Schneier Makes Uncorroborated Claims About Google Hack
Bruce Schneier has built a successful career as a computer security guru – one who gets it right most of the time and has a wonderful ability to translate security concerns to the layman. But sometimes an author's great reputation makes him less likely to criticize his own work, and the editorial staff of whatever media organization he happens to be writing for, in this case CNN, lazy.
So when Bruce Schneier asserts that Chinese hackers exploited a government-mandated backdoor to abscond with information on human rights activists, you kind of take it for granted that there is, in fact, a back door that they exploited. Except when there's not. Or there might be, but Schneier unfortunately offers few facts and cites no sources, and I haven't found any other report to corroborate his assertion.
What I did find was a ComputerWorld article with this key piece of information:
...the hackers never got into Gmail accounts via the Google hack, but they did manage to get some "account information (such as the date the account was created) and subject line."
That's because they apparently were able to access a system used to help Google comply with search warrants by providing data on Google users, said a source familiar with the situation... "Right before Christmas, it was, 'Holy s***, this malware is accessing the internal intercept [systems],'" he said.
That is not in any way, shape, or form a “backdoor.” Yet, here is the exact language on Schneier's opinion piece:
In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.
The way the language reads, the reader expects that there's a system in place that the government can use to spy on users whenever they please, and the Chinese hackers were able to crack it. The use of the words “backdoor” and “exploited” are the operative terms here, and while there may in fact be a backdoor, it's not what the hackers exploited to gain access – that would be an unpatched Internet Explorer 6 on a Google employee's machine. Schneier flung these terms around without thinking about what he was saying. Or worse, he did fully understand the implications and used the words anyway to elicit a stronger response from the reader.
What Schneier is talking about sounds a lot like an internal data store designed to make information retrieval easier when complying with warrants. While you might consider the existence of such a data store an invasion of privacy (I don't), and it may have actually helped the hackers find what they were looking for (probably), and it might actually be ridiculous and extraneous (debatable), no reasonable person can define it as a backdoor to be exploited. By that definition, any SQL database with a series of left joins and search queries to make data mining easier is a backdoor.
This is irresponsible. This matters because Schneier and anyone else making claims with respect to government abuse of information rights needs to be painstakingly correct. It's very easy to lose credibility and be casually disregarded in the future if we can't back up our accusations. There are enough bad things on the internet perpetrated by governments that there's no need to invent new ones which cannot be corroborated. Schneier has done a disservice to those of us who advocate for information rights, and he needs to set the record straight. Casual fear mongering does none of us any good.
John Mark Walker is a long-time open source agitprop and community organizer. He is the founder of the UbuCon, the 2nd incarnation of GeekPAC and Community Root, LLC. You can read all of his musings at johnmark.org/blog. Follow him at Twitter - @johnmark - and identi.ca - @johnmark