COMSEC: June 2010 Archives


June 18, 2010

When I first heard about governments requesting copies of Google's over-captured WiFi traffic, my first thought was "what could possibly go wrong?" Shockingly, it now turns out that the French government has your password. Well, maybe not your password, but someone's password:
Wi-Fi traffic intercepted by Google's Street View cars included passwords and email, according to the French National Commission on Computing and Liberty (CNIL).


At the time, Google said it only collected "fragments" of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second. However, with Wi-Fi networks operating at up to 54Mbps, it always seemed likely that those one-fifth of a second recordings would contain more than just "fragments" of personal data.

That has now been confirmed by CNIL, which since June 4 has been examining Wi-Fi traffic and other data provided by Google on two hard disks and over a secure data connection to its servers.

"It's still too early to say what will happen as a result of this investigation," CNIL said Thursday.

"However, we can already state that [...] Google did indeed record email access passwords [and] extracts of the content of email messages," CNIL said.

Well, duh.

Look, these are packet-switched networks, and to a great degree the packets are independently interpretable. Even on a much slower network, a password submission (say 300 bytes when you add all the HTTP overhead) takes far less than 200 ms. (Do the math here: even on a 56 kbps modem, which is much slower than your average WiFi network, this takes something under 50 ms.) Statistically, as long as you capture enough traffic to get a full packet, there's not a huge amount of difference in the number of packets you would expect to capture listening to a single network for hours versus switching which network you listen to every 200 ms. [Handwavy explanation available on request if really necessary.]
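The arithmetic above, carried through as an added example (not part of the original post). It assumes five channels carrying equal, Poisson-distributed traffic of 20 frames per second each, and ignores preamble, MAC overhead and channel-switch time; those figures are illustrative, not measurements.

```python
import random

DWELL_S = 0.2  # "changes channels five times a second"

def airtime_s(frame_bytes, link_bps):
    """Seconds to transmit one frame (preamble and MAC overhead ignored)."""
    return frame_bytes * 8 / link_bps

def whole_frame_fraction(frame_bytes, link_bps, dwell_s=DWELL_S):
    """Chance a frame starting at a random moment in a dwell also ends inside it."""
    return max(0.0, 1.0 - airtime_s(frame_bytes, link_bps) / dwell_s)

def simulate(frame_bytes, link_bps, channels=5, frames_per_s=20.0,
             seconds=2000.0, dwell_s=DWELL_S, seed=1):
    """Count whole frames heard by a fixed listener (channel 0) and by a hopper."""
    rng = random.Random(seed)
    d = airtime_s(frame_bytes, link_bps)
    fixed = hopper = 0
    for ch in range(channels):
        t = rng.expovariate(frames_per_s)
        while t + d <= seconds:
            if ch == 0:
                fixed += 1
            slot = int(t // dwell_s)
            # The hopper sits on channel (slot mod channels) during each slot.
            if slot % channels == ch and t + d <= (slot + 1) * dwell_s:
                hopper += 1
            t += rng.expovariate(frames_per_s)
    return fixed, hopper

if __name__ == "__main__":
    for name, bps in (("56 kbps modem", 56_000), ("54 Mbps Wi-Fi", 54_000_000)):
        fixed, hopper = simulate(300, bps)
        print(f"{name}: airtime {airtime_s(300, bps) * 1000:.3f} ms, "
              f"whole-frame fraction {whole_frame_fraction(300, bps):.4f}, "
              f"fixed {fixed}, hopper {hopper}")
```

The hopper hears each channel one fifth of the time but hears five channels, so the only loss is frames that straddle a dwell boundary; the number of channels cancels out of the comparison.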

In any case, Google no doubt captured a bunch of passwords and now the French CNIL has some of them. I wonder which data set Google provided them, or, more precisely, whether they provided them with a data set captured in France or one from outside of France. From a personal perspective (though I try to use encryption whenever possible), I hope it's the second. Any readers with more legal experience know what the legal implications would be of one choice versus the other?

Regardless of where the traffic came from, it seems like it might have been nice for Google to sanitize the data to remove obvious passwords. This isn't possible in every case, but it seems likely that the vast majority of passwords come from a small number of sites, so Google could have figured out the password submission format and built some kind of masking software. It's pretty hard to tell from the press coverage whether or not they attempted this (or were allowed to), but if they had, we would of course know that there were passwords, since the masking software would have identified them.
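A sketch of what such masking software could look like, as an added example (not from the original post and not anything Google is known to have built). The field names, the three patterns and the sample payloads are assumptions constructed for illustration; the per-rule hit count is the side effect noted above, since the masker itself reveals that passwords were present.

```python
import re

MASK = "[MASKED]"

# Assumed rules: each keeps the protocol framing (group 1) and replaces
# only the secret that follows it.
RULES = [
    ("http-form",
     re.compile(r"(?i)(?<![\w-])((?:password|passwd|pwd|pass)=)[^&\s]+")),
    ("http-basic",
     re.compile(r"(?im)^(Authorization:[ \t]*Basic[ \t]+)\S+")),
    ("pop3-ftp-pass",
     re.compile(r"(?im)^(PASS[ \t]+)[^\r\n]+")),
]

def mask_payload(text):
    """Return (sanitized_text, {rule_name: number_of_secrets_masked})."""
    hits = {}
    for name, rx in RULES:
        text, n = rx.subn(lambda m: m.group(1) + MASK, text)
        if n:
            hits[name] = n
    return text, hits

# Constructed sample payloads (not real captures).
SAMPLE_HTTP = (
    "POST /login HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "Authorization: Basic dXNlcjpodW50ZXIy\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=alice&password=hunter2&remember=1"
)
SAMPLE_POP3 = "USER alice\r\nPASS hunter2\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP, SAMPLE_POP3):
        masked, hits = mask_payload(sample)
        print(hits)
        print(masked)
```

This only covers cleartext payloads that use the listed field names; compressed or chunked bodies would have to be decoded before the rules can match.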


June 4, 2010

OK, so I get how Google could have accidentally captured packet payloads when recording data for Google Street View. Mistakes happen, etc.[1] I also understand why if you were some national government you might want to investigate this sort of potential privacy compromise. That said, it's not clear that this is that great an idea:
A Google spokesman said Thursday that the data should be handed over within a matter of days. Last week, the company found itself in conflict with a privacy regulator at the German city of Hamburg, who wanted access to the data. Google said that it wasn't sure that handing over the data would be legal.

"The data protection authority in Hamburg has made a number of requests -- including to be given access to an original hard-drive containing the payload data, and to a Street View car. We want to cooperate with these requests -- indeed we have already given him access to a car -- but as granting access to payload data creates legal challenges in Germany which we need to review, we are continuing to discuss the appropriate legal and logistical process for making the data available," Google said in a statement last week.

Those challenges have apparently now been addressed.

The company plans to hand over data to German, French and Spanish authorities, according to the Financial Times (FT), which first reported this latest development on Thursday.

This seems to miss the point a bit: the presumptive objection to Google capturing packet payloads is that they potentially contain people's sensitive information and someone might use them to learn that information. Turning the data over to the government presumably means that some larger set of people will have access to it. Of course, it's the government, so what could possibly go wrong?

[1] Ironically, the opposite error is the common one for packet sniffing applications: by default tcpdump only records the initial bytes of a packet. So, when you record a protocol trace, if you forget the -s 0 flag, you only end up with the beginning of the packet, which can cause problems in applications that do full packet reassembly.
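One way to check a trace for the truncation described in the footnote, as an added example (not part of the original post): in the classic pcap file format each record header stores both the captured length and the original on-the-wire length, so a truncated packet is one where the first is smaller than the second. The sample file is constructed in memory, and its snap length of 68 is a sample value.

```python
import struct

MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond and nanosecond timestamp variants

def truncated_records(pcap_bytes):
    """Return (snaplen, [(record_index, captured_len, original_len), ...])."""
    if len(pcap_bytes) < 24:
        raise ValueError("too short for a pcap global header")
    # The magic number tells us which byte order the writer used.
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", pcap_bytes, 0)[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    snaplen = struct.unpack_from(endian + "I", pcap_bytes, 16)[0]
    offset, index, cut = 24, 0, []
    while offset + 16 <= len(pcap_bytes):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(
            endian + "IIII", pcap_bytes, offset)
        if incl_len < orig_len:
            cut.append((index, incl_len, orig_len))
        offset += 16 + incl_len  # record header plus captured bytes
        index += 1
    return snaplen, cut

def build_sample():
    """Constructed two-packet capture: one complete 60-byte frame, one cut at 68 of 300."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 68, 1)
    rec0 = struct.pack("<IIII", 0, 0, 60, 60) + bytes(60)
    rec1 = struct.pack("<IIII", 0, 1, 68, 300) + bytes(68)
    return header + rec0 + rec1

if __name__ == "__main__":
    snaplen, cut = truncated_records(build_sample())
    print(f"snaplen={snaplen}")
    for index, incl_len, orig_len in cut:
        print(f"record {index}: captured {incl_len} of {orig_len} bytes")
```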