Schneier Makes Uncorroborated Claims About Google Hack

by John Mark Walker - Jan. 25, 2010

Bruce Schneier has built a successful career as a computer security guru – one who gets it right most of the time and has a wonderful ability to translate security concerns to the layman. But sometimes an author's great reputation makes him less likely to criticize his own work, and the editorial staff of whatever media organization he happens to be writing for, in this case CNN, lazy.


So when Bruce Schneier asserts that Chinese hackers exploited a government-mandated backdoor to abscond with information on human rights activists, you kind of take it for granted that there is, in fact, a back door that they exploited. Except when there's not. Or there might be, but Schneier unfortunately offers few facts and cites no sources, and I haven't found any other report to corroborate his assertion.

What I did find was a ComputerWorld article with this key piece of information:


...the hackers never got into Gmail accounts via the Google hack, but they did manage to get some "account information (such as the date the account was created) and subject line."
That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation... "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.

That is not in any way, shape, or form a “backdoor.” Yet, here is the exact language on Schneier's opinion piece:

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.


The way the language reads, the reader expects that there's a system in place that the government can use to spy on users whenever they please, and the Chinese hackers were able to crack it. The words “backdoor” and “exploited” are the operative terms here, and while there may in fact be a backdoor, it's not what the hackers exploited to gain access – that would be an unpatched Internet Explorer 6 on a Google employee's machine. Schneier flung these terms around without thinking about what he was saying. Or worse, he did fully understand the implications and used the words anyway to elicit a stronger response from the reader.

What Schneier is talking about sounds a lot like an internal data store designed to make information retrieval easier when complying with warrants. While you might consider the existence of such a data store an invasion of privacy (I don't), and it may have actually helped the hackers find what they were looking for (probably), and it might actually be ridiculous and extraneous (debatable), no reasonable person can define it as a backdoor to be exploited. By that definition, any SQL database with a series of left joins and search queries to make data mining easier is a backdoor.

This is irresponsible. This matters because Schneier and anyone else making claims with respect to government abuse of information rights needs to be painstakingly correct. It's very easy to lose credibility and be casually disregarded in the future if we can't back up our accusations. There are enough bad things on the internet perpetrated by governments that there's no need to invent new ones which cannot be corroborated. Schneier has done a disservice to those of us who advocate for information rights, and he needs to set the record straight. Casual fear mongering does none of us any good.


John Mark Walker is a long-time open source agitprop and community organizer. He is the founder of the UbuCon, the 2nd incarnation of GeekPAC and Community Root, LLC. You can read all of his musings at johnmark.org/blog. Follow him at Twitter - @johnmark - and identi.ca - @johnmark






7 Comments

Indeed, if the situation is as you read it (and your reading sounds right to me as well), one could fairly say that


1. Google established this "intercept system" in such a way as specifically to protect gmail user privacy, by separating the message metadata from the messages themselves.


2. It worked: even though that system was compromised, the user message data was not.


0 Votes

I guess you NEVER heard of an NDA before?


When the NSA comes knocking at your door, just as they did with Microsoft, is it any wonder why nobody at Microsoft was able to tell the public what the NSA actually did?


Non-Disclosure Agreement, for those who don't know... If you talk, you go to prison!!!!!!


So yes, most individuals are NOT talking! Wikileaks isn't posting either...


Google already said too much regarding the attack code built into Microsoft code.


Don't forget that it was Microsoft's buggy code in IE...


In fact, Microsoft themselves won't use their own IE code to render HTML email in Outlook 2003, 2007 and 2010! That should tell you something right there...


IE isn't good enough for Microsoft's own HTML email?

Isn't IE built using HTML? Is anyone else validating their HTML, since Microsoft plainly refuses to follow ISO standards!


No wonder everything is broken with Microsoft, making it possible to exploit, as the Chinese didn't waste time!


Now, will Americans wake up?


0 Votes

Words are so often exaggerated and abused these days that we often find ourselves in semantic arguments that distract instead of elucidating. In Bruce's defense, there is a long tradition in the infosec field of referring to law enforcement mechanisms as 'backdoors', although the size of this particular door is certainly debatable.


The point is not what you call this thing, but that it exists at all, which has multiple implications for the users. Service providers in North America and Europe are required by law to collect certain metadata about customer activities, and provide it to law enforcement under specific circumstances.


The customers, and potential customers, of externally provisioned services should have every expectation of being told exactly what data, and metadata, is being collected about their activities, and how that data is protected. Whether or not Google's law enforcement logs were actually breached remains to be confirmed (although the type of information they admitted has been stolen is entirely consistent with that).


The lesson to take from this is that you should not expect that an external service provider will operate the same way you do, and that it is difficult or impossible to assess how at risk your data is when it is being processed and stored within an ambiguous infrastructure. Service providers have different motivations than their customers, and they have different regulatory and social obligations. Let the buyer beware.


http://blogs.gartner.com/jay-heiser/


1 Votes

From what I remember of the first reports, they were saying just that: that the attack was a coordinated multi-vector attack, very sophisticated, and there were a number of methods used, including social engineering, possibly insider actions, and a relatively old virus payload that was probably fired by opening an attached email.


They also noted that one of the vectors of the attack was the Google-written application for the automated execution of warrant searches.


Oh yeah, and also that thing with Adobe, thus "multi-vectored attack".


So it's possible the attack, being coordinated, would be a Chinese employee of Google specifically opening an email attachment and exploiting a known exploit on an old version of Windows (XP) and IE6, probably with the aid of the Adobe exploit (that was patched the next day).


This all sounds very feasible to me, and I would assume there would be mechanisms in place for law enforcement and national security to process warrant searches.


In fact I know they do; I have heard of several murder investigations where their Google searches are checked, and it's claimed they looked up poisons or whatever.


So they DO do it, and that's one reason I don't use Google, and I would never trust any REAL information, personal or not, that was of any privacy or importance on a Google Gmail server, or Hotmail for that matter.


If I want to use data, I keep it on my own hard drive.


Oh my background is in military communications and security. But if I said any more I would have to dispatch you. :)


0 Votes

Jay - thanks for your response. That was a very clear description of the points in play here. I had assumed the stuff that you laid out, above, so getting confirmation of my suspicions doesn't shock me.


I'll never forget when C. Li from Forrester talked about "In Google We Trust", and I was like, WTF? I take the Fox Mulder approach - trust no one.


Again, while I don't think compiling the metadata is necessarily a violation of my privacy - after all, I've already granted them access to my data by providing it willingly - that doesn't mean I have to like how it's used. And in this case, I actually agree with Schneier's point about govt. spying. I just don't want such viewpoints to be laughed off because the arguments in support were over the top.


0 Votes

Google, China and IP


First they came for and stole music online, and I did not speak out—because I was not a musician;

Then they came for and stole movies online, and I did not speak out—because I was not an actor;

Then they came for and stole books online, and I did not speak out—because I was not a writer;

Then they came for and stole my intellectual property, and I finally spoke out.


Remix by Steve Baba, Ph.D., www.Shrewd.com


0 Votes
