Slashdot Mirror


Google Shares Its Security Secrets

Stony Stevenson writes "Google presents a big fat target for would-be hackers and attackers. At the RSA conference Google offered security professionals a look at its internal security systems. Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained how the company handles constant pressure and scrutiny from attackers. In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value.' The program includes mandatory security training for developers, a set of in-house security libraries, and code reviews by both Google developers and outside security researchers."

39 of 106 comments

  1. More PHD Cowbell by mfh · · Score: 5, Funny

    Google fights scrutiny with scrutiny (and by having more PHDs than you).

    --
    The dangers of knowledge trigger emotional distress in human beings.

    1. Re:More PHD Cowbell by jgarra23 · · Score: 5, Funny

      Whoever modded me troll must have a PhD & work for Google :)

      Good luck selling those tiny little ads!!

    2. Re:More PHD Cowbell by Anpheus · · Score: 2

      I don't think they need your luck, they seem to be doing well enough selling tiny little ads on their own.

    3. Re:More PHD Cowbell by jgarra23 · · Score: 2, Interesting

      So is Don Lapre (http://en.wikipedia.org/wiki/Don_Lapre). This is the joke I'm referencing, for all those who think I'm utterly without humor... I guess you had to be there...

    4. Re:More PHD Cowbell by Tanktalus · · Score: 2

      I suspect that Google was going to be a big target regardless of whether they kept quiet about their attempts or not...

  2. The advantage of being an internet company by adpsimpson · · Score: 2, Insightful

    I was going to say something smart about Microsoft, Mac etc, but then Google do have the advantage that they were founded on the internet, once the benefits but also the threats of networking computers had been fully understood.

    I'd be surprised if any from-scratch operating system designed for internet-facing use today, didn't also have 'security as a culture'.

    But hey, there's always Vista ;)

    --
    Is crushing a suspect's child's testicles illegal?
    John Yoo: "No, [if] the President thinks he needs to do that."

    1. Re:The advantage of being an internet company by morgan_greywolf · · Score: 4, Informative

      I'd be surprised if any from-scratch operating system designed for internet-facing use today, didn't also have 'security as a culture'.

      Yeah. It's called OpenBSD.

    2. Re:The advantage of being an internet company by ouder · · Score: 2, Interesting

      Google's security consciousness comes not only from being founded on the Internet, but also from the fact that they know that they have to compete. Microsoft had itself in a monopoly situation before network security became an issue. MS only takes notice of security when it appears to threaten its monopoly status. Our security people would love to see us go to Linux (granted, still security holes, but they are more controllable). However, we can't because users would whine about not being able to use their MS-only software. In short, MS doesn't care about security because they don't have to. Macs don't have the monopoly situation, they just think they do. Another part of the fantasy world the Mac community lives in says that their systems are secure. As long as Apple can keep their loyal core of Mac users happy they don't have to worry about security, either.

    3. Re:The advantage of being an internet company by mrsteveman1 · · Score: 2, Funny

      Netcraftsayswhat?

  3. So, explain ... by PPH · · Score: 3, Insightful

    ... why so much spam comes from gmail, or usenet spam from Google groups.

    --
    Have gnu, will travel.

    1. Re:So, explain ... by Starrk · · Score: 5, Insightful

      Because distinguishing bots from humans is an unsolved problem. Even before Captchas were broken by computers, there was an easier solution:

      If you are stuck on a Captcha or equivalent, spam people, pretend the Captcha is yours, and offer free porn to anyone who solves it.

      Preventing this is virtually impossible.

    2. Re:So, explain ... by speculatrix · · Score: 4, Insightful

      I've had very little spam that actually came from googlemail, maybe two items in a year. I've had a lot of spam that purported to come from googlemail, but examination of the headers quickly revealed it was simply faking the origin.

    3. Re:So, explain ... by Dada+Vinci · · Score: 3, Insightful

      This isn't about spam and Google groups. It's about preventing a malicious cracker from accessing the vast quantities of data that Google has about every single Google user. These days, a full identity (SSN + bank account) sells on the black market for $14-$18, depending. Google has tens of millions of users. Not all of them have their SSNs in their Gmail, but I'll bet that a fair bit have at least one credit card number or bank password in their email archives, their search history, or elsewhere within Google's control. Plus, think of the blackmail possibilities if there were a full-scale data breach? Remember the AOL search history breach? A full-scale crack of Google's security would be several times worse.

    4. Re:So, explain ... by Sancho · · Score: 2, Interesting

      Short timeouts on the captcha and/or using javascript to generate the images might help. I don't know if it's really this bad, but many captchas I've run across virtually never expire (they might expire when the PHP session does, but I've hit a page with a captcha, gone to the restroom and to get a soda, and come back to a still-valid captcha.)

      If you had a reasonable time limit in which to solve the captcha, it would certainly make it harder to farm out.

      Of course, Google's captcha was broken algorithmically, wasn't it?

  4. It's that darn preset target by Dekortage · · Score: 4, Funny

    Google presets a big fat target for would-be hackers and attackers.

    Must be a new Google appliance. I'm glad it is preset, and does not need any end-user configuration.

    In any case, I commute on the train with Google guys in NY. They use their laptops to work on the train, but have those little wireless security devices that generate random passwords for them when they want to log in, so their connection is fully encrypted.

    --
    $nice = $webHosting + $domainNames + $sslCerts

    1. Re:It's that darn preset target by illegibledotorg · · Score: 5, Insightful

      FWIW, their connection isn't any more encrypted than a standard VPN.

      The only part of the connection that is "more secure" is the authentication phase, since they had to use two factors to log in (their token code and their password).

      See Two-factor Authentication

    2. Re:It's that darn preset target by BlowChunx · · Score: 3, Funny

      "Those Who Sacrifice Liberty For Security Deserve Neither." - Benjamin Franklin

      "Those who sacrifice security for liberty deserve neither, either." -- BlowChunx

    3. Re:It's that darn preset target by jollyreaper · · Score: 5, Funny

      "Those Who Sacrifice Liberty For Security Deserve Neither." - Benjamin Franklin

      "Those who sacrifice security for liberty deserve neither, either." -- BlowChunx

      "Those who sacrifice virgins to volcanoes are missing the point of what virgins are for." -- Me

      --
      Kwisatz Haderach
      Sell the spice to CHOAM
      This Mahdi took Shaddam's Throne

  5. Code Reviews and Coding Conventions by Starrk · · Score: 5, Insightful

    How many buffer overrun exploits have been found in other people's software because the coders are just lazy? Google also tries to prevent this by explicit rules that everyone must follow no matter what: for example, you are not allowed to check in code using sprintf instead of snprintf.

    A little thing to be sure... until you realize that it's one of many such rules, and they actually are followed.
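The sprintf-versus-snprintf rule in practice, as an added example (not code from the thread or from Google): a path-joining helper that formats into a fixed buffer and, unlike a sprintf() version, cannot write past it. The helper name and the sample paths are made up; the point it demonstrates is that snprintf() alone is not enough, since its return value must be checked to detect truncation.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Result of formatting into a fixed-size buffer. */
enum fmt_result { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/*
 * Build "<dir>/<file>" into out (capacity outsz bytes).
 *
 * A sprintf() version of this function has no way to know outsz, so a long
 * dir or file name writes past the end of out: the buffer overrun the rule
 * bans. snprintf() never writes more than outsz bytes and (for outsz > 0)
 * always NUL-terminates, but the common follow-on mistake is ignoring its
 * return value: it reports the length the full string WOULD have had, so a
 * value >= outsz means the output was cut short.
 */
enum fmt_result join_path(char *out, size_t outsz, const char *dir, const char *file)
{
    if (out == NULL || outsz == 0)
        return FMT_ERROR;

    int n = snprintf(out, outsz, "%s/%s", dir, file);
    if (n < 0) {
        out[0] = '\0';          /* encoding error: leave an empty, terminated string */
        return FMT_ERROR;
    }
    if ((size_t)n >= outsz)
        return FMT_TRUNCATED;   /* out holds the first outsz-1 bytes plus NUL */
    return FMT_OK;
}

/* Wrapper for callers that must refuse anything but a complete result. */
bool join_path_strict(char *out, size_t outsz, const char *dir, const char *file)
{
    return join_path(out, outsz, dir, file) == FMT_OK;
}

int main(void)
{
    char buf[16];   /* deliberately small so the second call truncates */
    enum fmt_result r = join_path(buf, sizeof buf, "/etc", "passwd");
    printf("%d: %s\n", r, buf);
    r = join_path(buf, sizeof buf, "/var/log/audit", "audit.log");
    printf("%d: %s (%zu chars kept)\n", r, buf, strlen(buf));
    return 0;
}
```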

    1. Re:Code Reviews and Coding Conventions by kevin_conaway · · Score: 4, Informative

      Tools like PMD help with this.

      We ended up getting bitten by bugs like unsynchronized access to a static DateFormat object, so we wrote a PMD rule to fail our build if anyone does such a thing. We have other rules that curb the use of IOUtils.copy (instead of copyLarge).

      I highly recommend using some sort of static analysis as part of your CI process.

    2. Re:Code Reviews and Coding Conventions by Shados · · Score: 2, Informative

      What the previous poster was referring to is that serious development shops will use code analysis tools to enforce it: that is, the code will not be allowed to be checked in (or to be integrated to the trunk, or whatever) if the rules are not followed, and they are enforced at the source control level (or something).

      Variations include having the code analysis tool throw "compiler" warnings, and making the compilation consider warnings as errors and fail the build.

      Once you start working in an environment that does such things, you don't go back: the code quality goes up 10x.

    3. Re:Code Reviews and Coding Conventions by Shados · · Score: 2, Insightful

      MS actually stops these things from getting into the build now, using tools such as FxCop and variations. The issue comes from legacy code that is still part of their newer products (and refactoring such mammoth code bases doesn't happen overnight), on top of deep architectural issues that cannot be caught by simple rules... If they started from scratch enforcing their current policies, it would be much better.

      However, the world isn't so simple... so Microsoft has to pay the price.

    4. Re:Code Reviews and Coding Conventions by encoderer · · Score: 2, Insightful

      I remember that story. I think it was mentioned on The Old New Thing? ..Ya know, this is what bugs me about the bum rap that Microsoft gets.

      True, to professionals in the field, it's often easy to be appalled at what we see as incompetence.

      (And I'm not speaking to the management/sales, just the tech side of Microsoft)

      But given the same goals, constraints and budgets, I bet that most assembled teams would produce software of no greater quality than what they have produced.

      Hear me out.

      1. Look at the SimCity example. This is a great anecdote to illustrate what we already know: MSFT has historically put a great premium on backwards compatibility. And I'll tell ya what.. when I was 15 years old installing SimCity on my new Win95 box, I'd have been damn upset if it crashed. To people like that--call them "regular users"--CONSISTENCY is incredibly valuable.

      2. So to accomplish that you're going to be including a great deal of legacy code from one release to the next. (Virtualization wasn't really an option when the high-end box is a P75 w/ 8MB RAM)

      3. Paradigms change. Microsoft kept re-packaging old code that was written at a time when networks, let alone the internet, were a rarity. ESPECIALLY at home. And even when it did become more pervasive, it was 28.8k dialup connections.

      Which brings me to my point:

      This is not an easy job. Especially when your software is so widely installed on all systems running all manner of other devices on all sorts of different hardware.

      In fact, in this regard, Microsoft HAS NO PEER. You cannot compare what they did w/ what Apple did. For a number of reasons. Mostly because if Apple had the same success Microsoft had in the 90's, they'd have been forced to make different, sometimes troubling technology decisions, too. Jobs has a great mind for this stuff, but if Apple was one of the most profitable companies in the world and that profitability was put at serious risk because a decision was made to break backwards compat. for Biz customers, he'd have to explain himself to the Board and he probably wouldn't win that argument.

      I mean, to a geek on here, the notion that Microsoft has THOUSANDS of comments like: /* Special SimCity MALLOC/FREE fix */

      and /* WordPerfect 2.2 Buffer Overflow Fix */

      makes us want to go scrub ourselves in the chemical shower.

      But to a home user, that's CUSTOMER SERVICE. That's making their Birthday or Christmas AWESOME by being able to hook up their expensive gifts and USE them.

    5. Re:Code Reviews and Coding Conventions by ballwall · · Score: 2, Insightful

      I don't disagree with any of the points you've made, other than the fact that they chose this path in order to keep their dominance. Yes, keeping backwards compatibility for increasingly diverse environments is hard. But they figured it was the easiest way to keep people on their platform. To say that this somehow releases them from the commitment of making their hacks and fixes *work* is another issue entirely.

      I don't disagree that it's 'hard'. I disagree that there was no choice in going that route. They chose poorly and we, the consumers, are left to deal with it. Just because the customer thinks they will be happy with a choice doesn't mean it was the right choice, or even that the customer will indeed be happier with it. Sometimes you have to make the hard choices for your customer knowing they aren't equipped to make it themselves.

  6. Security secrets? by illegibledotorg · · Score: 5, Informative

    TFA is a little scant on "security secrets."

    What is covered is some general security policy and philosophy.

    And here I was, waiting to read all about GIDS and GFirewall. Thanks, ITNews, for instead educating me about archiving security logs for later review!

    1. Re:Security secrets? by Peter+Cooper · · Score: 3, Funny

      Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained to attendees at the RSA conference how the company handles constant pressure and scrutiny from attackers.

      I guess Google shared some secrets, and that's the news. Not that we get to read the secrets. Still, this is Slashdot.. :)

    2. Re:Security secrets? by street+struttin' · · Score: 2, Funny

      TFA is a little scant on "security secrets."

      Well duh. They're secrets.

  7. Pathetic Article by Safiire+Arrowny · · Score: 2, Funny

    That article literally had no content whatsoever. In fact I think it was so content free that I might know less about how Google does security now.

    Is there a page two I'm missing?

    1. Re:Pathetic Article by bteeter · · Score: 2, Insightful

      I almost never RTFA here or elsewhere until I've read the first few comments. It's saved me so much time that I highly recommend it.

      I understand Slashdot and other sites need to throw up news every hour or so to keep us clicking their ads, but do they ever read this stuff to see if it's worth posting?

  8. malware infiltrates google searches by McFly777 · · Score: 3, Interesting

    I submitted this a couple of days ago but, hey, it didn't get picked up.

    This article at the San Francisco Chronicle doesn't tell me exactly what is going on, but apparently there is the potential for 7 of 10 search results to return malware.

    My mother heard about this on the TV news, but the above was all I could find. Anyone else have any more detail?

    --

    McFly777
    - - -
    "What do people mean when they say the computer went down on them?" -Marilyn Pittman

  9. It's like out-running a bear. by mcmonkey · · Score: 2, Insightful

    Two guys are out camping. They get ready to bed down, and guy is putting on his sneaker before getting into his sleeping bag. The other guy inquires, what's up with that?

    The guy says, in case a bear attacks our camp during the night.

    The other guy is skeptical. With sneakers or without, there's no way you can out-run a bear.

    The guy replies, I don't need to out-run the bear. I just need to out-run you.

    I suspect Google security is pretty much the same way, with a twist. Why try to hack Google, when I can use Google to find credit card numbers, unsecured plain text password files, servers running old, unpatched versions of vulnerable software, etc.

    I'd think the hacker going after Google would be as popular as the kid who rats out the teacher who buys the kids beer.

  10. Punch "gmail xss" into your search bar... by davidbrit2 · · Score: 2, Interesting

    I get 1.6 million hits from Google themselves. They may be overestimating their security practices just a wee bit.

  11. How many of us ping google? by MichaelCrawford · · Score: 3, Insightful

    C'mon, I know you do it too: when I want to see if my Internet is working, I "ping www.google.com".

    I still find it surprising that it ICMP_ECHO_REPLYs my ICMP_ECHO_REQUESTs. Why?

    A lot of sites disable ping because, years ago, The Ping of Death could crash a server by sending maliciously-crafted ping packets.

    And you can DOS a server by flooding it with pings.

    I'd be interested to know just how many pings Google receives, and replies to each day.

    And how many of those are maliciously encoded, only to be defeated by the ub3rh4x0r5 at Google.

    --
    Request your free CD of my piano music.

  12. physical security by Kartoffel · · Score: 2, Informative

    What about physical security for Google facilities? Last time I was in Mountain View I took a leisurely stroll right through the middle of the Googleplex, right past the life sized dinosaur skeleton, right past the sand volleyball court and hot tub and right through a couple of their office buildings. I like how the Googleplex is set up like an academic campus, but it's pretty trivial for a bad guy to bypass the card access doors by piggybacking behind somebody else.

    Also, the whole place is made out of floor to ceiling glass windows. It would be really simple to shoulder surf somebody's display through a telescopic lens or listen against a window with a laser mic. There's a reason high security buildings tend to resemble windowless block houses. Hopefully, anybody with a window seat at the Googleplex never processes sensitive data.

  13. That's kinda scary by Jay+L · · Score: 3, Interesting

    I'm a bit down on Postini lately. A few months ago, they started marking my personal e-mails to Postini customers as spam. Which is kinda ironic. And pretty damned annoying, since my lawyer, my broker, my apartment manager and my chiropractor are all on Postini servers. But hey, that happens. I went over my server with a fine-tooth comb, I set up SPF, DomainKey, DKIM, no luck. I even switched servers. No matter. My e-mail, now digitally signed in triplicate, was still being scored as 90% probable spam.

    So I tried to get in touch with their postmaster group. Only they don't have one. And I tried to check their feedback loop. Only they don't have one. As a shareholder, I even wrote to Investor Relations. No response. In the process, I found out that they have a universally awful reputation among the mail delivery community.

    In the end, all they could tell me was that their system decided my mail was spam because - I kid you not - their system had, previously, decided my mail was spam. Which, of course, increases my spamminess score. And so on, and so on, until we're all using the same shampoo.

    So, to recap: The guy in charge of keeping Google secure, Scott Petry, is the guy who invented a system that bit-buckets your e-mail, with absolutely no accountability, no sanity checks, no industry best practices... because of guilt by association WITH YOURSELF.

    Be afraid. Be very afraid.

  14. NCC 1701G by mrsteveman1 · · Score: 5, Funny

    "Scott Petry, director of Google's Enterprise"

    The big secret? apparently google is developing a starship

  15. Any competently run site is pingable. by Medievalist · · Score: 4, Informative

    C'mon, I know you do it too: when I want to see if my Internet is working, I "ping www.google.com".
    I still find it surprising that it ICMP_ECHO_REPLYs my ICMP_ECHO_REQUESTs. Why?

    I find it surprising that you find it surprising! :)

    A lot of sites disable ping because, years ago, The Ping of Death could crash a server by sending maliciously-crafted ping packets.

    The "Ping of Death" gained fame because any chump could create one from a totally generic Windows system using the broken ping that Microsoft was shipping at the time. The technique is applicable to any IP protocol, not just ICMP echo. You can make an SMTP of Death fairly trivially. Just fake up a datagram with a total length greater than 65,535 by abusing the fragment offset field of the IP header, and if the target system does not check total length for validity you can overflow memory and hose the system. If that didn't make sense to you, just remember the "Ping of Death" has NOTHING TO DO WITH PING - it's an IP vulnerability that used to exist for ALL protocols in the IP stacks of certain vendors (IBM, Sun, Cisco, etc.) and is now fixed.

    And you can DOS a server by flooding it with pings.

    And you can do it more easily with practically any other type of packet. If you plan to block all traffic that can be used for DOS, you must block all traffic, period.

    Ping is a service we all should provide to our internal networks from individual hosts, and to the Internet at large at the network edge. Configure your routers to respond to pings for your hosts instead of passing them through the firewalls. Ping is how people who need to test their ability to reach your hosts or site can do so. It is a simple tool that consumes a minimal amount of bandwidth to get the job done.

    I'd be interested to know just how many pings Google receives, and replies to each day.

    They might tell you if you ask. If it ever gets out of hand they'll just respond with normal traffic shaping techniques.

    And how many of those are maliciously encoded, only to be defeated by the ub3rh4x0r5 at Google.

    There's nothing dangerous about ping. Nothing... you can tell if a network is competently administered just by pinging it, my friend. I'd never hire anyone who had an unpingable net.

    Hmmm... where's BadAnalogyGuy when you need him? OK, look, blocking ping is like saying that you've seen a guy killed by an Isuzu truck, so you think you can prevent all fatal accidents by banning Isuzu trucks from the highway. In reality, all you will do is prevent beer deliveries to my house, since my beer distributor uses Isuzus. This will make me hate you, just like people hate clueless firewall admins who block ICMP. Or wait, you saw a guy get bludgeoned to death with a hammer so you will ban all hammers while allowing people with large wrenches, razor knives and screwdrivers to pass without comment. That was pretty bad I think.
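The total-length validity check that Medievalist says vulnerable stacks were missing, as an added example written from the reassembler's side (not code from the thread or from any vendor's stack): a fragment whose offset plus payload would exceed the 65,535-byte IPv4 maximum is rejected before anything is allocated or copied. The struct, function names and header bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define IP_MAX_DATAGRAM 65535u   /* 16-bit Total Length field: absolute ceiling */

/* The IPv4 header fields that matter for the reassembly length check.
 * Constructed for this example; not a full header parser. */
struct ip_frag_info {
    uint8_t  ihl;           /* header length in 32-bit words (5..15) */
    uint16_t total_length;  /* Total Length: header + payload of this fragment */
    uint16_t frag_field;    /* 3 flag bits + 13-bit fragment offset, host order */
};

/* Decode the needed fields from a raw IPv4 header (>= 20 bytes, network order). */
bool ip_frag_info_parse(const uint8_t *hdr, size_t len, struct ip_frag_info *out)
{
    if (hdr == NULL || out == NULL || len < 20)
        return false;
    if ((hdr[0] >> 4) != 4)             /* version nibble must be 4 */
        return false;
    out->ihl          = hdr[0] & 0x0f;
    out->total_length = (uint16_t)((hdr[2] << 8) | hdr[3]);
    out->frag_field   = (uint16_t)((hdr[6] << 8) | hdr[7]);
    return true;
}

/* Return false if this fragment cannot belong to a legal datagram:
 * (offset * 8) + payload length must not exceed 65535 bytes. A stack that
 * sizes its reassembly buffer from offset + length without this check has
 * the failure mode described above; note the check never looks at the
 * transport protocol, because the flaw is in IP, not ICMP. */
bool ip_fragment_is_valid(const struct ip_frag_info *f)
{
    if (f == NULL || f->ihl < 5)
        return false;
    uint32_t hdr_bytes = (uint32_t)f->ihl * 4;
    if (f->total_length < hdr_bytes)
        return false;
    uint32_t payload = f->total_length - hdr_bytes;
    uint32_t offset  = (uint32_t)(f->frag_field & 0x1fff) * 8;
    bool more        = (f->frag_field & 0x2000) != 0;   /* MF flag */
    if (more && (payload % 8) != 0)     /* non-final fragments carry whole 8-byte units */
        return false;
    return offset + payload <= IP_MAX_DATAGRAM;
}
```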

    1. Re:Any competently run site is pingable. by jbpro · · Score: 2, Funny

      Any competently run site is pingable.

      Result of trying to ping slashdot.org:

      $ ping slashdot.org

      PING slashdot.org (66.35.250.150) 56(84) bytes of data.

      --- slashdot.org ping statistics ---
      9 packets transmitted, 0 received, 100% packet loss, time 8010ms

    2. Re:Any competently run site is pingable. by MadMidnightBomber · · Score: 2, Funny

      Hmmm... where's BadAnalogyGuy when you need him? OK, look, blocking ping is like saying that you've seen a guy killed by an Isuzu truck, so you think you can prevent all fatal accidents by banning Isuzu trucks from the highway.

      Ooh, ooh, and turning off all ICMP, hence killing PMTU discovery, is like taking the number off your front door to stop your house getting burgled and then wondering why you aren't receiving as much snail mail as you used to.

      --
      "It doesn't cost enough, and it makes too much sense."