Tuesday, April 20, 2010

Google code stolen by Chinese

Google has been put in an awkward position after the New York Times revealed that its password system may have been compromised in Chinese cyberattacks last year. Those attacks resulted in Google making forceful public statements and eventually moving its censored Chinese search engine from mainland China routing all traffic to Hong Kong which is not subject to censorship. But the latest revelations may force the company to reveal more details about the attacks and announce what measures they have implement in order to reassure its vast user-base their information is secure.

The exact nature and extent of the theft has been kept secret but a person said to have direct knowledge of the investigation claims a password system that controls access by millions of users was breached. The program, code named Gaia, the Greek goddess of the earth, was attacked and while the intruders do not appear to have stolen passwords of Gmail users, it leaves open the possibility that the intruders may find weaknesses that Google might not even be aware of some independent computer experts say.

Google say they made significant changes to the security of its networks after the intrusions and even made GMail https by default. But the theft highlights a worrying concern not only for Google but also its customers. The revelations will doubtless increase the debate about the security and privacy of vast computing systems such as Google's that now centralize the personal information of millions of individuals and businesses. It may also fuel concerns, already raised by some, about doing business with China.

This cyberattack was not only an attack on Google, but also a threat to millions of individuals and companies around the world. And it appears to have been carried out under the auspices of the Chinese government. 

In his latest book Cyberwar: The Next Threat to National Security and What to do About it, Charles Clarke reveals China has already collected vast amounts of data which could allow it launch serious attacks on the West. And companies have too willingly shared data with the Chinese government, allowing it to make counterfeit products and design its own cyberweapons [Business Week].

Warning that a cyberwar is as dangerous as terrorism, the authors describe cyberweapons, list likely targets, and point out the vulnerability of power grids, aircraft, and security apparatus. Clarke, a former Special Advisor to the President for Cyberspace Security, and co-author Robert Knake, currently a principal at Good Harbor Consulting, argue that the US is already seriously behind in fighting this latest threat.

Clarke points a finger at Microsoft which refused to "share a copy of its secret operating code to its largest US commercial customers," but was compliant with demands from the Chinese government. "By threatening to ban Chinese government procurement from Microsoft, Beijing persuaded Bill Gates to provide China with a copy of its secret operating code," he says, and as part of the deal, "China modified the version sold in their country to introduce a secure component using their own encryption."

Clarke says China has also developed its own operating system, Kylin, modeled on open source Free BSD, which has been approved by the People's Liberation Army for use on their systems. Following the recent Google spat, Xinhua published an article headlined "Bill Gates bats for China" after the Microsoft head criticised Google's stance and announced his intention to continue doing business in the country. By effectively giving away Microsoft source code to the Chinese government, Gate's is not only batting for China, he risks becoming a lackey of the Chinese state.

Even where others have not been so compliant, by operating within China many companies have had their ideas and intellectual property stolen. Clarke cites the alarming situation that exists whereby Chinese companies sell counterfeit Cisco routers at cut-rate discounts around the world. One firm, Syren Technology, was even indicted by the FBI and Justice Department as having a customer list that included the Marines Corps, Air Force and multiple defence contractors.

"The cyberwar has already begun," Clarke argues. "In anticipation of hostilities, nations are already preparing the battlefield. They are hacking into each other's networks and infrastructures, laying in trapdoors and logic bombs -- now, in peacetime. This ongoing nature of cyberwar, the blurring of peace and war, adds a dangerous new dimension of instability."

Several technical experts have said that because Google had quickly learned of the theft of their software, it was unclear what the consequences had been. One of the most alarming possibilities is that the attackers might have intended to insert a Trojan horse, into the Gaia program and install it in dozens of Google's global data centers to establish clandestine entry points. But independent security specialists emphasise that such an undertaking would have been difficult, particularly because Google's security specialists had been alerted to the theft of the program.

While Google may have increased security it should still allay fears and make a public statement. The revelations should also serve as a wake-up call to not only tech-companies, but also individuals and businesses. Google's CEO recently announced many at the company were "paranoid" about security [Register]. The latest reports seem to indicate why.

The latest chapter to this Google saga has also stirred the imagination a little, if only because of some of the program names and a coincidental film release. Gaia is a primordial deity in the Ancient Greek pantheon and considered a Mother Goddess, as well as the name of Google's password system. A Trojan Horse program is derived from its namesake after a tale set at the time of the Trojan War, which again has links to Greek Mythology. Gaia's lineage brings forth Zeus who fathers Perseus the hero depicted in the recently released Clash of the Titans. Actually any analogy to Greek mythology may be stretching things a little far, though there have already been several stories likening Google's stance with China as being like a Clash of the Titans. Google's clash with Apple and Microsoft have also been described similarly. A cyberwar with China may need a little more help than Persus might provide.

Google may be paranoid but this new kind of war is not "a figment of our imaginations," Clarke says. "Far from being an alternative to conventional war, cyberwar may actually increase the likelihood of the more traditional combat with explosives, bullets and missiles. If we could put the genie back in the bottle, we should -- but we can't." Pandora's box, to use another mythological analogy, has already been opened.

tvnewswatch, Beijing, China

No comments: