Chinese Hacks Of Google Database Of Surveillance Targets Highlight How Dumb Technology Backdoors Are
from the how-can-people-still-not-see-this dept
We’ve argued for quite some time that law enforcement’s desire to require backdoors for wiretapping in all electronic communications is really dumb, because it won’t just be law enforcement using it (and, when they use it, it won’t just be for legitimate purposes). As soon as you have that backdoor in place, you’ve pretty much guaranteed that it becomes something of a target. And the news that broke earlier this week about how Chinese hackers who broke into Google servers a few years ago were targeting their database of which accounts had been flagged for national security surveillance makes this point that much clearer. The people doing this kind of hacking aren’t dumb: they know that there are weaknesses where they can probe. A few weeks back, a Microsoft exec had actually revealed that their own analysis of similar attacks on Microsoft’s servers from China showed the same basic target and discussed the serious implications.
“What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on,” Aucsmith says. “So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that’s difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That’s essentially what we think they were trolling for, at least in our case.”
The more openings and the more data that is shared, the more openings and opportunities there are for people who you don’t want to see that data to have access to it. That should be a major concern. Just before all of this was revealed, we had written about a new report how such backdoors basically destroy any competent attempt at cybersecurity. Julian Sanchez highlights how those who think this isn’t a problem are almost certainly confused about how computer security works.
Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requirisng such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?
Creating more access to information that should be secret might help law enforcement, at the expense of our civil liberties, but it’s also going to help those with nefarious intent quite a bit. And that should be a serious concern.
Filed Under: backdoors, china, hacking, national security, surveillance, wiretapping
Companies: google, microsoft
Comments on “Chinese Hacks Of Google Database Of Surveillance Targets Highlight How Dumb Technology Backdoors Are”
There is a reason it is called a firewall and not a fire-door.
A wall blocks things.
A door allows entry.
While both have vulnerabilities, a wall is much easier to defend than a door.
If you have a door you have to monitor it and allow or deny access as is appropriate.
With a wall you can just sweep off all intruders.
Re: Re:
As an aside to this, I read a while back about one firewall expert who was complaining that (near as I remember) “firewalls come with everything enabled, and you then have to figure out what to close down. Things would be a lot safer if the firewall came with everything disabled, and then taught you how to open things up, one at a time, as needed.”
Makes one wonder about what standard one should use as far as setting up your network/website. There appears to be a lot of variety out there, and in the case of firewalls, default options are not necessarily best practice.
Re: Re: Re:
To be fair to firewall manufacturers, he was (presumably) talking about “everything enabled” outgoing since I don’t thik I’ve ever come across a firewall enabled inbound by default but he still has a point.
Of course the reason they are that way is because then some level of security can be obtained by (and more importantly sales made to) those whos networking skills are at the “Um… firewalls… those are good, right?” level because anything else usually elicits a blank look and the question “What’s a port and why do I need 80 of them?”
Re: Re: Re: Re:
Re: Re: Re: Re:
LOL, or 65,000 of them for that matter.
Re: Re: Re:2 Re:
That’s 2 stages down after they’ve gathered that in fact 443 of them are required for internet banking and is the point at which “blank look” becomes “nosebleed and brains dribbling out of ears”…
Obviously the hackers would have never thought of this until people brought it up. Thanks alot guys….
Circumvent FOIA
Given the FOIA request success track record, if you believe you’re being spied on by the U.S. government, it’s probably a lot more effective to just hack into Google and find out if you are than to request this information under FOIA.
So, yeah, this makes perfect sense to me!
I like how this Magical Christmas Land thinking seems to permeate the paradox crumple-zones in both Government and Business.
I thought we weren’t at cyber war with China, Masnick? And that there was no such thing as cyber terrorism?
Re: Re:
I thought we weren’t at cyber war with China, Masnick? And that there was no such thing as cyber terrorism?
A bit of hacking isn’t cyberwar or cyber terrorism. It’s just hacking and some espionage. No one died because of this. No one ever said that there wasn’t hacking going on backed by nation states, but that’s not “cyber war.” But, if we’re talking about keeping people’s private data safe, opening up backdoors is a bad way to do it.
Re: Re: Re:
Google vehemently defends it’s actions in keeping back doors open as will most fanboys defend it for doing it.
Eric Schmidt was once quoted in basically stating that anyone working for Google has the ability and access to see users’ emails without the use of users’ passwords, and the reason people working there don’t do it is because he’d know about it immediately and their policy is “don’t be evil”…I mean seriously how delusional is that?
Re: Re: Re: Re:
It’s a little different a company having internal access to material (and we don’t know if it’s everything) and then that access being made ‘publicly’ available to the government (yours and any other that cares to investigate).
Re: Re:
You need to learn the meanings of the terms ‘war’, ‘terrorism’ and ‘espionage’. They’re all quite different.
Re: Re:
So you have absolutely no way of arguing against the article and resort to petty non-issues and baseless attacks. Thanks for playing.
tiny flaws in the plan
“Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities.”
1: China has some brilliant programmers too.
2: where excellent security is possible and has not yet been implemented, half of the time it’s because no one wants to pay for it.
3: …and the other half of the time, it’s because it’s slightly inconvenient to use.
4: this is supposed to be a free society, so when you try to install secret police, you’re going to run into some problems. That’s as it should be.
Every company out there that is compelled to make backdoors but don’t want to should make the leakiest ones out to make the point that it will only reduce security.
I’m ok with letting our brilliant programmers secure backdoors…just as soon as they come up with unbreakable DRM
Re: Re:
They did…. but then they couldn’t work out how to get the content to play afterwards… /tongue in cheek
Re: Re:
The problem is that a “secure back door” is an enormous, glaring, pulsing oxymoron term….
not according to USA law enforcement agencies. did i not read where action was going to be taken by them against a company if it didn’t build in a backdoor so they could spy on whoever?
Wargames
Anyone who was alive and watched “hacking” movies during the 80’s knows that there is always a back door and that this will prevent WWIII.
“Do you want to play a game?”
hadoop training institutes in hyderabad
thanks for your information Chinese Hacks Of Google Database , you did a great job, keep blogging.for best hadoop training hadoop training institutes in hyderabad
Hadoop is a free, Java-based programming framework that supports the processing of large data sets in a distributed computing environment.learn and get the full knowledge on hadoop.
Hadoop training in Hyderabad
If you are looking for a good quality Hadoop training in Hyderabad there are variety of institutes Hadoop is a combination of online running applications on a very huge scale built of commodity hardware.