Source Code To Google Authentication System Stolen

Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."

Paranoid about security?

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

Re:Paranoid about security?

[WrongSizeGlass]

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

What they meant was your privacy didn't matter to them.

Re:Paranoid about security?

[martin-boundary]

Except that when others (some journalists from CNET) (ab)used the data about Eric Schmidt that was broadcast far and wide on the intarclouds, Google complained and blackballed everybody from CNET for a year.

Who knew they only meant that we shouldn't overreact?

Many eyes = problem?

[choongiri]

So, Schmidt is worried because google was relying on security through obscurity?

Re:Many eyes = problem?

[Gamer_2k4]

So, Schmidt is worried because google was relying on security through obscurity?

Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

Re:Many eyes = problem?

I can appreciate that security through obscurity is false, but I kinda got the impression that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed. Can you say with absolute certainty that any open source software is absolute bulletproof? Even OpenSSH and OpenSSL have released numerous minor revisions to fix potential security exploits. Being open source doesn't automatically mean it's more secure, but when you've got a ton riding on some piece of software I think a bit of paranoia is justified.

Don't change it, release it

[Logos]

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

Re:so?

[Urza9814]

i'd love to see /. put their source out there, money where their mouth is so to speak.

...You mean like http://www.slashcode.com/about.shtml ?

It's all about leverage

[el_flynn]

From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".

And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.

Re:"Source Code [...] Stolen"

They took the Movie without paying for MPAA consent, hence they stole it.

We like to change the meaning of the words when it's convenient for us