Source Code To Google Authentication System Stolen
Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."
Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?
tar.gz or it didn't happen
More eyes make the bugs shallow, right? ;)
Put identity in the browser.
So, Schmidt is worried because google was relying on security through obscurity?
Seriously, the bad guys already have it, so enlist the help of the security community to improve it.
We are agents of the free
I thought the cloud was secure?
isn't it /. that always promotes that closed source doesn't improve security? i'd love to see /. put their source out there, money where their mouth is so to speak.
If you mod me down, I will become more powerful than you can imagine....
Release the code. So it will be useless for the bad guys.
That's not the American way, that's the responsible way.
Stolen?
What.. they are no longer in possession of the source code?
They should open source it, since a copy is out on the loose anyway. This could work to their advantage.
I still think capability based security is the only workable long term solution..
From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."
I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practices that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".
And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.
lol like Microsoft would even admit to this happening to them
This explains all those sexy emails my girlfriend has been getting from all kinds of different guys in her gmail account
Google hasn't complained the security system got cracked, nor is it buggy, nor is it said anywhere it's buggy. Troll, much?
"The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions."
"Does not appear" falls kinda short of a satisfactory statement. Considering the intruders took two days to get the source code, one wonders what else they were up to in that period of time. I'm changing my gmail password now..
there was no mention of whether their security system is buggy or not. The attack was made through a hacked internet site, with the help of an internal employee, not by someone "hacking into" the system. The weak link in the chain is always people, not software.
wasn't this same attack linked to MS internet explorer 6? had to bring that up...of course I could be wrong.
Anyone know of any large company opening up the source code to their security systems?
...the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future.
Many Bothans died to bring you this information...
Nobody needs the source code to exploit Microsoft software...
"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"
As Bruce Schneier said, security through obscurity does not work...
This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.
I thought copyright infringement wasn't stealing
matched the target
that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you
and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: its a good investment, because the payoff is gargantuan, the economics of the security situation works against google
the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdependent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Last I checked, authentication systems were a dime a dozen.
In Soviet Google, privacy discloses you.
cat
They took the code without Google's consent, hence they stole it.
Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.
1. Was the property provably taken without consent?
2. Was the property provably taken with the intent of depriving its rightful owner of said property?
If both of those tests are true, it's theft. In this case, Google still has a copy of their code, so the crime would not be considered theft in most jurisdictions.
Of course, in the USA there is no national definition of theft, since it's defined and prosecuted at the state level. Talk about confusing.
"Theft" is a concept that really varies in meaning from place to place. I guess that's why so many people jump on their high horse, wave their hands madly, and proclaim that various petty infringements are "stealing". They are probably right in the context of some banana republic somewhere.
It's only my face book and Gmail at risk and I keep all my secret plans to stop China's world domination on my secret server.
If taxation is legalized theft, then Capitalism is a prolonged rape followed by a slow death.
And if it's not directly available online, why is it anywhere near where a hacker can get to it, esp. code this sensitive? I'm truly dumbfounded. Heads should roll for this, and I mean heads way up there in the hierarchy. But otherwise, why isn't Google's password authentication software secure enough to withstand being stolen? VMS uses a one-way hashing routine for password authentication. So even if you have the code in question, it won't help you. Which, I suppose, is yet another reason that VMS is the best OS.
I've been sent spam recently from quite a few people whose gmail accounts have been hacked. Look at the gmail forums....
http://www.google.com/support/forum/p/gmail/label?lid=65ac3f0a8251ca2d&hl=en
Filled with spam from hacked account messages. Coincidence?
Think about this incident and the dozens (hundreds? Thousands?) of others not reported next time you do business with China. As I said before, I divested all my holdings in Chinese companies, I wish I could stop buying Chinese made products but since I'm a techno junkie that's well-nigh impossible.
I'm posting as AC because I'm lazy (and a teensy bit worried this will bite me back when our Han rulers come into power).
A cheap two factor solution like passwindow.com where the user tokens cost nothing to produce would be the best solution for mass deployment and more secure than most of the basic OTP electronic tokens which the trojans like Zeus are bypassing with MITB attacks. Anyone have any better ideas?
Yes; well the truth is that only if those eyes are looking (I'm sure the crackers will be). But still, it's yet another example that not publishing your source code just means that the only eyes looking other than your own are hostile eyes. Google should now publish the source code to this system and more of their other internal stuff that others could use and share.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Targeted zero day attacks to steal source code are worth 1000x more than an account to send spam on. Root at google? This is actually a big deal, above the realm of small bot shops, this is superpowers in a cyber arms race. Very strong implications on the security of cloud computing as the provisioning company can be the vector of attacks to any company it hosts.
The weak link in the chain is always people, not software.
The way I heard it, a person clicked on a link in Messenger; doing so opened a browser, IE presumably; viewing the page linked to in IE triggered a security baddie in IE, letting the site pwn the local machine in question.
So people are the weak link, because they click on links? Or because they don't download all their web pages in wget and analyze them for IE exploits first?
If so, loads of spare time spent tinkering and six years at a university studying CS doesn't make me quite as computer savvy as I thought :-(
Well, for the record, Google's security system IS BUGGY. There have been scattered reports across the internet about how users have accidentally been able to log in to other people's accounts. The problem has been reported to google multiple times on their mailing lists, but google has never given a proper response to it. They are likely afraid of the public PR disaster that would occur if people found out how insecure their google accounts really are.
References: http://answers.yahoo.com/question/index?qid=20100321162016AAZnwCC, http://talk.maemo.org/showthread.php?t=48382, http://www.google.pl/support/forum/p/gmail/thread?tid=13d02f7a7404e5f6&hl=en, http://www.google.com/support/forum/p/youtube/thread?tid=4426cc7a854b727d&hl=en, http://www.davidnaylor.co.uk/my-google-account-is-showing-someone-elses-adsense-account.html, http://www.google.com/support/forum/p/Google+Docs/thread?tid=65ca8c56386ded1e&hl=en
Another example?
The only reason these "hostile" eyes are looking in this case is because they were able to get the source code, similar to what publishing your source code achieves.
If the only eyes looking other than your own are hostile eyes, that would be an argument *against* publishing your code.
You can not steal information. You can copy it. But then the original owner still owns it. Sometimes you can also overwrite the copy that is not stored in people’s minds. But it is a very big difference. Because the one is meatspace, and the other bitspace.
Stealing is only applicable to real physical meatspace objects. Everything else is MAFIAA FUD.
Things just don't match up. I don't think this is in any way related to the Chinese government.
More likely, hackers have pals within Google China, and those pals helped them install a rootkit and blamed it on Windows and Messenger for the sake of plausible deniability.
And the hackers will probably use whatever vulnerabilities they discover (if any) to send spam on behalf of the compromised user accounts, and maybe pay for stuff using Google Checkout linked credit cards (although it will be tricky to get the sellers to ship it to China :-).
What would China possibly want with this code?
Kinda makes me hope a major sun flare (emp) hits earth directly.
It'd certainly solve the spam problem.
of their login script was moved onto the attackers computer and then they hung up. Google was forced to rewrite the script from scratch before they could log in properly...
heh. Don't let a poorly worded title turn into another "infringement != stealing" debate.
Yes, even the best security code can have design flaws, but a company the size of Google should be able to afford a security audit team to hunt down those very vulnerabilities.
The fact that Google is paranoid speaks volumes.
If the only eyes looking other than your own are hostile eyes...
The point being made was that this is the case only when you don't publish your code, and therefore the only way it gets out is if it's stolen - thus, now you have access and the person who stole it has access. If on the other hand you publish the code, then everyone, good and bad has access, and hopefully count(good) > count(bad)
I can imagine Google decides to replace Gaia. They might opensource parts of authentication or encryption code. A public audit if you will.
News: Google single sign on goes open source!
Since the bad guys have the code anyways, they should immediately publish the code as Open Source. Chances are, someone from the community will find the exploits before the guys who have stolen it.
This incident might also be used as an argument for open sourcing even critical code.
Remember, stolen is not theft, although all thefts have something stolen.
Really? That so? So if you steal my apple, it's fine if I just eat it anyway?
No, you intend to have the apple that I can no longer have it.
If you're taking my apple and then letting me eat it, it's called "holding on to it for me", not "theft".
It is high time that the international community makes such hackers' attacks a priority. The perpetrators should be aggressively persecuted.
There are the international organizations already for this task: ITU International Telecommunication Union www.itu.int , part of the UN, and INTERPOL www.interpol.int
It is not possible to protect anything, anything, by only passive measures. One can break any steel reinforced door with a sledgehammer for 10 minutes, explode any bridge, no matter how strong or well constructed, etc.
It is the combination of passive and active measures, which provides security.
The privacy and security of millions are under question. And what do the governments, whose profession is the protection of the population, do? Nothing. Not a single move.
Someone can steal my and your private information, commit identity theft, break into the accounts of minors, etc., and it seems to be of no concern whatsoever to anyone, except some high-forehead engineers.
But it is the job not only of engineers, but of police officers with badges, handcuffs, and guns. By a keyboard only it is not possible to handle this evil, which threatens the modern global infrastructure.
Such hackers should be placed into correctional institutions for years, where there is no access to computers and networks, and re-trained into non-computing vocations: woodworking, sewing, etc.
How do you infringe copyright without redistributing the source code? Since copyright is merely the exclusive right to distribute a copyrighted work, it cannot be copyright infringement to take and not distribute a copy.
Open source it and then no-one will care.
Nothing to worry about.
I'm so relieved you pointed out the way things should and should not be for the rest of us. We can just go ahead and keep storing our corporate data in google apps, keep all our personal info in google mail, and not worry about identity theft, corporate espionage etc.
And back on planet earth. You have to be taking the piss. If the real world worked the way your ideal one did then they would never have been hacked in the first place. Of course they are doing things that "they should not be doing".
they provide no extra information. they are the grammatical equivalent of wearing a suit: uncomfortable, extra effort, pointless. you understood what i wrote perfectly
yes, certain brittle fragile minds can't deal with novel formatting. this drives brittle fragile minds away from my words. and so i win, because then i don't have to wade through mediocre comment replies from brittle fragile minds
its a simple and effective form of social filtration
why do some people cover themselves in tattoos? for some people, dealing with someone covered in tattoos is like a ringing inside their head: they simply can't deal with it. for other people, if you're covered in tattoos, so what? i deal with you as well and as easily and as honestly as someone wearing a suit. so the tattoo covered person has a convenient social filter against the mediocre in their society
the mediocre mind trusts suits, but doesn't trust tattooed people. and plenty of snake oil salesman, demagogues, and charlatans throughout history have presented themselves as perfect specimens of respectability, manipulating the simple social cues, all the while lying their asses off, and yet mediocre minds listen, because they trust to the social convention, rather than the actual words
if you want poisoned prose, deal with the guy who writes his placid lies in sterling pointless grammatical convention. if you want the ugly truth, deal with me. i'm not here to impress you or cater to your comfort
I can take your ideas and expand them. Ooops.
Also, published code tends to be better quality because of the extra scrutiny it gets before letting others see it.
In my opinion, this whole mess could have been avoided if Google had made the use of Chrome, their own browser, mandatory for all their employees. Why do they push Chrome as not only a web browser, but as an OS platform, and not use it themselves?
Roman_Mir didn't do so well here http://developers.slashdot.org/comments.pl?sid=1622780&cid=31904240 just judging by his lame off topic trolling reply, as well as his inability to disprove what was written there.
Who knew they only meant that we shouldn't overreact?
Oh I did!
Unknown Chinese operatives steal password-check code to major US corporation. Political leverage for anyone to say cyberwar is ON. Since there are no real bodies or injured, it's all at the espionage level, and the media and public don't even have to know what happens. Secret wars are funny. On the same wire there's Warcraft, IRC, and unknown hand-crafted spy packets; in the real world, in one apt there's a quiet dinner, in the next some enemy asset is being administered a natural-heart-attack.
fetch the password, compare it. if there's anything else in it, it doesn't belong there, and it'll have bugs
Stay tuned for some shock and awe coming right up after these messages!
here's the shocking truth about your brain and your language:
http://www.languagehat.com/archives/000840.php
thrs smthng ls ntrstng y shld knw abt nglsh:
y dnt vn nd vwls t ndrstnd wht m wrtng
y cn rd ths lmst s fst s rglr txt
snt tht mzng?
http://brian.teeman.net/mister-men/do-we-need-vowels.html
I love it, apparently some trolling AC subscribed to my newsletter and is reading my every comment and needs to reply to all of them multiple times even. Excellent, next thing I know I have my own TV news station.
You can't handle the truth.
It reads as if someone went in and raided the offices, but it's unclear. I think it was just copied.
Another reason why people need to be clear when talking about software.
this line was a hoot:
“It’s obviously a real issue if you can understand how the system works.”
If understanding the security system puts the system at risk, then it was a broken security system to begin with.
Google should really know better.
The Kruger Dunning explains most post on
"The weak link in the chain is always people, not software."
incorrect.
People are a weak link, but so is software. I have accessed systems by forcing a software crash.
False.
They did not take it, they copied it. When you can copy someone's wallet and contents perfectly, then your attitude will be justified. Until that time, you are an ass AND incorrect.
Take - To capture physically; seize:
Take - To grasp with the hands; grip
Neither of those can be done with software.
The closest definition of steal would be: To present or use (someone else's words or ideas) as one's own. However, that's not what is happening here.
It's wrong, but it's trespassing and copyright infringement. Ah, but those words don't sound bad enough. Like how I rapped my software but stuffing my large code into it and then murdered it by deletion. ba ba BAAAAA~
I see what you're saying but I'm not sure how google is therefore responsible?
Maybe they need to update their blacklists? or possibly enforce better security policies?
Surely this kind of attack is equally applicable to any company...unless I'm missing something.
In response to your last point, I find that the more I know about computers, the more I realise there is to know...
I stand corrected. cheers.
I said another because exactly the same thing (leak of the source code against Microsoft's will) has happened to Windows previously. Another 30 companies were included in this recent Google break in. I know that a company I worked for had similar problems a while ago.
Basically, you can assume that your "enemy" already has the source code. The only question is, can you get more friends to read it? If you don't publish then the only other eyes will be hostile since friendly eyes won't have access. If you do publish you have a reasonable chance to be able to get friendly eyes to help.
I've been seeing some weird things going on with gmail lately.
One big one: I started receiving Google Alerts exactly like those I've set up previously, but marked by gmail as spam and not formatted exactly like real Google Alerts. They also have the warning that the email may not be from the source that it seems to be, though they 'seem' to come from google.
Another strange thing: while checking gmail a few days ago, all of the inline ad text turned to Chinese for about five minutes - I have a screen shot.
I think the intrusion goes deeper than we've been led to believe...
"I love it, apparently some trolling AC subscribed to my newsletter and is reading my every comment and needs to reply to all of them multiple times even. Excellent, next thing I know I have my own TV news station." - by roman_mir (125474) on Tuesday April 20, @10:58AM (#31910300) Homepage
http://developers.slashdot.org/comments.pl?sid=1622780&cid=31904240 it would appear that a quote has you shown trolling others, first no less, right in that url I just put up. Also, per my subject-line above: Face the music there in that URL link then. If you don't then everyone knows your skills & knowledge in the field of computing is shockingly limited, and also that you screwed up badly also by avoiding "facing the music" in that url there. If you do face the music, then your show's going to have to be a comedy is my guess because it's going to be funny watching you "eat your own words" roman_mir in that url I put up here, because you are just another dime a dozen "web developer" (that's a joke) and not truly a computer programmer is all.