
Google's Backdoor Access System into Gmail Accounts - powertower
http://www.schneier.com/essay-306.html
======
raintrees
"In the aftermath of Google's announcement, some members of Congress are
reviving a bill banning U.S. tech companies from working with governments that
digitally spy on their citizens. Presumably, those legislators don't
understand that their own government is on the list."

Gave me a good laugh this morning...

------
beagle3
Some people on this discussion mention that they simply run their own mail
servers -- that's dandy for incoming mail. But how do you guys make sure your
outgoing mail is not blacklisted/ignored/considered spam? That's been a
non-trivial problem for me in the past when I was running a mail server (and spam
was not such a big problem back then).

Also, is there any mail server you can run/recommend that has gmail-speedy
searches and tagging? (And maildir support would be a super-extra-plus?)

~~~
thaumaturgy
I use a mail server stack that includes Postfix + Dovecot + RoundCube;
RoundCube's search function isn't as good as Gmail's, but the ability to
filter messages by literally _any_ part of the message content just blows
Gmail's tagging out of the water, IMO. (You need managesieve + a plugin for
RoundCube to do this.)

I so far haven't had the mail server blacklisted even once since I started
using it 18 months ago. I have a number of other customers on it, including
one that sends out a 500-odd subscriber newsletter, using software I
developed. I have taken a couple of precautions against spam: I use SPF
records for as many domains as possible, the mail server itself is locked down
tighter'n a flea's bunghole (including some proactive security measures), I
have remote monitoring that keeps an eye on the server constantly, and (so
far) I've had the pleasure of only doing business with people I trust.

It requires a lot of effort to build a good mail server, and there isn't a
single "perfect" tutorial on the web for it. So, for a lot of people, it might
not be worth it. For me though, I haven't touched my Gmail account in a very
long time, and I really do love the fact that I have _complete_ control over
every aspect of my email (and my customers').
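The SPF precaution mentioned in the post above is worth seeing from the receiving side, since that is where deliverability is decided. The following is an added example and not code from anyone in this thread: a minimal SPF evaluator in Go that walks a published `v=spf1` record the way a receiving MTA does. The "DNS" is a constructed in-memory table of records using documentation address ranges, and only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented (the `a`, `mx`, `ptr` and `exists` mechanisms need live DNS and are reported as `permerror` here).

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for DNS TXT lookups: domain -> published SPF record.
// Addresses come from the RFC 5737 / RFC 3849 documentation ranges.
var spfRecords = map[string]string{
	"example.org":           "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
	"_spf.mailhost.example": "v=spf1 ip4:203.0.113.25 ip6:2001:db8::/32 -all",
	"lenient.example":       "v=spf1 ip4:192.0.2.0/24 ~all",
}

// qualifierResult maps an SPF qualifier prefix to the RFC 7208 result name.
func qualifierResult(q string) string {
	switch q {
	case "-":
		return "fail"
	case "~":
		return "softfail"
	case "?":
		return "neutral"
	default:
		return "pass"
	}
}

// ipMatches reports whether ip falls in spec, which is either a single
// address or a CIDR prefix as written after "ip4:" / "ip6:".
func ipMatches(ip net.IP, spec string) bool {
	if strings.Contains(spec, "/") {
		_, network, err := net.ParseCIDR(spec)
		return err == nil && network.Contains(ip)
	}
	single := net.ParseIP(spec)
	return single != nil && single.Equal(ip)
}

// CheckSPF evaluates the connecting IP against domain's record and returns
// one of pass, fail, softfail, neutral, none or permerror.
func CheckSPF(domain string, ip net.IP, depth int) string {
	if depth > 10 {
		return "permerror" // RFC 7208 caps DNS-querying terms at 10
	}
	record, ok := spfRecords[domain]
	if !ok || !strings.HasPrefix(record, "v=spf1") {
		return "none" // no record: the receiver learns nothing about this domain
	}
	for _, term := range strings.Fields(record)[1:] {
		qual := "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qual, term = term[:1], term[1:]
		}
		matched := false
		switch {
		case term == "all":
			matched = true
		case strings.HasPrefix(term, "ip4:"), strings.HasPrefix(term, "ip6:"):
			matched = ipMatches(ip, term[4:])
		case strings.HasPrefix(term, "include:"):
			// include matches only if the referenced record itself passes;
			// a missing or broken referenced record is a permanent error.
			switch CheckSPF(term[len("include:"):], ip, depth+1) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror"
			}
		default:
			return "permerror" // a/mx/ptr/exists: not supported offline
		}
		if matched {
			return qualifierResult(qual)
		}
	}
	return "neutral" // nothing matched and the record had no trailing "all"
}

func main() {
	for _, c := range []struct{ domain, ip string }{
		{"example.org", "198.51.100.7"},
		{"example.org", "203.0.113.25"},
		{"example.org", "2001:db8:1::5"},
		{"example.org", "192.0.2.9"},
		{"lenient.example", "203.0.113.9"},
		{"nospf.example", "192.0.2.9"},
	} {
		fmt.Printf("%-16s from %-14s -> %s\n", c.domain, c.ip, CheckSPF(c.domain, net.ParseIP(c.ip), 0))
	}
}
```

The `-all` versus `~all` distinction at the end of a record is the one that matters for the blacklisting concern: a domain that ends its record with `-all` is telling every receiver that mail from unlisted hosts should be rejected outright, so a forgotten relay or newsletter host produces hard failures rather than merely lowered reputation.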

~~~
windsurfer
Hear hear! I use a similar setup, and it truly is great. It's even caused me
to seriously consider a service that sets up a Linode for people who want
something as awesome.

~~~
thaumaturgy
Yeah, I've been sorely tempted to make a Stackscript for this setup and make
it public.

There are two downsides: it's at least $20 a month to do it, and having your
own mail server really isn't quite a set-it-and-forget-it deal. It requires an
amount of attention that wouldn't make sense for a lot of people (or
businesses).

~~~
dspillett
> (or businesses)

I'm surprised by how many businesses (even small ones) _don't_ run their own
mail server, or at least have a proper outsourcing arrangement rather than
just using a public service. We run our own (well, I run our own...) because
we work with banks and all contracts we sign with them have clauses regarding
where information from them gets stored and who could possibly have access to
it - this is to protect their data in instances where we might be sent
(intentionally or otherwise) information about some of their employees or
customers. I'm guessing a great many businesses work with clients who have
similar concerns, so those clauses will be present in contracts they have
signed too, so using a "public" service like gmail or hotmail just isn't
compatible with them - we can't make any demands to Google about who can
access what on their servers or audit them.

No business should use a public service like that and leave the mail on it.
This isn't a dig at the public services like gmail, as they provide a valuable
resource for those the resource is not wrong for, but they can not provide the
accountability I would expect to be able to provide my clients as a business.
Businesses should (IMO, and in order of preference) run their own server, use
a service that has some contractually enforced security guarantee, or pull
down the mail to local systems rather than leaving it on a public server -
otherwise they can have no hope at all of controlling who can access their
(potentially confidential and sensitive) mail.

Aside from the data security issue there are other potential problems that
you should be concerned about. If a public service goes down there is nothing
you can do to help a fast recovery and you will not be their priority: your
services will be available again when it is available again. Also you need to
implement a good backup system no matter what you choose - you should not (as
many people do) rely on a single service for both your live mail handling and
backups.

The $20/month is nothing to a business (or should be), but you are right in
that a mail server should never be considered a set-and-forget system so there
will be technical resource cost involved with running a mail server and
dealing with possible issues like "friendly fire blacklisting" so a reputable
outsourcing arrangement would be more cost-/manpower- effective for many small
businesses.

FYI: we currently use Zimbra's "community edition", though at some point I'd
like to convince the powers that be that using the paid edition would be worth
it for the support (there has never been an issue I can't resolve, and there
is never likely to be, but I'm not here 24/7 and don't have someone with the
right skills to delegate the job to when I'm not around). It is more resource
hungry than Postfix+Dovecot+RoundCube though, so it needs significantly more
than Linode's $20 VM product to be usable, but I recommend people give it a try
as its single install removes the need for you to perform any integration work
putting a stack together, and the feature set aside from email is not
unattractive either.

~~~
thaumaturgy
You have a good point. We just recently deployed an in-house mail server for a
client with security concerns; they wanted all of their intra-office email to
not leave the building. Our mail server does backup duty for their mail
server, in case their connection drops or anything goes haywire, and we
monitor their server and keep it healthy for a really low monthly amount.

I had only sorta-kinda considered trying to offer that to a wider audience,
but I didn't really think the market for it was that big. I might be wrong.

------
rryan
"The rumor that China used a system Google put in place to enable lawful
intercepts, which I used as a news hook for this essay, has not been
confirmed. At this point, I doubt that it's true."

[http://www.schneier.com/blog/archives/2010/02/more_details_o...](http://www.schneier.com/blog/archives/2010/02/more_details_on.html)

~~~
andybak
Sigh. Can we get this correction to the top of the comment list please?

------
VladRussian
all this evil isn't done by some special evil people. It is you or people like
you who do it.

people like you write the laws mandating backdoors, people like you force
companies to implement it, people like you actually implement it. After all
that, you dare to express displeasure with the thing you've done pretty much by
yourself to yourself. Man up and take responsibility for your actions. Next
time you're groped by a TSA agent, you can find relief in the thought that
you (or your friend working at Google) groped the agent's Gmail account.
Tit-for-tat.

~~~
hammock
Damn I wish more people would realize this. Our brains "need" a clear
antagonist, someone to pin the blame on. But that's not how it works, rather
it's an agglomeration of many small attitudes that result in an emergent
phenomenon known as culture - every time you say "hmm we need this or that!" -
or more likely, every time you don't question authority and instead just roll
over and accept it - you are feeding into the fucked up system that results in
evil. It's not special evil people doing it. It's us.

~~~
jrwoodruff
All that is necessary for the triumph of evil is that good men do nothing.

It's a great quote because it's so true, and it's happened so many times
throughout history.

------
pragmatic
Could anyone recommend a hosted email service that does not allow spying on
users?

Alternatively I wonder what Bruce Schneier recommends? Do you have to host
your own email server?

~~~
hvs
Under U.S. laws, providers are often required to give information to the
government if they have a warrant. If you want (more) security, host it
yourself.

~~~
SageRaven
True; however, some providers make attempts to thwart this by making it
impossible for even themselves to access mail by way of encryption. I haven't
looked at it in a long while, but lavabit.com was one such company, and it's a
pretty good raw POP/IMAP service (at last check the web interface and spam
measures were somewhat lacking).

~~~
mike-cardwell
I like what lavabit has done, but at the end of the day, if they are forced
to, they can modify their server side software to log your password when you
log in, and then use that password to decrypt all of your email on the server
side.

It also doesn't secure the email on the client side. If your IMAP client
stores the email on disk, then you need to make sure it is encrypting it in a
secure fashion first.

Lavabit _should_ offer an extra layer of encryption whereby they allow you to
upload a public PGP key which they encrypt all your incoming email with using
PGP/MIME.

~~~
earl
I don't think even what you said is sufficient -- as long as they are within
the jurisdiction of the US court system, I think a judge can order them to
start saving copies of incoming mail before encrypting, etc.

I think fundamentally you can't circumvent the law with technical measures.
You need to change the law to require warrants.

~~~
mike-cardwell
Sure. The method I stated would protect historical email, but it wouldn't
prevent the capture of new email after an order has been made to start saving
it.
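The design mike-cardwell proposes a few posts up (the provider holds only the user's public key and encrypts each incoming message with it) and the limit earl and mike-cardwell agree on here (mail already stored is protected, mail arriving after a compelled change is not) can both be seen in a small model. This is an added example, not code from the thread or from Lavabit, and it substitutes X25519 plus AES-256-GCM from Go's standard library for PGP/MIME; the `Mailbox` type, `Deliver` and `Open` are names chosen for the example, and SHA-256 stands in for a proper key derivation function.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	pubLen   = 32 // X25519 public key length
	nonceLen = 12 // AES-GCM standard nonce length
)

// Mailbox is everything the provider retains for one user: the public key
// and the sealed blobs. No private key ever exists on the server side.
type Mailbox struct {
	UserPub *ecdh.PublicKey
	Stored  [][]byte
}

// aeadFor turns an X25519 shared secret into an AES-256-GCM cipher.
// SHA-256 is a demo stand-in for HKDF with context binding.
func aeadFor(shared []byte) (cipher.AEAD, error) {
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Deliver is the provider's delivery hook. The plaintext is visible here and
// nowhere else on the server: an order to start copying mail would be carried
// out at this point and would affect only messages arriving afterwards.
func (m *Mailbox) Deliver(plaintext []byte) error {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key per message
	if err != nil {
		return err
	}
	shared, err := eph.ECDH(m.UserPub)
	if err != nil {
		return err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// Blob layout: ephemeral public key || nonce || AES-GCM ciphertext+tag.
	blob := make([]byte, 0, pubLen+nonceLen+len(plaintext)+aead.Overhead())
	blob = append(blob, eph.PublicKey().Bytes()...)
	blob = append(blob, nonce...)
	blob = aead.Seal(blob, nonce, plaintext, nil)
	m.Stored = append(m.Stored, blob)
	return nil
}

// Open runs on the user's machine with the private key the server never saw.
// A wrong key or a modified blob fails GCM authentication and returns an error.
func Open(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < pubLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead, err := aeadFor(shared)
	if err != nil {
		return nil, err
	}
	nonce := blob[pubLen : pubLen+nonceLen]
	return aead.Open(nil, nonce, blob[pubLen+nonceLen:], nil)
}

func main() {
	userPriv, err := ecdh.X25519().GenerateKey(rand.Reader) // exists only on the client
	if err != nil {
		panic(err)
	}
	mb := &Mailbox{UserPub: userPriv.PublicKey()}
	// Constructed sample message; in practice this is the raw RFC 5322 text.
	if err := mb.Deliver([]byte("Subject: invoice\r\n\r\nconstructed sample body")); err != nil {
		panic(err)
	}
	msg, err := Open(userPriv, mb.Stored[0])
	fmt.Printf("client reads: %q (err=%v)\n", msg, err)
	other, _ := ecdh.X25519().GenerateKey(rand.Reader)
	_, err = Open(other, mb.Stored[0])
	fmt.Println("wrong key:", err)
}
```

The point of the model is what the server is left holding: `Mailbox` contains a public key and ciphertext, so a copy of the stored data alone does not reveal historical mail. Whether the provider can be compelled to alter `Deliver` is a legal question, exactly as the thread says, and nothing in the code prevents that for future messages.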

------
obtino
You guys realise that this essay was published on January 23, 2010 right? I'm
sure it's been posted here before.

~~~
rryan
Not only that, but Schneier posted a follow-up later that month saying that
there was no evidence for what he had claimed:

[http://www.schneier.com/blog/archives/2010/02/more_details_o...](http://www.schneier.com/blog/archives/2010/02/more_details_on.html)

------
pnathan
So let's go with a rational assumption, which is that your email provider has
the capability to read your email (scenarios: warrant, hacker, bored
sysadmin).

You, being a good geek, encrypt your personal systems out the wazoo.

Then you want to take the next step: encrypted communications (examples:
legal, business).

This now makes your request of everyone you deal with to dink with
public/private keys and - likely - some sort of infrastructure.

What's the best _real-world_ (i.e., non-propellerhead) solution to this?

~~~
ChuckMcM
_What's the best real-world (i.e., non-propellerhead) solution to this?_

There isn't one. I've looked at creating one, and while it's a sizable
engineering job all the pieces are available. What it isn't is monetizable.
Not like 'make me a gazillion dollars' monetizable, but like 'pay me a living
wage to work on it' monetizable.

The key (and it's a horrible pun) is the key. You can build zero knowledge
proof [1] key exchangers now (patent expired :-) and a relatively inexpensive
'key' based on either USB or Bluetooth communications (see Yubikey [2] as an
example), such that email to a new third party could be done in an encrypted
way such that the message could only be read when that exact party was reading
the email in a reader that could get the keys to unlock it from the physical
key.

Like most such systems it only 'makes sense' if everyone (or at least a large
fraction of everyone) has one.

To get initial adoption it needs support in 'free' tools which means it needs
to be open in the sense that folks can trust what it does, and implement a
compatible protocol without paying you anything.

To earn a spot in your pocket/purse/pack it needs to be flexible enough to
accommodate other uses. To get those other uses the folks who provide them need
to be able to support it for 'free' since their customers won't be paying them
to put it in.

So a large investment in propeller heads to make it usable by the rest of the
world and achieve critical mass for adoption. Oh, and if you do start getting
traction the governments of the world are going to want to disappear you
(which was one of Bruce's points).

[1] <http://en.wikipedia.org/wiki/Zero-knowledge_proof>

[2] <http://www.yubico.com/yubikey>

------
SageRaven
Not that I think this would truly help (they probably replicate all
inbound/outbound mail to some vast pool for statistical analysis), but is
there an automated way to delete _all_ mail from one's Gmail account? I use
fetchmail to remove mail from my inbox and manage it on my workstation, but
must periodically log on via the web interface and go to my "All Mail" folder
and do a manual select and delete.

~~~
pudquick
Well, if you use POP3 - it can definitely be automatic. Client-side
configuration on how long to retain messages seen on the server.

~~~
SageRaven
Mail removed from the inbox (or most other "folders" on gmail) works as
expected. However, they still remain in the "All Mail" folder, which doesn't
appear to be accessible to POP/IMAP clients.

~~~
LordLandon
<https://mail.google.com/mail/?shva=1#settings/fwdandpop>

_When a message is marked as deleted and expunged from the last visible IMAP
folder:_

------
mgrouchy
Unless you host your own email, I assume that even without this specific
backdoor built in google would have little trouble getting at the email they
host.

This is not necessarily bothering to me, or unexpected for hosted services.

~~~
jganetsk
The backdoor would not be for Google, but for US intelligence.

~~~
mgrouchy
I'm not sure your conclusion is exactly right.

If Google can access my data anyway (even though it's a pain in the ass), they
can still comply with US subpoenas. I would imagine it's easier to just
automate the process (with a backdoor of sorts) than have to mess around doing
this all the time.

I don't see any details on the actual backdoor in the article, so I hesitate
to jump to conclusions.

------
gbrindisi
I know it's sad to say but as a rule of thumb I've always assumed that my
mails are always read and/or stored by third parties.

For really important stuff my only solution is encryption.

------
edanm
I'm guessing this is in response to this thread:

<http://news.ycombinator.com/item?id=2505857>

------
jamespo
Some more detail in that article would be nice.

------
truthtechnician
I run my own mail server with a roundcube frontend interface, for $5 a month
(if that) on Amazon EC2.

What's the point of SSL in Gmail if Google has your certs?

~~~
maqr
SSL is for end-point to end-point security. SSL does not attempt to solve the
problem of either end being compromised. This means that SSL won't help you if
your computer is infected with rogue software or if the server you're talking
to is compromised.

SSL does, however, help to prevent eavesdropping between point A and point B.

~~~
jamespo
Worthwhile if you use wireless networks, particularly unencrypted ones, to
access your email.

And with the cost of a GoDaddy or similar certificate so low, well worth
implementing on your own box.

------
known
Since Gmail is free, you're the product Google is selling.

~~~
crocowhile
This is true but not relevant to this discussion. Any commercial provider
would have to comply if the government asked information about their
customers.

