Source Code To Google Authentication System Stolen

Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."

Paranoid about security?

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

Re:Paranoid about security?

[WrongSizeGlass]

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

What they meant was your privacy didn't matter to them.

Re:Paranoid about security?

[coolgeek]

Really, this shouldn't matter, unless they are doing something they should not be doing.

Re:Paranoid about security?

[d'baba]

Am agreeing here. Am reminded of article which said. "Microsoft is a bunch of arrogant business people. Google is a bunch of arrogant engineers."
If security depends on code it is insecure. Period.
If security depends on people it is insecure. Period.
It is insecure. Period.
----
Hypertext isn't what it's marked up to be.

Re:Paranoid about security?

[drsmithy]

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

No, they said if you willingly broadcast your life all over the intarclouds they you have no grounds to complain about your privacy being violated when others (ab)use that information.

Re:Paranoid about security?

Please understand the context of a quote before referencing said quote. Eric Schmidt said:

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

Have a nice day.

Re:Paranoid about security?

[martin-boundary]

Except that when others (some journalists from CNET) (ab)used the data about Eric Schmidt that was broadcast far and wide on the intarclouds, Google complained and blackballed everybody from CNET for a year.

Who knew they only meant that we shouldn't overreact?

Re:Paranoid about security?

[Ofloo]

I agree with the above why should our privacy/private data be less important then theirs, rather then debating what attackers might achieve with this code we should be worrying about how much google is screwing up lately. This isn't the first attack where an attacker got in. And some of you might trust google which I don't btw, but is our private data safe with them anyway, from hackers that is, or are they pissed that the attackers didn't pay for the data they got :p

Re:Paranoid about security?

[pizzap]

That's not insightful, that's funny.

Re:Paranoid about security?

[Daengbo]

OK, more context:

Q: People are treating Google like their most trusted friend. Should they be?

A: I think judgement matters If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. But if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.”

In this context, "doing it" now refers to "treating Google like their most trusted friend" because otherwise, the phrase would be "shouldn't have it."

People are too political about this issue and refuse to actually think. Screw grammar. The meaning is quite clear in context. If you don't want someone to find out about something you're doing, don't do it through Google (or any other search engine). They all keep records and can all be subpoenaed. Use some other method.

So, yeah, don't trust GOOG with your darkest secrets. Schmidt said it, himself. Also, if you're smoking pot, do it in you house and not in the public park.

Re:Paranoid about security?

[elrous0]

This isn't about privacy, it's about Google's proprietary source code (i.e., their real money-maker and most protected trade secrets). That's the REAL story behind Google's spat with China. Google wanted to portray themselves as standing up to an oppressive regime, as striking a blow for human rights, etc. But the truth is that it's really about China threatening their bottom line by stealing a hunk of their valuable source code. Google was more than happy to cooperate with China on censorship and handing over information until Chinese hackers crossed the line and actually stole Google source code. It was only then that Google suddenly decided they were going to be crusaders for human rights. Of course early reports out of Google only mentioned the attempted break-in to gmail accounts, it was only later that we learned that the *real* target of the attacks was source code, not information about dissedents.

Re:Paranoid about security?

[geekoid]

Wow, you manged a 3 step program to nonsense. Most people just get to profit.

I don't think you even know what security is.

Trees can fossilize. Period
Tress grow in dirt. Period.
Trees are stones. Period.

And we know what a period is! Exclamation mark. Period~ Snark.Period

Re:Paranoid about security?

[thetoadwarrior]

Putting things on the public internet for a search engine to crawl and who has to follow the government law and then expecting your privacy is completely different from keeping your source code private and expecting no one to see it.

It doesn't take a genius to figure out the difference. Don't worry, it'll sink in eventually.

Re:Paranoid about security?

[Meski]

Now we find out if Google were using security through obscurity.

Sauce?

tar.gz or it didn't happen

Re:Sauce?

[binarylarry]

On the contrary, this sound like a job for

CAPTAIN PLANET!

Re:Sauce?

CAPTAIN PLANET!

Sorry kid, you got AIDS.

Yeah, from a blood transfusion... I guess you could call it that.

You have the superpower of being able to kill people painfully long after you are dead.

Now go to that evil petrol sheik's room and do your job! Death to polluters!

More Eyes

[Daengbo]

More eyes make the bugs shallow, right? ;)

Re:More Eyes

[thoughtsatthemoment]

Unless the bug have developed an invisibility cloak.

Re:More Eyes

[Soilworker]

That's why you need to look at it from a 45 degree angle.

Re:More Eyes

[Thanshin]

But then the bugs will appear to be in IE8.

Re:More Eyes

[Monchanger]

If I were to go find a copy and then find a bug in it, would Google accept my patch or would black helicopters show up above my house?

These aren't the helicopters you're looking for. Google's covert-op choppers are colorful and their secret agents pack paintball guns.

On a serious note: they might take a look and even incorporate it if it passes a Trojan Horse test. If so, they'd likely make sufficient changes on the path to production code where anyone who saw your patch would still not be able to use it to their advantage.

Re:More Eyes

[thoughtsatthemoment]

And Microsoft sues the bugs for patent infringement.

Many eyes = problem?

[choongiri]

So, Schmidt is worried because google was relying on security through obscurity?

Re:Many eyes = problem?

[Gamer_2k4]

So, Schmidt is worried because google was relying on security through obscurity?

Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

Re:Many eyes = problem?

I can appreciate that security through obscurity is false, but I kinda got the impression that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed. Can you say with absolute certainty that any open source software is absolute bulletproof? Even OpenSSH and OpenSSL have released numerous minor revisions to fix potential security exploits. Being open source doesn't automatically mean it's more secure, but when you've got a ton riding on some piece of software I think a bit of paranoia is justified.

Re:Many eyes = problem?

[choongiri]

He can't help it, you intolerant faggot. He's an American.

Last time I checked I was definitely not American. However you, sir, are most definitely a troll.

Re:Many eyes = problem?

[spazdor]

that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed

That's called relying on obscurity. If having the source code lets you find something Google missed, that means Google missed something.

Re:Many eyes = problem?

[macshit]

that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed

That's called relying on obscurity. If having the source code lets you find something Google missed, that means Google missed something.

No, it doesn't. There's a big difference between relying on obscurity -- which google, apparently, was not -- and simply being concerned because the bad guys have more ability to search for flaws.

The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

Re:Many eyes = problem?

[JackieBrown]

No. It is the one company that refused to turn over its user's data without the appropriate warrants.

Re:Many eyes = problem?

[Vellmont]

and simply being concerned because the bad guys have more ability to search for flaws.

Much of the world relies on security systems that are completely open and available to everyone. One of the prime examples is openSSH. Another prime example in openSSL. I don't hear too many people worried that these systems are more vulnerable because attackers have access to the code.

The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

Panic and stupidity are also natural human reactions. Since when did something being "natural" become a justification for something? I can understand the reaction, but that doesn't mean it's right.

It's pretty stupid to rely on code remaining secret. Code is something that's very difficult to make secret as it gets copied all over the place. How many people at Google already have access to it? It seems to me that if Google really wants to be secure they should just release the damn code so "the good guys" also have access to it, since apparently "the bad guys" already do.
   

Re:Many eyes = problem?

[fred911]

Did you forget Verizon?

Re:Many eyes = problem?

[InlawBiker]

They found Google's secret sauce.

    If Request.Form("password") = "JOSHUA" Then
    Response.Write("Greetings, Professor Falken")
    Set Godmode=1

Re:Many eyes = problem?

[Jeremy+Erwin]

We already know that Google missed something. The attackers got in. Now Google has to figure out what else it missed, and fix those bugs post haste.

Open source software works best when the code is publishable; when the millions of eyes can understand it and contribute back to it. Getting the code into publishable shape takes time and manpower, and right now, Google can spare neither.

Re:Many eyes = problem?

[jewps]

Just because there hasn't been any breach in security or security advisories for the latest OpenSSH flaws doesn't mean it's secure. I'm sure there are zero day exploits. The question is, how should one use it when such a flaw is found?

Being open source means a lot of things, but if I can hide one key element in my web infrastructure by closing off the source, even if I know the code is perfect, this is a step I will take. If there is such a source code breach at Google, it wouldn't be a bad idea for them to open it up for the rest to use.

Re:Many eyes = problem?

[someone1234]

Other than they missed open sourcing it?
I don't really see how a big company like them could prevent source leaks.
They surely got lots of employees that had right to look at the code.

Re:Many eyes = problem?

[anarche]

Yes they missed something, from TFA

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer...

How google missed a stupid employee? "But" (you yell) " there had to be a flaw that let them gain access!". Yes, there was a flaw:

The attacks took advantage of a flaw in Internet Explorer 6 that was quickly patched, although the damage had been done.

So a google employee in China was using IE6 and clicking on links from someone who claimed to be another employee who wished to remain anonymous?

They missed an idiot. Pure and simple.

Re:Many eyes = problem?

[JWSmythe]

Wow, that's almost identical to the code in everything I do, except it's:

        If Request.Form("password") = "1234" Then
        Response.Write("superuser access granted")
        Set Godmode=1

    I knew I must have been doing something right, if that's what they did too. :)

Re:Many eyes = problem?

[jimthehorsegod]

if I can hide one key element in my web infrastructure by closing off the source, even if I know the code is perfect, this is a step I will take.

But you can't close off the source - you have to accept the possibility that someone to whom you've granted access to the source could be hostile to you - in which case you have this exact same situation again (only you possibly don't even know it) It is true, however it might go against a natural reaction to keep your cards close to your chest, that if you rely on the 'bad guys' not seeing your code then you are relying on security through obscurity, and that means that outside the ring of trust, the only people who will *ever* see that code (if anyone) will be hostile

If there is such a source code breach at Google, it wouldn't be a bad idea for them to open it up for the rest to use.

Well quite - but seeing as you'll potentially never know if someone with malicious intent had already gained access, you might the best option is openness from the start...

Re:Many eyes = problem?

[Rogerborg]

Getting the code into publishable shape takes time and manpower

ORLY? I would have thought it'd take, what, 5 minutes to publish the same source that's already been shared[*]. Since that's the code that's causing them concern, they'd only harm themselves by trying to massage it before publishing.

[* Copying information is "sharing", right, not theft?]

Re:Many eyes = problem?

[DrXym]

Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

Hmm, I think Google's security team (and virtually any other) would disagree. You could follow best practice with regards to the design of a security and still not wish to advertise it to all and sundry. Why give the attacker the advantage of knowing what database / backends are involved, or the internal IPs, or the names of the developers who wrote the code, or the format of the payload inside some encrypted cookie, or any other detail that might show up in the source.

In an ideal world, perhaps it wouldn't matter if those things leaked out because security would be so perfect to withstand anything. But it isn't an ideal world, and sometimes secrecy is an extra layer of defence in its own right.

Re:Many eyes = problem?

[tehcyder]

So a google employee in China was using IE6 and clicking on links from someone who claimed to be another employee who wished to remain anonymous?

They missed an idiot. Pure and simple.

No, the employee who wished to remain anonymous was the one with knowledge of the subsequent internal inquiry, not the original person who sent the link.

Re:Many eyes = problem?

[fastest+fascist]

Google is concerned about the security implications of their source code ending up in hostile hands. I don't see how you can infer anything else from that than that they were relying on obscurity. If they weren't, it wouldn't matter whether someone sees their code or not, because their security approach would be one that didn't rely on the code remaining secret.

Re:Many eyes = problem?

[SharpFang]

I worked at a big portal, and I can say it was not possible to protect our apps from -everything-.
Some things are not possible - like keeping IPs of all the users ever vs every page in the portal visited ever. Too much data, simply.

We depended on obscurity - keeping the code secret - in several cases:
  - make the attacker believe the attack succeeded while it didn't, to make them continue this vector instead of trying something harder which could actually succeed
  - short-lived, statistical blacklists. If you knew you got blacklisted, you'd mitigate it, say, by switching IP.
  - caches that make your results unverifiable. Even if you affected the page on current page, you'll get result from one of 100 random nodes in the cluster, which was unaffected and thus you won't see results of your attack and decide it's not working.
  - volatile personal caches. If you really want, you can change the way the site behaves - for you. Nothing and nobody else will be affected.
  - bulletproof pages - several levels of fallback in case of error. If you manage to DoS one service, the page falls back to its alternative, quietly and transparently. It looks like your attack didn't work. It did, but we won't let you know it.

This is an efficient deceit that kills 99% of attacks dead in their tracks. Reading the sources by 3rd party would reveal it, and we'd be pretty much fucked - implementing -proper- security would cost a fortune, increase the cluster load by good 30%, and hold back current projects by months. But currently the site is built on a million of small white lies, so that if you try to break something, you never know if you succeeded or not.

Re:Many eyes = problem?

[Ash+Vince]

Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

I know that many people on slashdot would scream that obscurity provides no security at all this is actually not the case. It should never be the only method of security being relied on but it can be a single element of a wider secure system.

Keeping your source code secret does not actually preclude many eyes from looking at it since you can hunt out the best in the field of code security and get them to sign an NDA before looking at the code. I know this is more work that just open sourcing the code, but it is certainly an approach that has merit for large companies with deep pockets who also worry about protecting their ideas from copying.

Open Disclosure has it merits, but it is not the be all and end all of creating a secure system since it relies on the people who notice holes being honest about reporting them. Some people will always have an interest in just sitting on a possible flaw until they can exploit it, this is especially true for government spooks.

Basically, there are perfectly valid arguments for and against the concept of security through obscurity so it is not quite as clear cut as you make out that it should not be used at all.

I have not actually seen the source code that Google had stolen so this all purely theoretical as to whether it was secure or not. I am only saying that the idea that the fact they want to now change code that they know has been compromised does not necessarily make it insecure by design.

PS - I just went searching on Google and found a cool old Slashdot link posted by Cmdr Taco: http://tech.slashdot.org/article.pl?sid=01/07/23/2043209&mode=thread&threshold=1

Re:Many eyes = problem?

[Ash+Vince]

They missed an idiot. Pure and simple.

All companies have idiots, this is not something that can be helped. Being an idiot is not grounds for dismissal so you just have to limit the damage they can do, but sometimes they need the ability to do a certain amount of damage in order to do their job. You cannot also just downgrade someones role because they cannot do not do it perfectly, you need to try and educate them how to do it first.

I recently had to clean up a virus infection caused by an employee who clicked on a dodgy link in an email. It was first thing on a Friday morning and he just made a legitimate mistake. He realised what he had done immediately and pulled the network lead out of his PC but by then the damage was done. I know that in a perfect world you would only employ people who could do their job before they started work but in the real world you often employ people who make mistakes, they are human after all.

Re:Many eyes = problem?

[Vellmont]

It sounds like most of what you call obscurity isn't. The other parts someone could already figure out what you're doing without access to the code. Do you really think switching IPs isn't something an 8th grader could figure out in under 5 minutes?

As far as real security "costing a fortune", my guess is that's because you've painted yourself in a corner. Why does it have to cost a fortune if your infra-structure was setup properly and your code was maintainable to begin with?

If what you say is true, access to the code means you're fucked.. well, you're already fucked since insiders naturally have access to your code, and changing the code isn't like just changing passwords.

Re:Many eyes = problem?

[SharpFang]

Any 8-grader can figure out switching IPs, but they won't if they see the site reply with "Authorization successful" to attempt to log in with a blacklisted IP. All queries will go to the site, will enter the memcache and won't ever get written to disk cache, and as they are gone a hour later, the 8th-grader will guess "moderators noticed and removed everything".

If the site replied with "Access denied", he'd switch IP, clear cookies, and we'd have to deal with him again.

Re:Many eyes = problem?

[geekoid]

NICE..well done.

Re:Many eyes = problem?

[Vellmont]

Heh. What a lot of work for so little in return. I'm sure it works for you, but I think you're underestimating the average 8th grader. Playing the guessing game of how you think people will react is a losing game. What I just can't fathom is why you don't just put in real security to begin with rather than play these bizarre games which actually sound more complicated, convoluted, and difficult to maintain than just having done it right in the first place.

Re:Many eyes = problem?

[macshit]

Google is concerned about the security implications of their source code ending up in hostile hands. I don't see how you can infer anything else from that than that they were relying on obscurity.

Because "relying" implies a fundamental and strong connection (if you're relying on something, you believe that thing is critical to success); "being concerned" with something is a far weaker, and often not entirely rational, connection.

It is very common for humans to "be concerned" about an event even when they have made proper efforts to prevent it becoming a problem.

Re:Many eyes = problem?

[SharpFang]

You seem to have never worked in 10k+ clicks per second environment.

A farm of several hundreds of servers works at between 80 and 100% load at all times. The developer costs are minor/negligible comparing to hardware, electricity and bandwidth costs. A man-month to optimize size of a single page by 1% is well worth the investment.

Increase of server load by 30% to remove another 0.1% of attacks is completely unacceptable. We don't care if 1% of users won't see the page. When the farm peaks in the rush hours about 5-10% won't anyway. So we're more concerned about these 5-10% than about that 1%. The core systems are properly secured - the main database and all script pages are 100% read-only from the frontend side. Devs and editors access it through dedicated link, which is properly secured. The only vulnerable parts are user-editable extras - fora, blogs, comments, polls, galleries. They are the first to cut off when the system peaks, they are sandboxed safely away so breaking them won't break the main articles, and honestly, if some of them get hacked from time to time - like someone takes over someone else's account, someone injects rude posts into someone's blog through some XSS, some poll gets skewed - nobody cares.

The beauty of the "deceitful" methods is that they cost nothing. A 401 error page would have to be displayed anyway, what costs us to replace it with a fake 200? A lookup into memcache brings necessary user ID along with blacklist status and then actually -saves- us a costly commit to disk. A proxy is there to protect the front servers from the traffic, the side effect of confusing the attacker is a desirable but not essential consequence. These counter-measures are okay because they cost only developer effort (cheap) and no server load (expensive).

Also, with Google eating up the lion share of the market, profit margins got much more narrow. It's not just a matter of buying another 500 servers. It's a matter of staying 3% above the break-even line, instead of 3% below. And if it comes to cutting costs, developers will be the first to cut.

Re:Many eyes = problem?

[Ol+Olsoc]

If Google had nothing to hide, they have nothing to worry about.

Gar, that just rolls off the tongue.....

Re:Many eyes = problem?

[Vellmont]

You seem to have never worked in 10k+ clicks per second environment.

Like the other 99.99% of the people out their. No.

It still sounds like your architecture wasn't really built to handle your current load, and it's more evolutionary than anything else. If 3% cost increase kills you in the IT world, your business is going to fail soon anyway. 3% returns are what happens in extremely mature markets, not ever changing never mature market of the internet.

Don't change it, release it

[Logos]

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

Re:Don't change it, release it

[dr-alves]

Not a rip off if you give it away and gain money/increase the readiness of the possible worker candidate pool out of it.

Re:Don't change it, release it

[TubeSteak]

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

There's probably a whole lot of stuff in that source code that is either a trade secret or gives clues to trade secrets google would rather keep private.

The most realistic course of action would be for them to hire some 3rd party pen testers and auditors to pick apart their code under a microscope.

Re:Don't change it, release it

[MikeFM]

Their sign-on sucks so they can't have much to hide. It's one of the worst I've seen and I'm constantly having users run into issues with it such as accidentally creating a new account for a sub-account login. It has a lot of issues related to Google Apps too. It's clearly not engineered to handle the many different systems that they now use.

Re:Don't change it, release it

[mr_stinky_britches]

they already have security geniuses at google. I know for a fact that they do not feel much need to hire external parties.

Re:Don't change it, release it

[noidentity]

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

The code was stolen, so they're going to have to rewrite it from scratch. You'd think Google would have had a backup somewhere, but maybe they stole that too.

Cloud security?

[HockeyPuck]

I thought the cloud was secure?

Re:Cloud security?

[siddesu]

the cloud is secure. it is the dev workstations that are in danger :)

Re:Cloud security?

[GNUALMAFUERTE]

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

As usual, the problem wasn't in the servers, or in the code, but in the people accessing it.

And, as usual also, Microsoft was involved.

Re:Cloud security?

[MorderVonAllem]

By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

Re:Cloud security?

[thetartanavenger]

Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

I wouldn't say Microsoft was directly involved, but back when I used Windows XP and Window Live Messenger, no matter what I did I could never get Windows Live Messenger to open up a link in anything other than IE. It's been a while so things might have changed, but this "feature" could make them at least indirectly involved.

Re:Cloud security?

[GNUALMAFUERTE]

Oh, except it was microsoft's operating system, and microsoft's messenger. I don't understand this concept of computing where you can click in "the wrong link". I can click in whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it on a browser, or asking me to download it. Except I sudo su and chmod +x $file and ./$file nothing is going to happen. But we hear all the time from windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc. Or just connecting on the wrong LAN. Clicking on a link IS NOT supposed to give ANYTHING any kind of execute permissions. I don't browse with Flash, but I do keep a Firefox-altern dir with Flash installed in case I really really need to check out something that requires Flash. I can't believe how invasive that thing is, and how many privileges it automatically grants to random content on the web. Same thing for JS. The simple fact that 'last measure' still works is living proof of how stupidly insecure certain technologies are.

And, no, it's not the user's fault for clicking on a link.

Re:Cloud security?

[causality]

By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

Messenger was just a way to launch the system default web browser to load the URL. Loading the browser independently and then typing that same URL into the address bar would have done the same thing. The browser and its vulnerability to the malicious contents of that URL are at issue here. My bet is that the OS was Windows and the browser was IE, in which case it's perfectly reasonable to say that Microsoft and its products were involved here. Unfortunately the article does not specify the browser that was used, but Microsoft Messenger does strongly indicate a Windows system so IE was at least available.

Re:Cloud security?

[Demonantis]

It is the tired and true issue of running everything as an administrator. Why do you need those rights when accessing a webpage. Does not make any sense and yet windows often makes it necessary. UAC does fix it for the most part, but windows it self has trained users the easy path of running as a power user all the time so most people turn it off. I'm not sure if it is as much technology as it is users now a days.

Re:Cloud security?

[AHuxley]

Microsoft was the way in and out.
What the google code was running on or stored in/as is not really the point.
MS consumer grade software was the hole that exposed the goggle work to the world.

Re:Cloud security?

[jpmorgan]

Unless, of course, that website that opens in your browser exploits a vulnerability in Firefox to take over your user account. From there on, if you're using Ubuntu for example, they could hijack your menus and next time you open up a control panel they use a fake gksudo dialog to steal your password, and then have complete control of your computer. Which is basically what happened to this fellow.

The only reason that doesn't happen to you and it happens to Windows users is obscurity.

Re:Cloud security?

[wvmarle]

Now that is true security by obscurity.

I mean: ever been in an aircraft flying through the clouds? Nothing much to see, the cloud obscures it all!

Re:Cloud security?

[GNUALMAFUERTE]

Except that Firefox's vulnerabilities are patched on average less than 24 hours after they have been discovered, that is, according to statistics, 15x faster than for micro$oft's IE.

On the other hand, I wasn't JUST complaining about "microsft software", I was complaining about insecure setups in general. Windows only allows an insecure setup. That's it. There is only one way to use it, and it's insecure by default. Any person with administrative access to any kind of important system (like this guy had), should be running sandboxed apps in a secure environment.

Extensive use of thoroughly configured SELinux/PaX should be mandatory on such a workstation. Stricter file permissions, app sandboxing, well thought iptable rules.

Most Unix systems are very secure on a default install. You can VERY EASILY harden a Unix system to be very very very secure. If you take enough measures, you can make a system virtually impenetrable. Windows, on the other hand, is absolutely insecure by default, with the chance of spending an enormous effort to turn it into (at most) a sort of insecure system.

Re:Cloud security?

[ashridah]

... Until they use an attack against one of the plugins that you have installed that have the same vulnerability on any platform: like, say, flash, which has insanely deep market penetration. If they were targeting you specifically (as is the case with a targeted attack against a specific company, which is what happened here), then they'll use whatever means they can to figure out what you're running.
Then they'll tailor the attack to take over flash (which on linux is no more sandboxed than it is on windows XP), and from there, they mess with your profile to the point where doing something that wants admin chains through their own thing, or they use a local vulnerability you haven't patched yet, and wait.
And all you would know is that flash crashed firefox once again, and you blithely restarted firefox.

Re:Cloud security?

[poppycock]

Cross-site request forgery or Cross-site scripting may be the culprit, which of course renders the browser mostly irrelevant, except to the extent that modern browsers, IE8 included, have a certain degree of protection against badly-implemented web sites.

Re:Cloud security?

[spidr_mnky]

I agree with your point. The very notion of "dangerous sites" sounds to me something like "dangerous newspaper articles". There's something wrong with the concept.

That said, I will point out that it's not necessary to root the machine to leave a back door, and it's not even necessary to gain arbitrary execution as the user to gather private details, passwords to online accounts, etc.

Re:Cloud security?

[RzUpAnmsCwrds]

Oh, except it was microsoft's operating system, and microsoft's messenger. I don't understand this concept of computing where you can click in "the wrong link". I can click in whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it on a browser, or asking me to download it

Your attitude of invincibility is both dangerous and stupid. Firefox, like all web browsers, is complex software that has a long history of vulnerabilities. One buffer overflow vulnerability (and Firefox has a history of such vulnerabilities) is enough to run arbitrary code on your system.

Except I sudo su and chmod +x $file and ./$file nothing is going to happen.

Not true. The software you use every day almost certainly has security vulnerabilities that may allow code execution. History has shown that determined hackers have little trouble finding one.

But we hear all the time from windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc.

No, mostly we hear those stories from people who don't know what the hell they're talking about. If you download and run some arbitrary executable, well, yeah, you can get infected. The same could happen if you went and installed a malicious deb/rpm.

Those people who truly *were* infected by "just clicking on a fucking URL" (and not by deliberate acts of stupidity on their part) are victims of software vulnerabilities. And those vulnerabilities exist on every platform.

Oh, except it was microsoft's operating system, and microsoft's messenger.

Neither Microsoft's OS nor their messenger software had anything to do with this hole, although Internet Explorer might. Neither the messenger software nor the OS were vulnerable; the vulnerability was most likely either in the web browser or a plugin like Flash.

Re:Cloud security?

[jimthehorsegod]

Except that Firefox's vulnerabilities are patched on average less than 24 hours after they have been reported to mozilla

FTFY

Re:Cloud security?

[LinuxAndLube]

Are you ready to put your money where your mouth is? If you agree, I will set up a Windows Server 2008 machine with default settings and give you the IP address. You have 24 hours to compromise the machine. If you succeed, I give you 1000 USD. If you don't, you give me 1000 USD. If you do not accept this challenge, I can only conclude that you're full of shit.

Re:Cloud security?

[Bungie]

That is hell, even without administrator access, since it can still delete your documents or hold them for ransom, or log into the source control system pretending to be you and send whatever it finds there to a remote server.

No, it can't. With UAC Internet Explorer runs at a lower integrity level which doesn't have high enough privileges to access your user files. It can only write to a few locations, and even those are abstracted to "Low" versions. But none of that matters, since the person in question was running IE6.

Re:Cloud security?

[roman_mir]

It is more secure, look, no airplanes are flying so there is less risk of dying in a crash.

Whoever came up with the idea of the 'cloud' has nothing on that volcano.

Re:Cloud security?

[GNUALMAFUERTE]

Please, please, read the post you are replying to.

From my post:

I don't browse with Flash, but I do keep a Firefox-altern dir with Flash installed in case I really really need to check out something that requires Flash. I can't believe how invasive that thing is, and how many privileges it automatically grants to random content on the web. Same thing for JS. The simple fact that 'last measure' still works is living proof of how stupidly insecure certain technologies are.

So, yeah, Flash is insecure. That's why I browse Flash-less, and I have a separate firefox install in another directory, that runs under nobody:nobody, with Flash installed. So, yes, that Flash is a lot more protected than a random Flash running on your average XP machine. It is not run regularly, only when I really need flash for something, and in that case it runs under another user with no privileges whatsoever. I have access to several important systems from this machine, and I'm not going to compromise that security. Off course, I access all of those services form a different account than I use for web surfing.

Re:so, how long

[siddesu]

That's not the American way, that's the responsible way.

"Source Code [...] Stolen"

[Animaether]

Stolen?

What.. they are no longer in possession of the source code?

Re:"Source Code [...] Stolen"

[LingNoi]

Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

They took the code without Google's consent, hence they stole it.

Re:"Source Code [...] Stolen"

They took the Movie without paying for MPAA consent, hence they stole it.

We like to change the meaning of the words when it's convenient for us

Re:"Source Code [...] Stolen"

[Animaether]

My point exactly - no matter how much it's modded "Off-topic" currently :D /karma

Re:"Source Code [...] Stolen"

[BC+Guy]

Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

They took the code without Google's consent, hence they stole it.

hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."

the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

a common sense analogy for you: say i break into your house and photocopy all of your books. no one would suggest that i've stolen your books. for me to have stolen you books, i would have to take then and leave you with nothing. in the google case that did not happen. hence OP's quite proper correction.

Re:"Source Code [...] Stolen"

[houghi]

Many would call it copyright infringement. At least in other discussions it is called that way.

Re:"Source Code [...] Stolen"

[LingNoi]

Your book analogy isn't a similar situation at all. You didn't write the book, you weren't trying to keep it secret and the person possessing a copy doesn't negatively effect the original holder.

All of these things apply in Google's situation. Also my definition of steal is accurate, they broke in and copied the code without consent from Google. The copying part isn't the problem it is the without their consent part which makes it stealing.

Re:"Source Code [...] Stolen"

[LingNoi]

We like to change the meaning of the words when it's convenient for us

Yes, downloading shit for free off the internet is stealing too. Also who is the "We" you're talking about.

Re:"Source Code [...] Stolen"

[LingNoi]

That's a different issue really. Copyright Infringement would be re-distributing copyright without permission of the owner, etc.

This code theft is taking copyright that they had no permission to take.

Re:"Source Code [...] Stolen"

[Animaether]

The "we" would be the majority of those who bother to comment on such stories.

There's very few who argue the opposite, such as yourself.

My own take on it can be gleaned from my comment history, but my original comment was mainly aimed at those who shout the loudest that 'copyright infringement isn't theft!' in the usual story comments threads :)

Re:"Source Code [...] Stolen"

[metacell]

Loosely speaking, you can call it "stealing". Legally, it's "copyright infringement".

Re:"Source Code [...] Stolen"

[metacell]

P.S. It may also be industrial espionage and a number of other felonies.

Re:"Source Code [...] Stolen"

[metacell]

You don't need to re-distribute a copyrighted work to commit copyright infringement. Making a single copy for yourself constitutes copyright infringement.

Re:"Source Code [...] Stolen"

[Hurricane78]

You got your definition of “stealing” wrong. Because you mixed up meatspace physics (reality) and bitspace physics (the realm of ideas/information).

The crucial point, is that when you steal something, the original owner does not have it anymore.
Something that is physically impossible as an atomic action in bitspace. You can copy. You can not move.
Hence you can not remove.

Because of those rules, anyone who isn’t delusional does not pass on information he does want to control.
So this is a security breach. Plain and simple. And nothing else.
Goggle stored its information somewhere not safe enough, and someone was good enough to get it. After that, everything was the same as with every other freely accessible information (like music, movies, text, etc) out there.

Please take off the MAFIAA FUD glasses. Thank you.

Re:"Source Code [...] Stolen"

[LingNoi]

So you're saying they have stolen Google's right to control their information, but at the same time they have not stolen anything?

Re:"Source Code [...] Stolen"

[GuldKalle]

The key word is "take". Source code is a subset of the concept of information. You cannot take information.

Re:"Source Code [...] Stolen"

[gknoy]

hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."

the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

You're right. One might say they infringed the copyright of Google's source code... depending on how you define copying. That said, "stealing" fits just fine here as a means of communicating an idea. The secret source code was precious of it, and they are now deprived of that secrecy. Moreover, every single reader here, when seeing "stolen", understood exactly what happened, and it's pretty pedantic of us to be arguing over the meaning of stolen.

Re:"Source Code [...] Stolen"

[mjwx]

"This author stole entire paragraphs from my dissertation"

That one is plagiarism, not theft. Stolen is the colloquial term, plagiarism is the legal term

They took the code without Google's consent, hence they stole it.

Technically this isn't theft either, it's infringement, corporate espionage, breaking into a computer system without authorisation and fraud. Steal, again is the colloquial term, the criminals in this case, if ever caught will not be charged with theft.

The English language is a funny thing, this is stealing in the same way that to say this [cheap item] was "a steal" to indicate the extremely low price for which I purchased it, not to indicate that I had committed theft to acquire it. BTW, colloquial definitions are in the dictionary.

Re:"Source Code [...] Stolen"

[tftp]

Also my definition of steal is accurate, they broke in and copied the code without consent from Google.

Several people noted that theft requires taking something away. Google still has their code. However it's probably correct to say that Google's trade secrets were stolen because Google doesn't have them any more.

Re:"Source Code [...] Stolen"

[L4t3r4lu5]

Your examples are spurious.

"Someone stole my wallet on the train" is fine. A person is deprived of a property of service which is rightfully theres by another person not authorised to do so.

"This author stole entire paragraphs from my dissertation" is a falicy. The original author still has the full dissertation, and was not deprived of anything. This is not theft, it is copyright infringement.

Google still has the code which was copied.

You should probably work for the music industry.

Re:"Source Code [...] Stolen"

[L4t3r4lu5]

If I take a picture of your house without your consent, I'm not stealing your house.
If I walk across your lawn without your consent, I'm not stealing your lawn.
If I scrape my key across your car without your consent, I'm not stealing your car.

Really, the two parts of the definition must be fulfilled for theft to occur: A deprivation of a good or service, and that deprivation of good or service to be without the proper owners consent. Your definition is still incorrect.

Re:"Source Code [...] Stolen"

[LingNoi]

I simply took the definition from Google.

http://www.google.com/search?hl=en&site=&q=define:stolen&btnG=Search

You should probably work for the music industry.

Just because I don't conform to your world view I'm suddenly working for the music industry? Grow up.

Re:"Source Code [...] Stolen"

[weicco]

Here's my two (not stolen) cents about this. I think the word "steal" is a little encumbered nowadays and needs clarification or we need to come up with a new word.

Photographing my books, even if I personally wrote them, is not stealing because I still have those books in my posession and there's no direct harm to me. Taking them so I wouldn't have them anymore on the other hand would be stealing and robber would have caused monetary harm to me (maybe I could've sold those books). But my "common sense" tells me that in the first part, while I've not suffered any monetary loss, the robber has got unjustified benefit over me: I paid for the books, robber didn't.

Now I would be willing to expand the word "stealing" to comprehend this kind of acts where victim does not suffer any direct harm but actor get unjustified enrichement. I'm not sure what other implications this could bring, maybe there are some bad side effects and my idea is just a dumb one, but I really don't like that someone can use my stuff to get some benefits I had to pay for (with money or time).

Re:"Source Code [...] Stolen"

[timmarhy]

it isn't theft, it's infringement, since when i buy an album they only grant me a license, not any kind of ownership. hence anyone sharing or downloading music is infringing on the original license granted.

in the case of google's code they haven't granted anyone any kind of license, they just came in and took it, so yes, it's stealing.

complex i know, but try to understand...

Re:"Source Code [...] Stolen"

[L4t3r4lu5]

I didn't say that you were working for the music industry. I suggested that, considering you both hold a disjointed view of the definition of the word "steal", you may wish to seek gainful employment with them.

FWIW, Google is not a dictionary
1. to take (the property of another or others) without permission or right, esp. secretly or by force
2. to appropriate (ideas, credit, words, etc.) without right or acknowledgment.

You might think that 2. fits your description. It does not. Nothing was appropriated (to take without permission or consent; seize; expropriate:) It was duplicated. Google still retains the code.

I grow tired of making this distinction on every single post which deals with an infringement of copyright or other licensed work.

Re:"Source Code [...] Stolen"

[LingNoi]

I grow tired of making this distinction on every single post which deals with an infringement of copyright or other licensed work.

Then perhaps you should just stop fighting a losing battle trying to "educate" everyone on what you think words should mean. Language and laws are formed by agreement from the majority. If the vast majority call it stealing then it is.

You don't happen to also spam threads telling people to use the term "cracker" instead of "hacker" as well do you?

Re:"Source Code [...] Stolen"

[weicco]

Well, maybe "malicious enrichment" would be better term :)

Re:"Source Code [...] Stolen"

[L4t3r4lu5]

The legal definition is in line with the definition I gave, so it really is "everyone else" who is wrong.

Calling illegal copying "theft" is a sign of stupidity, and joining in with the mouth-breathing, brainwashed swathes of Daily Mail-reading, Fox News-absorbing troglodytes of the world makes you one of them. When the law says that illegal copying = theft, I'll change my mind. Until that point, it's still just copyright infringement.

Enjoy your time with the popular crowd. I'm not sure you fit in here anymore.

Re:"Source Code [...] Stolen"

[SharpFang]

Yep, the distinction is valid, even concerning data. Credit card data of customers is often being stolen from small stores. Yes, stolen, as in the thief breaks in, removes the hard drive from the Point of Sale unit and runs away with it. THAT is stealing data.

Re:"Source Code [...] Stolen"

[Abstrackt]

You don't need to re-distribute a copyrighted work to commit copyright infringement. Making a single copy for yourself constitutes copyright infringement.

I thought that constituted fair use.

Re:"Source Code [...] Stolen"

[L4t3r4lu5]

Yep! I've spent my time explaining the difference between theft and copying on one of the few websites on the internet where everyone should know the distinction.

Boy, do I feel duped.

Re:"Source Code [...] Stolen"

[bigrockpeltr]

Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

They took the code without Google's consent, hence they stole it.

hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."

the sourcecode was not stolen. a the sourcecode was copied and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

a common sense analogy for you: say i break into your house and photocopy all of your books. no one would suggest that i've stolen your books. for me to have stolen you books, i would have to take then and leave you with nothing. in the google case that did not happen. hence OP's quite proper correction.

fixed that for u

Re:"Source Code [...] Stolen"

[Kijori]

the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

I think your post inadvertantly makes an interesting point about the silliness of the whole stealing vs copying debate. You write that "a copy of the sourcecode was stolen" - but it wasn't; a copy of the sourcecode was simply made. The copy never belonged to Google, Google didn't lose anything, and so - absolutely technically speaking - it wasn't stolen.

The point here is that despite the fact that you had the definitions of "to steal" and "to take" in front of you, and despite the fact that you were actively thinking about the difference between copying and stealing, you still used the word "stolen" to describe what happened. The fact of the matter is that even if they didn't lose any physical goods Google was deprived of something - the control they had over who saw their sourcecode and who didn't. This isn't a situation that comes up very often in the physical world (unless you're a spy - and even then they "steal secrets") so people turn to a metaphor that makes sense to them: stealing. And they do it, as shown by your post, even if they are trying to claim there's a qualitative difference between stealing and copying, which suggests that the metaphor fits our cognitive model of what's happened rather well.

An interesting (he says modestly!) thought experiment: consider the source code not as one copy but as an infinite number of copies that all currently occupy the same space. If I take one of those copies I don't actually deprive Google of anything - they have no fewer copies than they had before, for such is the nature of infinity - but it would still be a stolen copy. Perhaps this is an apt model to explain people are so quick to describe it as stealing, even when they are trying to avoid using the word: it seems fair to us that Google should be able to control the copies as well as the original (while they control the only copy, anyway), and by seeing the copies as existent, if unactualised, we can find a more familiar way of understanding why it is unfair to take a copy.

Re:"Source Code [...] Stolen"

[Animaether]

Tell that to the RIAA / slashbots ;)

In your model, the only person actually infringing upon anything would be the person who does have a license (presumably by buying the album) but then creates unauthorized copies. The people downloading wouldn't be doing anything in breach of a license, not stealing, and not copyright infringement.

That's neither the way the RIAA looks at it, nor the way the aforementioned 'we' look at it.

That -is- actually the way it is in NL, though (but doesn't apply to programs/books/etc. so in this case a downloader would still be in violation of law)

Re:"Source Code [...] Stolen"

[steelfood]

Well, it'd be the same if it was something you wrote like your journal or something about others like Harriet's notebook.

Took it, made a photocopy, and the put the original back. That sums up copyright infringement right there. Oh wait, it is copyright infringement. But it isn't stealing.

Re:"Source Code [...] Stolen"

[Battle_Ratt]

By your definition it would be impossible to steal a trade secret. The very nature of
That in itself just doesn't make sense.

There needs to be a very fundamentally different view on how theft is perceived in cases where the information itself was never to be publicly released. This is not copyright, as nobody but the author was supposed to have a copy.

That makes it "theft".

Re:"Source Code [...] Stolen"

[dissy]

We like to change the meaning of the words when it's convenient for us

It isn't exactly our fault that the word 'steal' has two very very different definitions, one in English, one in US Law.

In this particular case, it is an english use, so steal is correct, as that fits the dictionary definition.

The other cases are mostly referring to legal results (IE court cases) in which case if you use the dictionary, you will be wrong.
Or more correctly, if you use the legal dictionary, it will be defined to mean something totally different.

It is the submitters at fault for using the english definition in a legal context incorrectly.

Re:"Source Code [...] Stolen"

[noidentity]

So if I make a copy of your Slashdot post without your consent, I have stolen it (even though the post will still be on Slashdot)?

Re:"Source Code [...] Stolen"

[metacell]

I'm not sure how it works in the USA, but in my jurisdiction (Sweden), fair use is only applicable to published works. For unpublished works (like a company's internal source code), you may not even make a single copy for yourself without permission of the copyright holder.

Open source it

[ka9dgx]

They should open source it, since a copy is out on the loose anyway. This could work to their advantage.

I still think capability based security is the only workable long term solution..

Re:so?

[3p1ph4ny]

http://www.slashcode.com/

Re:so?

[Urza9814]

i'd love to see /. put their source out there, money where their mouth is so to speak.

...You mean like http://www.slashcode.com/about.shtml ?

Re:so?

[ooshna]

Oh shit buuurrrrnnn!!1!!

Re:so?

[Peach+Rings]

Wut?

Re:so?

[LingNoi]

How retarded do you have to be to not notice the about -> code link that's been on slashdot for years? Well just look at the parent!

It's all about leverage

[el_flynn]

From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".

And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.

Re:It's all about leverage

[ebonum]

Don't worry. When your medical records are put into databases, they will be secure.

Honestly. If you want it secure, keep it offline.

Re:It's all about leverage

[causality]

Cause we all know doctor's offices are impenetrable.

Two things about that:

One, someone who wants to break-and-enter into a doctor's office is going to leave behind physical evidence. It's the sort of crime likely to be solved through old-fashioned police work. It also can't be done from halfway around the world.

Two, that doesn't permit anyone to gain massive numbers of medical records. A thief who breaks into a doctor's office to obtain medical records is going to get the records for that doctor's patients only. With each break-in to each office, the chances of the thief getting caught increase substantially. Compare to a large centralized online database where potentially millions of records could be obtained in a single compromise by an attacker located anyplace there is an Internet connection.

Re:It's all about leverage

From what I read back when news of this first broke, usually when these attacks are successful, the infiltration lasts for years, because the goal is to quietly and relatively slowly pilfer things like that source code, not make a big mess as quickly as possible. If they are undetected, the attack is a lot more successful. The fact that Google caught this in 2 days speaks well for their security team.

Re:It's all about leverage

[AaxelB]

I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels".

I sincerely doubt this is anything near a "crown jewel" for Google. From TFA:

The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

Yes, a useful piece of software, and it probably works better than most every other site's login system. An important trade secret of Google's worth freaking out about? No. It also doesn't really seem like Google is freaking out. If they're making changes to the program, it's probably primarily to placate the panicky masses/press (or maybe panicky managers who don't really understand what's going on).

Honestly, this whole story seems like a non-issue. Google is pretty damn good with security (this attack was the exception that proves the rule), and I'd be very surprised if their login system couldn't stand on its own without the veil of obscurity. Their real crown jewels (some of the algorithms in the backend and, more importantly, their massive stores of user data and history) are safe and well behind the front lines. What's making them "paranoid about security" is that they were hacked and it's public knowledge. That shit is embarrassing.

Re:It's all about leverage

[Daengbo]

I think Schmidt said the same thing. ;)

If you are specifically targeted by a diligent and well-funded attacker, god help you.

Re:It's all about leverage

[badzilla]

How do they know this about the poisoned MSN conversation? It's hard to imagine that some huge break-in could (days or weeks afterwards) be traced back to such a specific entry point.

Re:It's all about leverage

[jvkjvk]

I sincerely doubt this is anything near a "crown jewel" for Google. From TFA:

Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

So, you don't think that being able to find vulnerabilities in a piece of Internet or Intranet facing software that controls access to other systems is important?

There's more than just IP in a kingdoms crown jewels. Such as not having your authentication methods compromised.

Regards.

Re:Security through obscurity

lol like Microsoft would even admit to this happenning to them

Thank goodness

[NEDHead]

This explains all those sexy emails my girlfriend has been getting from all kinds of different guys in her gmail account

Re:Thank goodness

[whovian]

This explains all those sexy emails my girlfriend has been getting from all kinds of different guys in her gmail account

Don't blame us, blame Google. It goes to show how googling "NEDHead's girlfriend" and hitting the I'm Feeling Lucky button is really that good.

Re:Thank goodness

[tgetzoya]

Don't blame us, blame Google. It goes to show how googling "NEDHead's girlfriend" and hitting the I'm Feeling Lucky button is really that good.

So I was bored and searched "NEDHead's girlfriend" with the I'm Feeling Lucky button....I got http://www.ndnation.com/misc/ultimate_br_thread.html

I can only assume by this:

1) Nedhead does not have a girlfriend
2) Every joke I see on the internet has or will be on Bash.org
3) ???
4) Profit?

Re:Security through obscurity

Google hasn't complained the security system got cracked, nor is it buggy, nor is it said anywhere it's buggy. Troll, much?

Is it time to change passwords?

[el_flynn]

"The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions."

"Does not appear" falls kinda short of a satisfactory statement. Considering the intruders took two days to get the source code, one wonders what else they were up to in that period of time. I'm changing my gmail password now..

Re:Is it time to change passwords?

"Does not appear" falls kinda short of a satisfactory statement. Considering the intruders took two days to get the source code, one wonders what else they were up to in that period of time. I'm changing my gmail password now..

Umm. Any company worth their salt doesn't keep plaintext passwords around, and has random salts for making sure that rainbow tables don't work either. How amateur do you think Google is?

Re:Security through obscurity

[dudpixel]

there was no mention of whether their security system is buggy or not. The attack was made through a hacked internet site, with the help of an internal employee, not by someone "hacking into" the system. The weak link in the chain is always people, not software.

wasn't this same attack linked to MS internet explorer 6? had to bring that up...of course I could be wrong.

Anyone know of any large company opening up the source code to their security systems?

Star Wars

[BarlowBrad]

...the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future.

Many Bothans died to bring you this information...

Re:Star Wars

[Mr+Stubby]

The greatest unsung hero of Star Wars universe is Manny Bothans.

Re:so?

[Lehk228]

my guess is GP was trying to be funny, but mix a little off-axis humor with humorless gits holding mod points and look what happens

Re:Security through obscurity

[Illogical+Spock]

Nobody needs the source code to exploit Microsoft software...

Wrong security model

[kocsonya]

"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"

As Bruce Schenier said, security through obscurity does not work...

Re:Wrong security model

[nomadic]

As Bruce Schenier said, security through obscurity does not work...

That has been a mantra on slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+ years old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.

Re:Wrong security model

[grcumb]

"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"

As Bruce Schenier said, security through obscurity does not work...

Are you sure he said that, or did he say that it was wrong to rely on security through obscurity? Obscurity (i.e. not telling tales out of school) is one valid element of an overall security model.

Re:Wrong security model

[causality]

As Bruce Schenier said, security through obscurity does not work... That has been a mantra on slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+ years old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.

If you want a more clear example, do some research on encryption algorithms and what it takes before they are considered secure enough for general use.

Re:Wrong security model

[Jeremy+Erwin]

Bruce Schneier: Secrecy, Security, and Obscurity

Re:Wrong security model

Bruce Schneier was just trying to explain Kerckhoff's principle, which is that all security must be assumed to lie in the token and not in the algorithm, because the problem space for algorithms is very, very small, while the problem space for tokens (eg, keys) can be made arbitrarily large. In other words, if Google's algorithm relied on its secrecy for its effectiveness, they weren't doing it right.

Re:Wrong security model

[wvmarle]

Obscurity may work for a while. Until someone discovers it: by accident or by trying.

For example a hidden web page: www.example.com/secret that is not published or linked to anywhere. Secure because it's obscure - works great until someone guesses the URL. Or finds it by an accidental typo.

If you want something to be proven secure, obscurity has no place. If you want to keep something hidden (but don't care too much if ends up out in public) then keeping it obscure is good enough.

Re:Wrong security model

[geekoid]

That's not what he said. I suggest you read his stuff. Obscurity is an aspect of security.

Not knowing where a pirate buried his gold is a pretty good way to reduce the chance of anyone finding it. It's no guarantee.

Rememberer: all security can be broken with enough time and resources. You could put your car in a bank vault and then drop it to the bottom of the ocean. Given enough time and money, I could still steal it.

Re:Wrong security model

[Battle_Ratt]

Technically speaking, even in good cryptography, there is obscurity. The private key is an obscure piece of information that only one person/system should know.

This piece of obscure information is required, but once it is known, everything is out in the open. The reference is therefore about how the algorithm uses this obscure piece of information. That is what needs to be open.

Re:Wrong security model

[kocsonya]

"That's not what he said. I suggest you read his stuff. Obscurity is an aspect of security."

I *did* read his stuff. He says that one can argue that using obscurity increases your security because it is an other step that your adversary has to overcome. However, if you keep reading, he shows that the above argument has many problems. In the last paragraph of his famous 2002 article he says:

"Kerckhoffs' Principle generalizes to the following design guideline: minimize the number of secrets in your security system. To the extent that you can accomplish that, you increase the robustness of your security. To the extent you can't, you increase its fragility."

In the same article he points out cases where keeping algorithms secret has a place. Not because it increases your security, for it does not. But keeping the algorithm secret might have benefits *other than cryptographic security* that outweigh the cryptographic security benefits of publishing the algorithm. One of his examples is missile guidance systems. The benefits of publishing your algorithms is nil, but it would give information to your enemies, which has zero or negative benefit. So you keep it secret. However, that does *NOT* make your guidance system more secure. You must assume that the enemy does know the algorithm. If without that assumption your system is vulnerable, then it is flawed. You use obscurity so that you inconvenience the enemy, not because you believe that that makes the system safe.

So, yes, he said that. Security by obscurity does not work. Obscurity is not part of security. Obscurity is a different concept, which may or may not be beneficial for your overall goal, but it is not beneficial for your security. As I mentioned, I read his stuff and it's there.

Paranoia

[Internetuser1248]

This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.

Re:Paranoia

[causality]

This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.

So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.

Re:Stolen

[t0y]

It's easy to be confused. If it wasn't released and kept "secret", it's stealing.
Copyright doesn't even make sense in this case.

the level of interest and sophistication

[circletimessquare]

matched the target

that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you

and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: its a good investment, because the payoff is gargantuan, the economics of the security situation works against google

the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdepndent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure

I have to say this...

[coolgeek]

In Soviet Google, privacy discloses you.

Not quite as "insightful" as the mods think.

[neiras]

They took the code without Google's consent, hence they stole it.

Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.

  1. Was the property provably taken without consent?
  2. Was the property provably taken with the intent of depriving its rightful owner of said property?

If both of those tests are true, it's theft. In this case, Google still has a copy of their code, so the crime would not be considered theft in most jurisdictions.

Of course, in the USA there is no national definition of theft, since it's defined and prosecuted at the state level. Talk about confusing.

"Theft" is a concept that really varies in meaning from place to place. I guess that's why so many people jump on their high horse, wave their hands madly, and proclaim that various petty infringements are "stealing". They are probably right in the context of some banana republic somewhere.

Re:Not quite as "insightful" as the mods think.

[LingNoi]

Would you be so kind as to cite an example?

Re:Not quite as "insightful" as the mods think.

[LingNoi]

So I've looked at this some more and this is what US law states on deprive:

3. "Deprive." To "deprive" another of property means (a) to withhold it or cause it to be withheld from him permanently or for so extended a period or under such circumstances that the major portion of its economic value or benefit is lost to him, or (b) to dispose of the property in such manner or under such circumstances as to render it unlikely that an owner will recover such property.

Since Google could quite successfully argue in court that their closed source code has lost value it's theft.

Re:Not quite as "insightful" as the mods think.

[metacell]

1. Was the property provably taken without consent?
2. Was the property provably taken with the intent of depriving its rightful owner of said property?

Are you sure about the second criterion? For example, if I steal an apple from someone, the intent is not to deprive the other person of an apple, it's merely to get an apple for myself.

Re:Not quite as "insightful" as the mods think.

[metacell]

Plagiarism isn't theft, it's just plagiarism.

Downloading a copyrighted mp3 is not theft, it's copyright infringement.

Using someone elses patented invention isn't theft, it's patent infringement.

And so on.

Re:Not quite as "insightful" as the mods think.

[Animaether]

Since Google could quite successfully argue in court that their closed source code has lost value it's theft.

Slow down there, cowboy :)

They would have to argue successfully that the major portion of its economic value or benefit is lost to him (does it really use 'him'? how quaint)

I would argue that most of the world could have the source code and there's no real economic value loss to Google unless their shares dropped for a few seconds or somesuch since this became public knowledge. I can take slashcode, for example, but I'm not going to succeed in removing 'the major portion of slashcode's economic value or benefit' as it'd take a miracle, not the source code, to make my site popular enough that advertisers and the like would pay substantially less to Slashdot.
Similarly... Google has the networks, the contracts, the installed userbase, etc. the code, in part, enables the the economic value.. but it isn't the emodiment thereof. They could replace it with any other ol' code that'd be a drop-in replacement (as apparently they're doing, in part) and the economic value wouldn't be altered (unless they make it inferior).

Re:Not quite as "insightful" as the mods think.

[metacell]

According to the definition of deprivation you quote, it's not enough to cause the property to lose value. You have to withhold it from the rightful owner so that it loses value. And the hackers weren't able to withhold Googles own source code from them.

Re:Not quite as "insightful" as the mods think.

[neiras]

1. Was the property provably taken without consent?

2. Was the property provably taken with the intent of depriving its rightful owner of said property?

Are you sure about the second criterion? For example, if I steal an apple from someone, the intent is not to deprive the other person of an apple, it's merely to get an apple for myself.

Intention to permanently deprive is defined at s.73(12) of the Australian Crimes Act as treating property as if it belongs to the accused, rather than the owner.

It's all definitions. Even "intent" might legally mean something other than you'd expect, depending on where you live.

There's a quick rundown on the encyclopedia in the sky if you're interested.

Re:Not quite as "insightful" as the mods think.

[vadim_t]

I don't see why.

First, I don't think it lost its value. It's not like I can legally go and torrent it. It's still copyrighted. It's still illegal for me to use it without Google's permission. So if somebody wanted to license it, just because it's somewhere out there doesn't mean they don't have to anymore.

Now, maybe you're trying to say that value was lost because there's more information about it than before, or because the ability to look at it somehow uncovers something that makes it less valuable. But that's nonsensical, because by this logic a negative review would be theft as well, since it reduces the value of something in the eyes of the public.

Also value could be lost because somebody else made something better, or it became obsolete. Is that theft as well?

Re:Not quite as "insightful" as the mods think.

[LingNoi]

Also value could be lost because somebody else made something better, or it became obsolete. Is that theft as well?

It could be if someone wrote something better using the stolen source code.

Re:Not quite as "insightful" as the mods think.

[vadim_t]

What do you mean by "using the code"?

It's theft if I look at the internals of the system and make something better, but not theft if I examine the system externally? Or it's only if the source was integrated into a new program? But that last case is a very clear one of copyright infringement, no need to bring "theft" into it.

Re:Not quite as "insightful" as the mods think.

[dissy]

Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.

That word implies you are using a legal context to define theft.

If that was what anyone else but you was doing here, you would be right.

The statement was not made in any legal context, so why would you randomly choose that definition knowing it is the worst possible fit?

In writing, one uses English, not law. In that case you DO use the English dictionary, which defines theft both as taking something tangible, and copying words.

As the speaker was writing, it only makes sense they would use words as writers use them, and thus the usage is correct.

Re:Not quite as "insightful" as the mods think.

[metacell]

He he, I can give any even better reason to call the media industry "thieves".

Assume that copyright really is a form of property, like its proponents usually claim. The law of the land dictates that the first 50/75/95/whatever years of usage of a copyrighted work should belong to the author. After that the work enters public domain, and its usage belongs to the public.

Retroactively extending copyright then means that the media industry is *stealing* usage time from the public - for the sole reason of being able to sell it back to us, in small pieces, at high prices.

Re:Not quite as "insightful" as the mods think.

[neiras]

In writing, one uses English, not law. In that case you DO use the English dictionary, which defines theft both as taking something tangible, and copying words.

I just quoted you by copying your words. Oh shit, I'm a thief now! Society would be so awesome if the dictionary was the final arbiter of meaning.

Seriously though, the original poster claimed that copying code was theft, and I provided some legal context. That's called expanding the conversation, and it adds value - something your pedantic nitpicking does not.

As the speaker was writing, it only makes sense they would use words as writers use them, and thus the usage is correct.

So what you're saying is, you think that conversations that begin with a narrow-minded and potentially untrue statement in a limited context should be constrained to that context? Kind of a polished, facile, and locked-down colloquy?

You must be a writer. Or an Apple customer.

Re:Not quite as "insightful" as the mods think.

[dissy]

You must be a writer. Or an Apple customer.

Better than a troll.

If you truly think pointless insults are adding to a conversation, your conversation is not something i need to see. Foed.

I'm not worried

[Evil_Ether]

It's only my face book and Gmail at risk and I keep all my secret plans to stop China's world domination on my secret server.

Why is production source code available online?

[mikein08]

And if it's not directly available online, why is it anywhere near where a hacker can get to it, esp. code this sensitive. I truly dumbfounded. Heads should roll for this, and I mean heads way up there in the hierarchy. But otherwise, why isn't Google's password authentication software secure enough to withstand being stolen. VMS uses a one-way hashing routine for password authentication. So even if you have the code in question, it won't help you. Which, I suppose, is yet another reason that VMS is the best OS.

Re:so?

[Soilworker]

"If you mod me down, I will become more powerful than you can imagine...."

I've noticed a lot of hacked accounts....

[zoid.com]

I've been sent spam recently from quite a few people who's gmail accounts have been hacked. Look at the gmail forums....

http://www.google.com/support/forum/p/gmail/label?lid=65ac3f0a8251ca2d&hl=en

Filled with spam from hacked account messages. Coincidence?

Re:I've noticed a lot of hacked accounts....

[MrBippers]

I've gotten one such email recently and another friend had 3 separate incidents from different contacts in the past month. It seems more probably than a massive increase it the success of brute force attacks.

Re:I've noticed a lot of hacked accounts....

[RichM]

This happened to me as well.
The worst part is, they kept my entire address book in the To: line, so everybody could see what my address book contained.
It included the addresses of a few high-class escorts (for innocent reasons, mind you) and the email address for my department at work who also received the spam - I had some quick explaining to do on that one...

Re:I've noticed a lot of hacked accounts....

[eulernet]

Do not use your gmail password on another site !

I think your gmail account has been hacked because you provided your gmail address, and created an account with your gmail password on another site.

When your account is compromised, don't forget to check the Settings/Accounts and Imports, to verify that no account has been added here.

Re:So what's great about Gaia?

[AHuxley]

Depends who gets what and in what time frame.
Would the NSA get https in real time 24/7 from day 0?
Would some local taskforces or feds get a backdoor with a court order re US porn, fraud, threats?
Did China want the same for its issues with Tibet, Xinjiang, Tiananmen Square,
CIA backed cults, officials talking to NGO's, evil journalists, local human rights workers, environmentalists ect.
Did Google play the court order game too long and something had to give.
Someone needed data fast on some issue and China took it.
China should learn from the USA. You dont request information from private networks, you *are* the only network and allow others to transverse it on your terms.
Play nice and enjoy wealth for all, make problems and feel the full force of the federal gov in every aspect of your life with 100% downtime later on.

Google needs to move to two factor authentication

[Mattpw]

A cheap two factor solution like passwindow.com where the user tokens cost nothing to produce would be the best solution for mass deployment and more secure than most of the basic OTP electronic tokens which the trojans like Zeus are bypassing with MITB attacks. Anyone have any better ideas?

Re:Stolen

[Jeremy+Erwin]

The value of a copyright lies in its exclusivity-- it is a legitimate monopoly on the right to publish. When a work is pirated, that monopoly is infringed and stolen away.

Re:More Eyes - if you publish

[rtfa-troll]

Yes; well the truth is that only if those eyes are looking (I'm sure the crackers will be). But still, it's yet another example that not publishing your source code just means that the only eyes looking other than your own are hostile eyes. Google should now publish the source code to this system and more of their other internal stuff that others could use and share.

Yes, coincidence, and much worse than spam

[Aargau]

Targeted zero day attacks to steal source code are worth 1000x more than an account to send spam on. Root at google? This is actually a big deal, above the realm of small bot shops, this is superpowers in a cyber arms race. Very strong implications on the security of cloud computing as the provisioning company can be the vector of attacks to any company it hosts.

Re:Security through obscurity

[jonaskoelker]

The weak link in the chain is always people, not software.

They way I heard it, a person clicked on a link in Messenger; doing so opened a browser, IE presumably; viewing the page linked to in IE triggered a security baddie in IE, letting the site pwn the local machine in question.

So people are the weak link, because they click on links? Or because they don't download all their web pages in wget and analyze them for IE exploits first?

If so, loads of spare time spent tinkering and six years at a university studying CS doesn't make me quite as computer savvy as I thought :-(

Re:so?

[mr_stinky_britches]

Ya, and have you ever tried to perform a slashcode install? It is a fucking nightmare, and there is little help. The slashcode available isn't even the current version used to power /., as far as I was able to tell. Hence why you don't see much slashdot slashcode clone sites..

If you know I'm wrong then please feel free to enlighten me..

Re:Security through obscurity

[bjourne]

Well, for the record, Google's security system IS BUGGY. There has been scattered reports across the internet about how users accidentally have been able to login to other peoples accounts. The problem has been reported to google multiple times on their mailing lists, but google has never given a proper response to it. They are likely afraid of the public PR disaster that would occur if people found out how insecure their google accounts really are.

References: http://answers.yahoo.com/question/index?qid=20100321162016AAZnwCC, http://talk.maemo.org/showthread.php?t=48382, http://www.google.pl/support/forum/p/gmail/thread?tid=13d02f7a7404e5f6&hl=en, http://www.google.com/support/forum/p/youtube/thread?tid=4426cc7a854b727d&hl=en, http://www.davidnaylor.co.uk/my-google-account-is-showing-someone-elses-adsense-account.html, http://www.google.com/support/forum/p/Google+Docs/thread?tid=65ca8c56386ded1e&hl=en

Copied! Not stolen! Big difference!

[Hurricane78]

You can not steal information. You can copy it. But then the original owner still owns it. Sometimes you can also overwrite the copy that is not stored in people’s minds. But it is a very big difference. Because the one is meatspace, and the other bitspace.
Stealing in only applicable to real physical meatspace objects. Everything else is MAFIAA FUD.

Re:Copied! Not stolen! Big difference!

[geekoid]

IN a complex system, it's not all in one person's minds. Small; bits is in a lot of peoples mind. Have you every worked on a system with millions of lines of code written from people all around the world? Can you recite it verbatim?

If someone stole the computers it was housed on, then they have stolen the code.

Some of the verbiage in the article implies something physical was stolen; however I suspect it's shoddy writing.

Something's fishy about the whole thing

[melted]

Things just don't match up. I don't think this is in any way related to the Chinese government.

More likely, hackers have pals within Google China, and those pals helped them install a rootkit and blamed it on Windows and Messenger for the sake of plausible deniability.

And the hackers will probably use whatever vulnerabilities they discover (if any) to send spam on behalf of the compromised user accounts, and maybe pay for stuff using Google Checkout linked credit cards (although it will be tricky to get the sellers to ship it to China :-).

Re:Stolen

[metacell]

Copyright is applicable to this case. By downloading the data from Google's servers, the hackers manufactured an unauthorized copy of it in their own computers, i.e, copyright infringement.

However, there may be laws against hacking and industrial espionage which make more sense to prosecute with.

Re:Stolen

[metacell]

Depriving someone of potential profits is not theft. The loss of potential profits may be part of the reason we have copyright laws, but the person who makes unauthorised copies only breaches the copyright laws, not any laws against stealing.

This has got to be a joke...

[3seas]

What would China possible want with this code?

Kinda makes me hope a major sun flare (emp) hits earth directly.
It'd certainly solve the spam problem.

Well, duh!

[flajann]

A "secure system" that depends on the secrecy of the code for its security is not secure. One should take it as read that the code has been (will be) released to the world. How does one design a secure system with that in mind?

Yes, even the best security code can have design flaws, but a company the size of Google should be able to afford a security audit team to hunt down those very vulnerabilities.

The fact that Google is paranoid speaks volumes.

Re:More Eyes - if you publish

[jimthehorsegod]

If the only eyes looking other than your own are hostile eyes...

The point being made was that this is the case only when you don't publish your code, and therefore the only way it gets out is if it's stolen - thus, now you have access and the person who stole it has access. If on the other hand you publish the code, then everyone, good and bad has access, and hopefully count(good) > count(bad)

tar.gz or it didn't happen

[Barryke]

I can imagine Google decides to replace Gaia. They might opensource parts of authentication or encryption code. A public audit if you will.

They should publish the code immediately

[jw3]

Since the bad guys have the code anyways, they should immediately publish the code as Open Source. Chances are, someone from the community will find the exploits before the guys who have stolen it.

This incident might also be used as an argument for open sourcing even critical code.

j.

ITU & INTERPOL

[Max_W]

It is high time that the international community makes such hackers' attacks a priority. The perpetrators should be aggressively persecuted.

There are the international organizations already for this task: ITU International Telecommunication Union www.itu.int , part of the UN, and INTERPOL www.interpol.int

It is not possible to protect anything, anything, by only passive measures. One can break any steel reinforced door with a sledgehammer for 10 minutes, explode any bridge, no matter how strong or well constructed, etc.

It is the combination of passive and active measures, which provides security.

The privacy and security of millions are under question. And what make the governments, whose profession is the protection of the population, - nothing. Not a single move.

Someone can steal my and your private information, commit an identity theft, break in into the accounts of minors, etc. and it seems to be of no concern whatsoever to anyone, except of some high-forehead engineers.

But it is the job of not only engineers, but for the police officers with badges, handcuffs, and guns. By a keyboard only it is not possible to handle this evil, which threatens the modern global infrastructure.

Such hackers should be placed into the correction institutions for years, where there is not access to computers and network, and re-trained into non-computing vocations: woodworking, sewing, etc.

Re:ITU & INTERPOL

[geekoid]

exactly why electronic money will fail.

BTW - What group is this that will go into someone else country, and grab people? What country would agree to that? How do you handle events backed by a discernment? Who goes after people in poor countries that want tom protect their sovereignty but does have the money to find people?

"Such hackers should be placed into the correction institutions for years,"
be be paid for by....?

I mean, you seem to have solved a problem no one else has every dealt with, so I am just assuming you have answered all these very basic questions. Later, we can discuss the difficult problems~

No nonviolent criminal should ever go to jail. There are better and more productive ways to punish. Don't believe the 3 strikes crap that the CCPOA feeds everyone. FYI they lobby in other states and federal, so their impact is not just Ca.

Re:ITU & INTERPOL

[Max_W]

No nonviolent criminal should ever go to jail.

Taking money from others' credit cards, breaking into accounts of minors, disrupting companies' business operations seem to me violent enough.

be be paid for by....?

As I said, it should gradually become a priority and handled by an international effort. We rely heavily on computer networks. Most of money, by the way, is electronic already. People, who are to work in the air, in aircraft, I am sure, not amused when someone try to break into their systems. And role of computer networks will be only growing.

Damaging the network and servers should be viewed as a crime against humanity. It is sort of a weapon of mass destruction.

The cost of isolating and re-training malicious "programmers" can be minimized by a good old outsourcing. For example, in Russian Federation's northern parts there are places where a camp can be organized without an expensive fence and perimeter guards. It is just impossible to walk away from there.

I listen to a radio show where they talked about it. How young German convicts are being sent nowadays to serve some of their time in remote areas of Siberia.

Open source it..

[crivens]

Open source it and then no-one will care.

Oh... Ok then.

[Colin+Smith]

Nothing to worry about.

I'm so relieved you pointed out the way things should and should not be for the rest of us. We can just go ahead and keep storing our corporate data in google apps keep all our personal info in google mail and not worry about identity theft, corporate espionage etc.

And back on planet earth. You have to be taking the piss. If the real world worked the way your ideal one did then they would never have been hacked in the first place. Of course they are doing things that ,"they should not be doing".

capital letters are redundant

[circletimessquare]

they provide no extra information. they are the grammatical equivalent of wearing a suit: uncomfortable, extra effort, pointless. you understood what i wrote perfectly

yes, certain brittle fragile minds can't deal with novel formatting. this drives brittle fragile minds away from my words. and so i win, because then i don't have to wade through mediocre comment replies from brittle fragile minds

its a simple and effective form of social filtration

why do some people cover themselves in tattoos? for some people, dealing with someone covered in tattoos is like a ringing inside their head: they simply can't deal with it. for other people, if you're covered in tattoos, so what? i deal with you as well and as easily and as honestly as someone wearing a suit. so the tattoo covered person has a convenient social filter against the mediocre in their society

the mediocre mind trusts suits, but doesn't trust tattooed people. and plenty of snake oil salesman, demagogues, and charlatans throughout history have presented themselves as perfect specimens of respectability, manipulating the simple social cues, all the while lying their asses off, and yet mediocre minds listen, because they trust to the social convention, rather than the actual words

if you want poisoned prose, deal with the guy who writes his placid lies in sterling pointless grammatical convention. if you want the ugly truth, deal with me. i'm not here to impress you or cater to your comfort

Re:capital letters are redundant

[dylan_-]

yes, certain brittle fragile minds can't deal with novel formatting.

Oh please! Nearly everyone tries "novel" forms of writing without capital letters, without punctuation, or of some other kind at least once. Usually when they're teenagers and they usually grow out of it when they realise it's nowhere near as "novel" as they first thought.

Capital letters are not redundant. They are incredibly useful due to the way we read. Once you're reached a certain level of proficiency in reading, you don't read one word at a time. You read whole sentences - sometimes several, or a short paragraph - in one go. You find the beginning, skip to the end, and look over the whole thing finding the meaning. This is a much quicker way of reading than a single word at a time.

Capital letters provide a very useful visual clue that quickly let you find the end of the sentence or block you wish to read and let you read it quickly. When they're absent, it slows you down and makes reading the text much more difficult and frustrating than it needs to be. It's simply poor communication.

Re:More Eyes - if you publish

[slprice]

Also, published code tends to be better quality because of the extra scrutiny it gets before letting others see it.

This whole mess could have been avoided

[aoshi73]

In my opinion, this whole mess could have been avoided if Google would have made the use of Chrome, their own browser, madatory for all their employees. Why do they push Chrome as not only a web browser, but as an OS platform and not use it themself?

Re:so?

[Daengbo]

No one wants to install Slashcode. The Slashdot site itself sucks, and always did. Years ago people came here because all the smart and intelligent folk in IT were here. Now we just come out of habit. The site still sucks though.

cyberwar: engage

[h00manist]

Unknown Chinese operatives steal password-check code to major US corporation. Political leverage for anyone to say cyberwar is ON. Since the are no real bodies or injured, it's all at the espionage level, and the media and public doesn't even have to know what happens. Secret wars are funny. On the same wire there's Warcraft, IRC, and unknown hand-crafted spy packets, in the real world, in one apt there's a quiet dinner, in the next some enemy asset is being administered a natural-heart-attack.

what's so secretive about authentication?

[Punto]

fetch the password, compare it. if there's anything else in it, it doesn't belong there, and it'll have bugs

poor brittle fragile brain ;-)

[circletimessquare]

here's the shocking truth about your brain and your language:

Aoccdrnig to a rscheearch at an Elingsh uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht frist and lsat ltteer is at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae we do not raed ervey lteter by it slef but the wrod as a wlohe. ceehiro.

http://www.languagehat.com/archives/000840.php

thrs smthng ls ntrstng y shld knw abt nglsh:

y dnt vn nd vwls t ndrstnd wht m wrtng

y cn rd ths lmst s fst s rglr txt

snt tht mzng?

http://brian.teeman.net/mister-men/do-we-need-vowels.html

Re:poor brittle fragile brain ;-)

[dylan_-]

Yes, I know about that. I heard about it many years ago (and well before that "research at an English University" article).

So what? Frankly, that post is *easier* to read than yours generally are, because it has capital letters. The mess you leave at the end is nowhere near as coherent. Yes, it's easy enough to decipher, but it can't be read in a flowing manner. So my point remains.

Is your poor, brittle, fragile brain having difficulty coping with the concept you might be wrong?

Re:A "fine performance" by Roman_Mir (NOT!) - lmao

[roman_mir]

I love it, apparently some trolling AC subscribed to my newsletter and is reading my every comment and needs to reply to all of them multiple times even. Excellent, next thing I know I have my own TV news station.

Stolen or copied?

[geekoid]

It reads as if someone went in and raided the offices, but it's unclear. I think it was just copied.
Another reason why people need to be clear when talking about software.

this line was a hoot:
“It’s obviously a real issue if you can understand how the system works.”

If understanding the security system puts the system at risk, then it was a broken security system to begin with.

Google should really know better.

Re:Security through obscurity

[geekoid]

"The weak link in the chain is always people, not software."
incorrect.

People are a weak link, but so is software. I have accessed systems by forcing a software crash.

Incorrect.

[geekoid]

False.

They did not take it, they copied it. When you can copy someone wallet and contents perfectly, then your attitude will be justified. Until that time, you are an ass AND incorrect.

Take - To capture physically; seize:
Take - To grasp with the hands; grip

Neither of those can be done with software.

The closest definition of steal would be:To present or use (someone else's words or ideas) as one's own. However, that's not what is happening here.

It's wrong, but it's trespassing and copyright infringement. Ah, but those words don't sound bad enough. Like how I rapped my software but stuffing my large code into it and then murdered it by deletion. ba ba BAAAAA~

Re:so?

[geekoid]

But we didn't come for the pretty site, we came for the great intellectual conversations about how a petrified Nattlie Portman could be covered in grits.

Yep, the good ol' days of smart and intelligent conversion.. a regular freaking palace of enlightenment.

Re:Stolen

[Jeremy+Erwin]

Depriving someone of potential profits is not theft.

Why not? Consider a copy shop. It owns lots of equipment--printers, copiers, scanners-- and rents out use of that equipment. If a third party removes the equipment from the store, the copy shop loses out on the potential income it could have earned from rents.

Re:so?

[Daengbo]

You know what? Even the trolls were better then Now, all we get is recycled stuff from ten years ago or "This!" and "FTFY."

Re:Stolen

[metacell]

In that case, it's not the loss of potential profits that constitutes theft, it's the removal of property.

It would make no difference whatsoever if the shop owner had already decided to throw away the stuff the next day - taking it is still theft.

Re:How do you infringe copyright

[metacell]

Copyright is the exclusive right to make copies.

Re:Security through obscurity

[dudpixel]

I see what you're saying but I'm not sure how google is therefore responsible?

Maybe they need to update their blacklists? or possibly enforce better security policies?

Surely this kind of attack is equally applicable to any company...unless I'm missing something.

In response to your last point, I find that the more I know about computers, the more I realise there is to know...

Re:so?

[Peach+Rings]

"Nattlie" Portman covered in grits? The meme went that I would pour hot grits down my pants to see Natalie Portman naked and petrified.

Re:Security through obscurity

[dudpixel]

I stand corrected. cheers.

Re:More Eyes - if you publish

[rtfa-troll]

I said another because exactly the same thing (leak of the source code against Microsoft's will) has happened to Windows previously. Another 30 companies were included in this recent Google break in. I know that a company I worked for had similar problems a while ago.

Basically, you can assume that your "enemy" already has the source code. The only question is, can you get more friends to read it? If you don't publish then the only other eyes will be hostile sice friendly eyes won't have access. If you do publish you have a reasonable chance be able to get friendly eyes to help.

weird things going on with gmail

[vaporland]

I've been seeing some weird things going on with gmail lately.

One big one: I started receiving Google Alerts exactly like those I've set up previously, but marked by gmail as spam and not formatted exactly like real Google Alerts. They also have the warning that the email may not be from the source that it seems to be, though they 'seem' to come from google.

Another strange thing: while checking gmail a few days ago, all of the inline ad text turned to chinese for about five minutes - I have a screen shot.

I think the intrusion goes deeper than we've been led to believe...