Aurora Attackers Were Looking For Google's Surveillance Database 81
An anonymous reader writes "When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looking to access Gmail accounts of Tibetan activists. What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists. Whether this was the primary goal of the attacks as well as how much information was exfiltrated is unknown. current and former U.S. government officials interviewed by the Washington Post say that the database in question was possibly accessed in order to discover which Chinese intelligence operatives located in the U.S. were under surveillance."
Re:Helpful hint. (Score:3, Interesting)
G-Men. Gmail. Coincidence? (Score:2, Interesting)
Re:Helpful hint. (Score:5, Interesting)
Steganography plus photos of the "kids".
Last word of every sentence plus a one time pad (NEVER EVER REUSE ONE TIME PADS. IT'S IN THE FUCKING NAME.).
Simple coded phrases that seem innocuous. The garbage can spilled again. You need to stop letting that dog off the leash! I miss you and can't wait to see you next weekend. I want to do dinner at that Szechuan place again, I think it's gotten better.
There are plenty of uses for an email account in intel/cointel. Sending plaintext messages over an uncontrolled service just isn't one of them.
When in the field on an operation without official cover, the agent should assume that all actions and responses are monitored by the local and national cointel groups at all times. Communications should be deniable and overt. Email and public message boards are ideal, as they are fully deniable. The days of taping a tiny cannister full of microfiche to the bottom of a park bench ended forty-plus years ago. It's not hard to run deniable covert operations, you just need to be somewhat intelligent, recruit people who are likewise not stupid or lazy, and NEVER EVER take things for granted or relax.
Chinese Cyberwar (Score:2, Interesting)
One of the big problems is that non-governmental organizations that are not part of the defense industry have no legal responsibility to provide security. In fact, there are not even any meaningful federal level guidelines. This is, to a great extent, due to lobbying efforts on the part of entrenched business interests.
http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803 [latimes.com]
So the Republicans and the business community put their own short term interests ahead of the security of the United States. They are literally dumber then a box of rocks. Even so, if you listed to Republican rhetoric/propaganda they claim to be only ones who know how to defend the country. It's pathetic and frightening.
More Helpful Hints (Score:1, Interesting)
If you're a corporation, don't use Google gmail or docs. Even if Google were somehow more secure than your own IT could be, uploading your company's spreadsheets to Google - whose primary business is selling advertising to your competitors - is a dumb idea.
Google the biggest fighter against govt data reque (Score:5, Interesting)
That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)
Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
https://www.documentcloud.org/documents/680852-googlemotion.html
They are the only company I know of which publicizes how many supeonas and national security letters they get. That itself is thumbing their nose at the
FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
they aren't allowed to reveal the things they revealed in that suit. (It's a pretty safe assumption that Doe was Goog.)
Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.
Re:they could...move their mail operation overseas (Score:3, Interesting)
Re: they could just move their mail operation overseas with no US operatives.
they do it for taxes already, so why the fuck not...
Hate to break it to you, but they don't really move their money overseas for tax purposes. They only claim to move the money overseas. It's just a sham tax avoidance scheme. See the New York Times article entitled For U.S. Companies, Money âOffshoreâ(TM) Means Manhattan [nytimes.com]:
Apple's $102 billion in offshore profits is actually managed by one of its wholly owned subsidiaries in Reno, Nev., according to the Senate report on the company's tax avoidance. The money is tracked by Apple company bookkeepers in Austin, Tex. What's more, the funds are held in bank accounts in New York.
...
''The offshore companies are a fiction and the statement that the money is offshore is a fiction,'' said Edward D. Kleinbard, former staff director for the Congressional Joint Committee on Taxation. ''What they are asking for is a reward for having gamed the system.''
So they could claim that the servers are the diplomatic property of that imaginary land of Googylvania, couldn't they? Googylvania, that's my name for that concept, see also /. article about Google Island [slashdot.org]. Way, way, way beyond the reach of the USA laws.
But you forget that the point of this is not really to stop servicing the Law Enforcement community of the USA. It's just to put up the pretense of protesting at serving and servicing the interests of the spies and LEOs of the USA: mollify the sheeple customers into believing that "it's the bad old guvviment that's so mean and googa-woogle is so good and on your side, we even pwotest these national secuwity lettews!" Don't fall for it. Google is NOT on your side.