China Google Hack Shows Security Gaps... Or Issues In Online Surveillance Apps?

from the take-your-pick dept

Google's decision to change how it deals with China was supposedly precipitated by a hack attack on its computer system that was apparently most likely instigated by the Chinese government. While many are discussing how this shows the level of computer-based espionage -- corporate and national -- going on these days, a more interesting take comes from Julian Sanchez, who notes that the real issue isn't so much about hacking into computers, but about the official "surveillance" apps that companies now use to placate law enforcement. That's because what was hacked at Google was its surveillance app that it uses to help deal with law enforcement requests. As Sanchez notes:
"The irony here is that, while we're accustomed to talking about the tension between privacy and security--to the point where it sometimes seems like people think greater invasion of privacy ipso facto yields greater security--one of the most serious and least discussed problems with built-in surveillance is the security risk it creates."
Indeed, we were just discussing how more surveillance can make us less safe by creating a bigger backlog, but Sanchez is pointing out that it's even worse than that. More surveillance can make us less safe because it can more easily expose data that should have been deleted. Creating surveillance databases creates a huge opportunity for attack. Remember those telco databases we were talking about that make it easy for law enforcement officials (hopefully with a warrant) to track your location by GPS? You have to imagine those make a nice target for hacking as well... And that's true of any such surveillance database. While they're supposed to help keep us "safer," they also put a ton of valuable info in a single place -- which makes them attractive targets for those who wish to make us less safe.


Reader Comments

  1.  
    suuuure its china, Jan 18th, 2010 @ 9:36am

    most likely instigated by the Chinese government.

    yet as such we still see no proof it was the china govt.
    yup methinks maybe it was some yankee that just wanted to pull some bs on china. and we trust the fbi is still making good use of google's tools?
    yes yes perfect
    trust the fbi and google to report the truth

     

  2.  
    Dark Helmet, Jan 18th, 2010 @ 9:51am

    Interesting angle...

    So Google is effectively an aggregator for terrorists/criminals BECAUSE of how it complies with law enforcement.

    That's a hell of an angle. I like it.

     

  3.  
    senshikaze, Jan 18th, 2010 @ 10:07am

    Re: most likely instigated by the Chinese government.

    considering this is China we are talking about, might as well trust the lesser of three evils.

     

  4.  
    DCX2, Jan 18th, 2010 @ 10:58am

    Re: most likely instigated by the Chinese government.

    Right, because the FBI would hack into the GMail accounts of Chinese dissidents...

     

  5.  
    Anonymous, Jan 18th, 2010 @ 11:01am

    Power

    Put enough information in one place and make it accessible, even encrypted, firewalled, etc. and man's desire for power will push him to try and harness that power. The more data we collect, the more data we put in one place, the more vulnerable it becomes. It's inevitable. Hacking is part of the computer game. It's all about who gets there first. The protective team, or the hacker.

     

  6.  
    Anonymous Coward, Jan 18th, 2010 @ 11:15am

    The protective capability simply doesn't exist

    If an individual or institution wants a specific set of data enough, and that data that they want actually exists somewhere, then they are going to get it and there's nothing anyone can do about it. At best you can maybe monitor the traffic to the storage, draw out the unauthorized intruder, and hope that you can accurately locate where they came from and send a monolith in a suit and sunglasses to DoS their meatware before they get a chance to use the hot data.

    Damage control after the fact is still a very important component of defense-in-depth, every bit as much as controls at other layers.

     

  7.  
    william, Jan 18th, 2010 @ 12:05pm

    I can just see some criminal/terrorist now

    "Fools! by creating these 'applications' you have played right into our hands! Now we'll just hack into these surveillance apps and track the movement of our targets. Or we can hack into the system and mislead investigators into the wrong directions! MWAHAHAHAHAHA~~"

     

  8.  
    :), Jan 18th, 2010 @ 4:22pm

    Hacking.

    It's just scary how Google, one of the most secure, can be hacked and you don't need to be an experienced programmer to do it.

    But at least it was not like the AT&T routers that logged people into other people's accounts on Facebook, right?

    http://www.hardware.info/nl-NL/extcontent/ZpuZZ5hpmZfGbpSSyA/ATT_Network_Routing_Flaw_Concerns_Security_Experts/

    http://utalk.att.com/utalk/board/message?board.id=HSIA&thread.id=15145

    Or the fix of the TLS protocol that prevents people from hijacking secure connections that will take a year to deploy.

    Google won't be able to correct those things because it is not Google's fault entirely, there are many vectors of attack and some are Google independent (human operation failure, javascript, flash, JAVA, XSS, CSS overflow, browser permission escalation, SQL injection, memory overflow, file type memory overflow and many many others).

    Will people start using a mail manager to not let hotmail accounts expire and let others create a new account and ask for a change in password accounts?

    Will people start signing their emails with encrypted keys to have a chance of having some certainty about who is sending them something?

    Will Google be able to stop flash and javascript worms? or be able to catch all XSS in their services?

    Will people stop using HTML viewing as an email standard?

    I don't think so and they will be all vulnerable to scripts and no common sense.

     

  9.  
    :), Jan 18th, 2010 @ 5:03pm

    By the way.

    The same flaw that allowed people to log on to other users' accounts on Facebook was reported to work on Gmail, and the reason given was that websites that don't use encryption don't care where the cookie is coming from, so Google in that instance could be responsible for not offering encryption to all the services if people have some sensitive data on Gmail.

     

  10.  
    Chargone, Jan 18th, 2010 @ 6:51pm

    Re: Re: most likely instigated by the Chinese government.

    dunno. they've apparently been a driving force behind getting the NZ government to arrange the ability to do the equivalent (or at least, claim to be)

    how that works is anyone's guess.

    if they saw some way to benefit from it, it wouldn't surprise me at all.

     

  11.  
    Asight Tune, Jan 18th, 2010 @ 11:24pm

    IT WAS NOT THE CHINA GOVERNMENT

    I'm in China, I believe our govt. does nothing for us folk, they would have made sb. hack Google? BS!

     

  12.  
    Simple mind, Jan 26th, 2010 @ 6:54am

    NAME OF THE GAME IS POLITICS

    It seems to be planned politics... Apart from all that, it's hard to believe that someone would keep confidential information on a public email system!

     

  13.  
    Simple mind, Jan 26th, 2010 @ 6:55am

    NAME OF THE GAME IS POLITICS

    It seems to be planned politics... Apart from all that, it's hard to believe that someone would keep confidential information on a public email system!

     
