call it that for now] because a corporation got "corp-hurt" [another imperfect metaphor] while it was only trying to do the "corp-right" thing.

And there you have it. "corp-right" is not right for people.

This corporation placed the corp-well-being of itself above that of actual people. yes I know, corporations often tend to do that, but that doesn't earn them ANY corp-sympathy in my book.

Nice appeal to ridicule.  It fits the pattern of "X is attacked; X doesn't deserve the attack; defend X" - yes it's a rule developed primarily for human social structures, but it is also valid for any environment you happen to give a shit about.  To dismiss it as an anthropomorphism is to miss the point.

In this case the application of "sympathy" is appropriate for summarising support for the second term, perhaps as a justification for the third.

Well, for me the issue isn't so much the backdoor, but the failure to properly secure it. If you use the services of a coproration, that corporation has the right to build their system however they see fit.

well, yes, and in this case I'd say that an important part of "properly securing" would be minimizing the attack surface.

which would include not building a backdoor that is to be used by people from other institutions that are not part of your corporation.

although you're right, building and properly securing it would also have been an option. but easier to get wrong.

Can you source this?  The most recently linked article doesn't describe it as a backdoor which is used directly by other institutions, and earlier reports describe it as an internal system used only by Google employees and then only if Google was served with a warrant for data on that individual.

Both scenarios suck from most every perspective, but in practice an externally accessible backdoor allowing unfettered access has much more potential for abuse than a warrant based system which requires a defined legal process.

[BabylonHoruv]

If Chinese hackers can access it it is, by definition, accessible to third parties.

[Rococo Modem Basilisk]

If Chinese hackers can access it it is, by definition, accessible to third parties.

I think the question is whether or not it was intended to be accessed by third parties, though. If the pentagon can directly connect to google's backdoor, then somebody in china can too (probably). If the backdoor is supposed to only be accessible on google's intranet (which would be the sane thing to do), then it's a lot harder for both the pentagon and china to get in. If the pentagon has legally required that google make the backdoor and make it externally accessible, then it won't be patched and it won't go away.

[Bebek Sincap Ratatosk]

I just spent a bunch of time with the *insert major AV company here* people doing a deep dive and rundown on this stuff... The backdoor Bruce is talking about didn't even figure into the initial attack vectors... However, after the initial compromise, the hackers have made use of several additional vulnerabilities to create new attack vectors. As of yesterday, the attack is also possible on Chrome and Firefox if you use the Flash plugin. I'm betting they compromise the 'backdoor' after they'd already compromised Google through the Aurora bug.

There's also some paranoia that there are additional vectors that are active and not yet identified... apparently some number of these "20 companies" had been compromised for at least 2 weeks before identifying it. There was almost a month between that and the public knowing.