Why David Petraeus’s Gmail account is a national security issue (washingtonpost.com)
87 points by steve8918 on Nov 10, 2012 | hide | past | favorite | 58 comments



Well, Petraeus gets a +1 for not using his official e-mail account, or an old DoD account for this. In fact, it's kind of pleasantly surprising that he used GMail over...say, an aol.com address.

In fact, it seems that for any given government official who wants to conduct risky non-official business, using something like GMail would actually be the more secure route, if you were trying to keep secrets from both your employer (which includes the public and public record requests) AND from the usual enemies of the state.

If both Petraeus and Broadwell had used GMail accounts not associated with their names, such as Dave501010@gmail.com and PaulSmith900@gmail.com, how likely is it that anyone would discover their shenanigans? For an enemy of the state to find out, it would have to compromise both GMail and somehow connect Dave501010@gmail.com with David Petraeus. Sure, it's security through obscurity, but we're talking a nearly insurmountable amount of obscurity.

Of course, once they start forwarding emails from their private account to their publicly known addresses, then the game is riskier. There's also the problem of keeping the ruse without making an AutoComplete mistake, such as sending a message from petraeus@cia.gov to PaulSmith900@gmail.com without realizing he's logged in as petraeus@cia.gov.


Sure, it's security through obscurity...

IMO, there's nothing wrong with a little security through obscurity if:

1) It's not your main game plan, just an extra obstacle. Anything can be compromised eventually, so you buy extra margin.

2) The obscurity is agile. Similar to benchmarking password complexity vs. projected brute-force capabilities of enemies and rotating passwords accordingly, rotate the obscurity: acknowledge that your enemies will figure it out eventually, and change it up faster than you think they can figure it out.


Right. It's a solid defense-in-depth marker that usually isn't too costly to implement and adds more time/effort to the equation. As long as you recognize it for what it is, it's OK.


> If both Petraeus and Broadwell had used GMail accounts not associated with their names, such Dave501010@gmail.com and PaulSmith900@gmail.com, how likely is it that anyone would discover their shenanigans?

I'd argue that every security agency worth its salt is also keeping a close watch on its bosses (especially on its bosses), so that, let's say, if Petraeus had logged in with joe.doe@gmail.com and his communications were being intercepted, someone would have noticed. As a non-American, I'm not exactly sure what, for example, the relation between the NSA and CIA is, but I guess it's somehow telling that the whole thing seems to have been driven by the FBI.


According to the NYT, the revelation was due to the emails being forwarded from Broadwell. So, as is almost always the case in real life, it seems the security breach was through a social lapse, not through a technical obstacle. And it was not movie-like/CSI-level sleuthing, but just an accident, that the authorities found out.

http://nyti.ms/RLx6QT

> WASHINGTON — The F.B.I. investigation that led to the resignation of David H. Petraeus as C.I.A. director on Friday began with a complaint several months ago about “harassing” e-mails sent by Paula Broadwell, Mr. Petraeus’s biographer, to an unidentified third person, a government official briefed on the case said Saturday.


NSA seems very low profile and I'm not sure they are capable of enforcement. They probably got wind and passed it to FBI. Just speculating here.


I argue that mail clients should have a blacklist option: When logged in as account X, NEVER permit me to send email to email address Y.


The blacklist can be compromised, which is a larger vulnerability than having no blacklist.


Save only the hash, or use a data structure like a bloom filter.


If the blacklist is modified, notify me via SMS (the same way Google/Facebook can handle you not being able to get into your account).


It's not about modifying; just reading the addresses you don't want to send mails to is informing enough.


Don't display them to the user without two-factor authentication then. Everything can be compromised at some point.
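The deny-list idea in this subthread (when logged in as account X, refuse to send to address Y, and keep the list as hashes or in a Bloom filter so that merely reading it reveals nothing) as an added Python example; this is not code from the thread or from any real mail client, and the class names, the HMAC key and the sample addresses in `demo()` are constructed for illustration:

```python
"""Sender-aware recipient deny list for a mail client (added example)."""
import hashlib
import hmac


def normalize(address: str) -> str:
    """Canonicalize so 'Petraeus@CIA.gov ' and 'petraeus@cia.gov' compare equal."""
    return address.strip().lower()


class SendGuard:
    """Deny list keyed to the logged-in account (hypothetical class).

    Each entry is an HMAC-SHA256 tag over 'sender\\0recipient', so the stored
    list reveals nothing about the protected addresses to anyone who lacks the
    key. That answers the objection above that reading the list is informing
    enough: without the key the file is just 64-hex-character tags.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._tags: set[str] = set()

    def tag(self, sender: str, recipient: str) -> str:
        msg = (normalize(sender) + "\0" + normalize(recipient)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def block(self, sender: str, recipient: str) -> None:
        self._tags.add(self.tag(sender, recipient))

    def is_blocked(self, sender: str, recipient: str) -> bool:
        return self.tag(sender, recipient) in self._tags

    def check_outgoing(self, sender: str, recipients: list[str]) -> list[str]:
        """Return the recipients that must NOT receive mail from `sender`.

        A client would call this before submitting a message and refuse to send
        (or demand a second factor) whenever the returned list is non-empty.
        """
        return [r for r in recipients if self.is_blocked(sender, r)]

    def export_tags(self) -> list[str]:
        """Persist only the tags; the on-disk file never contains an address."""
        return sorted(self._tags)

    @classmethod
    def from_tags(cls, key: bytes, tags: list[str]) -> "SendGuard":
        guard = cls(key)
        guard._tags = set(tags)
        return guard


class BloomFilter:
    """Space-saving alternative store for the tags (hypothetical class).

    A Bloom filter can report a false positive (a pair flagged as blocked that
    never was) but never a false negative, which is the safe direction for a
    send guard: at worst an extra prompt, never a silently sent message.
    """

    def __init__(self, n_bits: int = 1 << 16, n_hashes: int = 4) -> None:
        self.n_bits = n_bits
        self.n_hashes = n_hashes
        self.bits = bytearray(n_bits // 8)

    def _positions(self, tag_hex: str) -> list[int]:
        # The 32-byte HMAC tag is already pseudorandom under the key, so
        # consecutive 4-byte slices serve as the k independent hash values.
        digest = bytes.fromhex(tag_hex)
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.n_bits
                for i in range(self.n_hashes)]

    def add(self, tag_hex: str) -> None:
        for p in self._positions(tag_hex):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, tag_hex: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in self._positions(tag_hex))


def demo() -> dict:
    """Constructed walk-through using the example addresses from the thread."""
    key = b"constructed-demo-key-never-stored-beside-the-tag-file"
    guard = SendGuard(key)
    guard.block("petraeus@cia.gov", "PaulSmith900@gmail.com")

    # Reloading from the exported tags keeps the policy without the addresses.
    reloaded = SendGuard.from_tags(key, guard.export_tags())
    bloom = BloomFilter()
    bloom.add(guard.tag("petraeus@cia.gov", "PaulSmith900@gmail.com"))

    return {
        # Mis-addressed mail from the official account is caught, including
        # the case-and-whitespace variant the AutoComplete mistake would produce.
        "blocked_from_official": reloaded.check_outgoing(
            "Petraeus@CIA.gov", ["colleague@cia.gov", "paulsmith900@gmail.com "]),
        # The same recipient from the private account is allowed.
        "blocked_from_private": reloaded.check_outgoing(
            "Dave501010@gmail.com", ["paulsmith900@gmail.com"]),
        # The exported list contains hex tags only, never an address.
        "addresses_in_export": any("gmail" in t for t in guard.export_tags()),
        "bloom_hit": bloom.might_contain(
            guard.tag("petraeus@cia.gov", "paulsmith900@gmail.com")),
    }


if __name__ == "__main__":
    print(demo())
```

The pair is keyed on the sending account as well as the recipient, which is what makes the rule "never from X to Y" rather than a blanket block; the HMAC key has to live somewhere the list file does not (an OS keychain, for instance), otherwise the tags can be recomputed for guessed addresses.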


An aol address is hipster chic.

It also makes a good April Fools' joke: if you still have one matching your name, just send a message on Apr 1 to your geek buddies explaining you are moving from gmail.com/outlook.com/whatever to aol, and wait for the "WTF?" replies :-)


"without making an AutoComplete mistake"

Of course, for such a high-risk relationship it wouldn't have been a big deal to purchase 2 laptops that are only used for this particular communication and nothing else (no web surfing, nothing, just to set up an email account to communicate with the other party). That way, no risk of auto complete, and you can avoid any other traces and be easily destroyed. Doesn't avoid any IP address matching, but that can be handled in other ways.


I think that's pretty standard. I have a friend at a much lower level TS position that has 3 separate computers for varying levels of activity.


If I was a foreign government I'd have multiple spies working inside Google by now.


I'm sure the US government DOES have spies working inside Google as we speak


I'm sure the US doesn't need to bother wasting the resources required to train and embed a spy when a lawyer with a subpoena will do...


I know that this is a pot shot against the American legal system (especially with regard to copyright stuff), but it really makes no sense. A spy would likely be no more expensive than a legal team (in fact, he'd be subsidized by his salary at Google) and would be monumentally more effective and secretive.

Beyond that, the hard part of training a spy to get into Google would be getting a good enough computer science student involved. From there, it's really just a matter of teaching them to cover their tracks semi-intelligently. However, given what I'm sure is a mountain of completely legitimate reasons to look at user data (for example, to resolve data corruption, investigate malicious users, etc.) and an inconceivably larger mountain of user data to look at, I don't actually think it'd be that hard to get away with it.


Surprisingly few people at Google have the authorized access to read a user's GMail mailbox. It would mainly be the GMail Site Reliability Engineers and support teams. The developers usually don't have access to people's inboxes.

Any support/SRE/developer access to a user's GMail mailbox would be logged, and if they exceeded their authorized access, such as by accessing a "public" person's email, they'd be fired pretty quickly.


I'm sure the auditing and control is more than enough to stop your average creeper employee from reading normal people's inboxes, but I very much doubt that it's enough to stop a very smart, very determined spy from doing the same. At the end of the day, someone has root, and that guy can do pretty much anything.

I'm confident that Google is doing a better job than pretty much anyone else, but this problem is a more or less unsolvable one.

Edited to add that another interesting idea is that the people who man the DCs are actually pretty sparse (relatively few people for a lot of servers), so it's not inconceivable that one could trigger a failure on an important box, take down a replica of the figure's mailbox, swap out the drive for RMA and then do a quick copy. I bet this would be easy.

I guess my point is that no level of internal controls at any company can actually stop a determined government. If that were true, governments, which are much more paranoid than tech companies, would have eradicated spying a long time ago.


> At the end of the day, someone has root, and that guy can do pretty much anything.

I do not disagree with your overall assessment, but this is not strictly true. Most good real-world security schemes don't follow the 'root is God'-model of Unix, and for good reason. It's perfectly possible to design a system where each operation performed by a "superuser" must be validated, or at least logged.


But does Google follow best practice, or did they invent their own half-assed method? The evidence from the way the Chinese hacked them suggests the latter.

If Google were serious they should have bought out Bruce's company Counterpane and put him in charge of security.


Do you have details of China's hack that show Google as being stupid in security, or does being compromised by a nation famous for hacking prove incompetence? Seriously, with the amount of value stored inside Google's computers, it seems like they are doing a pretty good job with their security systems.


Well, not properly securing the system the US law enforcement used to legally get info from Google: that should have been locked down properly with hardware crypto gear so that it could only talk one way to approved systems in the FBI, or better still via an air gap.

It's blindingly obvious to anyone with even a basic knowledge of computer security best practice.


Can you be more specific? From your post I am assuming that China hacked into Google by using a direct line the FBI has into Google's servers. Even assuming such a link exists (which I do not), 'hardware crypto gear' is still a long way away from a completely secure system. And it seems like an air gap would also inhibit the intended functionality of the system.

Security is hard, and it is even harder when any device on the internet is intended to be able to work with the system, and it is even harder when you operate one of the most valuable networks in the world.


They spear-phished a PC, apparently.

And systems used by your TLAs to handle law enforcement access are not available to "any device on the internet".

As I said, they should be set up to only talk over a private circuit to one other end point and also have proper hardware crypto gear that is external to the systems.

Separating the extraction of data and applying the decoding probably should have been done on separate systems.


Wow are people over-thinking this. Once again XKCD to the rescue.

http://xkcd.com/538/


Google has a massively distributed global storage infrastructure. Pulling one hard drive would get you a millionth of a million people's gmail accounts, along with a sea of other unrelated crap.


This isn't perfect, Google has already had to deal with at least one "rogue" engineer.

http://techcrunch.com/2010/09/14/google-engineer-spying-fire...


>I know that this is a pot shot against the American legal system (especially with regard to copyright stuff), but it really makes no sense. A spy would likely be no more expensive than a legal team (in fact, he'd be subsidized by his salary at Google) and would be monumentally more effective and secretive.

A spy would also be illegal and, more importantly, potentially very embarrassing politically. It should be clear to anyone by now, the US government doesn't care about cost or efficiency. And further, there are secret court proceedings for national security kinds of cases (of which there are literally hundreds at any given time), so there's no secrecy advantage.


Um, you know governments have exemptions to those laws; in fact, these days all western TLAs have a statutory basis. It took a while in the UK's case, mind you.


The US government has no such exemption. They can't put an agent into a domestic company unless there's some evidence the company is deliberately breaking the law.


That's why I mentioned statutory: if, for example, the FBI had suspicions that the KGB/SVR or another state had agents within a company, they would take action, and they have caught a number of spies doing this.

The KGB back in the day had an entire department, Line X, that was dedicated to industrial espionage. Putin apparently was in this department.


Probably easier to recruit someone already inside Google than train a computer scientist spy and hope they manage to get hired by Google.


Ha .. We had the exact same thought there ;)


Why train a spy, when you can just bribe someone already on the inside?


Why pick just one when you can afford both? Penetration in depth.


Because if just one agent gets caught, you're looking at a nightmarish scandal.


You could bribe ("recruit") someone inside to spy for you...


I'm sure the US doesn't need spies working in Google. I'm sure there is systemic collaboration with the NSA, to the point where they don't need spies "working" for Google. Also, I think actual spies are placed much closer to personal sources of information, not technical. If that makes any sense. I guess what I'm trying to say is, if you are going after computer information, you're going to get it from the outside. If you're going after people information, you're going to have a guy on the ground.


You're sure?


One would hope that the US has something like List X status for companies that are sensitive (and telcos and comms companies are) and has senior people and those with access to sensitive information vetted.

I know a senior developer in British Telecom who worked on the system that tracks every private circuit in the UK, and she was being PV'd (positively vetted; it's called developed vetting these days), as she had root access to this system, the same as being TS cleared in the USA.


There's a lot of bogus assumptions in these articles, and he got caught because she was investigated, not him.

If he used a gmail account and used a separate device such as a private smart phone or tablet to access that account there would have been zero vulnerability, other than the fact that he could have been blackmailed. Gmail is pretty hard to hack into, the IP address of the device probably wouldn't tell anyone anything about where he is, since it's a private IP on the telco (can you tell a person's location from the IP on the telco?), and there wouldn't be any way to get to any of his secure accounts or make a mistake of using the wrong email account.


Telcos log everything! So it would not have been difficult, if you could connect the phone number to him, to track everything else.


Who knows if it's accurate, but Buzzfeed is reporting that it may have been Anonymous as part of its Stratfor attack:

http://www.buzzfeed.com/zekejmiller/anonymous-may-have-hacke...


I doubt it.


The news story there claims the first step in this scandal was that Paula Broadwell's yahoo account was compromised. That's not too hard if you can guess her password hints.

The next step, it seems, was sending some trolling emails. That requires acquiring or just guessing some email addresses. The people who got the trolling emails set the discovery of the affair in motion. Well played. But did not require a 133t hAx0r.


The most likely explanation is that she accessed his smartphone or computer when he was not looking.


He wasn't even using two-factor authentication?


How would two-factor authentication stop the FBI from lawfully demanding your email from Google?


His mistress accessed his e-mail first, not the FBI.


Actually, sounds like all they had to go on was she got certain e-mail addresses. Seems kind of thin really.


Petraeus's personal email should be no more sensitive than the mailbox outside his house, which any junkie could "hack". If he put classified information on google's servers, that's a whole different problem. This is a non-issue and a distraction from the real reason why he was forced out.


That depends on what he used the e-mail address for. If it was strictly for romantic liaisons, it's no big deal. But if he used it for any other purpose (talking with his lawyer, chatting with senators, etc.), it would be a hell of a platform for social engineering attacks. In that scenario, the information in Petraeus' personal inbox is beside the point[1]; you can use the trusted address to get your hooks into something more interesting.

[1] Ignoring the blackmail value of the affair.


Sounds like Janet Napolitano has the right idea.

http://techdailydose.nationaljournal.com/2012/09/napolitano-...


Yes, in the hands of voters that kind of information could ruin an administration. He should definitely be fired lest the public find out what the CIA is up to.


Obviously Google should delete David Petraeus's account immediately. National security is at stake!

;)

