A Google Lesson Learned: Backdoors Suck

So, word within various gutters of the interwebs is that Google’s big “ChinaGate” fiasco is the end result of a system Google put in place to help law enforcement gain quick access to everyone’s emails. Imagine That. (More after the break).

The story goes, that apparently things like, who an email is to, who it’s from, the datestamp and the subject line, are all considered as being written on the “outside of the envelope” as far as law enforcement is concerned…. IE: “We don’t need no steanking warrants!”…

Yes, they’re equating the Subject of your email to the same level of privacy as whatever you scrawled on the back of that postcard to Aunt Maybel last summer from Florida. And apparently, not only has some judge somewhere apparently agreed with this, but apparently it’s not uncommon for large email providers (ISPs, Google, Hotmail, whoeverelse) to have an automated system to allow “authorized law enforcement folk” access to this data on a routine basis…

I have no doubt in Google’s case it’s a rather fast, speedy web interface, and since, you know, these requests could come in from any law enforcement office, anywhere around the country (or world), they probably hand out logins to this system through some uber-secret secure process involving fist-bumping handshakes and knowing the secret code word… who knows.

The point is, word has it that this automated “sorta snoop, but not entirely” system is how the evil Chinese hackers gained access to peoples accounts… hence why Google is pointing out that “Subjects, but not emails” were compromised… I mean, wasn’t your first question “Wait, how come only subjects were accessed?”.. exactly, now you know.

Because Google has a system in place to give every LEO who calls and asks for it access to their “super database of email headers”, and low and behold, some schmuck let their login slip out, and now the evil hackers found their way in to do whatever nefarious snooping they wanted. Image that.

Having any one factor credential that can gain access to an entire dataset? Some people call it “Breached By Design”… I call it, a fuckup. This is worse then the story making rounds a coupledays ago that back in the day Facebook had a “master password” what would get FB staff access to any facebook account/profile they needed (funfact, the master password was a variation of “ChuckNorris”, imagine that, Chuck *does* have power)… At least the FB master password system only worked when the request originated from within Facebook’s own IP space. (Although, lets be honest, there are ways around that as well)… This system, by virtue of it’s needing to be accessed by whatever law enforcement official needed it, from whatever his geographical location at the time, made such a restriction impossible…

So in short, today’s geeky ProTip is this… Storing peoples data/email/photos/whatever “In The Cloud” is fucking insecure enough under the best of situations and implementations.. don’t poke giant holes in whatever security you DO have by using master passwords or backdoors “for special people only” for christsake…. sooner or later, someone who you *don’t* want to know about your supersekretclubhouse will find it, and abuse it, and then you’ll be the ones sitting there going “duuuurrr”.

Leave a Reply

Your email address will not be published. Required fields are marked *