Me on Chinese Hacking and Enabling Surveillance

CNN.com just published an essay of mine on China's hacking of Google, an update of this essay.

EDITED TO ADD (2/8): An essay along similar lines.

Posted on January 24, 2010 at 8:43 AM • 30 Comments

Comments

Sean • January 24, 2010 9:02 AM

Bruce,

While it may be entirely possible, maybe even probable, that Google built a back door for the government to access email accounts with a search warrant, I was really looking for a reference to your statement somewhere.

It was stated as a fact, but you didn't back that up with some kind of reference, like Google's license agreement, a statement from a Google employee, etc.

I would be curious as to where you got the information and what Google's response to this article has been.

Thanks,
Sean

Nik • January 24, 2010 9:29 AM

If it's true that there's government backdoors in Gmail - and by extension, presumably, in all major free email systems - then that's a scandal of huge proportions.

I will close my Gmail account as soon as possible.

I don't understand how it would make sense though, given that emails generally reside on the servers unencrypted, and those operating the servers would therefore be able to comply with search warrants - why would there need to be a (remote) backdoor capability?

So yes, I want to see something to back up this statement as well.

Grymoire • January 24, 2010 9:46 AM

While I believe the government can tap your gmail account, sniff on your Internet connection, install keystroke loggers in your computer, search your horse, tap your cell phone, etc... they need justification first. And then they need to convince a judge that there is "just cause."

If they have that, then you have more problems than just a gmail account.

Grymoire • January 24, 2010 9:49 AM

I retract my last statement. If the backdoor is accessible by unauthorized hackers, then this is an epic fail.

Al • January 24, 2010 11:02 AM

I don't like the use of the word "backdoor" as it's very nondescript.

What exactly is a backdoor? If a provider gives the cops a generic account that can access customer data, is that a backdoor? Or what if specific accounts are allocated to actual officers and access is restricted to specific IPs within police facilities?

Is a backdoor when the police can "pull" data from a provider, even if the best access controls, audit controls, legal safeguards, oversight, transparency are in place?

If the data is "pushed", and the provider sends the data to the police is this any better? For example, is one monster unencrypted zip file with all your emails that safe?

Assuming the correct legal controls, law enforcement needs to have "access" to the data. What is the correct, non-backdoor, technical methodology that providers and law enforcement should use?

And assuming the best controls in the world, some "system" must be in place, even if it's purely paper and procedures. That system is one of many systems surrounding your data. And any one of those systems, including those for law enforcement, is a possible avenue for attack, whether that be a technical hack, or social engineering, or insider knowledge.

Timmy303 • January 24, 2010 11:27 AM

Dude, it's linked on the top row of the main page's "Don't Miss" section -- nice work!

Clint Ecker • January 24, 2010 11:47 AM

Google, yahoo, et al. have their costs per account list (which is given to DHS etc.) published on cryptome. So it is obvious that all of these companies get sufficient requests from US law enforcement for information that they have streamlined the process so far as to be able to invoice it.

Your cloud data is as good as disclosed.

Marc B. • January 24, 2010 1:15 PM

Let's distinguish the two kinds of lawful interception:

First there is law enforcement. This is done by police forces of all levels and goes through the usual channels. Warrants, court orders and the like. These orders are served to the ISPs and Telcos, then they flip a switch.

The second case is intelligence agencies. Here the ISPs and Telcos must not know when an agency does a wire tap. So all systems are required to provide a method to tap into them without the ISPs' or Telcos' assistance or knowledge.

The second case is new. For the US not much is published yet, but on the other side of the Atlantic ocean, the Europeans are a bit more open. At the "European Telecommunications Standards Institute" all the open and not so open agencies are involved and shape the standards to their needs. Despite the name of the institute, the American cousins are sitting at the table too.

As the invisible wire tap is new (2006 IIRC), it is not yet implemented everywhere. But we can safely assume that most newer systems already have this access point.

Clive Robinson • January 24, 2010 2:26 PM

@ Clint Ecker,

"Your cloud data is as good as disclosed."

Actually there are ways you can prevent your data being disclosed IFF you take precautions.

For instance if you align records and other data in the right way then you can encrypt your DB and perform simple comparison searches against the encrypted data with an encrypted search.

However this is not that secure and there are a number of other things you have to do.

People are currently working on various ways to do various things such as simple mathematics on encrypted data.

The aim being to get to the point where you can give a computing node encrypted data and a program and get it to do useful work on the data.

You then take the encrypted results and decrypt them to get the results.

We already know some things can be done (such as counters and adders) but big questions hang over others (such as branch on compare) not just so that they function but that they don't also leak data.

For instance you could do a simple addition system with a stream cipher that uses add mod 2^n. You simply add another value.

However you have to be very careful if you then perform some other action that inadvertently cancels out the key stream or leaks a bit of data.

It promises to be one of the next big areas of research after we get mundane things like secure hashes, crypto frameworks and possibly key handling systems ;) worked out.

We have very good reason to believe it is not only possible but also under certain constraints can be done efficiently.
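
The additive trick Clive describes above, and the keystream-cancellation leak he warns about, as an added example that is not part of the original post or any commenter's code. It assumes a 32-bit word, a per-record keystream word derived with HMAC-SHA256 in counter mode (any keyed PRF would do; this choice is an assumption of the example), and a server that only ever sees ciphertext:

```python
"""
Additive homomorphism of a "add mod 2^n" stream cipher, plus the leak
that appears when two records share a keystream word.

Constructed example, not code from the original page.
Cipher (assumption): c = (x + k_i) mod 2^n, where k_i is the keystream
word for record i.  A server holding only c can compute (c + v) mod 2^n;
the client subtracts k_i and gets x + v.  The server can NOT decrypt.
"""
import hashlib
import hmac
import struct

WORD_BITS = 32
MOD = 1 << WORD_BITS


def keystream_word(key: bytes, index: int) -> int:
    """Keystream word for record `index` (HMAC-SHA256 in counter mode; an
    assumption of this example, any keyed PRF would serve)."""
    block = hmac.new(key, struct.pack(">Q", index), hashlib.sha256).digest()
    return int.from_bytes(block[:WORD_BITS // 8], "big")


def encrypt(key: bytes, index: int, x: int) -> int:
    return (x + keystream_word(key, index)) % MOD


def decrypt(key: bytes, index: int, c: int) -> int:
    return (c - keystream_word(key, index)) % MOD


def server_add(c: int, v: int) -> int:
    """Untrusted side: add a plaintext constant to a ciphertext it cannot read."""
    return (c + v) % MOD


def homomorphic_add(key: bytes, index: int, x: int, v: int) -> int:
    """Client encrypts x, server adds v blindly, client decrypts: x + v mod 2^n."""
    c = encrypt(key, index, x)
    return decrypt(key, index, server_add(c, v))


def keystream_reuse_leak(key: bytes, index: int, x1: int, x2: int) -> int:
    """The failure mode: two records encrypted under the SAME keystream word.
    c1 - c2 == (x1 + k) - (x2 + k) == x1 - x2 (mod 2^n), recovered by the
    server with no key at all.  Ciphertext-only subtraction must therefore
    never be allowed across records that share keystream, and a 'branch on
    compare' on such differences leaks the same information."""
    c1 = encrypt(key, index, x1)
    c2 = encrypt(key, index, x2)
    return (c1 - c2) % MOD


if __name__ == "__main__":
    k = b"demo-key"  # constructed sample key
    print(homomorphic_add(k, 0, 100, 23))           # 123
    print(homomorphic_add(k, 0, MOD - 1, 1))        # 0 (wraps mod 2^32)
    print(keystream_reuse_leak(k, 7, 500, 300))     # 200, server learns x1 - x2
```

The server in `server_add` never learns `x`, which is the useful half of the property; `keystream_reuse_leak` is the other half: the same additive structure that makes blind addition work makes any operation that combines two ciphertexts under one keystream word cancel the key, which is exactly the "inadvertently cancels out the key stream" case.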

Clive Robinson • January 24, 2010 2:55 PM

@ Marc B.,

"Let's distinguish the two kinds of lawful interception:"

Actually there is a third which has been used in various parts of Europe "broadcast interception".

It is lawful and necessary for many agencies to intercept communications without a warrant if the information is "broadcast". The definition of broadcast is what you get a Judge or politician to make it...

There was talk that EMails should be regarded just like "postcards" as "broadcast" not "private" communications.

A number of organisations are looking to take cases to court (the UK's OfCom being one) just to get judges to change the accepted meaning of words. Often they use such things as the "Proceeds of Crime Act" to prevent the defendant having the ability to defend themselves and in other ways "hollow out" the justice system. These organisations staffed by the likes of (Clive Corrie of OfCom Birmingham) will perjure themselves just to get a result for their seniors and find willing co-conspirators (Barry Cartman Secretary of R&TTE Compliance and MD of BABT for 18 years) in various trade bodies.

'For the US not much is published yet, but on the other side of the Atlantic ocean, the Europeans are a bit more open. At the "European Telecommunications Standards Institute" all the open and not so open agencies are involved and shape the standards to their needs. Despite the name of the institute, the American cousins are sitting at the table too.'

It is no big secret that the likes of the FBI were in Europe at very high level briefings with scare stories long long before 9/11 to try and get the EU to implement laws the various US three letter agencies knew would not happen in the US unless the EU did them first (in most cases they were shown the door but like the rodents they are they kept gnawing away 8(

spaceman spiff • January 24, 2010 3:18 PM

I agree with nik. As convenient and reliable as gmail happens to be, this is unacceptable! I also plan on off-loading my email to my own server as soon as I can properly configure it for local and remote access. Unfortunately, this requires that I expose my server to the general internet (possible because I do hold a number of static IP addresses and my server has a second ethernet port to use when configuring my router), so I am more exposed to external hacks. As a lot of my work is for major manufacturing concerns, IP theft is a major concern.

yo mama • January 24, 2010 8:15 PM

Why is it that the first place anyone is hearing that it was due to a lawful intercept breach is from Schneier? Citation needed!

PackagedBlue • January 24, 2010 9:03 PM

Actually, it was little green men in tiny space saucers who have hacked our systems and are working to make us fight China, and when we destroy ourselves, the little green men have a big party and get some good laughs.

Seriously, with what is in the media these days, the above is just about as much truth that is out there.

As for Bruce Schneier's CNN article, I am happy to read such an article that might be more true than the first line of this post.

If only the rest of the blog was more like Bruce's article, and not like the first line.

If only some think tanks would release some papers better than the first line of this post. GRR.

Ralf • January 24, 2010 9:06 PM

Please provide a source or citation for this claim. I am surprised you would make such a claim without backup. Or are you experimenting how far and fast rumors can spread :)

Oskar • January 24, 2010 9:38 PM

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Or perhaps you shouldn't put it on Google.

Balls • January 24, 2010 9:40 PM

Remember this is an op/ed piece, so it's just an opinion.

However, like others who have posted, I would like to see some references to the claim that Chinese exploited NSA backdoors.

Obviously if backdoors exist specifically for governments, they're not going to want to notify the public about them, but if Google is trying to get back to their "Do No Evil" mantra, not disclosing this information is counterproductive.

Back to the point, I don't like how Bruce's article passes this as fact, without links to references to back the claim up.

Just my $0.02

GregW • January 24, 2010 10:19 PM

For those asking for a source, Google had a system that let law enforcement read the subject line of the email according to various stories such as the one reported on by MacWorld ten days ago when the story broke: http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=28293

It sounded to my ears like this "subject-line-only" (plus to/from headers?) was the sort of government surveillance that would fall under some sort of "pen register"-phone-equivalent search process that falls short of a full tapping of the complete email contents. I have no first-hand knowledge of this of course.

nobody • January 25, 2010 12:09 AM

@Grymoire
"While I believe the government can tap your gmail account, sniff on your Internet connection, install keystroke loggers in your computer, search your horse, tap your cell phone, etc... they need justification first. And then they need to convince a judge that there is "just cause."

Unfortunately, we have the Patriot Act, NSLs, no fly lists, and people being put into terror databases or on watch lists for political reasons with no judicial review. No just cause is necessary anymore.

Bogdan Calin • January 25, 2010 2:33 AM

Bruce, you cannot drop a bomb like this: "Google created a backdoor access system into Gmail accounts" and not provide any reference to back it up. We need to know/verify if this information is true or not. How do we know it's not just your imagination speaking?

Will • January 25, 2010 3:47 AM

I wonder if Bruce knows first hand because he was consulted on the breaches? Even if he doesn't, he surely knows someone who did.

Raiden • January 25, 2010 5:31 AM

Google CEO Eric Schmidt:
“We made a strong statement that we wish to remain in China,”
“We like the Chinese people, we like our Chinese employees. We like the business opportunities there, but we’d like to do that on somewhat different terms than we have but we remain quite committed to being there.“
“Our business in China is today unchanged,“
“We continue to follow their laws, we continue to offer censored results. But in a reasonably short time from now we will be making some changes there.”

Larry Page and Sergey Brin co-founders of Google, have agreed to sell $5.5 Billion in stock.

"The initial purpose of keeping controlling interest was to ensure the company sticks to their “Don’t Be Evil” mantra."
http://phandroid.com/2010/01/24/google-co-founders-selling-5-5-billion-in-stock/

More on my blog:
http://raidenslair.wordpress.com

Dimitris Andrakakis • January 25, 2010 6:12 AM

@Sean, Nik, yo mama, Ralf, Balls, Bogdan Calin et al.:

I don't know if Bruce had this in mind, but it certainly seems relevant :

http://www.pcworld.com/businesscenter/article/186786/google_attack_part_of_widespread_spying_effort.html

Quote :
Drummond said that the hackers never got into Gmail accounts via the Google hack, but they did manage to get some "account information (such as the date the account was created) and subject line."

That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation, who spoke on condition of anonymity because he was not authorized to speak with the press. "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

Matthew Skala • January 25, 2010 8:31 AM

And all this, my friends, is why Wikipedia has become the bane of intelligent discussion everywhere on the Net.

No, an expert speaking within his field doesn't need to provide an expletive deleted APA-format bibliographic citation for every factual claim he makes in an opinion piece. That's kind of what the words "expert" and "opinion" mean. You're free to disbelieve Bruce's expert opinion if you wish, but "{{uncited}}" isn't a legitimate debate-terminating argument against an expert opinion anywhere except on Wikipedia.

A reasonable question might be phrased as "Why do you think Google has built a government backdoor into GMail?" - and for the reasons that one or two smarter commentators above have pointed out, "I can't tell you." might be a reasonable answer to that. "Where's the citation?" isn't the right way to ask the question because in the real world, the overwhelming majority of facts don't appear in the public literature and can't be reduced to a "citation."

David • January 25, 2010 12:50 PM

@Matthew Skala: I'd consider it as why Wikipedia is improving intelligent discussion. People have been making provocative and often inaccurate statements in editorial speech for a long time, and it encourages me to see any movement towards fact-checking.

Just saying "[citation needed]" is rather abrupt, and your formulation is better, and as you point out there may not be any actual citation. Still, I'd rather there be some sort of movement to call people on statements, and "[citation needed]" may be a catchy slogan.

Nick P • January 25, 2010 1:20 PM

@ People Asking For A Source

Use Google. You will find it in 30 seconds. Bruce is late to this party and there is a ton of information out there on Chinese espionage, Gmail or otherwise. For those with enough time to criticize but not type "china gmail attack" or something, here's a few links:

Ton of links to blogs, press releases, etc.
http://arstechnica.com/tech-policy/news/2010/01/google-and-china-the-attacks-and-their-aftermath.ars

One of first articles on it
http://www.macworld.co.uk/digitallifestyle/news/index.cfm?newsid=28293&pn=1

US Government report on nuclear subversion
http://www.house.gov/coxreport/cont/gncont.html

If you can get a copy of the leaked British MOD security manual, it has specific data on Chinese and Russian spying efforts on companies and nations.

Nick P • January 25, 2010 1:27 PM

@ Clive Robinson

Sorry to tell you, but that research isn't recent. They've been working on that stuff for decades and some counters and adders are the best they've come up with. Sad, really. Secure, distributed computation could end up being one of cryptography's greatest challenges.

There is hope though. As you pointed out, researchers are furiously studying crypto schemes that let one store data on untrusted storage providers. Computing is also possible if a tamper-resistant crypto card performs and authenticates critical portions of the work. A few research proposals use the IBM crypto card to allow secure operation in an untrusted data center. MIT's Aegis secure processor can also operate in untrusted environments. I can't wait for it to get out of prototype stages. I think the easiest IT outsourcing will be storage, where files can simply be encrypted & HMAC'd with an appliance before sent out. This provides the assurance for integrity and confidentiality. A company can improve availability by choosing which and how many storage providers to use.

DierdreM • January 25, 2010 2:24 PM

@grymoire--

When they come search my horse, they will have gone TOO far!!! She would probably kick them anyway.

HJohn • January 29, 2010 3:26 PM

For those interested:

--How The Chinese Attacks Actually Work (January 27, 2010)
A report from Mandiant describes how cyber criminals launch sophisticated attacks that penetrate government and corporate computer networks and remain undetected to steal information and monitor activity over lengthy periods of time. The advanced persistent threat (APT) model described in the report is drawn from cases involving real attacks that Mandiant has researched over the last seven years. The company did not say if it is involved in investigating the recent attacks on Google, Adobe and other US companies. The report indicates that the majority of APT attacks have ties to China. Security software was able to detect just 24 percent of the malware used in the attacks. The report describes the seven stages of APT attacks: reconnaissance; intrusion into the network; establishing a backdoor; obtaining user credentials; installing multiple utilities; privilege escalation, lateral movement, and data exfiltration; and maintaining persistence.
http://www.darkreading.com/database_security/security/attacks/showArticle.jhtml?articleID=222600139


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.