Aurora Attackers Were Looking For Google's Surveillance Database

An anonymous reader writes "When in early 2010 Google shared with the public that they had been breached in what became known as the Aurora attacks, they said that the attackers got their hands on some source code and were looking to access Gmail accounts of Tibetan activists. What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists. Whether this was the primary goal of the attacks as well as how much information was exfiltrated is unknown. current and former U.S. government officials interviewed by the Washington Post say that the database in question was possibly accessed in order to discover which Chinese intelligence operatives located in the U.S. were under surveillance."

First HOSTS!

[Anonymous Coward]

Should have used a HOSTS file for better security.

Google, Big Brother's Helper ?

[Taco Cowboy]

What they didn't make public is that the hackers have also accessed a database containing information about court-issued surveillance orders that enabled law enforcement agencies to monitor email accounts belonging to diplomats, suspected spies and terrorists.

... and anybody else, as long as the authority can label them "potential threats"

Welcome to 1984, man !!

Re:Google, Big Brother's Helper ?

[ozmanjusri]

.. and anybody else, as long as the authority can label them "potential threats"

"Diplomats" is a clearly defined set. The set "suspected spies and terrorists" already contains everybody.

"highering" is right!

[girlinatrainingbra]

Well, at least they didn't "lower" another country! "Highering" another country to do that work isn't always necessary. Since there are supposedly laws preventing the C.I.A. and N.S.A. from spying on our own countrymen, countrywomen, country-boys-and-girls-and-cats-and-dogs, supposedly there is a "gentleman's agreement" between the brits, israelis, and ourselves to trade info gathered on one-anothers' countrymen [damn those gendered nouns sneak in a lot in english] with the "rival" spy agencies, so that t

Re: "highering" is right!

[s.petry]

While there may be laws on the books in the US protecting citizens from the CIA, NSA, DHS, FBI, etc...(goddamn long list of Govt. agencies) those laws have been ignored for a dozen years. Because people refuse to see it does not make it go away... It just means people can be Ostriches.

Re:

[ozmanjusri]

While there may be laws on the books in the US protecting citizens from the CIA, NSA, DHS, FBI, etc...(goddamn long list of Govt. agencies) those laws have been ignored for a dozen years.

How can they be sure you're a citizen if they don't spy on you?

Be reasonable.

Re:

[TapeCutter]

Good plan, AFAIK they're not tracking ostriches.

Re:

[__aaltlg1547]

Since there are supposedly laws preventing the C.I.A. and N.S.A. from spying on our own countrymen, countrywomen, country-boys-and-girls-and-cats-and-dogs, supposedly there is a "gentleman's agreement" between the brits, israelis, and ourselves to trade info gathered on one-anothers' countrymen

What passes as fodder for discussion between intelligent people around here is beyond me.

Re:

[girlinatrainingbra]

you can look it up. i won't bother doing it for you. but here's one link:

http://www.aclu.org/technology-and-liberty/nsa-spying-americans-illegal [aclu.org]

Google the biggest fighter against govt data reque

[raymorris]

The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
https://www.documentcloud.org/documents/680852-googlemotion.html

They are the only company I know of which publicizes how many supeonas and national security letters they get. That itself is thumbing their nose at the
FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
they aren't allowed to reveal the things they revealed in that suit. (It's a pretty safe assumption that Doe was Goog.)

Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.

Occupy Wallstreet

[Anonymous Coward]

I basically agree, Google are a victim as much as the ones being spied on are victims, they don't like this, nobody does.

I'm calling the people spied on 'victim' here, because it I don't believe this statement:

"The database included information about court orders authorizing surveillance — orders that could have signaled active espionage investigations into Chinese agents who maintained e-mail accounts through Google’s Gmail service"

Right and why would they use Gmail? I think a far more likely s

Hubris.

[TapeCutter]

but to think they spend time and millions of lawyer money fighting the government for the grater good is rather disingenuous

You don't have a clue what it's like to be a billionaire and even less of a clue as to what motivates them to spend money on lawyers. If it was all about financial reward then google would simply give the government everything they wanted with a minimum of fuss and pay a few PR hacks to explain why the can't "fight city hall". I don't claim to know what their motivation is, however it's obvious there's no financial reward to be had that would outweigh the costs of their self-imposed policy.

Re:

[grumpy_old_grandpa]

Google does have intensives in this matter: User trust. If they lose it, there will be less page views, less ads clicks and less money. Even if the likelihood of any single user being affected by the surveillance laws is small, it's the perception which counts. It's some of the same fear Microsofts plays on with their Scroogled ads.

The reason you don't see other companies take up the surveillance issue in same way, is that they don't stand to lose as much. Microsoft will still sell Windows and Office lice

Re:

[Xest]

"As any business, their primary objective is to line their own and their investor's coffers."

This is stupid, whilst it may be true in the majority of cases it's not true in all cases. As much as it may upset your cynical world view there are ethical companies out there and it largely depends on who is running those companies.

Born and bred sociopathic business types like Larry Ellison and Steve Ballmer may not give a damn about anything but profit, and hell, it may even be true of Schmidt but counter-balanci

Re:

[gl4ss]

The government certainly finds it useful to get search warrants and such to look at suspect's email, including gmail.
That's very much not Google's doing. Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

Just two weeks ago Google filed suit to have these information requests ruled unconstitutional:
https://www.documentcloud.org/documents/680852-googlemotion.html [documentcloud.org]

They are the only company I know of which publicizes how many supeonas and national security letters they get. That itself is thumbing their nose at the
FBI because those letters include a gag order saying Google isn't allowed to talk about them. (Which is why their name wasn't made public in Doe v Ashcroft,
they aren't allowed to reveal the things they revealed in that suit. (It's a pretty safe assumption that Doe was Goog.)

Google has founded an organization to protect their users from such government intrusion and regularly funds other organizations with the same goal.
No doubt, Google wants to HAVE information about you, but they do everything they can to avoid sharing that data with the government, with their
executives actually risking jail time for openly defying the laws requiring them to give up the info. You can't possibly ask them to do more than that.

they could just move their mail operation overseas with no US operatives.

they do it for taxes already, so why the fuck not...

Re:they could...move their mail operation overseas

[girlinatrainingbra]

Re: they could just move their mail operation overseas with no US operatives.

they do it for taxes already, so why the fuck not...

Hate to break it to you, but they don't really move their money overseas for tax purposes. They only claim to move the money overseas. It's just a sham tax avoidance scheme. See the New York Times article entitled For U.S. Companies, Money âOffshoreâ(TM) Means Manhattan [nytimes.com]:

Apple's $102 billion in offshore profits is actually managed by one of its wholly owned subsidiaries

Re:

[Anonymous Coward]

I've said it before and I'll say it again.

I'm beginning to suspect that Google is actually a front organisation for the Contact division of some race of well-meaning and meddlesome aliens, who are using it to discretely nudge our society onto the path towards peace, freedom and post-scarcity tech-utopia. Eventually, thanks to them, our descendants will be able to take their place among their peers in the stars.

But maybe I've been reading too much Iain M Banks.

Actually I take it back. It's impossible to rea

Re:

[Raenex]

Google does more than any other company, probably any company in history, to fight against that.
By law, they are required to honor National Security Letters asking them to give up information. Their policy is to refuse to provide the
information, even though the law (since 1978) says they have to hand over the information. Google claims the law is unconstitutional and
therefore void. In Doe versus Ashcroft, the judge agreed. (Courts have gone both ways.)

http://en.wikipedia.org/wiki/American_Civil_Liberties_Union_v._Ashcroft [wikipedia.org]

"American Civil Liberties Union v. Ashcroft (filed April 9, 2004 in the United States) is a lawsuit filed on behalf of a formerly unknown Internet Service Provider (ISP) owner by the American Civil Liberties Union against the U.S. federal government. In 2010, it was revealed that John Doe was in fact Nicholas Merrill of Calyx Internet Access."

So that was a small ISP owner doing the right thing, not Google. What do you think Google was d

Re:

[Anonymous Coward]

Yeah, man, court's having the authority to make orders for records after a statutorily defined, and constitutionally restricted due process is totally Orwellian.

(WTF?)

The FBI can simply issue a National Security Letter, which has no actual review or oversight. You don't have any due process. They are not contestable, and it's illegal to tell anybody including your attorney that you even received one.
Google is, in fact, one of the companies attempting to challenge these letters in court: http://www.wired.com/threatlevel/2013/04/google-fights-nsl/

You want Orwellian, you got something pretty damn close right there.

Re:Google, Big Brother's Helper ?

[FatdogHaiku]

Welcome to 1984, man !!

If I don't get my 1984 body back then I'm not buying in...

Helpful hint.

[khasim]

If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

Re:Helpful hint.

[Anonymous Coward]

Helpful hint.
If you are in the spy or terror business, and u use email to communicate, u should look for another line of work.

-HasHie @ trypnet.net

Re:Helpful hint.

[iggymanz]

nonsense, overt communication of misinformation is a time honored counterintelligence technique. Real messages can also be covertly conveyed in the same channel

Re:

[JustOK]

that's what they WANT you to think.

Re:Helpful hint.

[RMingin]

Steganography plus photos of the "kids".

Last word of every sentence plus a one time pad (NEVER EVER REUSE ONE TIME PADS. IT'S IN THE FUCKING NAME.).

Simple coded phrases that seem innocuous. The garbage can spilled again. You need to stop letting that dog off the leash! I miss you and can't wait to see you next weekend. I want to do dinner at that Szechuan place again, I think it's gotten better.

There are plenty of uses for an email account in intel/cointel. Sending plaintext messages over an uncontrolled service just isn't one of them.

When in the field on an operation without official cover, the agent should assume that all actions and responses are monitored by the local and national cointel groups at all times. Communications should be deniable and overt. Email and public message boards are ideal, as they are fully deniable. The days of taping a tiny cannister full of microfiche to the bottom of a park bench ended forty-plus years ago. It's not hard to run deniable covert operations, you just need to be somewhat intelligent, recruit people who are likewise not stupid or lazy, and NEVER EVER take things for granted or relax.

Re:Helpful hint.

[ebno-10db]

Steganography plus photos of the "kids".

Another approach is plain text that's so blatant the eavesdropper will assume no one would be stupid enough to send it seriously. For example: kill moose and squirrel.

Re:Helpful hint.

[SpaceLifeForm]

Unless the eavesdropper is Rocky or Bullwinkle.

Re:

[PPH]

Steganography plus photos of the "kids".

Yeah, but in regular e-mails to an address in the PRC intelligence division? Even if they are only about the wife and kids, that's suspicious.

Better to hide the messages in pics of underage teenage girls and post them to 4chan. At least you have a plausible audience in half the male population of China.

Re:

[umeboshi]

Jive Miguel
He's in from Bogota
Meet me at midnight
At Mr. Chow
Szechuan dumplings
After the deal has been done
I'm the one

Re:

[DNS-and-BIND]

You'd be shocked at how many people get really offended if you tell them to stop using Gmail. It's like telling someone who likes to bitch about how crap TV is to stop watching - it's just utterly out of the question. You'd think it would be easy to search for "free email provider", go to page 17 of results, and pick some random one. You would also be dead wrong.

Re:

[bmo]

No, they think you're an idiot because your tinfoil is so tight that you think that TLAs are interested in personal messages about their kids, or shopping lists for Trader Joe's.

But not only that, if you're worried about security, you don't trust third parties at all to keep stuff private. You encrypt locally and transmit over whatever you want (even shortwave. google "numbers stations"). If you are sending anything over the interbutt, or any other medium, and you are one white persian cat away from be

Re:

[Virtucon]

Uhm, like General Petraeus, former head of the CIA? [networkworld.com]

Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

Re:

[Intrepid imaginaut]

That trick was originally used by Islamic extremists I believe, so hardly that clever. Seriously though, Gmail? What? Use encrypted morse port knocking on some nothing zombie or something.

Re:Helpful hint.

[Nidi62]

Uhm, like General Petraeus, former head of the CIA? [networkworld.com]

Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

He was a political appointee, what do you expect? He was actually never in any capacity a spy. He was an infantry officer and a teacher more than he was anything else until 2004 and after when he was overall commander of Iraq then Afghanistan. The director of any agency in the US is an administrator above all else.

He is that stupid. And so are most people.

[girlinatrainingbra]

The director of any agency in the US is an administrator above all else. And he didn't really get any on the job training to be a spy. So he believed all the baloney about using "secret gmail tricks" and the "draft folder" with two people logging into the same account to pass messages back and forth. He certainly wasn't going to trust someone else with his sexual escapades and moral turpitude, was he? It's not like your executive administrative assistant, even at the C.I.A., is trustworthy enough to hel

Re:

[EvanED]

He is that stupid. And so are most people. Every compu-geek is saying, geee why didn't they use P-geeee-pee or Gee-Pee-Gee or one-time-pads, or steganography in images of zebras!!! And people here think that they're a lot smarter than they really are, or probably are

I believe The Onion had an interesting investigative report [theonion.com] on the topic of that observation applied to national security.

Re:

[kilfarsnar]

Uhm, like General Petraeus, former head of the CIA? [networkworld.com]

Seriously, if our head of the top spy agency in this country is that stupid, how stupid do you think the rest of the diplomatic or legislative folks are in DC?

He was a political appointee, what do you expect? He was actually never in any capacity a spy. He was an infantry officer and a teacher more than he was anything else until 2004 and after when he was overall commander of Iraq then Afghanistan. The director of any agency in the US is an administrator above all else.

Yes, exactly. That's why I roll my eyes whenever I hear, "Well if the head of the CIA can't keep his communications private..." Yeah, he's head of the CIA but it's not like he's trained in espionage. The spooks who do the real work generally don't have their communications compromised.

Re:

[girlintraining]

If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

Just them? You'll note it also said suspected spies and terrorists. With "broader definitions" of terrorism coming out every day, and the criteria for being included on a watchlist, paired with these hotlines opening up for anonymous "tips"... pretty much anyone these days can be a suspected spy or terrorist. And being a citizen of the US is very little barrier against invasions of your privacy; They've even talked about revoking citizenship for people simply to avoid any legal hassles.

It might be more accu

Re:

[amiga3D]

Don't use e-mail. Seriously, how secure is any e-mail server against government surveillance. Maybe using phone modems and sending a message directly computer to computer with full encryption might work. Then maybe not. I'm thinking that if I was involved in something highly illegal my paranoia would jump into overdrive. Given that I'm nobody and have nothing I think I might be safe using Gmail.

Re:

[AmiMoJo]

Email is a powerful tool so it is undesirable to give it up, especially when securing it isn't that hard. Even Gmail lets you past in encrypted text.

Re:Helpful hint.

[Jah-Wren Ryel]

If you're a spy or diplomat or whatever, don't use Gmail. At the very least it is subject to the US government's laws. Get yourself a secured server somewhere else.

You are assuming these people were using gmail for clandestine communications. I'm pretty sure even the most basic opsec training would have covered the "don't use email for secret messages" ruie.

What this looks like is a ruse - agents set up email accounts that are never used for spying purposes but are sufficient to attract exactly the kind of counter-espionage actions of getting the US to spy on the accounts. Then grab the list of accounts the US is spying on because that list is in the hands of google who don't have formal handling procedures for classified information and so are an easy target versus some system behind an air-gap firewall. Tada, now you know which spies have had their covers blown. It doesn't tell you which spies are still safe, but it does give positive confirmation of who has been exposed.

Re:

[PPH]

Then grab the list of accounts the US is spying on because that list is in the hands of google who don't have formal handling procedures for classified information and so are an easy target versus some system behind an air-gap firewall.

PROTIP: Involving untrained individuals or organizations in intelligence gathering operations is a bad idea. They tend to leak information to either the targets of investigations or third parties with interests in such surveillance.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[fuzzyfuzzyfungus]

But I hear that Gmail is trusted by the CIA at the highest levels! Who should I trust now???

Re:

[Yvanhoe]

And if you are the boss of a spy and that this is not part of uour guidelines, just resign. You are a threat to your own country.

G-Men. Gmail. Coincidence?

[gubon13]

*Cue the dramatic prairie dog*

Chinese Cyberwar

[Required Snark]

The Chinese government is waging ongoing cyber warfare against the US, and we are loosing the defensive battle.

One of the big problems is that non-governmental organizations that are not part of the defense industry have no legal responsibility to provide security. In fact, there are not even any meaningful federal level guidelines. This is, to a great extent, due to lobbying efforts on the part of entrenched business interests.

http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803 [latimes.com]

Re:

[Anonymous Coward]

They (Chinese) are doing it to themselves. It's quite sad. With all this new found global fortune and fame, they're managing to piss off the very same nations that would make them great allies. It's as though they feel entitled to take their rightful place in the world without their motives being questioned. In reality, they're just burning their social credibility. I know America had a similar attitude towards the british after the revolution, but that at least is rooted in history. But China? WTF did the

Re:

[DNS-and-BIND]

Hmm, that's odd, according to liberals the entire "Chinese are attacking us" meme is a total myth. It's not happening. It is a convenient boogeyman meant to drive government spending towards the military-industrial complex. So, which one is right?

Re:

[DNS-and-BIND]

Bill of Rights? Eroding the Bill of Rights is a good thing, the Constitution is outdated. It needs to die, the sooner the better.

Re:

[kilfarsnar]

Bill of Rights? Eroding the Bill of Rights is a good thing, the Constitution is outdated. It needs to die, the sooner the better.

Shouldn't it be amended? What wrong with the Bill of Rights except that it doesn't go far enough?

Re:

[account_deleted]

Comment removed based on user account deletion

More Helpful Hints

[Anonymous Coward]

If you're a corporation, don't use Google gmail or docs. Even if Google were somehow more secure than your own IT could be, uploading your company's spreadsheets to Google - whose primary business is selling advertising to your competitors - is a dumb idea.

Sensationalism in action

[c0lo]

TFStory title: "Aurora Attackers Were Looking For Google's Surveillance Database"
TFSummary: "Whether this was the primary goal ... is unknown

Minimal change needed to reconcile the two - "Aurora Attackers Were Maybe Looking At Google's Surveillance Database"

Stuff that matters: there may be something that can be called "Google's Surveillance Database".

Encrypted, no?

[WOOFYGOOFY]

One imagines that such information is securely encrypted within the database.. no?

Well, call me an elitist jerk, but...

[rocket rancher]

...I'm not real certain that information gleaned from an intelligence operative unprofessional enough to us a gmail account in the clear is really worth the effort.