Aurora Attackers Were Looking For Google's Surveillance Database

An anonymous reader writes "When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looking to access Gmail accounts of Tibetan activists. What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists. Whether this was the primary goal of the attacks as well as how much information was exfiltrated is unknown. current and former U.S. government officials interviewed by the Washington Post say that the database in question was possibly accessed in order to discover which Chinese intelligence operatives located in the U.S. were under surveillance."

Re:Helpful hint.

[DNS-and-BIND]

You'd be shocked at how many people get really offended if you tell them to stop using Gmail. It's like telling someone who likes to bitch about how crap TV is to stop watching - it's just utterly out of the question. You'd think it would be easy to search for "free email provider", go to page 17 of results, and pick some random one. You would also be dead wrong.

G-Men. Gmail. Coincidence?

[gubon13]

*Cue the dramatic prairie dog*

Re:Helpful hint.

[RMingin]

Steganography plus photos of the "kids".

Last word of every sentence plus a one time pad (NEVER EVER REUSE ONE TIME PADS. IT'S IN THE FUCKING NAME.).

Simple coded phrases that seem innocuous. The garbage can spilled again. You need to stop letting that dog off the leash! I miss you and can't wait to see you next weekend. I want to do dinner at that Szechuan place again, I think it's gotten better.

There are plenty of uses for an email account in intel/cointel. Sending plaintext messages over an uncontrolled service just isn't one of them.

When in the field on an operation without official cover, the agent should assume that all actions and responses are monitored by the local and national cointel groups at all times. Communications should be deniable and overt. Email and public message boards are ideal, as they are fully deniable. The days of taping a tiny cannister full of microfiche to the bottom of a park bench ended forty-plus years ago. It's not hard to run deniable covert operations, you just need to be somewhat intelligent, recruit people who are likewise not stupid or lazy, and NEVER EVER take things for granted or relax.

Chinese Cyberwar

[Required Snark]

The Chinese government is waging ongoing cyber warfare against the US, and we are loosing the defensive battle.

One of the big problems is that non-governmental organizations that are not part of the defense industry have no legal responsibility to provide security. In fact, there are not even any meaningful federal level guidelines. This is, to a great extent, due to lobbying efforts on the part of entrenched business interests.

http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803 [latimes.com]

But theU.S. Chamber of Commerceand other business groups strenuously opposed the measure, condemning it as excessive government interference in the free market and arguing that cumbersome federal regulations could hamper companies trying to defend against cyber intrusions.

Democrats overwhelmingly supported the legislation, but for Republicans, it meant a stark choice between competing constituencies: national security officials and business leaders. Even after the bill's backers made the standards voluntary, the Chamber of Commerce, which spends more on lobbying than any other trade group, opposed it.

On Thursday, the Senate cyber-security bill failed to overcome a Republican-led filibuster. Analysts say the bill couldn't breach a wall of anti-regulatory sentiment that proved resistant to the dire warnings.

The measure fell short of the 60-vote threshold needed to end debate, 52 to 46, with 40 Republicans joined by six Democrats voting in support of the filibuster.

"Rarely have I been so disappointed in the Senate's failure to come to grips with a threat to our country," said Sen. Susan Collins, the ranking Republican on the Senate Homeland Security Committee and one of the bill's chief sponsors, who had tried in vain to sway her GOP colleagues. Just four sided with her.

So the Republicans and the business community put their own short term interests ahead of the security of the United States. They are literally dumber then a box of rocks. Even so, if you listed to Republican rhetoric/propaganda they claim to be only ones who know how to defend the country. It's pathetic and frightening.

More Helpful Hints

[Anonymous Coward]

If you're a corporation, don't use Google gmail or docs. Even if Google were somehow more secure than your own IT could be, uploading your company's spreadsheets to Google - whose primary business is selling advertising to your competitors - is a dumb idea.

Google the biggest fighter against govt data reque

[raymorris]

The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
https://www.documentcloud.org/documents/680852-googlemotion.html

They are the only company I know of which publicizes how many supeonas and national security letters they get. That itself is thumbing their nose at the
FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
they aren't allowed to reveal the things they revealed in that suit. (It's a pretty safe assumption that Doe was Goog.)

Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.

Re:they could...move their mail operation overseas

[girlinatrainingbra]

Re: they could just move their mail operation overseas with no US operatives.

they do it for taxes already, so why the fuck not...

Hate to break it to you, but they don't really move their money overseas for tax purposes. They only claim to move the money overseas. It's just a sham tax avoidance scheme. See the New York Times article entitled For U.S. Companies, Money âOffshoreâ(TM) Means Manhattan [nytimes.com]:

Apple's $102 billion in offshore profits is actually managed by one of its wholly owned subsidiaries in Reno, Nev., according to the Senate report on the company's tax avoidance. The money is tracked by Apple company bookkeepers in Austin, Tex. What's more, the funds are held in bank accounts in New York.

...

''The offshore companies are a fiction and the statement that the money is offshore is a fiction,'' said Edward D. Kleinbard, former staff director for the Congressional Joint Committee on Taxation. ''What they are asking for is a reward for having gamed the system.''

So they could claim that the servers are the diplomatic property of that imaginary land of Googylvania, couldn't they? Googylvania, that's my name for that concept, see also /. article about Google Island [slashdot.org]. Way, way, way beyond the reach of the USA laws.

But you forget that the point of this is not really to stop servicing the Law Enforcement community of the USA. It's just to put up the pretense of protesting at serving and servicing the interests of the spies and LEOs of the USA: mollify the sheeple customers into believing that "it's the bad old guvviment that's so mean and googa-woogle is so good and on your side, we even pwotest these national secuwity lettews!" Don't fall for it. Google is NOT on your side.