Gmail security warnings for suspected state-sponsored attacks (googleonlinesecurity.blogspot.com)
226 points by alecbenzer on June 5, 2012 | 111 comments



Too bad they are legally prohibited from doing this when the state-sponsored attack is a PATRIOT NSL from the US government.

http://en.wikipedia.org/wiki/National_security_letter

China reading your mail: Big red flag.

USA reading your mail: Business as usual.


> USA reading your mail: Business as usual.

According to the first paragraph of the article you linked:

"NSLs can only request non-content information, such as transactional records, phone numbers dialed or email addresses mailed to and from."

According to the sample NSL from the article you linked:

"We are not directing that you provide, and you should not provide, information pursuant to this letter that would disclose the content of any electronic communication. [...] Subject lines of emails and message content are content information and should not be provided pursuant to this letter."

So NSL is not the USA "reading your email."

I'm not defending the NSL, but I am opposed to misinformation, as well as the frequent attempts to paint the USA as being just as bad as China.


> NSLs can only request non-content information

NSLs can't legally request ANYTHING. They are UNCONSTITUTIONAL. The government has NO AUTHORITY to issue them. The fact that they are presently limiting themselves to illegal request x instead of illegal request y is not relevant.

Let's skip the abuses of the FBI et al and talk about the government as a whole for a minute.

Are you aware that the NSA monitors _all_ traffic at major exchanges in the US?

http://en.wikipedia.org/wiki/NSA_warrantless_surveillance_co...

The USA reads your mail and messages at several different steps along the way.

See also: recent changes in Skype to allow for wiretapping at the request of the US government.


'haberman's comment includes actual information. Can we not punish people for posting information? I doubt very much that 'haberman approves of NSLs, especially since he said as much.

Moreover, your comment may actually be incorrect; a good chunk of all the mail Gmail handles is never on the wire in a format that can be decrypted with any known attack without access to Google's (often pinned) secret keys. The NSA's ability to snarf it off the wire, stipulated, does not connote their ability to read it.


This "good chunk" is what? gmail to gmail?

As far as I'm aware the majority of internet users are still using unencrypted plain text email.


When I receive email from people on non-Google hosted domains, I sometimes check the headers and see that mail was delivered to my Gmail with ESMTPS, using TLS. So a lot of non-Google hosted mail on the internet will use ESMTPS for delivery between servers, silently.

You can check this too by looking at the SMTP headers on some mail in your inbox.
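The header check described in the comment above, as an added example that is not part of the original post: it parses the Received: chain of a constructed sample message and reports which server-to-server hops were delivered with ESMTPS/ESMTPSA (TLS) and which in cleartext. Every hostname and address in the sample is made up; the header layout follows the common Postfix/Sendmail shape.

```python
"""Report, hop by hop, whether the Received: chain of an email was delivered
over TLS (ESMTPS/ESMTPSA) or in cleartext (SMTP/ESMTP).

Added example for this thread, not code from the original post.  The sample
message and every hostname/address in it are constructed; the header layout
follows the usual Postfix/Sendmail shape ("with ESMTPS", "(version=... cipher=...)").
"""
import email
import re
from dataclasses import dataclass
from email import policy
from typing import List, Optional, Tuple

# Constructed sample: three hops.  The middle (relay -> outbound MX) hop is cleartext.
SAMPLE_MESSAGE = """\
Received: from mail-out.example.net (mail-out.example.net [203.0.113.5])
        by mx.gmail.example (Postfix) with ESMTPS id ABC123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 05 Jun 2012 10:00:02 -0700 (PDT)
Received: from relay.internal.example.net (relay.internal.example.net [10.0.0.7])
        by mail-out.example.net (Postfix) with ESMTP id DEF456;
        Tue, 05 Jun 2012 10:00:01 -0700 (PDT)
Received: from workstation.example.net ([10.0.0.42])
        by relay.internal.example.net with ESMTPSA id GHI789
        (version=TLS1 cipher=AES128-SHA bits=128/128);
        Tue, 05 Jun 2012 10:00:00 -0700 (PDT)
From: alice@example.net
To: bob@gmail.example
Subject: constructed sample

hello
"""

# "with" tokens whose extension letters include S (STARTTLS) right after SMTP:
# SMTPS, ESMTPS, ESMTPSA, UTF8SMTPS ...; plain SMTP/ESMTP/ESMTPA do not match.
TLS_PROTOCOLS = re.compile(r"(?:UTF8)?E?SMTPSA?")
# Protocol versions that are considered legacy by today's standards.
LEGACY_TLS = {"SSLv2", "SSLv3", "TLS1", "TLSv1", "TLS1_0", "TLSv1.0"}


@dataclass
class Hop:
    from_host: str
    by_host: str
    protocol: str           # token after "with", e.g. ESMTPS
    tls: bool               # True when the protocol token indicates STARTTLS
    tls_version: Optional[str] = None
    cipher: Optional[str] = None


def parse_received(raw_message: str) -> List[Hop]:
    """Return hops in chronological order (first delivery first).

    Each relay prepends its own Received: line, so header order is newest-first;
    the list is reversed to read the path the way the mail travelled.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops: List[Hop] = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())          # unfold and squeeze whitespace
        m_from = re.match(r"from\s+(\S+)", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        m_with = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        if not (m_from and m_by):
            continue                                    # not a relay header we can read
        protocol = m_with.group(1) if m_with else "UNKNOWN"
        m_tls = re.search(r"version=(\S+)\s+cipher=(\S+)", text)
        hops.append(Hop(
            from_host=m_from.group(1),
            by_host=m_by.group(1),
            protocol=protocol,
            tls=bool(TLS_PROTOCOLS.fullmatch(protocol)),
            tls_version=m_tls.group(1) if m_tls else None,
            cipher=m_tls.group(2) if m_tls else None,
        ))
    hops.reverse()
    return hops


def cleartext_hops(hops: List[Hop]) -> List[Tuple[str, str]]:
    """(from, by) pairs that were delivered without STARTTLS."""
    return [(h.from_host, h.by_host) for h in hops if not h.tls]


def legacy_tls_hops(hops: List[Hop]) -> List[Tuple[str, str]]:
    """(from, by) pairs that did use TLS but negotiated a legacy protocol version."""
    return [(h.from_host, h.by_host) for h in hops
            if h.tls and h.tls_version in LEGACY_TLS]


def report(raw_message: str) -> str:
    """One line per hop, oldest first, naming the transport that carried it."""
    lines = []
    for i, h in enumerate(parse_received(raw_message), 1):
        state = f"TLS {h.tls_version} {h.cipher}" if h.tls else "CLEARTEXT"
        lines.append(f"hop {i}: {h.from_host} -> {h.by_host} via {h.protocol}: {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MESSAGE))
```

Only the Received: line written by your own provider's server can be trusted; every earlier line is whatever the previous relay chose to write, so a forged upstream header can claim TLS that never happened.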


The PKI is broken, and I bet a lot of client SMTP plays fast and loose with certificate checking anyway, even if it wasn't. DNSSEC can't come fast enough.

It helps against passive adversaries, but if someone's got access to the sending mailserver's network there are active MITM attacks that will probably defeat this.

Option 1: Try doing MITM and sending a self-signed cert for Google. The client smtpd may accept it anyway. (Cost: free)

Option 2: Spend resources to obtain a legitimate intermediate CA cert, and issue a valid cert for Google's mailserver, and MITM with that. (Cost: ca $25k-$100k, maybe less with proper connections.)

The only thing worse than self-censorship after assuming an insecure channel is a false sense of security.


DNSSEC is a PKI run by governments. If DNSSEC had been deployed and used to run the TLS PKI a couple years ago, Ghadafi would have effectively controlled Bit.ly's SSL keys.

DNSSEC is a debacle. Reprising an older comment:

* Amazingly, contrary to everything you'd expect about "secure DNS", DNSSEC does not in fact secure DNS queries from your machine. Instead, it delegates securing DNS to DNSSEC-enabled resolver servers. For securing the actual queries your computer makes, your browser is on its own. There's a whole different protocol, TSIG, intended to address that problem.

* DNSSEC has zero successful real-world deployments, and no existing integration with any TLS stack. DNSSEC obviously does nothing to secure your actual traffic; all it does is try to protect the name lookup. TLS protects both.

* DNSSEC does nothing to address all the other intercepts, from ARP to BGP4, that real traffic has to contend with. Once you go from name to IP address (or "cert" in the fairytale world where DNSSEC has replaced the CAs), you're on your own. TLS addresses all of these issues except for CA configuration.

* DNSSEC actually reduces the security of DNS in some ways: in order to authenticate "no such host", DNSSEC publishes a sort-of-encrypted list of all your hosts. There's a whole other standards group drama surrounding the proposals to resolve this problem (NSEC3, whitelies, etc).

* DNSSEC fails badly compared to TLS. When keys inevitably get screwed up in TLS, you get a browser click-through. There is no API support to recover from a "gethostbyname()" failure caused by DNSSEC. This sounds like a reliability problem, but it's actually a security problem, in the same sense as "the little blue key icon isn't big enough" is a security problem for SSL. We just don't know what the exploit is, because nobody has designed the "solution" for this problem.

* TLS has 15+ years of formal review (it is the most reviewed cryptosystem ever published). We still find things in it. DNSSEC has received nothing resembling the same scrutiny. It's ludicrous to believe we won't find horrible problems with it. You'd be asserting that a protocol co-designed by Paul Kocher will eventually fare worse than one designed by the IETF DNS working group. The IETF DNS working group would basically have to crush some of the smartest practical crypto people in the world.

* TLS is at least configurable (virtually all TLS problems are in fact user interface and configuration problems, not problems with the underlying system). You can nuke untrustworthy CAs. There is no clean way to opt in or out of different DNSSEC policies, as the drama surrounding DLV illustrates.

In the '90s, we designed web security to assume that DNS was insecure. That was a smart decision. "Security" means different things to different people. It's a policy decision. The end-to-end argument strongly suggests that it's something that can't be baked into the lower parts of the stack. DNSSEC is a step backwards. I think you can already see the indications of the problems it will cause just by looking at the places it already falls down. What we need is a concerted effort to solve the security UI and policy problems that browsers have.

If you're looking for protocol-level remediation for TLS's current CA policy problem, you want to pay attention to TACK:

http://tools.ietf.org/html/draft-perrin-tls-tack-00

This is Trevor Perrin and Moxie Marlinspike.


By making them sound less dangerous he is making it more difficult to oppose them.


So lying is OK if it furthers a cause you believe in?

The facts should be treated as such for all sides of a debate, even if you disagree with the outcome of the debate.


From a wired article: http://www.wired.com/threatlevel/2012/03/ff_nsadatacenter/al...

"Before yottabytes of data from the deep web and elsewhere can begin piling up inside the servers of the NSA’s new center, they must be collected. To better accomplish that, the agency has undergone the largest building boom in its history, including installing secret electronic monitoring rooms in major US telecom facilities. Controlled by the NSA, these highly secured spaces are where the agency taps into the US communications networks, a practice that came to light during the Bush years but was never acknowledged by the agency. The broad outlines of the so-called warrantless-wiretapping program have long been exposed—how the NSA secretly and illegally bypassed the Foreign Intelligence Surveillance Court, which was supposed to oversee and authorize highly targeted domestic eavesdropping; how the program allowed wholesale monitoring of millions of American phone calls and email. In the wake of the program’s exposure, Congress passed the FISA Amendments Act of 2008, which largely made the practices legal. Telecoms that had agreed to participate in the illegal activity were granted immunity from prosecution and lawsuits. What wasn’t revealed until now, however, was the enormity of this ongoing domestic spying program."

It's a recent article outlining what's ahead (and presently implemented) for the NSA. Given what is already known, the U.S. Govt already has access to your e-mail, and they have the capabilities to decrypt it should your e-mail become high priority.

I'm sorry, but the sky is falling.


NSA ability to sniff traffic at major telecom exchanges is real. NSA ability to break $cipher or $hash based on the hearsay journalism involving an interview of (ex-)NSA employees (who would certainly be barred from talking about any real non-public attacks) is not real [1]. It's possible the NSA is setting up real systems that will brute force or factor or find collisions for known borderline algorithms/keysizes. Maybe they have a collection of old DES-encrypted traffic and they are building enough computing resources to do large-scale cracking of DES keys.

The idea that they can create collisions for hashes or crack ciphers believed to be relatively secure in the near to mid future is paranoid speculation.

However, if you're going to be paranoid, direct your attention to RSA and DH (plain, not ECDH). In Suite B, which the NSA recommends for use by government, RSA and DH are absent. If the NSA knows of a weakness in anything currently believed to be secure (I think that's unlikely), I would bet that it's RSA and DH, because the NSA no longer recommends them. I think RSA and DH are superseded by ECDSA/ECDH simply because of speed at comparable key strengths, not because the NSA knows something the public doesn't. As an aside, it indicates that the NSA has a fair amount of confidence in ECDSA/ECDH.

I do not think the NSA is stupid enough to play chicken with the public crypto community by recommending encrypting classified information with ciphers NSA knows to be weak. The public could discover those weaknesses tomorrow. The most sensitive information inside the U.S. government and military is presumably protected by the NSA's Suite A algorithms, but other important information is not, notably military communications between U.S. allies, for which Suite B is recommended.

[1] https://www.schneier.com/blog/archives/2012/03/can_the_nsa_b...


I heard a story somewhere that public key cryptography was known to the NSA long before the 70s. Maybe they are 30 years ahead in cryptographic number theory? Maybe prime factorization isn't actually hard? Maybe...


What was essentially RSA was known to Britain's GCHQ (Government Communications Headquarters) in 1973. Is this what you were thinking of? Rivest, Shamir and Adleman rediscovered it in 1977.


Well, if Wired says so, I guess I'll stop encrypting my email.


Nor will I.

But it's worth acknowledging such programs exist and don't appear to be going away.

Beyond the AT&T incident (and following legal ruling dismissing, retroactively, carriers from wrongdoing in wiretapping)... there's also the 'TrailBlazer Project'[1] with public accounts from William Binney (NSA, 'Director of World Geopolitical and Military Analysis Reporting Group') and Thomas Drake [2] (NSA) regarding the overreach of such projects... that it's kinda hard to exclude data and so forth.

Jacob Applebaum (Tor, etc) recently dragged William Binney around NYC to gather publicity [3] - but few outlets paid much attention.

[1] - http://en.wikipedia.org/wiki/Trailblazer_Project

[2] - http://en.wikipedia.org/wiki/Thomas_Andrews_Drake

[3] - http://www.youtube.com/watch?v=zq3fgwV7doY


Try reading critically. To process 1 yottabyte of data assuming you have 128 bit registers you would need 100,000,000 petaflops. (See http://www.wolframalpha.com/input/?i=%2810%5E24+bytes+%2F+12...) Therefore, there must be a great deal of preprocessing using classifiers to basically eliminate a great deal of useless information. Just because you store it doesn't mean you will listen to it.


The purpose of the NSA strategy is not to decrypt all collected data. It's to store all data collected and decrypt priority data.


Where can I read about these recent changes to Skype?

I use Skype mostly for IM, but also the occasional voice/video call, what's a better, more secure alternative?


What are you defining legality as? Just because something is legal doesn't mean it's constitutional (and vice versa).


I'm a privacy researcher, specifically focusing on government access to data held by Internet companies.

Google, your employer, will not confirm, on the record, what they will or will not disclose when they get an NSL. The NSL statute does not authorize the disclosure of transactional records.

18 USC 2709(b)(1) states that the government can only get "the name, address, length of service, and local and long distance toll billing records"

Furthermore, a 2008 opinion from the Office of Legal Counsel at DOJ specifically confirmed that the FBI cannot use NSLs to get email to/from data, even though the government has asked for it in the past. See: http://www.justice.gov/olc/2008/fbi-ecpa-opinion.pdf

NSLs are gagged, and so Google cannot confirm when it gets NSLs, or for which customers the government is seeking data. However, Google could very easily provide information to the public confirming what it will and will not deliver to the FBI when it receives an NSL. I have asked Google's legal and DC policy team for this info, repeatedly, and hit a brick wall.


I'm not a privacy researcher, but my guess is this is probably less "they won't answer because all your worst fears are true" and more "they won't answer because they don't want to narrow their future options and political maneuvers".


I understand as a hacker that you want to provide the truth, but the way to stop these letters isn't to downplay their danger, but to make people scared to death of them.


If someone appeals to me to care about X but lies about the facts of X, their credibility is damaged in my eyes and I am inclined to think that they are overplaying the danger.

For example, "sneak" replied to my comment with lots of CAPITAL LETTERS and links to other information. But I'm already less inclined to trust sneak, since he/she is already known to play fast and loose with the facts.


I don't mean to appear to be playing fast and loose with the facts. Certainly, the NSA tapping exchanges is a different issue than whatever restrictions the government has placed on itself when issuing NSLs for message metadata.

The fact is, message metadata is enough. I have friends and acquaintances that have been harassed and detained by officials based on their names appearing in contact lists of other suspected-but-not-charged-with-anything individuals. We're not even talking about evidence of actual communications such as message headers or metadata.

The fact that they can (and do) pull thousands of people's message headers and have access to the communications graph and traffic frequency without ANY JUDICIAL OVERSIGHT WHATSOEVER means that their ability to conduct state-sponsored extrajudicial harassment is way out of control.

It truly doesn't matter if NSLs allow them to get the body of the messages or not. If you're on the radar, you and everyone you communicate with regularly is a target. There are no legal remedies for this sort of stuff anymore.

If you do anything of import non-anonymously, you can expect to have your hardware stolen and never returned (under the guise of a search), your travel impeded, your accounts inaccessible (google "civil asset forfeiture"), your social network harassed and detained similarly, and your access to legal remedies hindered in every conceivable way.

A half-dozen examples known to me personally come to mind immediately. I'm sure there are more that I don't know about.

The threat is very real, and trying to split hairs about whether or not "reading your email" means message bodies or just headers is not productive.


I disagree that "It truly doesn't matter if NSLs allow them to get the body of the messages or not". It truly matters a whole hell of a lot to me if someone can see my messages, as versus my email headers.


I don't wish to open a whole separate thread, but...

The strategy you advocate is what many environmentalists, notably Al Gore, have been employing.

It turns out that most people aren't as dumb as you think. They pick up on the fact that they're being misled. And that tends to turn them against your mission.

Thus, many people are now desensitized to warning of climate change. They've seen the scientists lying and conspiring to gag dissenting views, and cherry-picking studies to highlight the worst possible outcomes. And if those scientists (rogues that they might be) need to gag the dissenters, they must not have very strong arguments.

Please note: I don't mean to take a side here in the climate debate, only to illustrate how one strategy used in that debate is having an effect opposite to what was intended.


Before I looked at your comment history I honestly thought you were trying to do this: http://xkcd.com/966/


I'm sorry if the truth is inconvenient, but that's no excuse for suppressing it and spreading lies in its place. If they really are so bad, you shouldn't need to subvert the truth in order to prove it — because their badness is the truth. If they aren't that bad, I don't see why it's so important to make people scared to death of them that I'd sacrifice my good name to do so.


You assume that people agree with me. Most people are far more interested in security than freedom. Which is a valid choice so long as that choice is made for them alone, and they don't make it for me.

I don't have the speaking skills to convince the world of this, but coming of age after 9/11, I have seen first-hand the awesome power of fear.


You speak like a tinpot Mussolini.

[edit] So, and correct me if I'm wrong here, you are saying that after seeing the damage that fear has done to your culture (which I would say is far, far greater than the damage done to New York on 911), you then think that you should stir more fear and use it to achieve your political desires. In a just cause, of course. Everyone has a just cause. And your justification is that you don't think you are eloquent enough to convince people by other means? That is a fucking repulsive attitude.


The damage that happened was due to misuse of fear. You wouldn't blame a surgeon for cutting up people to heal them, would you?


You say you want to use fear to influence the society of which you are a part, because you think that its general attitude towards security impinges too much upon your own personal freedom and you also don't trust anyone else to be able to deal with honesty. And so you are actually attacking others who are trying to be honest, for not just ramping up the fear in the direction that you perceive would most satisfy your own self interest.

Remind me where the surgeon metaphor fits into all of this horseshit.


That attitude is disastrous. You're misleading "people", considering them too stupid for the truth and manipulating them for your own ends.

i.e. exactly what you're (ostensibly) trying to oppose.

Replacing one form of control with another is not progress :)


Spreading more FUD on the internet is not likely to help a cause in the long run, it won't even make it stand out from the background noise. And you aren't really scaring the shit out of people by telling them that the government can read their emails, which they already think anyway, when they also know that the same government has nukes and has been happy to play brinkmanship with them against other countries with nukes, for well over a generation.


http://www.wired.com/threatlevel/2007/06/librarians-desc/

Does reading your library records count... How do you know the same hasn't been done with your email? You don't. Because it's secret. Is this an open society? A free society?


The difference between rights in America and China is vast. Criticizing legitimate American counter-terrorism and counter espionage and suggesting that it's equivalent to China's suppression of thought of its citizens (and people in occupied zones like Tibet) is disingenuous. Dissent in China will get you a prison sentence or worse. Dissent in America will get your karma modded down. (Q.E.D) Want more relevant wikipedia links? click here: http://en.wikipedia.org/wiki/September_11_attacks AND here http://en.wikipedia.org/wiki/Internet_censorship_in_the_Peop...


Actually in the USA we have 5x the prison rate of China.

Of course the official rates ignore people in "administrative detention" which is what China does to a lot of its political dissenters. But even if you add those back in, the USA has 4x the detention rate of China. (We are also ahead of every other country in the world.)

It would seem that if you're afraid of landing in prison, the USA is a much worse country to be in than China. Not slightly, much. (And a brief glance at the jail statistics will convince you that our justice system is not color-blind. For instance I've seen no data indicating that drug use rates are significantly different among whites and blacks. But incarceration rates for drugs are very, very different...)


> Dissent in China will get you a prison sentence or worse. Dissent in America will get your karma modded down.

I think Julian Assange, Bradley Manning, and Dmitry Sklyarov may disagree with you.


There are certainly examples of persecuted dissidents in both countries. What I'm missing in China is any examples of dissidents who've achieved any success, comparable to American examples of dissidents in prominent, even state-sponsored roles. And, in particular, any ability of ordinary people to read and discuss what dissidents write. You and I can discuss Bradley Manning here. And I'll agree he is not being treated in a justifiable manner. Can Chinese citizens openly discuss dissidents, and criticize their governments' treatment of them?

For example, after Angela Davis (Black Panther activist) was acquitted, she became a tenured professor at the University of California, where she has, for several decades, continued to unapologetically oppose the United States government. And she's hardly the only one; there are many dissidents who are professors at American universities, some of which are even state-run universities. Noam Chomsky, of course, has not been removed from his professorship at MIT, despite his political views.

Are there any prominent Chinese dissidents who are now tenured professors at Chinese universities, without recanting? If we compare to Davis's role as a minority-group activist--- can you imagine a Tibetan or Xinjiang activist, who opposes the Chinese government's rule over those regions, becoming a tenured professor in China? Being able to teach courses openly about those disputes? Being able to publish critical books through the university press, which any ordinary person can order online with a few clicks? All of that happens in the United States, but doesn't happen in China.

I'm not hugely into political theory, but I read some of it, mostly tending towards the leftist side. And I am able to buy any of this in the United States, completely openly, even stuff much more radical than what I typically buy. Not even in backrooms or dark alleys, but from Amazon, delivered to my home address with my real name on the label! I can buy manifestos openly urging the overthrow of the United States government (under Brandenburg v. Ohio, these can't be prosecuted as treason). Can Chinese citizens openly buy manifestos urging the overthrow of the Chinese government?


Not directly relevant, but one should also recognize that there are examples of modern-day American academics who do suffer censure for being outspoken dissidents -- Norman Finkelstein being an example (http://www.americanradicalthefilm.com/).


There's a difference between "dissent" and "passing classified information to unauthorized sources". You can get away with criticizing the government here; you can't get away with espionage.

Playing fast and loose with facts continues to hurt your case.


I'm not playing fast and loose with facts. I'm talking about free speech.

If you think that "dissent in the USA == downvotes", then you've never pissed off anyone powerful before.


Sklyarov - charges dropped. Manning - U.S. soldier deliberately mishandled diplomatic cables. Assange - I'm aware of no official charges or actions by the U.S.


I have a friend whose life was completely ruined by a federal criminal case before charges were ever even filed.

I'm not sure you understand the implications of "charges dropped". Sometimes that can consume 5+ years of one's life, sometimes part or all of that imprisoned. It always costs a fortune, too.

If you aren't aware of what the US is planning for Assange, you're not paying attention. This is the same government that thinks that people at the New York Times should be indicted for espionage.

http://articles.businessinsider.com/2011-01-05/entertainment...


This is the same government that thinks that people at the New York Times should be indicted for espionage.

... at the same time as they feed the New York Times the leaks and favored access it needs to adequately serve its propaganda function, http://www.nytimes.com/2012/06/01/world/middleeast/obama-ord... being one recent example.

Chomsky likens the NYT to a court stenographer, which I think is such a delicious phrase. Fun documentary version of one of his most famous books: http://www.hulu.com/watch/118171/manufacturing-consent


Would you hire someone who was facing charges of abusing children to look after your children? I probably wouldn't. The charges sometimes stick, no matter what happens after they are filed. As for Assange, I assume you're aware of the way some US politicians have behaved. http://abcnews.go.com/blogs/politics/2010/11/does-palin-want...


http://www.youtube.com/watch_popup?v=7n2m-X7OIuY#t=2m00s

Try and keep your head out of the main stream media's asshole.


> Criticizing legitimate American counter-terrorism and counter espionage and suggesting that it's equivalent to China's suppression of thought of its citizens (and people in occupied zones like Tibet) are disingenuous.

However, what is not disingenuous is characterizing American behavior vis-a-vis the propaganda it espouses. That is a good test for any institution or country. Don't even need China here. Compare what happens in US and what US does internationally vs. what US govt and many of its citizens believe or tell others about America. "We are a beacon of democracy", that's a common idea. So now let's see how is the power distributed in US? Does the average citizen have the power to make decision and is that comparable to what the propaganda fantasy is promoting. How about another one "US Constitution protects us from unreasonable searches and severely restricts the power of the government from invading our privacy". A lot of people believe that (doesn't matter if they are Americans or not). Is that true compared to the number of people believing in that? I say it is not. A lot of people are living a lie, believing in a fantasy about the government that is not based in reality. I say that is unhealthy.

Something similar is happening in China or other repressive governments. People are led to believe in things that are divorced from reality. "We are a paradise". "American Imperialists are out to destroy US" and so on.

There is actually one difference. In some countries (and I can speak for the former Soviet Union during its last days) people knew propaganda was a lie and they laughed at it in private. We knew the image we were supposed to have about our country was false. Many Americans are not aware of it. The brainwashing is so effective, they actually believe we are exporting democracy in the Middle East. They believe we have the best health care system. Heck, many believe evolution is a big lie. There is a great amount of self delusion and self censorship. That is unhealthy.

So going back to the comparison. You are right, comparing US to China in absolute terms in certain areas, is like night and day. Say, when it comes to freedom of speech. You can grab a megaphone and go yell out crazy conspiracy stuff right by Obama's front gate. But if you look at the level of delusion, the situation, I think is not as great.


This.

The philosopher Zizek has a great bit about the "unknown knowns" (the quadrant Rumsfeld wasn't smart enough to articulate). Meaning, of course, the unperceived fabric of Western ideology -- that works far better than explicit propaganda ever could.

Here is exactly when he starts talking about it in his Authors@Google talk: http://youtu.be/_x0eyNkNpL0?t=3m18s


Thank you. Very good talk by Zizek.


The warning should be...

Gmail has state mandated backdoors. No combination of increased password complexity or multi-factor authentication will prevent these backdoors from being used (or abused) to access your account. Have a nice day.


In other news: I offer 50 bitcoins to anyone who can get me at least 5 or 10 good screenshots of the features and UI of the (presumably web) interface that Google provides to the feds for NSL/PATRIOT (un)"lawful intercept". 10 bitcoins for each of any other Alexa-top-50 provider (e.g. hotmail, FB, etc).

Anonymous mails accepted at [email protected]. Include bitcoin address for payment. Don't bother with fakes - I've seen quite a few 'shops in my time, and can tell from some of the pixels.


Wasn't the core of the ThinkSecret lawsuit related to enticing people to break confidentiality agreements? Maybe this offer should be restricted to legally obtained and propagated screenshots.


Civil lawsuit. You can expose yourself to great civil liability without doing anything illegal.


Because this is an attack that doesn't go through the official legal process Google is required to abide by. If Google were to find that the US gov was distributing malware to hack into Gmail accounts without Google or users knowing I hope they would react the same way. I doubt we will ever find out for sure though.


Well, Google doesn't really have a choice but to follow the laws of the country it's based in. Do they at least explicitly explain this caveat somewhere?


Google is a huge multinational, operating on the internet, which is (at least historically) devoid of specific jurisdictions. They could, at the expense of profits, sidestep this issue - but they don't.

Unfortunately the US is trying to deny that, with less and less success, but that's where we're at today.

I just think it's shitty of them to make such a noise about non-US state-sponsored surveillance, but remain relatively silent on the thousands and thousands unconstitutional USA PATRIOT wiretaps they get every single month.


How could Google sidestep compliance with US laws? They are incorporated in the US, are they not?


I imagine in ways analogous to how they avoid paying US taxes, even though they are incorporated in the US.


That wouldn't work. Their tax avoidance strategies are legal with respect to US law. If they operated in the US without honoring DMCA requests, Patriot Act etc, they'd quickly be sued or arrested by the US govt.


Anyone know what the situation is with Google in the rest of the world? I know they have offices in various locations around Europe for example, and they have to comply with the recent EU "Cookie Laws"... which laws apply then?

(I can't recall if the ToS refer to US or EU)


Google has stepped it up against China. First warning users about search terms that trigger the Great Firewall and now this. Very interesting.

(Of course China wouldn't be the only one, but they have a history hacking into people's Google accounts and I have to imagine are a major motivator in this feature.)


Another one that comes to mind is probably the author of Flame and Stuxnet?


I wonder if google will be just as open if the state sponsoring the attack was US.


In the US this is done with National Security Letters and Court Orders, both of which usually include gag orders - so no.


The US doesn't need to attack, they can just use their legal backdoor.


Wouldn't that count as an attack vector?


Not as far as Google is concerned; you can't do anything to secure your account when the "attack" is utilizing Google's built-in snooping feature.


They should have included the words "if at all possible, format your computer and reinstall a new operating system with latest updates immediately."

If someone has a keylogger on your computer it is game over anyways. (Since they can "read" the mail you send just by recording the keystrokes)


I think this warning is referring to MITM hijacking attacks and things along those lines, not key loggers.


FYI, rootkits can survive a HD format.


Live from the scene: my partner just found that she wasn't able to log in to her Gmail account because her password was suddenly invalid. Luckily she was able to reset it quickly and regain control of the account. When she checked the recent activity, though, it showed that all logins in the past 12 hours came from her IP.


Sounds like a setup to a thriller movie, but the relevance to the article is lost on me. Am I just missing something?


Her account was affected this morning by the attack reported in the article.


So she saw the alert described in the article? You didn't really mention that.


You didn't read the article. It's about a security feature being added, not a specific attack.


People that have received this warning so far:

* @gesa, Obama campaign web developer says an infosec staff member got one: https://twitter.com/gesa/status/210184075149979649

* @dandrezner, international relations professor: https://twitter.com/dandrezner/status/210103984881549312

* @TomLasseter, Beijing Bureau Chief for McClatchy Newspapers: https://twitter.com/tomlasseter/status/210210259019640835

* @JeffreyCarr, CEO of Taia Global and author of Inside Cyber Warfare: https://twitter.com/jeffreycarr/status/210227611912257537

* @snowfl0w, malware analyst for Contagio Dump: https://twitter.com/snowfl0w/status/210207958376779776

* @w7voa, Voice of America Bureau Chief covering Korea and Japan: https://twitter.com/w7voa/status/210194791479250946

* @marcambinder, national security reporter for The Atlantic and GQ: https://twitter.com/marcambinder/status/210184141180911617

* @DDysart, web developer?: https://twitter.com/DDysart/status/210183540535590912

This is not looking good... some people on this list have gone and installed Google 2FA after realizing their computer might be compromised. Enabling two-factor auth WILL NOT resolve this issue if your computer has been compromised. If you get this warning, you need to bring your computer to someone with real security expertise and have it checked out. Strongly consider cleanly reinstalling your OS, then enable two-factor authentication.

EDIT: Here's the message that Google is giving to people that have been affected: http://support.google.com/mail/bin/answer.py?hl=en&ctx=m...

It looks like they're detecting exploit code sitting in people's accounts, mostly in the form of PDF and Office docs and inside RARs. This might explain why snowfl0w is on the list, since he handles a lot of this stuff daily and some of it likely goes through his e-mail (on purpose). It's unclear if this means that your account was successfully compromised. It's more likely that it means someone is attempting to get into your account.
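As an added example (not from the thread and not Google's own detection), a small attachment triage routine in the spirit of the guess above: it classifies attachments by their leading bytes rather than their filename, and flags the indicators a defender would check first in PDFs, Office documents and archives. The magic-byte table, the flag strings and the sample attachments are all constructed for the demo.

```python
import io
import re
import zipfile

# Leading bytes of the containers the thread mentions (PDF, Office docs, RAR); constructed table.
MAGIC = {"pdf": b"%PDF-", "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .doc/.xls
         "zip": b"PK\x03\x04",  # .docx/.xlsx/.pptx are zip containers
         "rar": b"Rar!\x1a\x07"}  # RAR4 and RAR5 share this prefix
# Which container a declared extension should really be.
EXPECTED = {"pdf": "pdf", "doc": "ole", "xls": "ole", "ppt": "ole",
            "docx": "zip", "xlsx": "zip", "pptx": "zip", "zip": "zip", "rar": "rar"}

def sniff(data: bytes) -> str:
    """Identify the container by its leading bytes, ignoring the filename."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"

def triage(name: str, data: bytes) -> list:
    """Return risk indicators for one attachment; an empty list means none found."""
    flags, kind = [], sniff(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXPECTED and EXPECTED[ext] != kind:  # classic lure: fake extension
        flags.append(f"extension .{ext} does not match content type {kind}")
    if kind == "pdf" and re.search(rb"/(JavaScript|JS|OpenAction|Launch)\b", data):
        flags.append("pdf declares active content (JavaScript/OpenAction/Launch)")
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return flags + ["corrupt zip container"]
        if any(n.endswith("vbaproject.bin") for n in names):
            flags.append("office document carries a VBA macro project")
    if kind == "rar":  # no stdlib parser; treat as opaque until extracted in a sandbox
        flags.append("rar archive: contents not inspectable here")
    return flags

def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal docx-shaped zip for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

Running `triage("invoice.docx", build_docx(True))` reports the macro project, while a renamed RAR such as `triage("photo.pdf", b"Rar!\x1a\x07\x00")` reports both the extension mismatch and the opaque archive.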


Since the New York Times recently reported that Stuxnet is a US state-sponsored cyber virus - which if you recall was accidentally released into the wild and affected and attacked innocent end-user machines as collateral damage - and with the ongoing US-Israeli state-sponsored cyber warfare weapons of mass destruction (operation Olympic Games) including the more recent releases of the Duqu and Flame viruses.... can Google clarify if, through its detailed analysis as well as victim reports, Google will apply the same exacting standards and warn end-users (both in the US and abroad, example: Iranian users) of these domestic (US) state-sponsored attacks as well? Even if Google was to choose to go the higher route, wouldn't this kind of undermining and subterfuge (however unintentional) really go unnoticed by its host nation? Or are exceptions of convenience made in these cases due to the close ties that Google has with the US intelligence agencies and the confirmed but secret and classified collaboration that Google has with the CIA and NSA in regards to GMail and Google Accounts? No doubt there is a clear conflict of interest going on here. To me this smells more like Google catering to state-sponsored propaganda than really caring about the security and privacy of their end-users.


Why the emphasis on state sponsored attacks? (I am aware of stuxnet/flame/sanger's book) If google knows I am being targeted by a non-state actor are they choosing not to notify me? Are we going back to a cold war mentality where the only credible attacks are state sponsored?


State sponsored attacks are often more serious than non-state attacks. Most malware attempts to exploit victims for the financial gain of the authors--which is bad, but something individuals recover from. If someone is targeted for surveillance by a totalitarian state, it's possible that their life is in danger.

Gmail already warns users when Google suspect their accounts are compromised. All this is doing is changing a small subset of those warnings into a less-easily-ignorable warning for those users that may be targeted by state actors.


Presumably if it's a serious attack by a non-state actor, Google's lawyers are on the job in the relevant state(s) getting police involved, for whatever that's worth.

In the state actor case, there's little or nothing they can do to make it stop happening, hence the special warning.

It's also a high-profile jab at the unnamed state actors, which is nice.


So it's not worth letting me know I am 0wned because google's lawyers are on the case?


I assure you that the grandparent is misinformed, the chance of google's lawyers and/or the police being involved if some individual is sending you targeted malware (aka spear phishing) is essentially 0%.


AFAIK you do get warned if Google thinks your account has been compromised by normal phishers and what not. This is just a more detailed message that I'm sure most people will never see.


State-sponsored attackers have access to much better resources. I do wonder how they determine who gets these things; do they look for keywords in your email, or do they monitor where login attempts are happening, or do they look at phishing messages that arrive at your account?


State-sponsored attackers also likely choose different targets. I'm not afraid of being a victim of such an attack, but if I worked e.g. as a diplomat, or as a defence contractor, or at any government agency, I might actually be worried. There were some examples of attacks lately that targeted US government officials. So I guess Google shows this warning primarily to people who might be probable targets of state-sponsored attacks in the first place.


I think human rights activists are probably the juiciest target.


Why the juiciest?


Since Google doesn't tell you why they're showing this warning to you, and only tell you to follow standard security guidelines ("don't get phished"), I suspect people will quickly be trained to ignore this message.

My girlfriend received the warning message today. She has already activated 2-factor auth, so I'm really not sure what she's supposed to do with this information.


groan so we live in /this/ era now, where politicians try to weaponize the Internet. Kill me now.


How do we know this isn't state-sponsored propaganda!?


Because we already know that Gmail has been hacked by the Chinese in order to obtain information about their dissenters?


aka China, right?


Mostly! I believe there's been some tampering noticed in various Middle Eastern countries (such as Iran and Syria) as well, and I suspect this warning is targeted at them too.


I guess so. A couple weeks ago I experienced something spooky (like session hijack) in Iran and contacted them...


well this coincides nicely with the confirmation that Stuxnet was state-sponsored. This is Google taking a stand. (Not against the creators of Stuxnet, just in general.)


I think this is a great idea. I would be interested if it could tell you what state though, and/or what group.


What kind of productive, actionable result can this notification lead to for a regular user? "Oh, my government may-or-may-not be attacking me, I'm not even sure because it doesn't say, in any case I better just push this magic fix-it-all-up button I have right here."

I can't see how this can be differentiated from simple underhanded FUD-driven political activism.


How about the steps noted in the post? Make sure you have a good password, use two-factor authentication, and be careful about clicking on any login links? It could also be incentive to change accounts, or change to a different communication mechanism. As long as this warning is triggered by actual data, I am not sure how you could categorize it as "FUD" or even political activism. Hacking into accounts should not be political - it should be criminal.


> Here are some things you should do immediately: create a unique password that has a good mix of capital and lowercase letters, as well punctuation marks and numbers; enable 2-step verification as additional security; and update your browser, operating system, plugins, and document editors. Attackers often send links to fake sign-in pages to try to steal your password, so be careful about where you sign in to Google and look for https://accounts.google.com/ in your browser bar. These warnings are not being shown because Google’s internal systems have been compromised or because of a particular attack.

How does any of this differ from regular user advice? And note the last sentence, they are explicitly admitting the warning relates to nothing in reality beyond the normal environment. Do we suppose that people in China aren't aware their government spies on them? Do you suppose your own government does not?

I don't understand why this banner isn't shown to all users - China or otherwise, or why show it at all. Do something actionable and meaningful - introduce password complexity requirements, mandatory 2 factor authentication, require use of a signed browser with pinned SSL certificates - anything but non-specific nonsense that does little but promote unactionable fear in the hearts of thousands of users.


Don't forget that government officials, defense contractors, etc. also use Google products. Not all hacking is criminal or local. Some of it is geopolitical in nature.


> What kind of productive, actionable result can this notification lead to for a regular user?

The users may make their account more secure and take more care of their physical security?

I don't understand what makes you so upset. I find this nice. Are you saying that Google will be misusing this to make some states look bad?

If you were at Google, what would you propose? Do nothing with accounts that you know are being attacked by states?


Apart from this being very empowering to the individual user, it is also a wake up call to states who have any interest in participating in an international community that they cannot act without consequences, potentially making it an effective deterrent to this kind of behavior in the future.


Maybe you could stop using Gmail or stop discussing next week's protests.


Or even start including deliberately misleading information in your communications.


2-factor logins require, in addition to 'knowing' the password, to prove that you 'have' a token (e.g. mobile phone possession). It makes your account significantly harder to crack.


Potential productive responses are detailed in the OP.


They can stop downloading attachments. That's a 99% fix to the problem google is reporting.


I wonder if anyone on HN has gotten this warning yet.


I like how "state-sponsored" is pretty much a euphemism for "we're pretty confident it was the Chinese who did it but we can't say so on our official blog".



