Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Surveillance Backdoor Enabled Chinese Gmail Attack?

Soulskill posted more than 3 years ago | from the let's-blame-the-government-now dept.

Google 143

Major Blud writes "CNN is running an opinion piece on their front page from security technologist Bruce Schneier, in which he suggests that 'In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.' His article is short on sources, and the common belief is that a flaw in IE was the main attack method. Has this come up elsewhere? Schneier continues, 'Whether the eavesdroppers are the good guys or the bad guys, these systems put us all at greater risk. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in. And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.'"

Sorry! There are no comments related to the filter you selected.

Correlation does not imply causation (1, Interesting)

Anonymous Coward | more than 3 years ago | (#30878982)

Larry & Sergey To Cash In $5.5B of Google Chips

Re:Correlation does not imply causation (0, Offtopic)

jernejk (984031) | more than 3 years ago | (#30879188)

How is this offtopic?

Re:Correlation does not imply causation (0, Insightful)

Anonymous Coward | more than 3 years ago | (#30879352)

How is this offtopic?

Mod doesn't agree with GP but lacks the intellectual capacity to compose a counter argument.

Re:Correlation does not imply causation (2, Insightful)

Tranzistors (1180307) | more than 3 years ago | (#30879600)

More like, how is it ON topic? I have to exploit my imagination quite a bit, to see relation between stories, and I still can't see, how they correlate in any meaningful way.

Re:Correlation does not imply causation (0)

Anonymous Coward | more than 3 years ago | (#30879994)

More like, how is it ON topic? I have to exploit my imagination quite a bit, to see relation between stories, and I still can't see, how they correlate in any meaningful way.

Perhaps, but the correct tool for solving that is discussion, not moderation. This isn't a GNAA troll or a racist joke or something else that is useless to argue with and requires moderation. It can be rebutted instead.

Re:Correlation does not imply causation (0)

Anonymous Coward | more than 3 years ago | (#30880902)

the correct tool for solving that is discussion, not moderation

Can I use that as my sig?

Careful There, Schneier (4, Insightful)

eldavojohn (898314) | more than 3 years ago | (#30878992)

His article is short on sources

Agreed so I visited his blog and a recent post is equally scant [schneier.com] . He points back to another blog post with a little more [schneier.com] but really he's just pointing out the irony of a new proposed bill outlawing Google's collaboration with China in violating human rights issues. The irony being that the US has asked for similar backdoors from Google already.

So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story [slashdot.org] without citing the originator of the information. This is fine when it's a big paper like the New York Times but Schneier runs a blog on security. That's it. He might be a first hand expert but if so why isn't he showing and describing his conclusive evidence that the US mandated backdoor is how Chinese hackers gained entry? There's no doubt the software is less secure with a backdoor -- by definition -- but when he says:

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

He better be able to back it up. And he reiterates:

China's hackers subverted the access system Google put in place to comply with U.S. intercept orders.

I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence. And on top of that, he has zero accountability. In fact, he says none of this on his blog, he leaves it as an op-ed on CNN. Read it like a strange click generating opinion piece and nothing more.

I have respect for the man but this certainly shakes that. Any concrete proof of this would be welcomed. The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with.

Re:Careful There, Schneier (5, Informative)

Anonymous Coward | more than 3 years ago | (#30879064)

There was the following report:
http://www.computerworld.com/s/article/9144221/Google_attack_part_of_widespread_spying_effort

That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

That is not a backdoor. But it did concern me that google is actively preserving all of this information that could be used in the future for good or ill by anyone.

Re:Careful There, Schneier (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#30879086)

If Butch goes to Indochina I want a nigger hiding in a bowl of rice waiting to pop a cap in his ass.

Re:Careful There, Schneier (2, Interesting)

sopssa (1498795) | more than 3 years ago | (#30879110)

If US government want and have these, why wouldn't China? It's not that far fetched, and it's probably better for Google to say it was some virus planted on their system rather than have news all over the internet that China has such in place too. And it could be that US operations didn't know about it, Google China is its independent operation after all and why they're maybe pulling off.

I think it was AT&T or Verizon that we had /. article recently about how US government used their backdoor tons of times to gather info and that it would had been impossible to handle manually. Why wouldn't Google, one of the largest US companies, have similar system?

Re:Careful There, Schneier (3, Insightful)

eldavojohn (898314) | more than 3 years ago | (#30879332)

If US government want and have these, why wouldn't China? It's not that far fetched, and it's probably better for Google to say it was some virus planted on their system rather than have news all over the internet that China has such in place too. And it could be that US operations didn't know about it, Google China is its independent operation after all and why they're maybe pulling off.

This supposition just raises more questions in my mind though. 1) What do you mean by "independent operation" because it's still a subsidiary of Google [wikipedia.org] and I'm sure utilizes much of the exact replicated technology. 2) Why in the world would Google enforce an American law in China [askcalea.net] ? 3) If Google were providing this intercept data as access to the Chinese government then why in the hell would the Chinese government break in to steal email data from human rights activists? (From the original source [blogspot.com] , they suspect it was the government because the target was 'accessing the Gmail accounts of Chinese human rights activists') Why would the government need to gain malware access to the system that's put in place for them to access?

It just doesn't add up in so many ways. Every explanation seems to have more questions behind it. I'm almost tempted to say this was someone from Baidu or a criminal element in China or Russia that covered up all their tracks except those deliberately left to be political. But I'm getting into tin foil hat territory there.

I think it was AT&T or Verizon that we had /. article recently about how US government used their backdoor tons of times to gather info and that it would had been impossible to handle manually. Why wouldn't Google, one of the largest US companies, have similar system?

All big time communications operations have to worry about this. It sucks but it's the law [askcalea.net] . The question remains, however, what is that doing in China and if they're doing it for Chinese law, why did the government need to hack their own system set up to serve them?

Re:Careful There, Schneier (1)

Glonoinha (587375) | more than 3 years ago | (#30879754)

I believe what's being implied here is that Google lied about the vector by which the Chinese gained access, in order to cover up the real (dare I say 'Evil'?) vector.

I'm going to go out on a limb and extrapolate here :

1. Google has a simple interface by which the US Government can do the exact same thing.
2. Chinese Government figured out how to access it. [*]
3. Chinese Government does it, same as the US Government has been doing for a while.
4. Chinese Government access gets discovered.
5. Heard somewhere in Google : 'Oh shit! How do we spin this?'
6. The story we heard gets dreamed up.

[*] - It's entirely possible that the vector by which they learned the keys to access the system were implanted via a Trojan (malware) in a drive-by download in IE, or possibly included in a file emailed to a staffer inside - but I'd say it is more likely that a Chinese employee of Google (whether working in the China office of Google, or an H1-B working in an American Google shop) got access to the codes and sent them up the channel.

As for the business of targeting the human rights activists - that is exactly who the Government fears (and targets) most. Take a look at the interest the US Government gave the Black Panthers in the 60's for an obvious example.

Re:Careful There, Schneier (2, Interesting)

Anonymous Coward | more than 3 years ago | (#30880354)

I heard from a third- or fourth-hand source, that Google has a separate network for the workstations that do legal e-discovery, and that was what was compromised.

Legal e-discovery is a fact of life. People sue each other, and the court wants the email evidence. This was news during Enron....

Anyway, I heard that the malware was specifically crafted for the Google e-discovery machines. The IE Exploit is probably the truth. The question then becomes "how did the machines on the separate network get access to the malware?"

The opinion article mentions two separate things: "search warrants on user data" with "access system Google put in place to comply with U.S. intercept orders", and then summarizes with "... systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in."

True, but naive.

Google lawyer under scrutiny by a judge: "um, yeah, that email system we have? Yeah, we don't have the ability to search it. Yes, we do Search for a living. Yes, we knew the court would issue discovery orders. Yes, we have corporate customers that have a need to find all the email in the company by searching. Yes, we know a little bit about automation. But no, we cannot comply with your e-discovery order, and we've told all our corporate customers to stuff themselves too."

Generally, I like Bruce Schneier, but this was a pie-in-the-sky opinion piece.

Google + ChiCom Gov (2, Interesting)

WED Fan (911325) | more than 3 years ago | (#30879164)

It is not beyond belief that Google made certain concessions to the Chinese Government. Eventually, any concession to ANY government is going to bite the company and the user in the ass. Or, in the case of the Chinese, put a lethal 9mm sized hole in the head.

Re:Google + ChiCom Gov (3, Interesting)

Jerry (6400) | more than 3 years ago | (#30881974)

This episode reminds me of a Microsoft claim made seven years ago:

http://forums.macrumors.com/archive/index.php/t-21643.html/ [macrumors.com]
March 06, 2003

According to its own testimony at its anti-trust trial last year, Microsoft Corporation, purveyor of the omnipresent Office and Windows product lines, has betrayed the United States of America.

Microsoft has been struggling over the past year to slow the loss of international market share to cheaper, Linux-based alternatives. To that end, it recently began sharing the source code of its Windows operating system with various foreign governments. The problem is that this initiative comes just months after Jim Allchin, Microsoft's head of Windows development, claimed under oath that releasing such code to its competitors would be a major risk to American national security.

The disconnect between the software giant's actions and claims became even more striking last week when Microsoft announced that the second major nation to receive a tour of Windows' plumbing will be the People's Republic of China.

China is not America's ally. China is not our friend. At best, our two nations tolerate each other. At worst, we are on a cultural collision course that could dwarf the Cold War. And now Microsoft is planning to give China information that it has claimed could seriously compromise American security. Thanks a lot, Mr. Gates.

Re:Careful There, Schneier (1)

amiga3D (567632) | more than 3 years ago | (#30879186)

I suspect that going into detail about a backdoor system put into place by the government would be hazardous to his freedom. I'd bet the details are classified.

Re:Careful There, Schneier (1)

Shark (78448) | more than 3 years ago | (#30880524)

But I thought the government was supposed to protect freedom... What are we going to do?

Think about it a second (2, Informative)

HangingChad (677530) | more than 3 years ago | (#30879302)

I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence.

And how is he going to get the documentation now? Sue? The government steps in and claims state secrets, case dismissed. Ask Google for the documentation that admits they cooperated with a secret government program to spy on Americans? Bad for business and then they'd face federal criminal prosecution.

He probably has sources, but wants to protect them. Can't quote your sources, can't produce the docs, so the only option is to make the accusation and invite Google to sue him for defamation and tortious interference. He could still protect his sources and it would open Google up to discovery, something I'm sure the government isn't anxious to see happen.

We already know the telephone and cellular companies have found a way to monetize state surveillance by law enforcement, so they're not complaining. Who exactly is motivated to blab about any of this? And since Microsoft has decided to continue operating in China, one could also conclude they have back door systems as well and are more than willing to cooperate with both governments spying on their people. We assume for slightly different reasons, but how do we really know?

Re:Think about it a second (2, Insightful)

eldavojohn (898314) | more than 3 years ago | (#30879384)

Ask Google for the documentation that admits they cooperated with a secret government program to spy on Americans?

What 'secret government program to spy on Americans'? Read the article. They mention the Communications Assistance for Law Enforcement Act of 1994 (CALEA) [askcalea.net] . Here is Wikipedia's summary if you don't have the stomach for legalese [wikipedia.org] . You can read all about how it went in during Clinton's administration and has been enjoyed by every administration since (a lost freedom is rarely won back) and will continue to be enjoyed for a long time coming.

So Google is afraid to reveal what the law (CALEA) forces them to do?

We already know the telephone and cellular companies have found a way to monetize state surveillance by law enforcement, so they're not complaining.

That's funny. If they didn't charge for it, the consumer would be paying for the overhead of them being spied on. Would you like that scenario better? Get out, get vocal, tell people, tell average people on the street when they hang up their phone that all that information just got logged for the government. And do it with some tact so you don't look like a goddamn crazy.

Re:Think about it a second (3, Interesting)

Glonoinha (587375) | more than 3 years ago | (#30879800)

Where does the money that the government pays the companies come from? Taxes.
Who pays these taxes? The same people being spied on.

So yes. the consumer is paying for the overhead so they can be spied on.

Re:Think about it a second (4, Informative)

chill (34294) | more than 3 years ago | (#30879872)

Get out, get vocal, tell people, tell average people on the street when they hang up their phone that all that information just got logged for the government.

That isn't quite how it works. Other than the normal billing logs, the phone companies do NOT log all the data, much less voice logs, without a specific request.

I spent 2 years helping implement CALEA for Sprint/Nextel and was the point person for much of the integration. The simple truth is, the telecom companies don't have the storage capacity to log all the niggling details that CALEA requires for everyone. Hell, if the link between the CO and the LEO goes down, they're only required to store call data, not voice. That is all the button pushes, numbers called, etc. Voice is uploaded live and if the link is down, so is the voice collect.

Normal billing records include the phone number, direction and duration. CALEA records include EVERYTHING -- cell tower connected to, buttons pushed, call response, number of rings, text messages, multi-party calls, etc.

The truth is, the gov't DOESN'T log everything every time you use a phone. And no, on the cell networks I've worked on, they don't even listen for "key words" ala ECHELON unless it goes international.

Unless, of course, you or another party on the line is a target.

Re:Think about it a second (4, Interesting)

russotto (537200) | more than 3 years ago | (#30880252)

That isn't quite how it works. Other than the normal billing logs, the phone companies do NOT log all the data, much less voice logs, without a specific request.

I don't know about cell. But on land lines, they DO log everything. The switches emit raw call record data. The billing logs are produced from the call record data.

Re:Careful There, Schneier (3, Interesting)

Anonymous Coward | more than 3 years ago | (#30879312)

> The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with.

I can't prove it is there but I know it is.

A year so ago I was under consideration for a position with a defense firm looking to beef up for the coming Cyber War feeding frenzy. A half hour after I signed my life away on the clearance background checks and such they started asking questions that sounded oddly familiar. After two or three questions I realized they had read some Blogger posts (on technical issues) that I had written and saved in draft. I had never published a single thing from that Blogger account but it did have my name attached to it. I probably shouldn't have been freaked out - they were interviewing me for what was essentially a hacking position - but I was. I was so distracted for the rest of the interview that I didn't get the job. I couldn't shake the question of "What the fuck am I getting into here?"

Re:Careful There, Schneier (1, Insightful)

Anonymous Coward | more than 3 years ago | (#30881488)

A half hour after I signed my life away on the clearance background checks and such they started asking questions that sounded oddly familiar.

Anyone who has ever received a clearance knows that no way in hell does any activity start within half an hour.
Most are lucky if the investigation starts within a month.

Re:Careful There, Schneier (0)

Anonymous Coward | more than 3 years ago | (#30882360)

> no way in hell does any activity start within half an hour

That's true and I was indeed told it would take several months to get the clearance. This job wasn't for some obscure SONAR upgrade and I don't think for a second that it was part of the actual clearance process since the paperwork had barely left the security officer's hands. This division developed several of the systems people like to speculate about and handled some of the outsourced operations. They had my permission, they could and they did. That simple.

Re:Careful There, Schneier (5, Insightful)

PugPappa (1569423) | more than 3 years ago | (#30879318)

So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story [slashdot.org] without citing the originator of the information. This is fine when it's a big paper like the New York Times but Schneier runs a blog on security. That's it.

So what makes it ok for a "big paper like the New York Times" to publish unsubstantiated claims? We shouldn't disengage our critical thinking regardless of the source.

MOD PARENT UP (1)

Brett Buck (811747) | more than 3 years ago | (#30879394)

So what makes it ok for a "big paper like the New York Times" to publish unsubstantiated claims? We shouldn't disengage our critical thinking regardless of the source.

      That's quite a good question you have there. Should be interesting to see the rationization^H^H^H^H^H^H^H, sound reasoning behind that statement.

Re:Careful There, Schneier (0)

eldavojohn (898314) | more than 3 years ago | (#30879474)

So here's my problem: More frequently Schneier acts as a reputable news source 'breaking' a story [slashdot.org] without citing the originator of the information. This is fine when it's a big paper like the New York Times but Schneier runs a blog on security. That's it.

So what makes it ok for a "big paper like the New York Times" to publish unsubstantiated claims? We shouldn't disengage our critical thinking regardless of the source.

That's not at all what I meant. I meant it was okay because they get caught. Take for instance the CBS Dan Rather screw up with Bush's documents [wikipedia.org] . Because they didn't authenticate they got some serious negative press. Do you think that Schneier faces the same sort of name-through-the-mud charges if he prints something unauthenticated? It's the journalistic integrity that the Times must uphold to remain a viable newspaper that Schneier is not facing. He's just a blog, after all.

If the New York Times broke this and said they had a source but were protecting their anonymity, I'd buy it. I'd buy it right up until they were caught relaying lies and then I'd take their news with a grain of salt from that point on.

It's the reason why I don't anything from Fox News affiliates [wikipedia.org] and avoid them altogether. They proved they have no (maybe even negative if that's possible) journalistic integrity. When providing the news is your source of income you should protect that at all costs.

Re:Careful There, Schneier (1)

jofny (540291) | more than 3 years ago | (#30880794)

It's the reason why I don't anything from Fox News affiliates [wikipedia.org] and avoid them altogether.

I dont get why people single out Fox here. The whole media mess is a cross between a game of "telephone" where stories are single sourced and passed along from outlet to outlet losing fidelity over time, deliberate pandering for access, staged details for "clarity", deliberate playing down or up of details to meet advertising demands, shoddy fact checking, and - more than anything else - wild misrepresentation of stories through just reports not understanding what they're reporting on (they're entertainers after all).

These are all things I've personally encountered with multiple news outlets. Calling Fox out on it in particular is sort of ridiculous, IMO.

Re:Careful There, Schneier (1)

debatem1 (1087307) | more than 3 years ago | (#30882062)

To be fair, Fox is pretty bad about it- you remember the pie chart that added up to like 117% a few weeks back? Those are the same people feeding you elections returns.

Re:Careful There, Schneier (1)

Kris_J (10111) | more than 3 years ago | (#30882526)

Fox make roughly the same number of mistakes and bad calls as everyone else, but on top of that they deliberately mislead in order to sell their agenda.

Re:Careful There, Schneier (0, Flamebait)

wtbname (926051) | more than 3 years ago | (#30880984)

You are a little bit stupid. You are a whole lot of politics. Your points don't really make sense. Your conclusions are badly thought out. Your citations are meaningless.

There are 130 citations in your CBS Dan Rather screws up link. Disregarding that, you note that "because they didn't authenticate, they got some serious negative press". That. Is. Not. The. Point. They attempted, knowingly, on purpose, with intent, to influence the presidential elections. They used falsified documents to do so. Name through the mud? They should have been shot.

Next paragraph, you'd buy it until they were caught relaying lies? Seriously? You don't think "buying" it is a little naive? Maybe you should, as one of the previous posters indicated, apply critical thinking to all of your news sources. Maybe that might help you out with the problems I listed above.

And then you just randomly bash Fox News? Really? Fox News is shit, but we don't need morons like you telling us so. Did you read the god damn decision? It does more than just put quotation marks around "law, rule or regulation". IT FOLLOWED THE LAW YOU MORON. OH HEY LOOK THE JUDGE READ THE LAW AND THEN RULED APPROPRIATELY. Even worse, your wikipedia "citation" (see what I did there?) provides four links. Two of them are the same court document that state, yeah, Fox news appealed the verdict in question, and won. One citation is an autobiography (are you kidding me?), and the last is a Source Watch link that duplicates the wikipedia article? I can search on google for "Fox News Sucks" http://www.google.com/search?q=fox+news+sucks [google.com] and find better material than your stupid ass is citing.

Fuck off.

PS: Every time i read your post I get a little less angry, and a little more sad ;( You sadden me.

Re:Careful There, Schneier (1, Interesting)

Anonymous Coward | more than 3 years ago | (#30880960)

As an illustration of the dangers of trusting "reputable" news sources like papers:
Do you remember that newspaper article that was all over the papers (and even on the BBC) about how blonde women were more aggressive and had more of a sense of entitlement than others? Well, it turns out that the original research was about whether strong people (people! not women) were more or less assertive (i.e. whether the Napoleon aphorism is true - turns out it isn't). A news reporter then asked the researchers whether that meant blondes were more aggressive. The researchers crunched some numbers and told the reporter "no". The reporter then wrote an article with a headline like "blonde women more aggressive". And then everyone copied that.
The sad thing is, after the lie got exposed, none of the papers I read reported on that. The original article was on the front page of the science section in many, so the scandal should be of similar notability and importance but no, silence. Only the BBC went back and made changes, but the changed article still doesn't correspond to the original research and it looks like the changes were made more to try to save face than to inform the public. Shameful.
Honestly, sometimes I think you're better informed if you don't watch the news and don't read the papers.

Re:Careful There, Schneier (5, Interesting)

Anonymous Coward | more than 3 years ago | (#30879400)

"He better be able to back it up."

He doesn't have to. I'll explain later. In fact, reactionary posts like yours and the /. article is an inhibitor in favor of backdoors like this, instead of being patient and seeing what comes out. You are attacking the holder of the opinion, redirecting focus to the very real case of government backdoors and general population communication abuses, which has been proved, real, and pronounced (see AT&T eavesdropping and others).

Which is a shitload worse than Schneier mere opinion, even if unsubstantiated (which is worse than uncorroborated) on the matter.

"I just want to caution everyone that you're reading an opinion piece by a security blogger with no corroborating evidence." ,,,in the story. He may have corroborating evidence, but is smart enough not to put it forward for both his sake, his sources sake, and/or as bait.

If he had that evidence, he'd be held for obtaining classified information without a due security clearance and prosecuted.

"I have respect for the man but this certainly shakes that. Any concrete proof of this would be welcomed. The problem is I'm not sure how one would prove it one way or the other since I believe all the source in question is closed source to begin with."

Very true and you start in on the crux of this matter of releasing source info. However, I think you are looking at this as overly critical of Schneier, instead of looking at the whole picture. He lives in the real world, he has to live with the repercussions to his life, far more than you or I.

If he releases the info and has a source, Schneier himself gets prosecuted or at least subpoena'd for his source, and if he refuses to reveal it, he gets locked up. His source, at the very least, can be revealed and gets pounded (and people like you won't do a think and can't). And Schneier loses future use of his source. iow, at the very best, he can only suggest his opinion, which is what he is doing.

If he simply airs the idea out there, knowing it's true, that's fine by me. Maybe it isn't for you, but he's been right far far more often than not so in this case, I think people should look at the bulk of his work instead of just one instance that has yet to play out fully. If he continues to do this repeatedly for other issues, then yes, I'd start to shift in your opinion of the man. But I haven't seem him abuse his reputation. iow, if this is a lapse, it's unfortunate, but Schneier is human, and I doubt it's a lapse of judgment.

If he doesn't have a source, but has evidence, and isn't sure, he may be airing this out there without corroborating evidence (having no substantial evidence of course), to see what happens. If they go after him, then you have a tell tale sign. If there are code changes, again, tell tale sign. If he gets harrassed or hammered by 3 letter agencies, again, tell tale (and maybe this has already happened).

If he simply just threw it out there, then, yeah, shame on him, but again, I haven't seen him do this in the past, so I'm very willing to give him the benefit of the doubt, since his contributions, sources, and info in the past has been spot on. His hands may be tied in this case or he's being careful (esp. with a new administration that still has strong ties in the agencies to the prior administration, with a pro-prosecutional bent to it to go after small fries which Schneier would be in the grand scheme of things in the populace).

Your opinion will likely differ on this, but as you seem well aware of his legacy, I think it's over done to be this critical this early in the game.

Re:Careful There, Schneier (1)

mtrachtenberg (67780) | more than 3 years ago | (#30879430)

If there is no back door, Google should deny it unequivocally. If Google does not deny it, unequivocally, I think it would be appropriate to change the way we (many of us) think of Google.

Re:Careful There, Schneier (4, Funny)

Glonoinha (587375) | more than 3 years ago | (#30879834)

Hah. I don't believe anything until it's been unequivocally denied.

Re:Careful There, Schneier (1)

mtrachtenberg (67780) | more than 3 years ago | (#30880392)

If Google's top management denies it, and it's discovered to be true, they will have discredited themselves far more than if they remain silent. So public denials do have value. You don't know that they are truthful, but you do know that the deniers were willing to tie their future credibility to the denial.

Re:Careful There, Schneier (1)

moortak (1273582) | more than 3 years ago | (#30882532)

They would also be opening themselves up to SEC violations if they were found to be lying. Opening backdoors in one of their programs would be the type of thing that could have a material impact on their stock prices. Lying about things like that is what they popped Martha Stewart on.

Re:Careful There, Schneier (1)

nevesis (970522) | more than 3 years ago | (#30879482)

Schneier is, in my opinion, a much more reputable source than the New York Times.

Re:Careful There, Schneier (0)

Anonymous Coward | more than 3 years ago | (#30879518)

Are you a govie[1]? Do you have something to hide? :-)

[1] http://www.urbandictionary.com/define.php?term=Govie

Schneier might _be_ a source for his own article. (5, Informative)

TwineLogic (1679802) | more than 3 years ago | (#30879558)

Schneier is not primarily a 'blogger,' although that may be how we most frequently encounter him. As the publisher of the renowned book "Applied Cryptography," Schneier is a recognized domain expert in the field of security.

Therefore it is possible, even likely, that Schneier has directly received information pertinent to the attack. Someone assigned to the investigation may have phoned him up to consult his opinion, if nothing else. Given the progressive techno-legal opinion he wrote, I think it is just as possible that someone from the investigation 'leaked' information to Scheneier about the use of the CALEA interface.

By the way, for those who doubt that there is a 'backdoor' to gmail, CALEA is a law which _mandates_ a law enforcement backdoor, either through manual procedures or through computational interface. It sounds like Google has implement a CALEA interface, and China used an IE6 vulnerability to hack first Google, then used the CALEA interface to monitor specific accounts.

The nice thing about using the CALEA interface is that I presume this would not give any clue to the monitored user that the account is being monitored. Logging in with the user's password, as a contrary example, updates the IP usage information displayed by gmail.

Re:Careful There, Schneier (2, Insightful)

Anonymous Coward | more than 3 years ago | (#30879980)

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

He better be able to back it up.

He doesn't really need to, for the same reason this is not exactly news, just sensationalist spin on something obvious.

Every email system has a "back door." Every email system maintainer has to comply with search warrants and with discovery requests for ESI [wikipedia.org] . The same goes for file shares, calendars, any kind of electronic records you have, just as it does for paper records, audio tapes, photos, or any other kind of record.

Compliance for ESI requests can range from logging in as root and tarring up some files, hanging on to backup tapes indefinitely, or to sophisticated discovery interfaces like in Exchange 2010.

You can call these "back doors" if you want, but that's really being sensationalist. And it's more for the Courts than for the Feds. The fact is, if you get a subpoena or search warrant, you've got to cough up the relevant records, whether they're files on disk or folders in a file drawer. Just because Gmail is "in the cloud" doesn't mean it doesn't ultimately come down to files on disk somewhere that sysadmins will have access to.

As much of a pain in the ass it is for sysadmins, I submit that subpoena power is a good thing, because it lets the courts get to the truth about who knew/said what when. Often these records are the key to showing some government or corporate wrongdoing. There's no reason why your papers in a safety deposit box should be subject to a subpoena (as they have been for a long time) and your email shouldn't.

Now, there may be times when these records are gotten in some other way (like illegal actions by the Feds), but that's a different issue than whether they can be gotten at all. To act all shocked that people with root can (and sometimes have to) get at your email is stupid.

Re:Careful There, Schneier (3, Interesting)

DeadPixels (1391907) | more than 3 years ago | (#30880178)

He's partially right, but equally wrong.

Computer World [computerworld.com] quotes an anonymous source "familiar with the situation" as saying:

That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

According to that article, what Google had was an internal system that could pull limited amounts of account information to comply with law enforcement requests, not a backdoor that gave access to the account in question. Also, it appears that the malware/attack in question didn't "subvert the system" so much as it piggybacked onto a computer with access and got in that way.

So while he's right as to the general purpose of the system, he seems to be pretty wrong as far as the scope of the 'backdoor'.

really... (2, Funny)

duanco (958176) | more than 3 years ago | (#30879008)

a back door to a hosted email service....and this fellow is an expert? Guess he was never an admin anywhere......

Re:really... (1)

bschorr (1316501) | more than 3 years ago | (#30879182)

Seems to me a hosted email service essentially IS a backdoor. I can already get into the e-mail accounts of any server I'm the admin of - hence the power of Admin. Heck, not only do they own the admin accounts, they own the physical servers.

You haven't handed them the keys, they made (and own) the locks!

Re:really... (1)

ottothecow (600101) | more than 3 years ago | (#30879770)

Yeah...while google is not making a unix user account for everyone, there is probably some system equivalent to 'su' (maybe they just login with "ChuckNorris1").

Re:really... (2, Funny)

flyingfsck (986395) | more than 3 years ago | (#30880236)

Hmmm, a hosted email system is a bazaar, not a cathedral. There are no doors or walls to speak of, much like Haiti after the earthquake...

From what I understand... (1)

benjic (1715932) | more than 3 years ago | (#30879018)

The whole telecommunications industry has been in bed with the government for years. Is it niave to think that data warehouses would be approached differently?

Re:From what I understand... (1)

Sique (173459) | more than 3 years ago | (#30879818)

How do you think a wiretap works?
Did you ever believe there was a time when a wiretap was nearly impossible?
So yes. The telecommunications industry is in bed with the government. Since 172 years [wikipedia.org] at least.

PS: For some telecommunications equipment I actually know how the intercept interface works. Because I administer them.

Re:From what I understand... (1)

The FBI (1717712) | more than 3 years ago | (#30881166)

PS: For some telecommunications equipment I actually know how the intercept interface works. Because I used to administer them, but now I'm going away on a long vacation at an undisclosed location. Don't worry about me if I should never post here or anywhere else again, I'll probably be too busy to use the Internet.

There, fixed that for you.

Re:From what I understand... (1)

Sique (173459) | more than 3 years ago | (#30882632)

Why? It is in the official technical documentation. Just go and read it yourself :)

Re:From what I understand... (1)

John Hasler (414242) | more than 3 years ago | (#30880274)

> The whole telecommunications industry has been in bed with the government
> for years.

For values of "in bed" near "Shut up and do as you are told or we will put you out of business."

Not just short on sources (1)

drinkypoo (153816) | more than 3 years ago | (#30879040)

His article has zero citations supporting his assertion. He has provided only evidence that it is possible. I'm not saying he's wrong, but this article is pure garbage.

source (3, Informative)

Charles Dodgeson (248492) | more than 3 years ago | (#30879250)

When I blogged about this [blogspot.com] the week before last, I was relying on an article [computerworld.com] in Computer World which talked about the intruders gaining access to "a system used to help Google comply with search warrants by providing data on Google users."

Re:source (1)

drinkypoo (153816) | more than 3 years ago | (#30879472)

Thank you for having more integrity than the combination of CNN and Bruce Schneier. (I figure it's not impossible that there was a citation that was removed by the editor. But I'd need to see some evidence that Bruce did his homework before I'll forgive him.)

Re:source (2, Insightful)

Charles Dodgeson (248492) | more than 3 years ago | (#30880574)

Thanks, but I think that people are being too hard on Schneier. The Computer World article that I cited is based on an "unnamed source" who is "not authorized to speak to the press." Obviously that article should have been cited, but I that oversight in citation is a blunder, not something that challenges the integrity of Schneier.

But it is consistent with the official report out of Google, which stated that the Gmail accounts themselves were not compromised, and that the information stolen was subject lines and account creation date. The only purpose I can see for having a system that would just have access to that kind of information is would be for some kind of "pre-scanning" for law enforcement.

Among the many questions that I want answered is whether the credentials used to access that system (presumably obtained via long standing Adobe Reader or IE zero-day vulnerabilities) belong to a Google employee or someone else who had access to that system.

Re:source (1)

drinkypoo (153816) | more than 3 years ago | (#30880824)

Thanks, but I think that people are being too hard on Schneier.

there's been more than enough time to issue a correction, and IIRC bruce posts here on occasion so he has little excuse for not knowing what is coming out of what he's said. It's irresponsible at best; Further, CNN should have vetted this article and stopped him from making such a mistake. If they've given him carte blanche to post anything he wants, it's their failure to consider their image as well; but clearly an editor has seen the article, at least from the editor's note at the top. So as I say, they collaborated in producing a failed article.

Re:Not just short on sources (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#30879280)

Oh, kissy kissy, you are such a Google Fan Boi! A hosted email system with a back door? Wake me up when there is real news.

It's opinion (1)

cheros (223479) | more than 3 years ago | (#30879512)

However, I agree with you.

I think that even for a guy who is so good at self marketing as Schneier this is a WAY too obvious attempt to grab publicity as well as sound off over his hobby topic. I'm not saying he's right or wrong (as I do not have access to facts on either side of the argument), I just think this is a diplomatic spat brought on by Google execs because they want to sell stock.

I would shut up until the politicians have stopped playing, but I think he's trying to ride the publiciy, and it makes me wonder why. Is he about to sell BT stock? :-)

Re:It's opinion (1)

drinkypoo (153816) | more than 3 years ago | (#30879672)

It might be opinion, but he's stating it as fact without any supporting citations, not even citing an unnamed source. This costs credibility. Even if he turns out to be right, I'd expect him to explain where he got the information (at least in general terms) if he's gong to maintain credibility. A stopped analog clock, and all that.

Re:It's opinion (1)

John Hasler (414242) | more than 3 years ago | (#30880224)

> I just think this is a diplomatic spat brought on by Google execs because
> they want to sell stock.

They want to depress the price just before they start selling? Sure. That makes a lot of sense.

Missing the real issues (5, Informative)

etymxris (121288) | more than 3 years ago | (#30879174)

The backdoor in question is likely only available on Google's internal network. If it's guarded by VPN, this is fairly secure. Of course, there are many ways to hack into a company's internal network, as the Chinese hack demonstrates. But the law enforcement interface isn't uniquely problematic in this regard. Once you're into the internal network, there are all types of things you can do.

The real problem here is pen register taps, and it's application to email. The police can get as much "traffic analysis" information as they want without a warrant. This law enforcement interface was designed to allow easy access to this information, further invading our privacy through warrantless activities.

* All email header information other than the subject line, including the email addresses of the people to whom you send email, the email addresses of people that send to you, the time each email is sent or received, and the size of each email that is sent or received.
* Your IP (Internet Protocol) address and the IP address of other computers on the Internet that you exchange information with, with timestamp and size information.
* The communications ports and protocols used, which can be used to determine what types of communications you are sending using what types of applications.

From the EFF [eff.org] .

Back Door Government Access... (1)

hackus (159037) | more than 3 years ago | (#30879178)

Woops!

Wrong government.

Sorry.

-Hack

ANY tech can be used to facilitate a police state (2, Insightful)

Gothmolly (148874) | more than 3 years ago | (#30879192)

As long as you do not place restrictions on your executive branch, anything can be used to facilitate a police state. If a cop has unrestricted rights to search you, your days of privacy are over.

Re:ANY tech can be used to facilitate a police sta (0)

Anonymous Coward | more than 3 years ago | (#30879390)

ANY tech can be used to facilitate a police state.

Et tu, SpinBrush?

mo3 0p (-1, Troll)

Anonymous Coward | more than 3 years ago | (#30879202)

I wonder what the password was (1)

madcat2c (1292296) | more than 3 years ago | (#30879226)

The facebook master password was "Chuck Norris"...what was google's ...Steven Seagal?

Re:I wonder what the password was (1)

Briareos (21163) | more than 3 years ago | (#30879412)

I hope it wasn't Michael Jackson [google.com] ...

np: Flight Of The Conchords - I Told You I Was Freaky (I Told You I Was Freaky)

Re:I wonder what the password was (2, Funny)

Felix Da Rat (93827) | more than 3 years ago | (#30879446)

Oddly enough, it was 'Bruce Schneier'.

The People's Responsibility (0)

Anonymous Coward | more than 3 years ago | (#30879228)

Bad civic hygiene? So what, companies are supposed to tell the government "no" on their own? It's the people's responsibility to push their representatives to keep these government mandates from happening in the first place, or replace those representatives with those who do what the fuck they're told by the people they represent.

It's the epitome of shameful laziness that we (the American citizens, that is) allow our 'representatives' to do what they please while throwing up our hands and saying, "oh, well, what can *I* do" then bitching about government regulations putting us in danger. With each new generation, we've become more and more complacent.

Stand up and take responsibility for your (our) government, you lazy fucks. ... and get off my lawn.

Re:The People's Responsibility (1)

argent (18001) | more than 3 years ago | (#30879526)

Bad civic hygiene? So what, companies are supposed to tell the government "no" on their own?

No, the people are. That's the so what.

Re:The People's Responsibility (0)

Anonymous Coward | more than 3 years ago | (#30879656)

Uh, yeah, that was the entirety of my point.

Re:The People's Responsibility (1)

argent (18001) | more than 3 years ago | (#30879918)

I'm just objecting to your so what.

Re:The People's Responsibility (0)

Anonymous Coward | more than 3 years ago | (#30881762)

Parse error. Read the whole sentence. "So what, ?" is not the same as "So what. " Stop being such a an obtuse child.

Re:The People's Responsibility (1)

argent (18001) | more than 3 years ago | (#30882110)

"So what" is dismissive, no matter the context. If you don't mean to be perceived as dismissing a problem, don't use dismissive language.

Re:The People's Responsibility (0, Troll)

aflag (941367) | more than 3 years ago | (#30879938)

(...) companies are supposed to tell the government "no" on their own? It's the people's responsibility (...)

Companies are run by people. Companies do what people in charge want. Companies are there to help the public, not the other way around. I think it is indeed up to companies to openly state their political views and to work towards them.

Re:The People's Responsibility (3, Informative)

0123456 (636235) | more than 3 years ago | (#30880328)

It's the people's responsibility to push their representatives to keep these government mandates from happening in the first place, or replace those representatives with those who do what the fuck they're told by the people they represent.

Yeah, because that works just so well.

Companies sure as hell should be shouting when the government tries to force them to take these stupid, police-state measures: bad publicity is far more effective at eliminating bad laws than mere voting ever has been.

Schneier been living under a rock? (1, Insightful)

Anonymous Coward | more than 3 years ago | (#30879238)

"And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state."

ORLY, Bruce? Bad civic hygiene - for sure. But surely you're aware that so-called Legal Interception (LI) facilities are there in basically all communications networks used by the masses. It's not like this Google "backdoor" is anything out of the ordinary.

And you say correctly that they are a bad thing. Although, they would not be that bad, were they used to remove corruption and organized crime. But corruption and organized crime go hand in hand with top-tier politics, and therefore have protection.

As it stands now, such systems will only be used to target politically annoying individuals and kill off any dissent against status quo (whatever it may be, choose your -ism).

All of us can already now be tracked every single day by the digital communications methods we use. It doesn't matter if you live in USA or Iran, the LI facilities are built-in. In light of that, your comment strikes me as very ignorant - you say it as if it's a new thing.

Re:Schneier been living under a rock? (1)

selven (1556643) | more than 3 years ago | (#30880212)

Putting law enforcement backdoors into services which store information is a very bad thing. The fact that it's common doesn't make it less bad. We, however, SHOULD NOT simply accept things the way they are. If we passively accept all these injustices just because they already exist, the injustices will become acceptable. From there, the enemies of freedom have a foothold and will take their intrusion of freedom and privacy to the next level, until it becomes mundane and accepted there.

Bruce Schneier is doing a very good thing by complaining about there injustices and putting them into the public eye.

Nelson would say... (-1, Redundant)

Anonymous Coward | more than 3 years ago | (#30879262)

Ha ha.

At least Google wasn't running IE 6 (3, Funny)

Greg Hullender (621024) | more than 3 years ago | (#30879378)

This item makes me feel better about Microsoft AND Google! :-)

Seriously, it really does make a lot more sense. How could anyone at Google still be running IE 6?

--Greg (Now I just need to find something to make me feel better about our government)

Re:At least Google wasn't running IE 6 (0)

Anonymous Coward | more than 3 years ago | (#30879718)

Seriously, it really does make a lot more sense. How could anyone at Google still be running IE 6?

How about testing, compatibility, that sort of thing? Many Google websites use bleeding-edge ajax. IE6 still has a large installed base, and abandoning those customers isn't good business.

Re:At least Google wasn't running IE 6 (2, Funny)

The FBI (1717712) | more than 3 years ago | (#30881274)

Now I just need to find something to make me feel better about our government

The FBI has just removed your linkedin.com profile [linkedin.com] to protect your privacy and make you feel better about our government. We hope that helps.

Google's internal security vulnerbilities (5, Insightful)

lumierang (881089) | more than 3 years ago | (#30879392)

This is congruent with another report that mentioned
  Google put its Google China staff on paid leave and
suspended their access after the incident:

http://www.guardian.co.uk/technology/2010/jan/18/china-google-cyber-attack [guardian.co.uk]

      A lot of evidence points into google treating it as an internal security leak
, and is conducting an internal audit on all its China employee. It seems
Google has very good external security but is very vulnerable from inside .In the hacking very likely some google China employee was found to have leaked
information that facilitate the attack. And that explain Google management's fury
  as it would be a moment as shocking for them as the
“Cambridge Five” for British government .

    Firstly it would mean Google can no longer count on its Chinese
employee’s loyalty when it clashes with their loyalty to China, so if
it wants to operate in China it has to continue with a tainted staff, though that
should have been expected for any corporation operating in a foreign country.

    Secondly it would mean there are serious security loopholes in Google
internal management as it failed to implement a safety mechanism to
check or limit inside attack.It this is true, pile on the fact that
Google is already facing increasing privacy scrutiny in the US and
Europe,it would be a heavy blow to Google’s reputation as a whole as
it sends out the message that Google cannot be trusted with your data
IN ANY COUNTRY.

    In my opinion Google failed to take care of its own fences,However
  Google’s genius lies in politicizing this incident ,as
it completely shadows the question of Google’s own internal security
vulnerability, as evidenced by the blanket omitting of this question
in most of the news reports I have seen.It became a Good vs Evil in the news ,
and you cannot criticizing Good ole Google
without being grouped with the Evil Chinese Communist, can you?

Re:Google's internal security vulnerbilities (3, Interesting)

TwineLogic (1679802) | more than 3 years ago | (#30879658)

Another way to look at this is the Chinese government may have planted highly-trained professional spies inside Google.

Not to group you with the Evil Chinese Communist, but where are you from? You sound overly sympathetic to the non-political interpretation of this, and it's sort of odd to blame the victim. It wouldn't be odd for the Evil Chinese Communist to excuse its own behavior and blame the victim, however. So, despite your 'disarming' final statement, I suspect exactly that -- not due to your criticism of Google, per se, but certainly due to your attempt to minimize the wrong acts of the Chinese government.

Re:Google's internal security vulnerbilities (2, Insightful)

martin-boundary (547041) | more than 3 years ago | (#30882650)

Firstly it would mean Google can no longer count on its Chinese employees loyalty when it clashes with their loyalty to China,

It's pretty damn foolish for a corporation to think that it commands better loyalty than their employee's homeland. If Google really believes that, then it deserves what it gets.

People have a hierarchy of loyalties that are built up over their lifetime. A foreign company merely paying their checks for a few years is way, way down the list.

Hmm... (3, Funny)

antifoidulus (807088) | more than 3 years ago | (#30879546)

How come when I type "backdoor entry" into google, I don't get any sites related to this attack, just massive amounts of material on anal sex. It's a cover up I tell you!

Re:Hmm... (0)

Anonymous Coward | more than 3 years ago | (#30879790)

How come when I type "backdoor entry" into google, I don't get any sites related to this attack, just massive amounts of material on anal sex. It's a cover up I tell you!

Covering up a backdoor entry.... You have a dirty mind sir!

Come-on on guys (1)

Stan92057 (737634) | more than 3 years ago | (#30879762)

Come-on on guys, just what do you expect from a "Blogger" hes not a real news reporter he just states whats on his mind at the time. He works in security and is writing whats on his mind, thats what bloggers are/do.No proof necessary.

Database Security & open architectures (2, Interesting)

turtleshadow (180842) | more than 3 years ago | (#30880264)

Google's stance on database security is poorly documented and certainly not open. I've yet to find comprehensive peer review of their architecture security (but then they are a for profit enterprise) and need not comply like Oracle, IBM DB2, MySQL?

Numerous opportunities exist in the chain of data that Google is slurping through to build in "back doors" either deliberately or by "accident" expose data.

Somehow they "parse" accounts for words, addresses, html code, etc then use those datapoints to do statistical cross references to build the ad's. Thats elementary. However since they parse EVERYTHING in the account somehow the programmer(s) have to make design decisions on how to go about it. Is there one process per type of data. One that just looks for PDF code vs keywords? Is there one process per country with applicable rules for that country? Are the configuration tables for that process well protected and not able to be circumvented?

Google has to crack open each file, Adobe reported a breach so perhaps the attack vector was in the PDF parse/scrubber at Google.

It would be trivial "once inside the system" to set configs to just suck out everything instead of what that particular process ought looking for and tee the result over to some obscure process or table buried deep in the DB to retrieve it later by some query.

Once you found a marker to your target you'd just have to find the right DB keys they are associated with to get all the other data about them. Somehow every Google account has a primary or some other key that associates the data. No one is asking about low level DB security on this thread. Who exactly gets granted access to the primary and following keys and tables. Who has authority to restart processes? Are processes logged as to why they restarted with new values?

It's quite possible there is a way to view Google accounts outside a web-interface which is what normal people think when they hear back door. Its more sophisticated than viewing the raw dump. I suspect the intrusion proved the new horizon for security: That it ispossible to "re-assemble" most if not all the account from the database(s) if you've p0wnd the DB at a low level without the need for a backdoor to the actual account nor the Google foundational OS/netstack. The Chinese probably attacked and penetrated the DB's somehow.

I think this is the great oversight it was not just that Gmail was hacked. It is broader to say Google Accounts; gmail points to web search which is tied to Picassa, which is tied to Blogger, which is tied to youtube, etc....

All these have to be fortified at the DB level else any other measure of security is meaningless.

Trying to blame Google instead of MS (1)

sp3d2orbit (81173) | more than 3 years ago | (#30880342)

He is trying to raise the point that perhaps this is Google's fault, not Microsoft's. And I agree, but not for the same reasons. If Google was stupid enough to use Windows internally they deserved to be hacked. They should know better.

No, not Goog vs. MS, rather tech law vs. privacy (1, Interesting)

Anonymous Coward | more than 3 years ago | (#30882624)

Schneier's main point is that by happily enabling "lawful" surveillance through modern technology, we're obliviously entering a new world where:
- Even lawful surveillance by a democracy is abused without accountability (FBI, NSA, oversight clearly a joke, executive claiming limitless power)
- Mechanisms of lawful surveillance can be hijacked by unauthorized entities (Greece telco, GMail in China)
- Technology created by democratic-based corporations are being used by oppressive anti-democratic states (Nokia abetting Iran, Cisco & Yahoo abetting China, etc.)
- Even in a freedom-loving democracy our individual privacy is an endangered species with zero protection, as we leave electronic trails everywhere that are scooped up in for-sale commercial databases like ChoicePoint (as well as weakly-protected search engine records, ISP usage records, electronic toll road records, cell phone location records, and on and on and on.)

We are not watching where we're going.

Not exactly the same (2, Insightful)

russotto (537200) | more than 3 years ago | (#30880344)

Even if we accept Schneier's source at his word, an "internal intercept" system which shows traffic on an account is NOT the same as a system which feeds all your details to the government. There's a difference between a system which Google employees can use to comply with government warrants (as required by CALEA) and a system directly accessible by government officials ala AT&T.

Still, if you think anything you send via email unencrypted anywhere in the Western world is safe from the US government (and, by extension, any government able to penetrate the US government), you're dreaming.

Civic Nonsense (1)

westlake (615356) | more than 3 years ago | (#30880676)

And it's bad civic hygiene to build technologies that could someday be used to facilitate a police state.

There aren't many technologies that haven't made centralized government easier.

The abacus. The Roman road.

The canal. The steam engine. The railroad. The telegraph.

The examples can be multiplied endlessly.

The geek builds these things. The state funds these things - directly or indirectly.

In the past, through land grants. Mail contracts.

Someone always finds a way to work around the liberal or conservative opposition to tech the government wants to see developed.

While the geek never quite wakes up to the fact that there is going to be another hand at the controls.

Eavesdropping should require SOME effort (2, Insightful)

davidwr (791652) | more than 3 years ago | (#30881656)

"Backdoors" into telco switches and the like should be "hardwired" to only be accessible at specific locations, by specific people, with specific reasons, with extensive logs of who saw what and when so oversight authorities (e.g. Congress, courts) can audit them.

Each switch or server should have a dedicated network port, not connected to any network except the snooper's, over which snooping is done.

Ideally, it would not be a "snooper's network" but rather a "snooper box," with an air-gap between it and the other FBI or police computers.

The military knows how to do this right. If the FBI and police departments aren't using something like this, they can take a lesson.

By the way, it's not just "telco/ISP/mail-provider backdoors" that need this, anything that gives sensitive access should be as isolated as practical. For some networks, this means complete isolation/air gap. For others, it means dedicated communication channels. For others, a traditional firewall is sufficient.

Mr. Potato Head! Mr. Potato Head!! (2, Funny)

samgman (59969) | more than 3 years ago | (#30881994)

Backdoors are not secrets.

(Un)Encrypted data.. (0)

Anonymous Coward | more than 3 years ago | (#30882390)

And I don't mean the SSL/TLS/PGP stuff included in your favorite email product, that comes pre-compromised from the supplier.

Minimum = stunnel and generate your own stunnel.pem

I recommend the above + encrypting the message as an attachment using Omziff 3.2, Iopus sea or Axcrypt.

Why a backdoor? Google owns Gmail. (1)

master_p (608214) | more than 3 years ago | (#30882652)

Why they would need a backdoor? all the emails go in their servers.

defective by design (0)

Anonymous Coward | more than 3 years ago | (#30883200)

so, even google is defective by design?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?