Chinese Hacks Of Google Database Of Surveillance Targets Highlight How Dumb Technology Backdoors Are

from the how-can-people-still-not-see-this dept

We've argued for quite some time that law enforcement's desire to require backdoors for wiretapping in all electronic communications is really dumb, because it won't just be law enforcement using it (and, when they use it, it won't just be for legitimate purposes). As soon as you have that backdoor in place, you've pretty much guaranteed that it becomes something of a target. And the news that broke earlier this week about how Chinese hackers who broke into Google servers a few years ago were targeting their database of which accounts had been flagged for national security surveillance makes this point that much clearer. The people doing this kind of hacking aren't dumb: they know that there are weaknesses where they can probe. A few weeks back, a Microsoft exec had actually revealed that their own analysis of similar attacks on Microsoft's servers from China showed the same basic target and discussed the serious implications.
"What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on," Aucsmith says. "So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that's difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That's essentially what we think they were trolling for, at least in our case."
The more openings there are and the more data that is shared, the more opportunities there are for people you don't want seeing that data to get access to it. That should be a major concern. Just before all of this was revealed, we had written about a new report on how such backdoors basically destroy any competent attempt at cybersecurity. Julian Sanchez highlights how those who think this isn't a problem are almost certainly confused about how computer security works.
Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requiring such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?
Creating more access to information that should be secret might help law enforcement, at the expense of our civil liberties, but it's also going to help those with nefarious intent quite a bit. And that should be a serious concern.


Reader Comments

  •  
    Atkray (profile), May 22nd, 2013 @ 2:23pm

    There is a reason it is called a firewall and not a fire-door.

    A wall blocks things.
    A door allows entry.

    While both have vulnerabilities, a wall is much easier to defend than a door.

    If you have a door you have to monitor it and allow or deny access as is appropriate.

    With a wall you can just sweep off all intruders.

     

    •  
      Anonymous Anonymous Coward, May 22nd, 2013 @ 3:55pm

      Re:

      As an aside to this, I read a while back about one firewall expert who was complaining that (near as I remember) "firewalls come with everything enabled, and you then have to figure out what to close down. Things would be a lot safer if the firewall came with everything disabled, and then taught you how to open things up, one at a time, as needed."

      Makes one wonder about what standard one should use as far as setting up your network/website. There appears to be a lot of variety out there, and in the case of firewalls, default options are not necessarily best practice.

       

      •  
        Not an Electronic Rodent (profile), May 22nd, 2013 @ 6:31pm

        Re: Re:

        "firewalls come with everything enabled, and you then have to figure out what to close down.
        To be fair to firewall manufacturers, he was (presumably) talking about "everything enabled" outgoing since I don't think I've ever come across a firewall enabled inbound by default but he still has a point.

        Of course the reason they are that way is because then some level of security can be obtained by (and more importantly sales made to) those whose networking skills are at the "Um... firewalls... those are good, right?" level because anything else usually elicits a blank look and the question "What's a port and why do I need 80 of them?"

         

        •  
          Anonymous, May 23rd, 2013 @ 7:01am

          Re: Re: Re:

           

        •  
          Anonymous Anonymous Coward, May 23rd, 2013 @ 7:04am

          Re: Re: Re:

          blank look and the question "What's a port and why do I need 80 of them?"

          LOL, or 65,000 of them for that matter.

           

          •  
            Not an Electronic Rodent (profile), May 24th, 2013 @ 2:14am

            Re: Re: Re: Re:

            LOL, or 65,000 of them for that matter.
            That's 2 stages down after they've gathered that in fact 443 of them are required for internet banking and is the point at which "blank look" becomes "nosebleed and brains dribbling out of ears"...

             

  •  
    lordbinky, May 22nd, 2013 @ 2:43pm

    Obviously the hackers would have never thought of this until people brought it up. Thanks a lot guys....

     

  •  
    Anonymous Coward, May 22nd, 2013 @ 3:14pm

    Circumvent FOIA

    Given the FOIA request success track record, if you believe you're being spied on by the U.S. government, it's probably a lot more effective to just hack into Google and find out if you are than to request this information under FOIA.

    So, yeah, this makes perfect sense to me!

     

  •  
    Anonymous Coward, May 22nd, 2013 @ 3:16pm

    I like how this Magical Christmas Land thinking seems to permeate the paradox crumple-zones in both Government and Business.

     

  • This comment has been flagged by the community.
    Anonymous Coward, May 22nd, 2013 @ 3:24pm

    I thought we weren't at cyber war with China, Masnick? And that there was no such thing as cyber terrorism?

     

    •  
      Mike Masnick (profile), May 22nd, 2013 @ 4:01pm

      Re:

      I thought we weren't at cyber war with China, Masnick? And that there was no such thing as cyber terrorism?


      A bit of hacking isn't cyberwar or cyber terrorism. It's just hacking and some espionage. No one died because of this. No one ever said that there wasn't hacking going on backed by nation states, but that's not "cyber war." But, if we're talking about keeping people's private data safe, opening up backdoors is a bad way to do it.

       

      •  
        Wally (profile), May 22nd, 2013 @ 7:58pm

        Re: Re:

        Google vehemently defends its actions in keeping back doors open as will most fanboys defend it for doing it.

        Eric Schmidt was once quoted in basically stating that anyone working for Google has the ability and access to see users' emails without the use of users' passwords, and the reason people working there don't do it is because he'd know about it immediately and their policy is "don't be evil"...I mean seriously how delusional is that?

         

        •  
          Niall (profile), May 23rd, 2013 @ 5:39am

          Re: Re: Re:

          It's a little different a company having internal access to material (and we don't know if it's everything) and then that access being made 'publicly' available to the government (yours and any other that cares to investigate).

           

    •  
      JMT (profile), May 22nd, 2013 @ 10:31pm

      Re:

      You need to learn the meanings of the terms 'war', 'terrorism' and 'espionage'. They're all quite different.

       

    •  
      Ninja (profile), May 27th, 2013 @ 11:03am

      Re:

      So you have absolutely no way of arguing against the article and resort to petty non-issues and baseless attacks. Thanks for playing.

       

  •  
    Beta (profile), May 22nd, 2013 @ 4:06pm

    tiny flaws in the plan

    "Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities."

    1: China has some brilliant programmers too.

    2: where excellent security is possible and has not yet been implemented, half of the time it's because no one wants to pay for it.

    3: ...and the other half of the time, it's because it's slightly inconvenient to use.

    4: this is supposed to be a free society, so when you try to install secret police, you're going to run into some problems. That's as it should be.

     

  •  
    Jesse (profile), May 22nd, 2013 @ 5:49pm

    Every company out there that is compelled to make backdoors but doesn't want to should make the leakiest ones out to make the point that it will only reduce security.

     

  •  
    Anonymous Coward, May 22nd, 2013 @ 6:27pm

    I'm ok with letting our brilliant programmers secure backdoors...just as soon as they come up with unbreakable DRM

     

  •  
    Anonymous Coward, May 23rd, 2013 @ 4:00am

    Not according to USA law enforcement agencies. Did I not read where action was going to be taken by them against a company if it didn't build in a backdoor so they could spy on whoever?

     

  •  
    RyanNerd (profile), May 23rd, 2013 @ 5:24am

    Wargames

    Anyone who was alive and watched "hacking" movies during the 80's knows that there is always a back door and that this will prevent WWIII.

    "Do you want to play a game?"

     
