Chinese Hacks Of Google Database Of Surveillance Targets Highlight How Dumb Technology Backdoors Are

from the how-can-people-still-not-see-this dept

Wed, May 22nd 2013 2:24pm — Mike Masnick

We've argued for quite some time that law enforcement's desire to require backdoors for wiretapping in all electronic communications is really dumb, because it won't just be law enforcement using it (and, when they use it, it won't just be for legitimate purposes). As soon as you have that backdoor in place, you've pretty much guaranteed that it becomes something of a target. And the news that broke earlier this week about how Chinese hackers who broke into Google servers a few years ago were targeting their database of which accounts had been flagged for national security surveillance makes this point that much clearer. The people doing this kind of hacking aren't dumb: they know that there are weaknesses where they can probe. A few weeks back, a Microsoft exec had actually revealed that their own analysis of similar attacks on Microsoft's servers from China showed the same basic target and discussed the serious implications.

"What we found was the attackers were actually looking for the accounts that we had lawful wiretap orders on," Aucsmith says. "So if you think about this, this is brilliant counter-intelligence. You have two choices: If you want to find out if your agents, if you will, have been discovered, you can try to break into the FBI to find out that way. Presumably that's difficult. Or you can break into the people that the courts have served paper on and see if you can find it that way. That's essentially what we think they were trolling for, at least in our case."

The more openings and the more data that is shared, the more openings and opportunities there are for people who you don't want to see that data to have access to it. That should be a major concern. Just before all of this was revealed, we had written about a new report how such backdoors basically destroy any competent attempt at cybersecurity. Julian Sanchez highlights how those who think this isn't a problem are almost certainly confused about how computer security works.

Defenders of the FBI proposal tend to pooh-pooh security concerns raised about requirisng such backdoors: Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities. But if a company like Google, with its massive financial resources and a stable of some of the smartest coders anywhere, can be victimized in this way, how realistic is it to expect thousands of Internet startups to achieve better security?

Creating more access to information that should be secret might help law enforcement, at the expense of our civil liberties, but it's also going to help those with nefarious intent quite a bit. And that should be a serious concern.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: backdoors, china, hacking, national security, surveillance, wiretapping
Companies: google, microsoft

24 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Atkray (profile), 22 May 2013 @ 2:23pm

There is a reason it is called a firewall and not a fire-door.

A wall blocks things.
A door allows entry.

While both have vulnerabilities, a wall is much easier to defend than a door.

If you have a door you have to monitor it and allow or deny access as is appropriate.

With a wall you can just sweep off all intruders.
[ link to this | view in chronology ]
- Anonymous Anonymous Coward, 22 May 2013 @ 3:55pm
  
  Re:
  As an aside to this, I read a while back about one firewall expert who was complaining that (near as I remember) "firewalls come with everything enabled, and you then have to figure out what to close down. Things would be a lot safer if the firewall came with everything disabled, and then taught you how to open things up, one at a time, as needed."
  
  Makes one wonder about what standard one should use as far as setting up your network/website. There appears to be a lot of variety out there, and in the case of firewalls, default options are not necessarily best practice.
  [ link to this | view in chronology ]
  - Not an Electronic Rodent (profile), 22 May 2013 @ 6:31pm
    
    Re: Re:
    "firewalls come with everything enabled, and you then have to figure out what to close down.
    To be fair to firewall manufacturers, he was (presumably) talking about "everything enabled" outgoing since I don't thik I've ever come across a firewall enabled inbound by default but he still has a point.
    
    Of course the reason they are that way is because then some level of security can be obtained by (and more importantly sales made to) those whos networking skills are at the "Um... firewalls... those are good, right?" level because anything else usually elicits a blank look and the question "What's a port and why do I need 80 of them?"
    [ link to this | view in chronology ]
    - Anonymous, 23 May 2013 @ 7:01am
      
      Re: Re: Re:
      [ link to this | view in chronology ]
    - Anonymous Anonymous Coward, 23 May 2013 @ 7:04am
      
      Re: Re: Re:
      
      blank look and the question "What's a port and why do I need 80 of them?"
      
      LOL, or 65,000 of them for that matter.
      [ link to this | view in chronology ]
      - Not an Electronic Rodent (profile), 24 May 2013 @ 2:14am
        
        Re: Re: Re: Re:
        LOL, or 65,000 of them for that matter.
        That's 2 stages down after they've gathered that in fact 443 of them are required for internet banking and is the point at which "blank look" becomes "nosebleed and brains dribbling out of ears"...
        [ link to this | view in chronology ]
lordbinky, 22 May 2013 @ 2:43pm

Obviously the hackers would have never thought of this until people brought it up. Thanks alot guys....
[ link to this | view in chronology ]
Anonymous Coward, 22 May 2013 @ 3:14pm

Circumvent FOIA
Given the FOIA request success track record, if you believe you're being spied on by the U.S. government, it's probably a lot more effective to just hack into Google and find out if you are than to request this information under FOIA.

So, yeah, this makes perfect sense to me!
[ link to this | view in chronology ]
Anonymous Coward, 22 May 2013 @ 3:16pm

I like how this Magical Christmas Land thinking seems to permeate the paradox crumple-zones in both Government and Business.
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 22 May 2013 @ 3:24pm

I thought we weren't at cyber war with China, Masnick? And that there was no such thing as cyber terrorism?
[ link to this | view in chronology ]
- Mike Masnick (profile), 22 May 2013 @ 4:01pm
  
  Re:
  I thought we weren't at cyber war with China, Masnick? And that there was no such thing as cyber terrorism?
  
  A bit of hacking isn't cyberwar or cyber terrorism. It's just hacking and some espionage. No one died because of this. No one ever said that there wasn't hacking going on backed by nation states, but that's not "cyber war." But, if we're talking about keeping people's private data safe, opening up backdoors is a bad way to do it.
  [ link to this | view in chronology ]
  - Wally (profile), 22 May 2013 @ 7:58pm
    
    Re: Re:
    Google vehemently defends it's actions in keeping back doors open as will most fanboys defend it for doing it.
    
    Eric Schmidt was once quoted in basically stating that anyone working for Google has the ability and access to see users' emails without the use of users' passwords, and the reason people working there don't do it is because he'd know about it immediately and their policy is "don't be evil"...I mean seriously how delusional is that?
    [ link to this | view in chronology ]
    - Niall (profile), 23 May 2013 @ 5:39am
      
      Re: Re: Re:
      It's a little different a company having internal access to material (and we don't know if it's everything) and then that access being made 'publicly' available to the government (yours and any other that cares to investigate).
      [ link to this | view in chronology ]
- JMT (profile), 22 May 2013 @ 10:31pm
  
  Re:
  You need to learn the meanings of the terms 'war', 'terrorism' and 'espionage'. They're all quite different.
  [ link to this | view in chronology ]
- Ninja (profile), 27 May 2013 @ 11:03am
  
  Re:
  So you have absolutely no way of arguing against the article and resort to petty non-issues and baseless attacks. Thanks for playing.
  [ link to this | view in chronology ]
Beta (profile), 22 May 2013 @ 4:06pm

tiny flaws in the plan
"Our brilliant American programmers, they assert, will find ways to enable wiretapping without creating new vulnerabilities."

1: China has some brilliant programmers too.

2: where excellent security is possible and has not yet been implemented, half of the time it's because no one wants to pay for it.

3: ...and the other half of the time, it's because it's slightly inconvenient to use.

4: this is supposed to be a free society, so when you try to install secret police, you're going to run into some problems. That's as it should be.
[ link to this | view in chronology ]
Jesse (profile), 22 May 2013 @ 5:49pm

Every company out there that is compelled to make backdoors but don't want to should make the leakiest ones out to make the point that it will only reduce security.
[ link to this | view in chronology ]
Anonymous Coward, 22 May 2013 @ 6:27pm

I'm ok with letting our brilliant programmers secure backdoors...just as soon as they come up with unbreakable DRM
[ link to this | view in chronology ]
- Not an Electronic Rodent (profile), 22 May 2013 @ 6:34pm
  
  Re:
  ...just as soon as they come up with unbreakable DRM
  They did.... but then they couldn't work out how to get the content to play afterwards... /tongue in cheek
  [ link to this | view in chronology ]
- Wally (profile), 22 May 2013 @ 8:00pm
  
  Re:
  The problem is that a "secure back door" is an enormous, glaring, pulsing oxymoron term....
  [ link to this | view in chronology ]
Anonymous Coward, 23 May 2013 @ 4:00am

not according to USA law enforcement agencies. did i not read where action was going to be taken by them against a company if it didn't build in a backdoor so they could spy on whoever?
[ link to this | view in chronology ]
RyanNerd (profile), 23 May 2013 @ 5:24am

Wargames
Anyone who was alive and watched "hacking" movies during the 80's knows that there is always a back door and that this will prevent WWIII.

"Do you want to play a game?"
[ link to this | view in chronology ]
hadoop training institutes in hyderabad, 8 Sep 2016 @ 11:07pm

hadoop training institutes in hyderabad
thanks for your information Chinese Hacks Of Google Database , you did a great job, keep blogging.for best hadoop training hadoop training institutes in hyderabad
Hadoop is a free, Java-based programming framework that supports the processing of large data sets in a distributed computing environment.learn and get the full knowledge on hadoop.
[ link to this | view in chronology ]
Hadoop training in Hyderabad, 17 Jul 2018 @ 11:03pm

Hadoop training in Hyderabad
If you are looking for a good quality Hadoop training in Hyderabad there are variety of institutes Hadoop is a combination of online running applications on a very huge scale built of commodity hardware.
[ link to this | view in chronology ]