Google Building Privacy Red Team

samzenpus posted about 2 years ago | from the first-responders dept.

Google 92

Trailrunner7 writes "Google, which has come under fire for years for its privacy practices and recently settled a privacy-related case with the Federal Trade Commission that resulted in a $22.5 million fine, is building out a privacy 'red team,' a group of people charged with finding and resolving privacy risks in the company's products. The concept of a red team is one that's been used in security for decades, with small teams of experts trying to break a given software application, get into a network or circumvent a security system as part of a penetration test or a similar engagement. The idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."

Netflix has ChaosMonkey (2)

symbolset (646467) | about 2 years ago | (#41089033)

It's a good idea too. Deliberately cause mayhem to encourage and test true redundancy.

Re:Netflix has ChaosMonkey (2)

icebike (68054) | about 2 years ago | (#41089567)

But doesn't ChaosMonkey concentrate on trying to break content delivery rather than security breaches?

After all, Netflix's record isn't exactly stellar on privacy issues.

Re:Netflix has ChaosMonkey (4, Funny)

interkin3tic (1469267) | about 2 years ago | (#41089597)

I don't know if it's ALWAYS a good idea. My boss really didn't like "Show up drunk" Mondays. I guess ambulance driving isn't important enough to stress test in such a rigorous manner. Fuckers.

Re:Netflix has ChaosMonkey (1)

davester666 (731373) | about 2 years ago | (#41091459)

Ambulance driving gets drunk-tested all the time. It's called a "use-case".

Oh god... make them stop, please. (-1, Troll)

fustakrakich (1673220) | about 2 years ago | (#41089041)

On the internet there is no privacy, m'kay? Why this charade?

Re:Oh god... make them stop, please. (0)

Anonymous Coward | about 2 years ago | (#41089119)

You are a fucking idiot. Die.

Re:Oh god... make them stop, please. (-1)

Anonymous Coward | about 2 years ago | (#41090797)

Are you the cowardly moderator?

Re:Oh god... make them stop, please. (5, Insightful)

Anonymous Coward | about 2 years ago | (#41089145)

There is, you just have to take steps to preserve yours, which most people don't do.

And the rampant privacy violations that happen by default exist because people don't care about their privacy. If they did, engaging in such practices would put companies out of business. But people actively support this world, where everything they do is tracked. Such drastic measures to preserve privacy would not be necessary if more people cared about not living in a Panopticon.

Re:Oh god... make them stop, please. (5, Insightful)

trikes57 (2442722) | about 2 years ago | (#41089499)

I agree, and think Google is on the right track here.

I suspect they are starting to see the backlash against easily broken security, and are starting to do something about it.

This is really amazing when you stop and think that they have most to gain by learning all your habits (or at least the "Hate Google First" rabble would have you believe).

The iCloud meltdown preceded by the never ending follies of Facebook probably told Google it was time to test their own stuff rather than wait for the storm to hit home. They are well ahead of the game with two factor authentication. Now if they could just add Zero Knowledge encryption techniques to their Google Drive they could be giving even more assurance they weren't out to market anything more about you than what is already public record.

I would love to have stuff backed up in the cloud, but as it is, the only cloud I trust is SpiderOak.

Re:Oh god... make them stop, please. (3, Insightful)

Nemyst (1383049) | about 2 years ago | (#41090253)

I think the ridiculous thing is that my email and phone account is orders of magnitude safer than my bank account.

Google's security is already miles beyond the average website, it's banks I want to see get into the 21st century. I should be able to use top-notch encryption techniques if I so desired, instead of an 8-character password coupled with questions for which anybody could find answers if they even vaguely knew me.

Re:Oh god... make them stop, please. (0)

Anonymous Coward | about 2 years ago | (#41091055)

coupled with questions for which anybody could find answers if they even vaguely knew me.

Huh? The bank didn't choose those answers. The bank doesn't care what strings of characters you entered, just so long as you can regurgitate them when required.

You chose crap, discoverable answers. Stop blaming others for your shortfall.

Re:Oh god... make them stop, please. (2)

TheRaven64 (641858) | about 2 years ago | (#41091973)

My US bank gave me my Internet banking password, from a VoIP call from overseas, knowing nothing more than my name, address, and date of birth. Apparently this is roughly the same set of security as iCloud.

Re:Oh god... make them stop, please. (1)

Anonymous Coward | about 2 years ago | (#41093401)

Strings of characters? Hahahahahahah. At my bank, the questions are chosen from a drop-down box, and the answers are chosen from a drop-down box. So if the question is "What model year was your first car", the answer choices are "2000-2010", "1990-2000", "1980-1990", "1970-1980", "1960-1970", "1950-1960", "1940-1950", or "1930-1940". That's a real example; I'm not making that shit up. Even if I pick randomly, there's, what, three bits of entropy there? It's goddamn embarrassing; I'm thinking of switching banks.

Re:Oh god... make them stop, please. (1)

postbigbang (761081) | about 2 years ago | (#41093811)

This is a CYA case, done for liability-- not for love of privacy. If they envisioned respect for privacy, they wouldn't have their draconian Terms of Service, which gives them the right to read your mail, watch where you go, and otherwise digest and analyze all facets of your interaction with them.

Make no mistake about apparent altruism. This is their legal department saying: seal up the holes, then twisted by PR to make them look like good guys. Right track? Any organization should have systems security and adherence to privacy regulations at the forefront of their best practices implementation. Why they haven't had such an initiative to this point is mind boggling.

Re:Oh god... make them stop, please. (0)

Anonymous Coward | about 2 years ago | (#41089619)

I disable JavaScript, sites don't work, including hyperlinks that were made into JS instead of standard HTML. I disable cookies, the site either asks me to enable cookies to continue or just doesn't work right.

It's all due to shitty web design and implementation. Learn to run scripts and remember state on the server side only.

Re:Oh god... make them stop, please. (1)

TheRealMindChild (743925) | about 2 years ago | (#41089997)

People care about privacy as much as they care about their wallet. They just have no idea how valuable their privacy is.

Re:Oh god... make them stop, please. (1)

shentino (1139071) | about 2 years ago | (#41090319)

Voting with your wallet only works in a competitive environment.

There's probably also that violating your privacy is worth it in terms of higher premiums commanded on ad dollars.

Protecting a walled garden isn't easy when there's oil under it.

Re:Oh god... make them stop, please. (0)

Anonymous Coward | about 2 years ago | (#41089245)

They are NPCs so don't worry about it.

Re:Oh god... make them stop, please. (1)

shentino (1139071) | about 2 years ago | (#41089383)

Google pissed off the politicians.

That is why everyone does it but only Google gets in trouble.

Re:Oh god... make them stop, please. (2)

klingers48 (968406) | about 2 years ago | (#41089777)

All cynicism aside, I can understand and get behind this initiative. This is actually a contemporarily rare example of Google adhering to their old "Don't be evil" mantra.

When their entire business model involves a suite of free services and applications that filter down and commoditize users' viewing habits and usage metrics, information security becomes even more important. As much as I don't really appreciate Google having this information themselves (and obviously sharing with vetted partners I might not agree with), I'd be far more concerned about illicit third-parties gaining this information.

Google are worthy of at least some acknowledgment of them doing the right thing here.

Re:Oh god... make them stop, please. (-1)

Anonymous Coward | about 2 years ago | (#41090701)

The cowardly moderator strikes again and again. Your google is a government ops. Suck it up, dweebs!

I think... (3, Insightful)

Jafafa Hots (580169) | about 2 years ago | (#41089045)

...the concerns about Google and privacy have next to nothing to do with what hackers might do with the data Google collects on you, rather than what Google will do with it.

Re:I think... (2, Informative)

desertfool (21262) | about 2 years ago | (#41089083)

And that is exactly what I wanted to say. I'm more worried about Google than anyone else.

Long live Adblock and Ghostery.

Re:I think... (2)

bhagwad (1426855) | about 2 years ago | (#41089211)

Than ANYONE else? Really? So if you had to choose an ISP, you would rather use a corporation like say AT&T or Time Warner rather than Google?

Re:I think... (0)

Anonymous Coward | about 2 years ago | (#41089783)

Absolutely. AT&T and Time Warner have nothing close to Google's abilities to mine your data. While all three companies work with the NSA, Mossad, MI6, etc., Google is coziest with the intelligence community, having been built from the earliest days in partnership with the NSA.

Let us not forget Google is the most pro-active corporation on the planet when it comes to the erosion and/or invasion of privacy. They have their "street view" spy machines everywhere -- in many many nations -- these days. Just the idea that a private company should have a giant database on every house, person, street, etc., should be a warning sign. Especially when those "street view" spy machines were also sucking down all the wireless LAN data they could get their hands on. With the computing power and insider information that Google has on hand, decrypting WPA2 wifi data is a trivial exercise. And the spy machines are just one tiny example. Gmail, Gchat, Gdrive, etc., everything is designed so there is no privacy for the user. Let us not forget Google Voice which has recorded the voices of millions of people.

In short, there is no company that is hell bent on destroying the privacy of humanity more than Google. This latest act of theirs, "privacy theater" will not convince anyone with two working brain cells. But it is great for them to hold up as a shield of plausible deniability if they need to.

While Apple sits in the limelight as the preeminent maker of shiny toys, Google is the most powerful tech company on the planet. Microsoft is coming up fast, though. And Apple is aping Google too with the non-encrypted "iCloud" and recording the voice of everyone who uses Siri.

Information is power. Google will never be serious about privacy. It is against their core values and in direct opposition to the mission of the company, to control all the information in the world.

Re:I think... (3, Insightful)

oakgrove (845019) | about 2 years ago | (#41089825)

You do know you can just not use Google, right? No, seriously. You can run your own mail server even. As a matter of fact if you're really worried, you can use tor or Freenet and be completely anonymous. Just make sure you have https everywhere, and noscript running and you're golden. As far as street view goes, secure your wi-fi and plant some trees in front of the house.

Re:I think... (1)

TheRealMindChild (743925) | about 2 years ago | (#41090049)

Saying you "can not just use google" is like saying you don't have to buy your produce at a grocery store. Sure, it could be done, but in the cost/benefit analysis of it all, you are going to live a better life shopping at Walmart.

Re:I think... (2)

Nemyst (1383049) | about 2 years ago | (#41090279)

That's entirely false actually. It's not only doable, but fairly simple not to use Google if you're more paranoid about them than about the alternatives, which is the statement being made here.

Instead of Google, use something like DuckDuckGo. Instead of Gmail, use Thunderbird with a private mail server. Go to YouTube with private browsing through a proxy and don't comment, or use something like Vimeo/DailyMotion/whatever. Use Android without connecting a Google account, or get an iPhone.

Nah, the thing is that it's much easier to whine about things than to do something about it.

Re:I think... (1)

tlhIngan (30335) | about 2 years ago | (#41096465)

That's entirely false actually. It's not only doable, but fairly simple not to use Google if you're more paranoid about them than about the alternatives, which is the statement being made here.

Instead of Google, use something like DuckDuckGo. Instead of Gmail, use Thunderbird with a private mail server. Go to YouTube with private browsing through a proxy and don't comment, or use something like Vimeo/DailyMotion/whatever. Use Android without connecting a Google account, or get an iPhone.

Nah, the thing is that it's much easier to whine about things than to do something about it.

OK, so you don't use Google's front services.

What about their back services? Every ad you see is practically powered by Google (either directly through AdSense, or indirectly through Google-owned companies like DoubleClick and the link).

Practically every website uses Google Analytics. Or Google APIs. Or has some G+ thing. Or uses Google's CDN. Or dozens of other services Google offers.

If Google (and associated companies) were to suddenly disappear off the 'net tomorrow, the whole Internet would be broken - you'd be able to load up one of the few self-contained websites, while everyone else's would be broken in some way.

Google literally does know everything and practically everywhere you surf.

Re:I think... (1)

Nemyst (1383049) | about 2 years ago | (#41105661)

Ads? Oh you mean those things most people who care about Google's intrusive practices have already blocked, alongside all scripts from blacklisted domains?

Re:I think... (2)

oakgrove (845019) | about 2 years ago | (#41090329)

I happen to agree. I use Google because I like it and nothing I've seen so far can get me the answers for so many different things at a moment's notice. That said, it's funny seeing people rail against Google when all they have to do is use something else. Hell, get a fat enough Internet pipe and index the entire web yourself if you're that paranoid.

Re:I think... (0)

Anonymous Coward | about 2 years ago | (#41090429)

There is a lot of truth to this comment. Sooner or later in some context, likely job-related, you'll be invited to participate in a Google chat, or "hangout", or whatever they are calling it. And Google will record everything. It is very hard to get away from not being recorded whether it be by Google, Microsoft, Apple, or some other company. And there is basically no privacy protection for these recordings. The company that has them can use them for whatever they want, sell them to whomever they want.

It may be relatively simple to use non-Google email, but the other services are more difficult to get away from, especially over time.

Re:I think... (1)

Johnny Mnemonic (176043) | about 2 years ago | (#41090641)

If you were a Chinese dissident using gmail to communicate and collaborate, you might have different priorities.

Re:I think... (1)

WoLpH (699064) | about 2 years ago | (#41092531)

Unfortunately Ghostery and/or Adblock are not always an option.

My bank (ABN-AMRO) has recently updated their website and with that added Omniture tracking to all pages. If you use Ghostery (as I do) the site just stops functioning entirely and the entire Internet banking system doesn't work anymore.

So unless I permit Omniture to see everything I am doing and effectively give them access to my bank account including transferring money to other accounts... I cannot access my Internet banking system anymore.

BIG FAIL from the ABN-AMRO in my book. If you're going to use tracking/analytics software like this, make sure your website keeps working if it's not available...

Hyperbole (4, Insightful)

brunes69 (86786) | about 2 years ago | (#41092583)

Yes, because it is much worse for Google to know I prefer a BMW to a Toyota and serve me ads appropriately, vs. having someone use the same information to steal my identity, take out a second mortgage on my home, and leave me destitute.

You can take my house, but PLEASE don't ask me what my car preference is!

Can we tone down the hyperbole please? Comparing using personal data for marketing vs. using it to steal from innocents is just stupid.

Re:I think... (1)

Yvanhoe (564877) | about 2 years ago | (#41093143)

I still like that Google are making sure that no one can get data from them without their accord. It is a separate issue.

Re:I think... (3, Insightful)

Anonymous Coward | about 2 years ago | (#41089957)

You shouldn't be concerned about Google. This data is Google's most valuable possession, and the company's entire value is dependent upon that data staying in the company. Google is the producer and consumer of the data, and they're not going to let it out. Google (and everyone in charge there) also has a strong sense of ethics, and while some things have gone wrong, their record is still pretty stellar.

Who you SHOULD be worried about are the companies that exist solely to collect and sell information. They don't play by the rules, they don't try to be ethical, and their entire business plan is to grab as much information about you as possible and sell it to the highest bidder.

Re:I think... (0)

Jafafa Hots (580169) | about 2 years ago | (#41090139)

You're assuming that all of Google's planned use of this data is benign.

Re:I think... (1)

Jane Q. Public (1010737) | about 2 years ago | (#41090903)

"...the concerns about Google and privacy have next to nothing to do with what hackers might do with the data Google collects on you, rather than what Google will do with it."

Yes. It isn't privacy "vulnerabilities" we should care about so much with Google, but the privacy losses that are inherent in their business model.

Google, boogle, buggle oh bye (1)

For a Free Internet (1594621) | about 2 years ago | (#41089049)

If Merlin himself can't read my mind how can G$$GLE? Truly, the Italians are getting desperate lately. I laugh at them in a high-pitched cackle sort of laugh! Olive oil is tasty, but it is not the UNITED BROTHERHOODE OF CARPENTERS! or a toy monkey!

In summary, we need IRON!

Re:Google, boogle, buggle oh bye (0)

Anonymous Coward | about 2 years ago | (#41089213)

No, we need more vespene gas.

Re:Google, boogle, buggle oh bye (1)

WillAffleckUW (858324) | about 2 years ago | (#41089295)

No, we need more vespene gas.

I'll settle for gold pressed latinum.

Re:Google, boogle, buggle oh bye (1)

fast turtle (1118037) | about 2 years ago | (#41089755)

To hell with the latinum, I want "Q" to loan me his powers for an hour.

Re:Google, boogle, buggle oh bye (2)

wierd_w (1375923) | about 2 years ago | (#41089909)

He did, but the continuum set it right again. He's currently being punished by having his powers suspended, and being forced to work at the DMV.

(It was the less horrible punishment they offered. The other was signing autographs at a Star Trek convention.)

And I thought it was the EU and Canada fines (2, Insightful)

WillAffleckUW (858324) | about 2 years ago | (#41089057)

And here I thought, silly me, that it was the massive fines by the EU and Canadian regulators as to their practices that caused this change.

Never mind.

I'm sure they're doing it for the reason you say.

their recommendation is... (0)

Anonymous Coward | about 2 years ago | (#41089085)

Don't use google, block google-analytics and google-syndication at your firewall, and don't use services like gmail.

Otherwise, you have no privacy from Google, who knows everything you do on the internet.

Intentional vs. Unintentional (3, Interesting)

NoKaOi (1415755) | about 2 years ago | (#41089163)

The fine referenced in the summary was an intentional violation of privacy, at least from what I understand. It sounds like the point of the red team is to find unintentional security flaws that may cause privacy risks. That's good and all, but it really doesn't address the issue that the article and summary are pretending to address.

Re:Intentional vs. Unintentional (4, Insightful)

LordLucless (582312) | about 2 years ago | (#41089231)

Google is big. It's also a way to find ways the left hand is intentionally violating privacy, that the right hand doesn't know about. In big companies, decisions that could potentially impact privacy are made by people who don't necessarily have the awareness of legislation that lets them know they're opening the company to liability by doing what they're doing - they're just trying to get their project off the ground. The potential privacy violation doesn't percolate up to the top where people who know the sort of poo the company could get into by doing it actually hear of it.

Re:Intentional vs. Unintentional (4, Insightful)

shentino (1139071) | about 2 years ago | (#41090347)

The violation may have been intentional, but the malice may still not have been there.

Re:Intentional vs. Unintentional (3, Informative)

Johnny Mnemonic (176043) | about 2 years ago | (#41090677)

c.f. the wifi sniffing debacle. I'm pretty sure that what transpired was the developers of the product downloaded a public source program, like AirSnort. And then used it, probably with the intention of just collecting unencrypted SSIDs, but accidentally left on the more intrusive features as well.

They should have noticed that it was collecting data at a rate greater than SSIDs would indicate, but I can see overlooking that as well.

Re:Intentional vs. Unintentional (2)

arose (644256) | about 2 years ago | (#41093377)

Hell, the developers might have even done it intentionally, either to collect debugging data and switch it off later or because they could or whatnot. Hell, maybe their managers knew too (and didn't grok what it was about). That still wouldn't make it the company wide effort to harvest wifi traffic data for mining purposes that some people are convinced it was. It definitely taught Google a lesson about transparency though (i.e. delete the data, code, documents and memories in question next time). :-/

Re:Intentional vs. Unintentional (1)

arose (644256) | about 2 years ago | (#41089409)

See, if they can convince Apple that it is a good idea to look for that kind of thing they might bother fixing their browser.

Re:Intentional vs. Unintentional (5, Informative)

Anonymous Coward | about 2 years ago | (#41089413)

No, it wasn't intentional. A workaround was intentionally used to make a particular non-tracking cookie work on Safari (it was a simple preference cookie used for user functionality). However, the browser reacted to the workaround by allowing *all* third-party cookies involved, including the DoubleClick cookie. That was unexpected and unintentional. Nobody realized it was going to happen, and the team responsible for the workaround had nothing to do with the advertising cookie.

Posting anonymously because I work for Google.

Re:Intentional vs. Unintentional (5, Informative)

Anonymous Coward | about 2 years ago | (#41089531)

And if you need a reference, read the original analysis that spawned this entire debacle. It makes it very clear that one cookie, "_drt_" (which is fairly innocuous), is the only one that is deliberately set using the workaround. The unintended side-effect is that on future page loads, the "id" cookie (and others) can be directly set (no workaround needed) because Safari considers a domain whitelisted if it has *any* cookies set, and allows all further cookies.
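A simplified model of the cookie rule this comment describes, added here as an illustration (it is not code from the thread, from Google or from Safari). It replays a constructed trace of Set-Cookie attempts and lists the third-party cookies that were accepted only because the domain already held a cookie; the domains, the trace and the `viaWorkaround` flag are assumptions, and only the cookie names `_drt_` and `id` come from the comment.

```javascript
// Simplified model of the third-party cookie rule described in the comment above.
// Assumptions: domains are compared as exact strings (no registrable-domain
// logic), and the trace below is constructed sample data.

class CookieJar {
  constructor() {
    this.byDomain = new Map(); // domain -> Set of cookie names
  }
  hasAny(domain) {
    const names = this.byDomain.get(domain);
    return names !== undefined && names.size > 0;
  }
  add(domain, name) {
    if (!this.byDomain.has(domain)) this.byDomain.set(domain, new Set());
    this.byDomain.get(domain).add(name);
  }
}

// Decide one Set-Cookie attempt. Returns the reason it was accepted, or null.
function decide(jar, ev) {
  if (ev.cookieDomain === ev.topLevel) return 'first-party';
  // How the workaround got the first cookie accepted is not modelled here;
  // the flag only records that this attempt went through it.
  if (ev.viaWorkaround) return 'workaround';
  // The rule as the comment states it: any stored cookie exempts the domain.
  if (jar.hasAny(ev.cookieDomain)) return 'domain-already-has-cookie';
  return null; // third-party cookie blocked
}

// Replay a trace in order, recording the decision for every attempt.
function replay(trace) {
  const jar = new CookieJar();
  return trace.map((ev) => {
    const reason = decide(jar, ev);
    if (reason !== null) jar.add(ev.cookieDomain, ev.name);
    return { ...ev, accepted: reason !== null, reason };
  });
}

// Review check: third-party cookies that got in only through the exemption,
// i.e. the side effect nobody asked for.
function sideEffectCookies(decisions) {
  return decisions
    .filter((d) => d.reason === 'domain-already-has-cookie')
    .map((d) => `${d.cookieDomain}:${d.name}`);
}

// Constructed trace: page visits in chronological order.
const TRACE = [
  { topLevel: 'news.example', cookieDomain: 'ads.example', name: 'id' },
  { topLevel: 'news.example', cookieDomain: 'ads.example', name: '_drt_', viaWorkaround: true },
  { topLevel: 'blog.example', cookieDomain: 'ads.example', name: 'id' },
  { topLevel: 'blog.example', cookieDomain: 'tracker.example', name: 'uid' },
  { topLevel: 'blog.example', cookieDomain: 'blog.example', name: 'session' },
];

const DECISIONS = replay(TRACE);
for (const d of DECISIONS) {
  console.log(`${d.cookieDomain}:${d.name} on ${d.topLevel} -> ${d.reason ?? 'blocked'}`);
}
console.log('accepted only via exemption:', sideEffectCookies(DECISIONS));
```

The same `id` cookie is blocked on the first visit and accepted on the later one, which is the kind of cross-team interaction a privacy review has to catch by testing the combined behaviour rather than each cookie in isolation.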

Re:Intentional vs. Unintentional (-1)

Anonymous Coward | about 2 years ago | (#41090781)

Cool story, bro. Tell it again.

Re:Intentional vs. Unintentional (0)

Anonymous Coward | about 2 years ago | (#41091203)

Testing would have shown the "non tracking" cookie along with the others. This was an exploit and they knew what they were doing.

Re:Intentional vs. Unintentional (-1)

Anonymous Coward | about 2 years ago | (#41091747)

+5 informative for this? I call BS. All this is, is a google fan sucking up to company he loves. It was a deliberate and malicious piece of code to get around user privacy settings.

Posting anonymously because I work for Google.

Best bit - it has a cool name (1)

Kittenman (971447) | about 2 years ago | (#41089347)

I mean, "Privacy Red" - that will go well on the t-shirts, baseball hats and pens. And sound impressive to vacuous blondes at parties; "Hey, is this guy boring you? I'm on a Privacy Red team!".

Re:Best bit - it has a cool name (1)

fast turtle (1118037) | about 2 years ago | (#41089773)

yea Red Shirts. Thanks for taking one for the Team

Re:Best bit - it has a cool name (0)

Anonymous Coward | about 2 years ago | (#41089811)

Yes, a cool name. A nice short hand for "privacy communist". The real mission of this elite team of "the party" is to ensure Google is doing a good job covering up all of their privacy infringements.

They are led by... (5, Funny)

Lord_of_the_nerf (895604) | about 2 years ago | (#41089377)

...a grizzled old Google veteran, brought out of retirement. He has a rag-tag team consisting of an arrogant young prodigy, a burnt out developer with a death wish, a hard-as-nails female programmer and a sassy ex-con who learned all his coding on the street.


Re:They are led by... (0)

Anonymous Coward | about 2 years ago | (#41089661)

Nowhere near as awesome as the original Red Team. Although, nothing will get rid of congressional support faster than kidnapping their children and holding them hostage to show the weakness of giving the congressional intelligence committees classified information.

Re:They are led by... (0)

Anonymous Coward | about 2 years ago | (#41090947)

I know you tried to be funny, but you've more or less accurately summarized a typical team at Google: Two of the guys would rather be anywhere else but at work, the other two haven't got a fucking clue what they're doing (and will post internal memes saying so), while the woman will get a hard time from all the others.

Furthermore, the skill-set and requirements of the project will be a complete mismatch. The ex-con might know assembly, and the prodigy won't touch anything but Ruby. The veteran is a Cobol guy turned manager, and the woman does mostly iPhone apps. The burn-out has a £3000 standing desk, special ergonomic keyboard, mouse and works about one hour each day.

Finally, none of them cares much about privacy whatsoever. In fact, the prodigy is probably from an old European East bloc country, alternatively China, and cannot fathom what the privacy hype is all about. Also, they're all looking for other opportunities both internally and externally to Google, and the only thing that keeps them in place is their lack of initiative.

Re:They are led by... (1)

Lord_of_the_nerf (895604) | about 2 years ago | (#41091123)

Then mod me Insightful? ;)

Re:They are led by... (0)

Anonymous Coward | about 2 years ago | (#41091259)

In fact, the prodigy is probably from an old European East bloc country, alternatively China, and cannot fathom what the privacy hype is all about.

The European East bloc countries were the ones that brought down ACTA in the EU...

Re:They are led by... (0)

Anonymous Coward | about 2 years ago | (#41093079)

...a grizzled old Google veteran, brought out of retirement. He has a rag-tag team consisting of an arrogant young prodigy, a burnt out developer with a death wish, a hard-as-nails female programmer and a sassy ex-con who learned all his coding on the street.

Sounds exciting, but actually we just hired a bunch of guys from Facebook; if there's anyone who knows how to break privacy better than them, we haven't found them.

If your privacy area is red (1)

ozduo (2043408) | about 2 years ago | (#41089473)

Then you have been abusing yourself much too much

Apparently they never watched Star Trek TOS (1)

Proudrooster (580120) | about 2 years ago | (#41089595)

If you beamed down with Captain Kirk and were on the "red team" wearing a "red shirt" it wasn't going to end well for you. I wonder if the same will be true at Google as they bring daylight into the dark corners of Google.

Oxymoron (0)

Anonymous Coward | about 2 years ago | (#41089629)

Google is to privacy, what Facebook is to friends.

Re:Oxymoron (2)

Lord_of_the_nerf (895604) | about 2 years ago | (#41089645)


There's also a Privacy Blue Team (1)

Lord_of_the_nerf (895604) | about 2 years ago | (#41089655)

It charges $4.95 a minute.

Sounds familiar (1)

ctnp (668659) | about 2 years ago | (#41089689)

So QA teams are called 'Red Teams' now? So sexy.

Commercial Router? You're Already Rooted! (-1)

Anonymous Coward | about 2 years ago | (#41089707)

Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms

How many rootkits does the US use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government) your NIC, and many other devices.

Where are the commercial or free anti-malware organizations and individual's products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.

Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.

If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.

The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.

But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.

Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.

I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.

Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running[1], scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.

[1] In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.

[2] Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".

[3] []

Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.

So scan away, or blissfully ignore it, but we need more people like RMS[3] in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.

I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".


Schneier has covered it before: power line fluctuations (differences on the wire in keys pressed).

There's thermal attacks against cpus and temp, also:

ENF (google it)

A treat (ENF Collector in Java):

sourceforge dot net fwdslash projects fwdslash nfienfcollector

No single antimalware scanner exists which offers the ability to scan (mostly proprietary) firmware on AGP/PCI devices (sound cards, graphics cards, usb novelty devices excluding thumb drives), BIOS/CMOS.

If you boot into ultimate boot cd you can use an arcane text interface to dump BIOS/CMOS and examine/checksum.

The real attacks which survive disk formats and wipes target your PCI devices and any firmware which may be altered/overwritten with something special. It is not enough to scan your hard drive(s) and thumb drives, the real dangers with teeth infect your hardware devices.

When is the last time you:

Audited your sound card for malware?
Audited your graphics card for malware?
Audited your network card for malware?

Google for:

* AGP and PCI rootkit(s)
* Network card rootkit(s)
* BIOS/CMOS rootkit(s)

Our modern PC hardware is capable of much more than many can imagine.

Do you:

* Know your router's firmware may easily be replaced on a hacker's whim?
* Shield all cables against leakage and attacks?
* Still use an old CRT monitor and beg for TEMPEST attacks?
* Use TEMPEST resistant fonts in all of your applications including your OS?
* Know whether or not your wired keyboard has keypresses encrypted as they pass to your PC from the keyboard?
* Use your PC on the grid and expose yourself to possible keypress attacks?
* Know your network card is VERY exploitable when plugged into the net and attacked by a hard core blackhat or any vicious geek with the know how?
* Search out informative papers on these subjects and educate your friends and family about these attacks?
* Contact antimalware companies and urge them to protect against many or all these attacks?

Do you trust your neighbors? Are they all really stupid when it comes to computing or is there a geek or two without a conscience looking to exploit these areas?

The overlooked threat is the potential civilian rogues stationed around you, especially in large apartment blocks who feed on unsecured wifi to do their dirty work.

With the recent news of Russian spies, whether or not this news was real or a psyop, educate yourself on the present threats which all antimalware scanners fail to protect against and remove any smug mask you may wear, be it Linux or OpenBSD, or the proprietary Windows and Mac OS you feel are properly secured and not vulnerable to any outside attacks because you either don't need an antivirus scanner (all are inept to serious attacks) or use one or several (many being proprietary mystery machines sending data to and from your machine for many reasons, one is to share your information with a group or set database to help aid in threats), the threats often come in mysterious ways.

Maybe the ancients had it right: stone tablets and their own unique language(s) rooted in symbolism.


I'm more concerned about new rootkits which target PCI devices, such as the graphics card and the optical drives, also, BIOS. Where are the malware scanners which scan PCI devices and BIOS for mismatches? All firmware, BIOS and on PCI devices should be checksummed and saved to match with others in the cloud, and archived when the computer is first used, backing up signed firmware.

When do you recall seeing signed router firmware upgrades with any type of checksum to check against? Same for PCI devices and optical drives and BIOS.

Some have begun with BIOS security: []

Some BIOS has write protection in its configuration, a lot of newer computers don't.


"Disconnect your PC from the internet and don't add anything you didn't create yourself. It worked for the NOC list machine in Mission Impossible"

The room/structure was likely heavily shielded, whereas most civvies don't shield their house and computer rooms. There is more than meets the eye to modern hardware.


subversion hack:

network card rootkits and trojans
pci rootkits
packet radio
xmit "fm fingerprinting" software
"specific emitter identification"

how many malware scanners scan bios/cmos and pci/agp cards for malware? zero, even the rootkit scanners. have you checksummed/dumped your bios/cmos and firmware for all your pci/agp devices and usb devices, esp vanity usb devices in and outside the realm of common usb devices (thumbdrives, external hdds, printers),

Unless your computer room is shielded properly, the computers may still be attacked and used, I've personally inspected computers with no network connection running mysterious code in the background which task manager for windows and the equivalent for *nix does not find, and this didn't find it all.

Inspect your windows boot partition in *nix with hexdump and look for proxy packages mentioned along with command line burning programs and other oddities. Computers are more vulnerable than most would expect.

You can bet all of the malware scanners today, unless they are developed by some lone indy coder in a remote country, employ whitelisting of certain malware and none of them scan HARDWARE devices apart from the common usb devices.

Your network cards, sound cards, cd/dvd drives, graphics cards, all are capable of carrying malware to survive disk formatting/wiping.

Boot from a Linux live cd and use hexdump to examine your windows (and *nix) boot sectors to potentially discover interesting modifications by an unknown party.
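The comment above suggests dumping BIOS/firmware and boot sectors, checksumming them, and comparing against an archived copy. As an added example (not part of the original comment), this Python script records such a baseline and reports what changed later. The file names, directory layout and sample bytes are constructed, and it assumes the firmware dumps were already produced by a separate tool.

```python
import hashlib
import tempfile
from pathlib import Path

BOOT_CODE = slice(0, 440)      # MBR bootstrap code area
PART_TABLE = slice(446, 510)   # four 16-byte partition entries

def fingerprint_mbr(sector: bytes) -> dict:
    """Hash boot code and partition table separately, so repartitioning
    is not mistaken for a change to the code that runs at boot."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    return {
        "boot_code": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "partition_table": hashlib.sha256(sector[PART_TABLE]).hexdigest(),
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }

def fingerprint_file(path: Path) -> str:
    """SHA-256 of a dump file, read in chunks so large images are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def snapshot(disk_image: Path, dump_dir: Path) -> dict:
    """Record the MBR fingerprint and a hash for every file in dump_dir."""
    with open(disk_image, "rb") as fh:
        mbr = fingerprint_mbr(fh.read(512))
    dumps = {p.name: fingerprint_file(p) for p in sorted(dump_dir.iterdir())}
    return {"mbr": mbr, "dumps": dumps}

def compare(baseline: dict, current: dict) -> list:
    """Return readable differences between two snapshots."""
    findings = [f"mbr.{field} changed"
                for field in ("boot_code", "partition_table", "signature_ok")
                if baseline["mbr"][field] != current["mbr"][field]]
    old, new = baseline["dumps"], current["dumps"]
    for name in sorted(set(old) | set(new)):
        if name not in new:
            findings.append(f"{name}: missing from current snapshot")
        elif name not in old:
            findings.append(f"{name}: not in baseline")
        elif old[name] != new[name]:
            findings.append(f"{name}: hash changed")
    return findings

def demo() -> list:
    """Constructed data: a blank disk image and two made-up firmware dumps."""
    with tempfile.TemporaryDirectory() as tmp:
        disk, dumps = Path(tmp, "disk.img"), Path(tmp, "dumps")
        dumps.mkdir()
        sector = bytearray(512)
        sector[510:512] = b"\x55\xaa"
        disk.write_bytes(sector)
        (dumps / "bios.bin").write_bytes(b"\x00" * 4096)
        (dumps / "nic_rom.bin").write_bytes(b"\xff" * 2048)
        baseline = snapshot(disk, dumps)
        sector[0x20] ^= 0x01                       # one flipped bit in boot code
        disk.write_bytes(sector)
        (dumps / "nic_rom.bin").write_bytes(b"\xff" * 2047 + b"\x90")
        return compare(baseline, snapshot(disk, dumps))

if __name__ == "__main__":
    print("\n".join(demo()))
```
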


YUO FAIL IT.. (-1)

Anonymous Coward | about 2 years ago | (#41089709)

BE ANYg FUCKING s7ates that there

kidding (-1)

Anonymous Coward | about 2 years ago | (#41089749)

Congrats Kim on the anniversary!
When was your sex tape released? I'm going to send you a greetings on that, because that's the only thing i really like about u ;)
Sorry, just kidding

Elegant Replica Handbags For Trendy (-1, Offtopic)

moyanqin (2712681) | about 2 years ago | (#41089823)

Elegant Replica Handbags For Trendy Women are really born with taste for beauty and fashion. They are always on the way of searching chic accessories: from precious diamonds to designer handbags, from stunning luxury watches to stylish scarves, etc. To keep up with the fashion trend, they put great effort and care on their appearance and the impression to others. For them, handbags are the most iconic items that are greatly associated with women's daily life. If you're a trendy woman who has a special favor toward affordable replica fendi handbags [] , then this post is right for you. If you have always fancied living like a princess owning a large number of pretty looking handbags, but worry about your small bank account, try the replicas of branded handbags. Replica handbags solve the dilemma for those who have a dream of experiencing the luxury and beauty but with a limited budget. Since they are surprisingly durable and affordable, it is not bold to say that there are no other things that could bring the dream fulfillment. Replica handbags appear as attractive and elegant compared to the original ones. You will find hard to tell the difference by simply staring. What's more, it is absolutely not an easy thing for bag experts to spot them after a thorough inspection. Manufacturers of them only select the top materials to made and copy every detail of the original ones. Carrying such kind of top quality handbags, you will surely be offered the feeling of content and happiness. Therefore, you will never be wrong by adding them to your wardrobe. Besides, it would turn out that you are really a practical and intelligent buyer. As everybody knows, one original designer replica hermes handbags [] would cost you a thousand dollars - even more for some brands. Since replica handbags are relatively cheaper than the authentic ones, you can save much money and make it more valuable. You can have chance to do other investment that your families really want. 
If you like, you could have many attractive and elegant desiner miu miu handbags [] at the value of a single designer one. In a word, they would be the best and smartest choice for women all around the globe. Nowadays, we are living in the age of fashion-conscious, so the demand of replica handbags have greatly raised. If you want to stay stylish, elegant and attractive without spending too much money, look no further than designer replica handbags. They will never let you down. I'm a watch addict who like share any information and design toward replica cartier handbags [] and designer replica handbags. Hope you can share any thinking and comment toward my original articles on my blog []. balenciaga handbags []

Re: Elegant Replica Handbags For Trendy (1)

santax (1541065) | about 2 years ago | (#41089913)

Ok I know we may not do football or rugby in here, but we are not THAT gay! Sjeez, these damn spambots get more stupid everyday.

The First Rule (0)

Anonymous Coward | about 2 years ago | (#41089847)

The first rule of Privacy Red Team is you don't talk about Privacy Red Team. It's private.

I'm sure Microsoft had a security team (2)

93 Escort Wagon (326346) | about 2 years ago | (#41090047)

Back in the days when ActiveX was first created, I mean. But simply having a team doesn't mean that team will be allowed by the powers-that-be to make any meaningful difference.

Here, for example - according to the linked article, this team is all about external penetration and threat testing. I don't know anyone whose primary concern regarding Google's data collection is about what an external attacker could do with that information. And the $22.5 million fine was about Google's own internal decisions and behavior, not about what some hacker pulled off because of poor security on Google's part.

This just smells like theater. Much like Microsoft's statements about security a decade or so ago.

Re:I'm sure Microsoft had a security team (0)

Anonymous Coward | about 2 years ago | (#41093411)

Conversely not having a team in the first place means?


almightyorb (1420643) | about 2 years ago | (#41090099)

Am I really the first to make that reference?


Anonymous Coward | about 2 years ago | (#41090567)

You're the first to get that reference out in the open. Ben Kingsley tried, but the cops got him while I was away getting pizza.

Meanwhile on Facebook... (1)

doubleplusungodly (1929514) | about 2 years ago | (#41090121)

the entire userbase constitutes Facebook's privacy 'red team'.

thats awfully odd (0)

Anonymous Coward | about 2 years ago | (#41090801)

for a company that makes fistfuls of money collecting and correlating every behaviour they can record

really their whole reason to exist

this is useless (1)

epyT-R (613989) | about 2 years ago | (#41092121)

This is useless unless google builds a privacy culture within itself and also lobbies the government to respect individual liberty and rights again.

Re:this is useless (1)

Ruedii (2712279) | about 2 years ago | (#41092941)

Let's face the facts: That privacy culture is exactly why they are the target of these investigations.

I agree, it is unfair that Google is being held to such a higher standard. However, I also think with their privacy culture, they SHOULD be putting their money where their mouth is, like this, and hire a team of specialists to address privacy issues with their products.

The fact that other companies sweep their problems under the rug and that we instead complain about Google for the problems we admit, only propagates the problem of sweeping privacy issues under the rug.

google is the key for success in digital marketing (-1, Flamebait)

dijiplat (2713807) | about 2 years ago | (#41092295)

dijital pazarlama [] aka digital marketing is the key of success in business life within 10 years.. If you cannot succeed in digital marketing, then it is impossible to survive.

Google is not real world? (0)

Anonymous Coward | about 2 years ago | (#41092821)

[...] the idea is sometimes applied in the real world as well, in the form of people attempting to gain entry to a secure facility or other restricted area."

Everything is "real world".

A lot of companies have worse privacy practices. (1)

Ruedii (2712279) | about 2 years ago | (#41092857)

I don't know why people focus so much on Google. A lot of other companies have far worse privacy practices, and many of those companies make absolutely no attempt to provide proper privacy or user data security.

Just take Facebook for example.

Red Leader (0)

Anonymous Coward | about 2 years ago | (#41093631)

...standing by.

Secret to Google's continued success... (1)

hbr (556774) | about 2 years ago | (#41093655)

... ensuring security and privacy of customer data is.

I always thought that the stupidest things that Eric Schmidt ever did were all those blase comments about how we had to learn to live without privacy, etc. (check google for eric schmidt quotes).

I'm not saying that they don't care about these issues, but in the past they have sounded like they don't care.

I reckon that they should instead make security and privacy of data their top priority, and let their customers know about it too (instead of the opposite) - so this "red team" sounds like a good idea.
They should write it into their company constitution and make it clear in their contract with their users.
We all know that google will track our internet use to improve our search results/target their ads, so we need to trust them that this data is not misused, right?
I'm surprised they don't push more that concept of "data untouched by human hand", as I think a lot of people are quite comfortable with that.

So I reckon they need to make sure that we know we can trust them, and people won't fully embrace their range of products unless there is trust there, but once you commit (yourself and your data) to the google product range you are likely to remain a loyal user/customer.

Wait, what happened to the contests? (0)

Anonymous Coward | about 2 years ago | (#41096441)

Is Google going to pay professionals to find problems? What happened to security on the cheap with contests and prizes?
