
Aurora Attackers Were Looking For Google's Surveillance Database 81

Posted by Soulskill
from the go-big-or-go-home dept.
An anonymous reader writes "When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looking to access Gmail accounts of Tibetan activists. What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists. Whether this was the primary goal of the attacks as well as how much information was exfiltrated is unknown. Current and former U.S. government officials interviewed by the Washington Post say that the database in question was possibly accessed in order to discover which Chinese intelligence operatives located in the U.S. were under surveillance."

  • by Anonymous Coward

    Should have used a HOSTS file for better security.

    • What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists.

      ... and anybody else, as long as the authority can label them "potential threats"

      Welcome to 1984, man !!

      • by ozmanjusri (601766) <aussie_bob.hotmail@com> on Tuesday May 21, 2013 @08:43PM (#43789293) Journal

        .. and anybody else, as long as the authority can label them "potential threats"

        "Diplomats" is a clearly defined set. The set "suspected spies and terrorists" already contains everybody.

      • by raymorris (2726007) on Tuesday May 21, 2013 @09:50PM (#43789761)
        The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
        That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
        By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
        information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
        therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

        Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
        https://www.documentcloud.org/documents/680852-googlemotion.html

        They are the only company I know of which publicizes how many subpoenas and national security letters they get. That itself is thumbing their nose at the
        FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
        they aren't allowed to reveal the things they revealed in that suit. (It's a pretty safe assumption that Doe was Goog.)

        Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
        No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
        executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.
        • by Anonymous Coward

          I basically agree, Google are a victim as much as the ones being spied on are victims, they don't like this, nobody does.

          I'm calling the people spied on 'victim' here, because I don't believe this statement:

          "The database included information about court orders authorizing surveillance — orders that could have signaled active espionage investigations into Chinese agents who maintained e-mail accounts through Google’s Gmail service"

          Right and why would they use Gmail? I think a far more likely s

        • by gl4ss (559668)

          The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
          That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
          By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
          information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
          therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

          Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
          https://www.documentcloud.org/documents/680852-googlemotion.html [documentcloud.org]

          They are the only company I know of which publicizes how many subpoenas and national security letters they get. That itself is thumbing their nose at the
          FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
          they aren't allowed to reveal the things they revealed in that suit. (It's a pretty safe assumption that Doe was Goog.)

          Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
          No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
          executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.

          they could just move their mail operation overseas with no US operatives.

          they do it for taxes already, so why the fuck not...

        • by Anonymous Coward

          I've said it before and I'll say it again.

          I'm beginning to suspect that Google is actually a front organisation for the Contact division of some race of well-meaning and meddlesome aliens, who are using it to discreetly nudge our society onto the path towards peace, freedom and post-scarcity tech-utopia. Eventually, thanks to them, our descendants will be able to take their place among their peers in the stars.

          But maybe I've been reading too much Iain M Banks.

          Actually I take it back. It's impossible to rea

        • by Raenex (947668)

          Google does more than any other company, probably any company in history, to fight against that.
          By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
          information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
          therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

          http://en.wikipedia.org/wiki/American_Civil_Liberties_Union_v._Ashcroft [wikipedia.org]

          "American Civil Liberties Union v. Ashcroft (filed April 9, 2004 in the United States) is a lawsuit filed on behalf of a formerly unknown Internet Service Provider (ISP) owner by the American Civil Liberties Union against the U.S. federal government. In 2010, it was revealed that John Doe was in fact Nicholas Merrill of Calyx Internet Access."

          So that was a small ISP owner doing the right thing, not Google. What do you think Google was d

      • by FatdogHaiku (978357) on Tuesday May 21, 2013 @11:02PM (#43790179)

        Welcome to 1984, man !!

        If I don't get my 1984 body back then I'm not buying in...

  • Helpful hint. (Score:5, Insightful)

    by khasim (1285) <brandioch.conner@gmail.com> on Tuesday May 21, 2013 @08:13PM (#43789107)

    If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

    • by Anonymous Coward on Tuesday May 21, 2013 @08:20PM (#43789135)

      Helpful hint.
      If you are in the spy or terror business, and u use email to communicate, u should look for another line of work.

      -HasHie @ trypnet.net

      • Re:Helpful hint. (Score:5, Informative)

        by iggymanz (596061) on Tuesday May 21, 2013 @08:31PM (#43789213)

        nonsense, overt communication of misinformation is a time honored counterintelligence technique. Real messages can also be covertly conveyed in the same channel

      • Re:Helpful hint. (Score:5, Interesting)

        by RMingin (985478) on Tuesday May 21, 2013 @09:01PM (#43789405) Homepage

        Steganography plus photos of the "kids".

        Last word of every sentence plus a one time pad (NEVER EVER REUSE ONE TIME PADS. IT'S IN THE FUCKING NAME.).

        Simple coded phrases that seem innocuous. The garbage can spilled again. You need to stop letting that dog off the leash! I miss you and can't wait to see you next weekend. I want to do dinner at that Szechuan place again, I think it's gotten better.

        There are plenty of uses for an email account in intel/cointel. Sending plaintext messages over an uncontrolled service just isn't one of them.

        When in the field on an operation without official cover, the agent should assume that all actions and responses are monitored by the local and national cointel groups at all times. Communications should be deniable and overt. Email and public message boards are ideal, as they are fully deniable. The days of taping a tiny canister full of microfiche to the bottom of a park bench ended forty-plus years ago. It's not hard to run deniable covert operations, you just need to be somewhat intelligent, recruit people who are likewise not stupid or lazy, and NEVER EVER take things for granted or relax.

        • by ebno-10db (1459097) on Tuesday May 21, 2013 @09:12PM (#43789473)

          Steganography plus photos of the "kids".

          Another approach is plain text that's so blatant the eavesdropper will assume no one would be stupid enough to send it seriously. For example: kill moose and squirrel.

        • by PPH (736903)

          Steganography plus photos of the "kids".

          Yeah, but in regular e-mails to an address in the PRC intelligence division? Even if they are only about the wife and kids, that's suspicious.

          Better to hide the messages in pics of underage teenage girls and post them to 4chan. At least you have a plausible audience in half the male population of China.

        • by umeboshi (196301)

          Jive Miguel
          He's in from Bogota
          Meet me at midnight
          At Mr. Chow
          Szechuan dumplings
          After the deal has been done
          I'm the one

    • Re: (Score:3, Interesting)

      by DNS-and-BIND (461968)
      You'd be shocked at how many people get really offended if you tell them to stop using Gmail. It's like telling someone who likes to bitch about how crap TV is to stop watching - it's just utterly out of the question. You'd think it would be easy to search for "free email provider", go to page 17 of results, and pick some random one. You would also be dead wrong.
      • by bmo (77928)

        No, they think you're an idiot because your tinfoil is so tight that you think that TLAs are interested in personal messages about their kids, or shopping lists for Trader Joe's.

        But not only that, if you're worried about security, you don't trust third parties at all to keep stuff private. You encrypt locally and transmit over whatever you want (even shortwave. google "numbers stations"). If you are sending anything over the interbutt, or any other medium, and you are one white persian cat away from be

    • by Virtucon (127420)

      Uhm, like General Petraeus, former head of the CIA? [networkworld.com]

      Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

      • That trick was originally used by Islamic extremists I believe, so hardly that clever. Seriously though, Gmail? What? Use encrypted morse port knocking on some nothing zombie or something.

      • Re:Helpful hint. (Score:5, Insightful)

        by Nidi62 (1525137) on Tuesday May 21, 2013 @08:46PM (#43789315)

        Uhm, like General Petraeus, former head of the CIA? [networkworld.com]

        Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

        He was a political appointee, what do you expect? He was actually never in any capacity a spy. He was an infantry officer and a teacher more than he was anything else until 2004 and after when he was overall commander of Iraq then Afghanistan. The director of any agency in the US is an administrator above all else.

        • The director of any agency in the US is an administrator above all else. And he didn't really get any on the job training to be a spy. So he believed all the baloney about using "secret gmail tricks" and the "draft folder" with two people logging into the same account to pass messages back and forth. He certainly wasn't going to trust someone else with his sexual escapades and moral turpitude, was he? It's not like your executive administrative assistant, even at the C.I.A., is trustworthy enough to hel

          • by EvanED (569694)

            He is that stupid. And so are most people. Every compu-geek is saying, geee why didn't they use P-geeee-pee or Gee-Pee-Gee or one-time-pads, or steganography in images of zebras!!! And people here think that they're a lot smarter than they really are, or probably are

            I believe The Onion had an interesting investigative report [theonion.com] on the topic of that observation applied to national security.

        • Uhm, like General Petraeus, former head of the CIA? [networkworld.com]

          Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

          He was a political appointee, what do you expect? He was actually never in any capacity a spy. He was an infantry officer and a teacher more than he was anything else until 2004 and after when he was overall commander of Iraq then Afghanistan. The director of any agency in the US is an administrator above all else.

          Yes, exactly. That's why I roll my eyes whenever I hear, "Well if the head of the CIA can't keep his communications private..." Yeah, he's head of the CIA but it's not like he's trained in espionage. The spooks who do the real work generally don't have their communications compromised.

    • If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

      Just them? You'll note it also said suspected spies and terrorists. With "broader definitions" of terrorism coming out every day, and the criteria for being included on a watchlist, paired with these hotlines opening up for anonymous "tips"... pretty much anyone these days can be a suspected spy or terrorist. And being a citizen of the US is very little barrier against invasions of your privacy; They've even talked about revoking citizenship for people simply to avoid any legal hassles.

      It might be more accu

      • by amiga3D (567632)

        Don't use e-mail. Seriously, how secure is any e-mail server against government surveillance. Maybe using phone modems and sending a message directly computer to computer with full encryption might work. Then maybe not. I'm thinking that if I was involved in something highly illegal my paranoia would jump into overdrive. Given that I'm nobody and have nothing I think I might be safe using Gmail.

        • by AmiMoJo (196126) *

          Email is a powerful tool so it is undesirable to give it up, especially when securing it isn't that hard. Even Gmail lets you paste in encrypted text.

    • Re:Helpful hint. (Score:4, Insightful)

      by Jah-Wren Ryel (80510) on Tuesday May 21, 2013 @09:03PM (#43789423)

      If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

      You are assuming these people were using gmail for clandestine communications. I'm pretty sure even the most basic opsec training would have covered the "don't use email for secret messages" rule.

      What this looks like is a ruse - agents set up email accounts that are never used for spying purposes but are sufficient to attract exactly the kind of counter-espionage actions of getting the US to spy on the accounts. Then grab the list of accounts the US is spying on because that list is in the hands of google who don't have formal handling procedures for classified information and so are an easy target versus some system behind an air-gap firewall. Tada, now you know which spies have had their covers blown. It doesn't tell you which spies are still safe, but it does give positive confirmation of who has been exposed.

      • by PPH (736903)

        Then grab the list of accounts the US is spying on because that list is in the hands of google who don't have formal handling procedures for classified information and so are an easy target versus some system behind an air-gap firewall.

        PROTIP: Involving untrained individuals or organizations in intelligence gathering operations is a bad idea. They tend to leak information to either the targets of investigations or third parties with interests in such surveillance.

      • by houghi (78078)

        Perhaps they do not want the people who maintain the servers to have access to said data. Perhaps they are real spies and they do think that using spy@example.gov might blow their cover and using a Gmail account will be less suspicious.

        Also for others, the content might not be interesting, but the people might be. If one person receive private email from e.g. GayLover@example.com and the like and your country is very panicky about people being gay and in politics, it could be used to look in that direction

    • But I hear that Gmail is trusted by the CIA at the highest levels! Who should I trust now???

    • by Yvanhoe (564877)
      And if you are the boss of a spy and that this is not part of your guidelines, just resign. You are a threat to your own country.
  • *Cue the dramatic prairie dog*
  • The Chinese government is waging ongoing cyber warfare against the US, and we are losing the defensive battle.

    One of the big problems is that non-governmental organizations that are not part of the defense industry have no legal responsibility to provide security. In fact, there are not even any meaningful federal level guidelines. This is, to a great extent, due to lobbying efforts on the part of entrenched business interests.

    http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803 [latimes.com]

    • by Anonymous Coward

      They (Chinese) are doing it to themselves. It's quite sad. With all this new found global fortune and fame, they're managing to piss off the very same nations that would make them great allies. It's as though they feel entitled to take their rightful place in the world without their motives being questioned. In reality, they're just burning their social credibility. I know America had a similar attitude towards the british after the revolution, but that at least is rooted in history. But China? WTF did the

    • Hmm, that's odd, according to liberals the entire "Chinese are attacking us" meme is a total myth. It's not happening. It is a convenient boogeyman meant to drive government spending towards the military-industrial complex. So, which one is right?
    • This is terrible. We are letting halfwits, like the current leadership of the /US Chamber of Commerce/ dictate to us how to defend ourselves against our ene

      Letting deluded political extremists do this is the height of fucking insanity.

  • More Helpful Hints (Score:1, Interesting)

    by Anonymous Coward

    If you're a corporation, don't use Google gmail or docs. Even if Google were somehow more secure than your own IT could be, uploading your company's spreadsheets to Google - whose primary business is selling advertising to your competitors - is a dumb idea.

  • by c0lo (1497653) on Wednesday May 22, 2013 @01:49AM (#43790967)

    TFStory title: "Aurora Attackers Were Looking For Google's Surveillance Database"
    TFSummary: "Whether this was the primary goal ... is unknown"

    Minimal change needed to reconcile the two - "Aurora Attackers Were Maybe Looking At Google's Surveillance Database"

    Stuff that matters: there may be something that can be called "Google's Surveillance Database".

  • One imagines that such information is securely encrypted within the database.. no?
  • ...I'm not real certain that information gleaned from an intelligence operative unprofessional enough to use a gmail account in the clear is really worth the effort.
