Steven Houben Student Human-Computer Interaction

Google vs China: Fundamental problems

What

Most of you have probably already heard about the cyber-attacks on Google and other international IT companies performed by the Chinese government. The latter attempted to access for example the Google mail account of Chinese human rights activists.[1]  MacAfee labs  stated in their official blog that the hack was done using a new vulnerability in Internet Explorer [4]:

In our investigation we discovered that one of the malware samples involved in this broad attack exploits a new, not publicly known vulnerability in Microsoft Internet Explorer.

George Kurtz - MacAfee Labs

Google responded to the attack by stating it is now considering a new approach to the China situation [2]. In the past Google received much criticism for censoring the Google search result in China. This self-censorship is done to comply with the Chinese law that forbids information sharing about certain subjects (including parts of Chinese History).

Problems

A lot has been said, even on this blog [5][6],  about the amount of information  that Google is storing about its users.  Although Google is the company that is actually storing the information, Google has no purpose or interest in abusing or reselling this information. The more dangerous players in the privacy game are governments or other organisations that may want to advise the Google database to extract information about certain people. Governments could do this via court or other legal ways.  But the fact that a government would try to cyber-attack a company as Google in order to gather information about people of interest to that government wasn't even part of this much debated privacy equation. This situation is actually exposing a very large problem: many security systems, encryption techniques, database security,... are "100%" safe against hackers or bot nets. But when the government of the largest country in the world, with an IT-agency with an alleged size of more then 40000 employees, is actively working on ways to hack security systems, these security systems may not be 100% safe. If Google in fact didn't "hack back" the source that cyber-attacked them, we probably didn't even know that the Chinese government was doing this. How can software developers protect their applications and information against this kind of enemy?

Since the attack was done via a vulnerability in Internet Explorer, this raises questions about security and bugs in many systems. Until know bugs and minor security flaws in software weren't that big of a problem to most of its users as many considered it part of the system. Scientific research [7] has even shown  that many people aren't that bothered with software bugs when they appear in non-critical systems. But what if these minor bugs are exploited to extract much more sensitive information?  This isn't really a new problem as it has happened before but it does put the problem back on the foreground. Can and does software have be 100% bug free?

References

[1] Google, Citing Attack, Threatens to Exit China, NY Times,http://www.nytimes.com/2010/01/13/world/asia/13beijing.html

[2] A new approach to China, Official Google blog, http://googleblog.blogspot.com/2010/01/new-approach-to-china.html

[3] Google censors itself for China, BBC, http://news.bbc.co.uk/2/hi/technology/4645596.stm

[4] MacAfee Blog, http://news.cnet.com/8301-27080_3-10435232-245.html

[5] [DUTCH] Google: Vloek of zege, Steven Houben,  http://anxma.com/blog/index.php/2009/10/23/google-vloek-of-zege-dutch/

[6] Google, Steven Houben, http://anxma.com/blog/index.php/2009/05/29/google/

[7] Acceptable defect rate, http://www.sei.cmu.edu/library/assets/dietz.pdf