Google warns users of state-sponsored hacking

More...

 

I'm not sure how I feel about that. It's good on the one hand, but bad on the other.

 

Basically just confirmation of what some of us have been warning about all along. I'll bet anything that this will only apply to non-ally foreign governments. Then again, with our own government, it's not hacking. It's a backdoor.

 

here is another LINK
-http://www.geekstogo.com/2512/state-sponsored-malware-the-new-normal/-

 

Game within game within games

 

Definitely. Part real, part propaganda, part weapon. Unbiased? Not a chance.

 

When some of this malware could be part of the PCs firmware, there is no sure defense. IMO, it also makes any security package that trust signatures or certificates worthless against such an adversary. AFAIC, the best you can do to protect the PC itself is to start with a unit that predates this activity and enforces a strict default-deny policy that ignores certificates, trusts, etc, and relies on file integrity. Then apply the same standard to internet access and all web/external origin content.

At one time, this was a paranoid concept. But now, almost anything can make you an enemy, suspect, criminal, etc of somebody. I don't see this getting any better anywhere. Download a video and get labelled a pirate and a terrorism supporter. Say an official is corrupt and you're an enemy of the state. Expose government crime and you better have an unlisted rock to hide under. The number of places this is becoming normal is growing.

 

Yeah, I very much remember the blow-offs and "know nothing" insults many of us got when we told people this stuff wasn't just for sci-fi books and conspiracy theorists. And that was even in the last two years and several times at forums such as and including this one. We don't look so crazy and paranoid now, do we?

No, this won't get better until people actually start to care, and more than just the privacy types. And really this isn't just about government. Think about it, with social media, the increased value of personal data and so on, people overall are walking auctions. Unfortunately, we're becoming less and less able to control who we're sold to and for what price. All the things we can do now are amazing, many things we can do just sitting at our desk. But, it all comes with a price tag, and, perhaps the cost is getting too high in terms of our personal lives.

I see so many say "big deal, they get a little data from me, I get great services". When I turn it around and ask them how they'd react if a physical person came to their door and tried to get the amount of data many websites now can get and the amount we often willingly hand over..they don't shrug their shoulders so much. Everything needs a limit, even technology.

As for Google and this situation, they're playing a dangerous and, probably a financially risky game. Users also should question Google stepping in for them, as obviously Google knows more than they tell their users.

 

When a company openly admits that they work with a government and willingly hand over to them any data they want, there is no way in hell I'll believe that they'd warn me about that same government hacking into an account. Once that gets factored in, it's clear that they'll only "warn" the user when the "hacking" comes from a non-aligned state. That makes this nothing more than a propaganda tool and FUD. It's all immaterial to me anyway. My PC cannot connect to Google or any of its services.

 

Prior to your edit, you asked what were, in my opinion, a couple of good questions... how is Google doing it, and why do they feel they're in a position to do so?

 

Yeah, I edited it because I wanted to come back to it after I've done some looking into it. It warrants close investigating imho, as Google (even though it's become increasingly clear they are) shouldn't be involved with any government activity. I'll come right out and say I think the tendency of some governments to invade and spy on the lives of their citizens is outright pathetic. But that isn't the business of Google, and it isn't their place to interfere with it.

Edit: It's hard to find anything publicly that doesn't end up in anti-U.S rants or go off on a political war. http://threatpost.com/en_us/blogs/google-warning-users-about-state-sponsored-attacks-060512 is about as good as it gets right now. Their explanation makes good sense, but it's leaving out what I can only assume for the moment is government assistance in the matter. Honestly, this really does seem less like Google watching out for others, and more being used as a political tool. I'm not at Google, so I can't say anything 100% (but for even those at Google, it would be a "need to know" basis situation). It just smells funny to me.

 

Pretty sure it's the Chinese government, which Google hates.

This is not the first time they've done this. If they see your account being accessed by IPs or redirects or whatever it's a red flag that you're being attacked. No gov't involvement necessary.

 

It's practically impossible to discuss a subject like this without it having a political component. On the other hand, it's definitely a legitimate security and privacy issue for users.

Lets take that a bit farther. No, it's not their place to interfere with it. By the same token, it's not their place to contribute to it either. Google's concern for users is limited to the amount they profit from them. The rest is lip service.

 

They're not saying what is red flagging the accounts though, nor does the report say anything about whether it is just China, or possibly other accounts in other countries. I'm just throwing it out there that there may be more to this than just Google being a friendly neighborhood watcher, but there also may not be. I still don't believe Google needs to be involving itself in such matters. They may hate the Chinese government, but if they want to provide services to Chinese users, they have to grin and bear it, much like any other country.

This just isn't a good position for Google to place itself in, imho. Also, the question gets repeatedly asked, if this were a U.S issue, do you think those same warnings would go out to U.S users, or even foreign users? If not, how much worse does Google look in this? I'm not wanting this to be a political debate, I'm simply pointing out that Google might be putting itself into a corner.

Edit: @Noone: I know, it really is next to impossible not to discuss the political side of it. But let's try for the sake of the thread, as this is a pretty important bit of news and can affect a lot of people.

 

In the past they've said what's red flagged it (though obviously different attack = different flag.) It shouldn't be hard to understand that interacting with a website will give it information. Especially if it's an email account or whatever.

I don't really understand what the negative part of this is. We don't want Google telling users they're being attacked because... it's not their business? It seems a bit silly.

If this were a US issue Google would probably be tied by US laws, which I assume would come into play, right? Just as every other company. They aren't tied by Chinese laws (and in fact have a very hostile relationship with the government) so it's not surprising at all that they're telling people.

I just don't understand the negative aspect.

This is, by the way, the same light that is often shown on Kaspersky for being Russian. There are doubts surrounding the company that they might purposefully not detect x y or z for various reasons.

It's all just silly. The simple fact is that someone is being hacked/ is infected and a website let them know about it. Anything about hypothetical US attacks is fine to discuss but to attach a stigma to a company based on theory is a bit... nonsensical.

 

Yes, leave the political side of it out of the discussion and what do you have? A company that is performing a service to its users. I see it as a plus for the company and a plus for the users.

 

Well, you're entitled to call it as you see it of course There are attacks, and there are attempts for governments to spy on and restrict citizens (which, while vile, is exactly what China does, and, by their own laws, legal for them to do). All I'm saying Hungry, is that by Google involving themselves in government matters (and this report seems to point out China looking at its own users, and not, say, Iran attacking users in another nation...very big difference here), is just asking for trouble.

No, it is not their place to do so. Warning of "standard" attacks and hacking, yes, warning of, say a Chinese/Iranian/Russian attack hack on a user in another country, yes. Interfering in "legal" government spying of its own citizens, not so much. Using the U.S example again, if they did this within the U.S, they'd more than likely be hauled before the DOJ so quick their heads would spin. I'm not advocating government attacks/spying, Hungry, I'm saying Google has its place, and government affairs isn't that place.

 

The problem is, they're forcing it to be a political issue.

 

I totally agree. I also believe it would be beyond naive to accept Googles statement at face value.

 

Same here, I don't buy the "Google is protecting me" argument, not in this case. Of course that being the case, I have little left I can say without the thread getting killed. I just don't see this as a good place for Google to be.

 

Why? I mean why is it ok for google to tell you about the DNS hijacking trojan but not ok for them to tell you about the same thing but created by government?

Not saying it's wrong is a lot like saying it's alright. That's my opinion.

 

On a non-political note, this does make one thing clear. Privacy and security are not separate issues. They're completely intertwined. Any attempt to formulate a comprehensive security policy has to address the privacy aspects. That greatly increases what needs to be treated as your attack surface. When the breaching of an online mail account (like Google) can result in direct legal and physical threats to your personal security, you can't ignore or rationalize away the subject.

 

Because the DNS changer is not made by the government and government spying, if allowed by their own laws is legal, and the DNS changer is not? Google isn't the police, they aren't the government, they don't make laws. Google is a for-profit corporation, nothing more. What some Anon kid does is their business, what a government does is not. There's no more simpler of a way to put it, and I guess we'll just be disagreeing.

@Noone: You're right, privacy and security can't be separated, especially online, as without one, you don't have the other.

 

But if the UN or some government entity outed China for spying on its citizens it would be fine? The way I see it China, if they are the ones spying on their citizens (and this isn't really clear) is at fault here and I don't really care who calls them out on it. It's everyone's responsibility to fight against ******** like government censorship, whether it's a company, person, or government.

But I think it's fair to leave it at 'we'll just disagree'

 

What statement are you referring to?