Source Code To Google Authentication System Stolen

Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."

Paranoid about security?

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

Re:Paranoid about security?

[WrongSizeGlass]

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

What they meant was your privacy didn't matter to them.

Re:Paranoid about security?

[coolgeek]

Really, this shouldn't matter, unless they are doing something they should not be doing.

Re:Paranoid about security?

[d'baba]

Am agreeing here. Am reminded of article which said. "Microsoft is a bunch of arrogant business people. Google is a bunch of arrogant engineers."
If security depends on code it is insecure. Period.
If security depends on people it is insecure. Period.
It is insecure. Period.
----
Hypertext isn't what it's marked up to be.

Re:Paranoid about security?

Please understand the context of a quote before referencing said quote. Eric Schmidt said:

If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

Have a nice day.

Re:Paranoid about security?

[martin-boundary]

Except that when others (some journalists from CNET) (ab)used the data about Eric Schmidt that was broadcast far and wide on the intarclouds, Google complained and blackballed everybody from CNET for a year.

Who knew they only meant that we shouldn't overreact?

Re:Paranoid about security?

[Daengbo]

OK, more context:

Q: People are treating Google like their most trusted friend. Should they be?

A: I think judgement matters If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. But if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.”

In this context, "doing it" now refers to "treating Google like their most trusted friend" because otherwise, the phrase would be "shouldn't have it."

People are too political about this issue and refuse to actually think. Screw grammar. The meaning is quite clear in context. If you don't want someone to find out about something you're doing, don't do it through Google (or any other search engine). They all keep records and can all be subpoenaed. Use some other method.

So, yeah, don't trust GOOG with your darkest secrets. Schmidt said it, himself. Also, if you're smoking pot, do it in you house and not in the public park.

Sauce?

tar.gz or it didn't happen

More Eyes

[Daengbo]

More eyes make the bugs shallow, right? ;)

Re:More Eyes

[Soilworker]

That's why you need to look at it from a 45 degree angle.

Re:More Eyes

[Thanshin]

But then the bugs will appear to be in IE8.

Many eyes = problem?

[choongiri]

So, Schmidt is worried because google was relying on security through obscurity?

Re:Many eyes = problem?

[Gamer_2k4]

So, Schmidt is worried because google was relying on security through obscurity?

Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

Re:Many eyes = problem?

I can appreciate that security through obscurity is false, but I kinda got the impression that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed. Can you say with absolute certainty that any open source software is absolute bulletproof? Even OpenSSH and OpenSSL have released numerous minor revisions to fix potential security exploits. Being open source doesn't automatically mean it's more secure, but when you've got a ton riding on some piece of software I think a bit of paranoia is justified.

Re:Many eyes = problem?

[macshit]

that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed

That's called relying on obscurity. If having the source code lets you find something Google missed, that means Google missed something.

No, it doesn't. There's a big difference between relying on obscurity -- which google, apparently, was not -- and simply being concerned because the bad guys have more ability to search for flaws.

The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

Re:Many eyes = problem?

[Vellmont]

and simply being concerned because the bad guys have more ability to search for flaws.

Much of the world relies on security systems that are completely open and available to everyone. One of the prime examples is openSSH. Another prime example in openSSL. I don't hear too many people worried that these systems are more vulnerable because attackers have access to the code.

The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

Panic and stupidity are also natural human reactions. Since when did something being "natural" become a justification for something? I can understand the reaction, but that doesn't mean it's right.

It's pretty stupid to rely on code remaining secret. Code is something that's very difficult to make secret as it gets copied all over the place. How many people at Google already have access to it? It seems to me that if Google really wants to be secure they should just release the damn code so "the good guys" also have access to it, since apparently "the bad guys" already do.
   

Re:Many eyes = problem?

[InlawBiker]

They found Google's secret sauce.

    If Request.Form("password") = "JOSHUA" Then
    Response.Write("Greetings, Professor Falken")
    Set Godmode=1

Re:Many eyes = problem?

[anarche]

Yes they missed something, from TFA

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer...

How google missed a stupid employee? "But" (you yell) " there had to be a flaw that let them gain access!". Yes, there was a flaw:

The attacks took advantage of a flaw in Internet Explorer 6 that was quickly patched, although the damage had been done.

So a google employee in China was using IE6 and clicking on links from someone who claimed to be another employee who wished to remain anonymous?

They missed an idiot. Pure and simple.

Don't change it, release it

[Logos]

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

Re:Don't change it, release it

[TubeSteak]

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

There's probably a whole lot of stuff in that source code that is either a trade secret or gives clues to trade secrets google would rather keep private.

The most realistic course of action would be for them to hire some 3rd party pen testers and auditors to pick apart their code under a microscope.

Cloud security?

[HockeyPuck]

I thought the cloud was secure?

Re:Cloud security?

[siddesu]

the cloud is secure. it is the dev workstations that are in danger :)

Re:Cloud security?

[MorderVonAllem]

By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

Re:Cloud security?

[GNUALMAFUERTE]

Oh, except it was microsoft's operating system, and microsoft's messenger. I don't understand this concept of computing where you can click in "the wrong link". I can click in whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it on a browser, or asking me to download it. Except I sudo su and chmod +x $file and ./$file nothing is going to happen. But we hear all the time from windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc. Or just connecting on the wrong LAN. Clicking on a link IS NOT supposed to give ANYTHING any kind of execute permissions. I don't browse with Flash, but I do keep a Firefox-altern dir with Flash installed in case I really really need to check out something that requires Flash. I can't believe how invasive that thing is, and how many privileges it automatically grants to random content on the web. Same thing for JS. The simple fact that 'last measure' still works is living proof of how stupidly insecure certain technologies are.

And, no, it's not the user's fault for clicking on a link.

Re:Cloud security?

[RzUpAnmsCwrds]

Oh, except it was microsoft's operating system, and microsoft's messenger. I don't understand this concept of computing where you can click in "the wrong link". I can click in whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it on a browser, or asking me to download it

Your attitude of invincibility is both dangerous and stupid. Firefox, like all web browsers, is complex software that has a long history of vulnerabilities. One buffer overflow vulnerability (and Firefox has a history of such vulnerabilities) is enough to run arbitrary code on your system.

Except I sudo su and chmod +x $file and ./$file nothing is going to happen.

Not true. The software you use every day almost certainly has security vulnerabilities that may allow code execution. History has shown that determined hackers have little trouble finding one.

But we hear all the time from windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc.

No, mostly we hear those stories from people who don't know what the hell they're talking about. If you download and run some arbitrary executable, well, yeah, you can get infected. The same could happen if you went and installed a malicious deb/rpm.

Those people who truly *were* infected by "just clicking on a fucking URL" (and not by deliberate acts of stupidity on their part) are victims of software vulnerabilities. And those vulnerabilities exist on every platform.

Oh, except it was microsoft's operating system, and microsoft's messenger.

Neither Microsoft's OS nor their messenger software had anything to do with this hole, although Internet Explorer might. Neither the messenger software nor the OS were vulnerable; the vulnerability was most likely either in the web browser or a plugin like Flash.

"Source Code [...] Stolen"

[Animaether]

Stolen?

What.. they are no longer in possession of the source code?

Re:"Source Code [...] Stolen"

[LingNoi]

Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

They took the code without Google's consent, hence they stole it.

Re:"Source Code [...] Stolen"

They took the Movie without paying for MPAA consent, hence they stole it.

We like to change the meaning of the words when it's convenient for us

Re:"Source Code [...] Stolen"

[Animaether]

My point exactly - no matter how much it's modded "Off-topic" currently :D /karma

Re:"Source Code [...] Stolen"

[BC+Guy]

Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

They took the code without Google's consent, hence they stole it.

hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."

the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

a common sense analogy for you: say i break into your house and photocopy all of your books. no one would suggest that i've stolen your books. for me to have stolen you books, i would have to take then and leave you with nothing. in the google case that did not happen. hence OP's quite proper correction.

Open source it

[ka9dgx]

They should open source it, since a copy is out on the loose anyway. This could work to their advantage.

I still think capability based security is the only workable long term solution..

Re:so?

[3p1ph4ny]

http://www.slashcode.com/

Re:so?

[Urza9814]

i'd love to see /. put their source out there, money where their mouth is so to speak.

...You mean like http://www.slashcode.com/about.shtml ?

It's all about leverage

[el_flynn]

From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".

And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.

Re:Security through obscurity

[dudpixel]

there was no mention of whether their security system is buggy or not. The attack was made through a hacked internet site, with the help of an internal employee, not by someone "hacking into" the system. The weak link in the chain is always people, not software.

wasn't this same attack linked to MS internet explorer 6? had to bring that up...of course I could be wrong.

Anyone know of any large company opening up the source code to their security systems?

the level of interest and sophistication

[circletimessquare]

matched the target

that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you

and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: its a good investment, because the payoff is gargantuan, the economics of the security situation works against google

the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdepndent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure

Re:Wrong security model

[grcumb]

"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"

As Bruce Schenier said, security through obscurity does not work...

Are you sure he said that, or did he say that it was wrong to rely on security through obscurity? Obscurity (i.e. not telling tales out of school) is one valid element of an overall security model.

Re:Paranoia

[causality]

This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.

So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.

Not quite as "insightful" as the mods think.

[neiras]

They took the code without Google's consent, hence they stole it.

Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.

  1. Was the property provably taken without consent?
  2. Was the property provably taken with the intent of depriving its rightful owner of said property?

If both of those tests are true, it's theft. In this case, Google still has a copy of their code, so the crime would not be considered theft in most jurisdictions.

Of course, in the USA there is no national definition of theft, since it's defined and prosecuted at the state level. Talk about confusing.

"Theft" is a concept that really varies in meaning from place to place. I guess that's why so many people jump on their high horse, wave their hands madly, and proclaim that various petty infringements are "stealing". They are probably right in the context of some banana republic somewhere.

Re:Not quite as "insightful" as the mods think.

[metacell]

Plagiarism isn't theft, it's just plagiarism.

Downloading a copyrighted mp3 is not theft, it's copyright infringement.

Using someone elses patented invention isn't theft, it's patent infringement.

And so on.

Re:Not quite as "insightful" as the mods think.

[metacell]

According to the definition of deprivation you quote, it's not enough to cause the property to lose value. You have to withhold it from the rightful owner so that it loses value. And the hackers weren't able to withhold Googles own source code from them.

Re:More Eyes - if you publish

[rtfa-troll]

Yes; well the truth is that only if those eyes are looking (I'm sure the crackers will be). But still, it's yet another example that not publishing your source code just means that the only eyes looking other than your own are hostile eyes. Google should now publish the source code to this system and more of their other internal stuff that others could use and share.