Slashdot Mirror
Source Code To Google Authentication System Stolen
Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."
Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?
So, Schmidt is worried because google was relying on security through obscurity?
Seriously, the bad guys already have it, so enlist the help of the security community to improve it.
We are agents of the free
They should open source it, since a copy is out on the loose anyway. This could work to their advantage.
I still think capability based security is the only workable long term solution..
i'd love to see /. put their source out there, money where their mouth is so to speak.
...You mean like http://www.slashcode.com/about.shtml ?
Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..
They took the code without Google's consent, hence they stole it.
From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."
I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".
And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.
The Wknd Sessions - Malaysian and South East Asia independent music
lol like Microsoft would even admit to this happenning to them
By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.
Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...
Google hasn't complained the security system got cracked, nor is it buggy, nor is it said anywhere it's buggy. Troll, much?
matched the target
that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you
and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: its a good investment, because the payoff is gargantuan, the economics of the security situation works against google
the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdepndent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
They took the Movie without paying for MPAA consent, hence they stole it.
We like to change the meaning of the words when it's convenient for us
"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"
As Bruce Schenier said, security through obscurity does not work...
Are you sure he said that, or did he say that it was wrong to rely on security through obscurity? Obscurity (i.e. not telling tales out of school) is one valid element of an overall security model.
Crumb's Corollary: Never bring a knife to a bun fight.
This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.
So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.
It is a miracle that curiosity survives formal education. - Einstein
My point exactly - no matter how much it's modded "Off-topic" currently :D /karma
A cheap two factor solution like passwindow.com where the user tokens cost nothing to produce would be the best solution for mass deployment and more secure than most of the basic OTP electronic tokens which the trojans like Zeus are bypassing with MITB attacks. Anyone have any better ideas?
Yes; well the truth is that only if those eyes are looking (I'm sure the crackers will be). But still, it's yet another example that not publishing your source code just means that the only eyes looking other than your own are hostile eyes. Google should now publish the source code to this system and more of their other internal stuff that others could use and share.
=~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
Your book analogy isn't a similar situation at all. You didn't write the book, you weren't trying to keep it secret and the person possessing a copy doesn't negatively effect the original holder.
All of these things apply in Google's situation. Also my definition of steal is accurate, they broke in and copied the code without consent from Google. The copying part isn't the problem it is the without their consent part which makes it stealing.
That's a different issue really. Copyright Infringement would be re-distributing copyright without permission of the owner, etc.
This code theft is taking copyright that they had no permission to take.
Targeted zero day attacks to steal source code are worth 1000x more than an account to send spam on. Root at google? This is actually a big deal, above the realm of small bot shops, this is superpowers in a cyber arms race. Very strong implications on the security of cloud computing as the provisioning company can be the vector of attacks to any company it hosts.
"Does not appear" falls kinda short of a satisfactory statement. Considering the intruders took two days to get the source code, one wonders what else they were up to in that period of time. I'm changing my gmail password now..
Umm. Any company worth their salt doesn't keep plaintext passwords around, and has random salts for making sure that rainbow tables don't work either. How amateur do you think Google is?
I agree with your point. The very notion of "dangerous sites" sounds to me something like "dangerous newspaper articles". There's something wrong with the concept.
That said, I will point out that it's not necessary to root the machine to leave a back door, and it's not even necessary to gain arbitrary execution as the user to gather private details, passwords to online accounts, etc.
Plagiarism isn't theft, it's just plagiarism.
Downloading a copyrighted mp3 is not theft, it's copyright infringement.
Using someone elses patented invention isn't theft, it's patent infringement.
And so on.
Your attitude of invincibility is both dangerous and stupid. Firefox, like all web browsers, is complex software that has a long history of vulnerabilities. One buffer overflow vulnerability (and Firefox has a history of such vulnerabilities) is enough to run arbitrary code on your system.
Not true. The software you use every day almost certainly has security vulnerabilities that may allow code execution. History has shown that determined hackers have little trouble finding one.
No, mostly we hear those stories from people who don't know what the hell they're talking about. If you download and run some arbitrary executable, well, yeah, you can get infected. The same could happen if you went and installed a malicious deb/rpm.
Those people who truly *were* infected by "just clicking on a fucking URL" (and not by deliberate acts of stupidity on their part) are victims of software vulnerabilities. And those vulnerabilities exist on every platform.
Neither Microsoft's OS nor their messenger software had anything to do with this hole, although Internet Explorer might. Neither the messenger software nor the OS were vulnerable; the vulnerability was most likely either in the web browser or a plugin like Flash.
Slow down there, cowboy :)
They would have to argue successfully that the major portion of its economic value or benefit is lost to him (does it really use 'him'? how quaint)
I would argue that most of the world could have the source code and there's no real economic value loss to Google unless their shares dropped for a few seconds or somesuch since this became public knowledge. I can take slashcode, for example, but I'm not going to succeed in removing 'the major portion of slashcode's economic value or benefit' as it'd take a miracle, not the source code, to make my site popular enough that advertisers and the like would pay substantially less to Slashdot.
Similarly... Google has the networks, the contracts, the installed userbase, etc. the code, in part, enables the the economic value.. but it isn't the emodiment thereof. They could replace it with any other ol' code that'd be a drop-in replacement (as apparently they're doing, in part) and the economic value wouldn't be altered (unless they make it inferior).
According to the definition of deprivation you quote, it's not enough to cause the property to lose value. You have to withhold it from the rightful owner so that it loses value. And the hackers weren't able to withhold Googles own source code from them.
I simply took the definition from Google.
http://www.google.com/search?hl=en&site=&q=define:stolen&btnG=Search
Just because I don't conform to your world view I'm suddenly working for the music industry? Grow up.
Bruce Schneier was just trying to explain Kerckhoff's principle, which is that all security must be assumed to lie in the token and not in the algorithm, because the problem space for algorithms is very, very small, while the problem space for tokens (eg, keys) can be made arbitrarily large. In other words, if Google's algorithm relied on its secrecy for its effectiveness, they weren't doing it right.
Oh please! Nearly everyone tries "novel" forms of writing without capital letters, without punctuation, or of some other kind at least once. Usually when they're teenagers and they usually grow out of it when they realise it's nowhere near as "novel" as they first thought.
Capital letters are not redundant. They are incredibly useful due to the way we read. Once you're reached a certain level of proficiency in reading, you don't read one word at a time. You read whole sentences - sometimes several, or a short paragraph - in one go. You find the beginning, skip to the end, and look over the whole thing finding the meaning. This is a much quicker way of reading than a single word at a time.
Capital letters provide a very useful visual clue that quickly let you find the end of the sentence or block you wish to read and let you read it quickly. When they're absent, it slows you down and makes reading the text much more difficult and frustrating than it needs to be. It's simply poor communication.
Igor Presnyakov stole my hat