Google Warning Gmail Users About State-Sponsored Attacks 69
Trailrunner7 writes "Google, whose users have been frequent targets of suspected attacks by foreign governments, is deploying a new warning system for users who may be victims of those kinds of attacks. The new system is in addition to existing warnings that Google will show Gmail users when their accounts may have been accessed by attackers. Gmail users have been on the receiving end of a number of known attacks, including the infamous Google Aurora attack that has been blamed on China. Part of that operation was aimed at a specific subset of Gmail users, including Chinese dissidents and journalists. Now, Google says it will warn users about exactly that kind of activity."
Google thinks texting is secure??? (Score:5, Insightful)
Google's security people aren't thinking straight. They believe there is state sponsored hacking and they then recommend their silly phone pin nonsense ("two factor authentication")? Did they think that the phone channel was secure? They don't believe someone could watch them send the PIN over a text message? If they really cared about security they'd ween people off of passwords and only use computer generated RSA/DSA keys. I believe that browsers already allow client certificates for setting up https connections. Using computer generated and invoked keys would solve the phishing and guessing attacks. The keys would have a high enough search space that guessing would be impossible. The connections would be authenticated in a way that wouldn't expose the private key itself, so phishing wouldn't work. 1) the google server key would be checked in a secure crypto manner and a MITM attack wouldn't be possible. 2) the user's key would be checked in they standard public key crypto manner also, which wouldn't expose the private key in the process of authentication. Crap, I know practically nothing about crypto and can punch holes in Googles stuff. They don't think the equivalent of some evil country's NSA could do much better?ï
Re: (Score:1)
Not just text messages, they support hardware tokens too. http://yubico.com/totp
I've been lolling a lot over the past few years that people would trust their phones more than their computers.
What about USGov intrusion ? (Score:2)
I thank Google for their concern of users' right
But I wonder, what if the US Government decides to hack into Gmail accounts that they believe belong to members of "terrorist groups"?
Would GMail allow that?
Re: (Score:1)
I thank Google for their concern of users' right
But I wonder, what if the US Government decides to hack into Gmail accounts that they believe belong to members of "terrorist groups"?
Would GMail allow that?
US Govt has likely the keys to any gmail account. No need for hacking.
Re: (Score:3, Informative)
First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.
Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prep
Re: (Score:1)
Re: (Score:1)
To which "other OS's" do you refer? Maybe AC answered your question after all. I can't believe that anyone who is worthy of the "Geek" title would be using a WINDOWS PHONE! At best, a Windows phone would be a neat toy to play with. When you get tired of it, hand it off to unsuspecting fool who doesn't understand, need, or want any security.
Re: (Score:1)
Re: (Score:3)
First, there is an Android/iPhone/BlackBerry authenticator app (software one-time pad) that you can and should use instead of SMS-sent confirmation code if you don't have a dumbphone.
Second, if you cannot use such an app: obviously SMS represents in no way a secure channel, but it still adds another unsecure channel a potential attacker has to identify then crack (although wiretapping SMS is peanut butter for NSA and friends, linking phone number to Google account might not always be trivial when using prepaid cards for example).
Another option is to pre-generate a list of codes, print them out and cross them off as you use them. When you get low, log in and generate and print another set.
Re:Google thinks texting is secure??? (Score:5, Insightful)
I think the text message is not supposed to be 100% secure, but another obstacle to put in the way of attackers. It's an 80% solution.
Re: (Score:1)
With Google's 2 factor authentication you can either opt for them to call you with a code or send you a txt, along with making that cookie be a one time sign-on or expire in 30 days.
Armchair experts (Score:5, Insightful)
I know practically nothing about crypto
That should be a sign right there that they've likely thought this through more than you have. What makes you think the entirety of their security policy is accurately conveyed in TFA?
PINs through texts are not bulletproof, but they do add security. So do the other methods Google offers, like locally-generated tokens. Certificates are hardly bulletproof either, as Microsoft recently found out. And most methods will fail if you've got a state-sponsored infection like Flame on your system...
Re:Google thinks texting is secure??? (Score:5, Informative)
Another point is that you can use Google authenticator rather than the SMS garbage. This is much more secure and uses HMAC-Based One-Time Password Algorithm (RFC 4226) [ietf.org] and Time-Based One-Time Password Algorithm (RFC 6238) [ietf.org]. It even has a PAM module that you can use with just about anything that supports PAM, and it has iOS, Android, and Blackberry versions of the client app.
Re: (Score:1)
Re:Google thinks texting is secure??? (Score:5, Insightful)
Username and password with the authentication code is more secure than without it, though using the SMS or voice-channel option (which isn't the preferred two-factor mechanism) is a greater risk against an attacker with your password than the preferred two-factor method (which uses an app which generates computer-generated keys instead of sending them two you over a telecommunication network.)
It would be a single-factor authentication method subject to compromise of the device with the key-generating software. In practice, it would be less secure than using Google's existing two-factor authentication system using the preferred (mobile app) mechanism, which involves both device generating a limited-time authentication code and a regular password, so that compromise of either the password or the device doesn't compromise the account.
Re:Google thinks texting is secure??? (Score:5, Funny)
Crap, I know practically nothing about crypto and can punch holes in Googles stuff. ;
Thanks for the pointer. We would never have guessed.
Re: (Score:2)
How about... (Score:2)
Re:How about... (Score:5, Insightful)
"...encrypting your email?"
Encryption for email has been widely available since the mid 1990s, with native support or plugins for almost (but not quite) every major mailer, yet almost no one uses it. That shows just how much most people care about security of online communication.
Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process being standardized or documented in one place.
Re:How about... (Score:5, Informative)
Which email client has encryption installed out of the box?
Outlook, Thunderbird, the mail client in OS X, Evolution, and KMail all come to mind -- they all at least support S/MIME out of the box. Now, I think S/MIME is not appropriate for the typical PC user's email and the PGP's web-of-trust approach is a lot better, but it is not as though there is no encryption option available in popular email clients.
find out how to generate keys
This is definitely the weakest link in the chain for email encryption -- I do not think any of the clients I mentioned above have an automatic key generation process. Maybe Google should submit a patch to Thunderbird instead of working on better ways to let people know that they have been compromised (or perhaps in conjunction with that).
somehow get my public key to all of the people that I want to communicate with?
S/MIME does this automatically when you send signed email to people.
Re: (Score:2)
Maybe Google should submit a patch to Thunderbird instead of working on better ways to let people know that they have been compromised (or perhaps in conjunction with that).
And undermine their own business? I doubt it.
Re: (Score:2)
you know gmail has instructions for setting up POP/IMAP access in the help section.
they even contain specific details for what you need to do in Thunderbird to get it working(and other clients)
Re: (Score:2)
From the Wikipedia article:
"Before S/MIME can be used in any of the above applications, one must obtain and install an individual key/certificate either from one's in-house certificate authority (CA) or from a public CA"
Re: (Score:2)
Which email client has encryption installed out of the box? How "widely available" is it if I have to go download a plugin, then find out how to generate keys, then somehow get my public key to all of the people that I want to communicate with? None of this process being standardized or documented in one place.
And, of course, what of your recipients? I'd love to encrypt all my mail, but having to have everyone I converse with do the same *AND* use the same set of plugins, clients, etc? Particularly considering most access their email over a variety of clients, browsers, and even operating systems? I know I access mine over three separate OS's on a daily basis.
Yeah, that's just not going to happen. Sure, you can secure point to point email that really needs to be, but otherwise it's entirely impractical.
so what about NSA accesses? (Score:5, Interesting)
One of two things are true:
1) Google never ever receives any requests for information from the NSA;
2) What Google actually means is that it will warn Gmail users about state-sponsored "attacks" from countries the US isn't on perfect terms with.
It's one thing to have corporations battling with government for control. It's quite another when one information-gathering corporation has become so big that it's playing its own overt part in the propaganda war.
Re: (Score:1)
Re: (Score:3, Insightful)
Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.
The CONTENT of the private communications of US Persons are off limits without an individualized warrant from a court of competent jurisdiction. It's our friends across the Pacific that are monitoring the content of communications, including of their own citizens.
Google isn't doing this with direct knowledge that a
Re: (Score:1)
Obsession with "the NSA" aside
I've posted threads about "the NSA" perhaps half a dozen times on Slashdot in the ~14 years I've been here. I've seen posts re the government by you, usually of the sycophantic cheerleading variety, hundreds of times. What's your interest?
Anyway, what you are saying is that there is no such thing as a national security letters and the federal government has never installed systems which intercept data belonging to US citizens. You're also using a shitty "it may not be communications between US citizens even
Re: (Score:1)
"Why do you think Americans travel the world with a Canadian flag sewn on their backpacks?"
Because they are cunts.
Hey, I happen to love and admire Canada. But, I will never attempt to pass myself off as Canadian. I'm an American citizen. Wherever I go, I'm just as American. Anyone who lacks the balls to be American in - Tehran, or Beruit, or wherever, should just move their asses to whatever country it is that they prefer. Hell - let them stay in Mogudishu, for all I care. They don't need to come home
Re:so what about NSA accesses? (Score:5, Insightful)
If a US agency (law enforcement or no) with no warrant makes a request to a US corporation, that US corporation (e.g. AT&T) complies. Because if that corporation (e.g. Qwest) resists, their principals end up on the wrong end of an investigation [washingtonpost.com] of the sort Cardinal Richelieu made famous ("If you give me six lines..."). Because we're not actually a nation of laws.
Re: (Score:2)
"A multiplicity of laws is an embarrassment to justice."
We have become a nation of too many laws and too little justice.
Re: (Score:3)
"if a US law enforcement entity with a warrant makes a request "
I don't know for sure, but I get the impression that you've been sleeping for most of a decade. Remember all the hoopla over warrantless taps? Warrantless searches and seizures? In one single instance, virtually all United States telcos were ordered by the US government to cooperate with federal officials to monitor email communications for hints of terroristic threats. Long afterward, the courts started to get involved, and started to find
Re: (Score:2)
Obsession with "the NSA" aside, if a US law enforcement entity with a warrant makes a request to a US corporation, that US corporation complies. Because we're, you know, actually a nation of laws.
The CONTENT of the private communications of US Persons are off limits without an individualized warrant from a court of competent jurisdiction. It's our friends across the Pacific that are monitoring the content of communications, including of their own citizens.
Google isn't doing this with direct knowledge that a particular person is being spied on by their government. They're doing it based on aggregate evidence in nations known to be monitoring certain groups of internet users en masse; i.e., NOT the United States.
Do you think the US government and US corporations should follow the law, or not? If not, what should govern it?
Your opinion?
Communications metadata in various forms has been fair game for decades (i.e., not a "new" or "post-9/11" construct), and has been validated by the US Supreme Court. How do you propose identifying and targeting specific foreign communications â" the content of which does not require, and never has required, a warrant â" now increasingly traveling on systems and networks within the US, without first having a mechanism to first identify and target those communications?
Try to get out of your bubble where you perceive that the government is out to "get you" and take away your rights, and realize that the US has adversaries â" not even of our own creation! â" and that most in government and military leadership take their obligations to the law, the Constitution, and the people of the United States seriously.
Wow.
This is a brilliant troll.
Awesome!
Re: (Score:2)
>What Google actually means is that it will warn Gmail users about state-sponsored "attacks" from countries the US isn't on perfect terms with
Bingo.
even more... (Score:2)
Re: (Score:2)
I can imagine them doing it this year. Employers are already demanding access to your facebook page, so this will probably be next. Time to create two new accounts for both.
"This account is empty"
"Yeah, I use POP to pull the messages out to my own account and set everything to remove it from the server. I like a clean mailaccount".
"This facebook photo doesn't look like you, and you have no friends" :)
"Yeah, it's so sad... After my disfiguring disease everyone left me"
Re: (Score:2)
"Sorry dear employer, i have neither, and if i did you wouldn't be getting the passwords anyway". Then flip them the bird as i walk.
Re: (Score:2)
How about the American government? (Score:5, Insightful)
Re: (Score:2)
How about Guantanamo? Or how about solitary confinement 23/7?
Re: (Score:2)
Google is doing a good thing - mostly (Score:5, Interesting)
We can argue the details of security from now to doomsday. It's a good thing that Google is doing this. Except it's of limited value. As has been pointed out in reference to the Flame attack, State sponsored hacking is very hard to detect. Google might be able to detect some, but how many? And when does Google encounter a conflict of interest? What happens then, and will we know? This is one reason I like the existence of things like Bing and Yahoo Axis, I get to spread things around. No, it's not a cure all and I'm aware that I still can be tracked, but I am raising the price (effort, etc) needed to get things on me.
We're back to the price of Freedom is Eternal Vigilance. Some things don't change in the digital world. Politics didn't, Sex did. Go figure.
This comment will not be saved until you click the Submit button below.
Re: (Score:2)
OUR state sponsored hacking is very hard to detect. If you lock people up just for sending tweets, don't expect them to be great hackers.
Re: (Score:2)
I would tend to think the opposite. If you have a reason to hide things, then you will find how to hide them. This is why repressive countries have significant organized crime issues (AFAIK).
Add 2 + 2 (Score:1)
What about non state sponsored? (Score:2)
Re: (Score:2)
Please RTFS.
Re: (Score:2)
Please RTFS.
Reading the summary before commenting, how very unslashdotesque of you. :D
OK, Ill admit it, I somehow missed that part.
Re: (Score:2)
"Cyber" virus? Seriously?
*groans*