Slashdot Mirror

← Back to Stories (view on slashdot.org)

Source Code To Google Authentication System Stolen

Posted by kdawson on from the crown-jewels dept.

Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."

28 of 306 comments (clear)

  1. Paranoid about security? by Anonymous Coward · · Score: 5, Insightful

    Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

    1. Re:Paranoid about security? by WrongSizeGlass · · Score: 5, Insightful

      Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

      What they meant was your privacy didn't matter to them.

    2. Re:Paranoid about security? by coolgeek · · Score: 4, Insightful

      Really, this shouldn't matter, unless they are doing something they should not be doing.

      --

      cat /dev/null >sig
    3. Re:Paranoid about security? by Anonymous Coward · · Score: 5, Informative
      Please understand the context of a quote before referencing said quote. Eric Schmidt said:

      If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

      Have a nice day.

    4. Re:Paranoid about security? by martin-boundary · · Score: 5, Insightful
      Except that when others (some journalists from CNET) (ab)used the data about Eric Schmidt that was broadcast far and wide on the intarclouds, Google complained and blackballed everybody from CNET for a year.

      Who knew they only meant that we shouldn't overreact?

    5. Re:Paranoid about security? by Daengbo · · Score: 5, Informative

      OK, more context:

      Q: People are treating Google like their most trusted friend. Should they be?

      A: I think judgement matters If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. But if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.”

      In this context, "doing it" now refers to "treating Google like their most trusted friend" because otherwise, the phrase would be "shouldn't have it."

      People are too political about this issue and refuse to actually think. Screw grammar. The meaning is quite clear in context. If you don't want someone to find out about something you're doing, don't do it through Google (or any other search engine). They all keep records and can all be subpoenaed. Use some other method.

      So, yeah, don't trust GOOG with your darkest secrets. Schmidt said it, himself. Also, if you're smoking pot, do it in you house and not in the public park.

      --
      Put identity in the browser.
  2. Sauce? by Anonymous Coward · · Score: 5, Funny

    tar.gz or it didn't happen

  3. More Eyes by Daengbo · · Score: 5, Funny

    More eyes make the bugs shallow, right? ;)

    --
    Put identity in the browser.
    1. Re:More Eyes by Thanshin · · Score: 4, Funny

      But then the bugs will appear to be in IE8.

  4. Many eyes = problem? by choongiri · · Score: 5, Insightful

    So, Schmidt is worried because google was relying on security through obscurity?

    1. Re:Many eyes = problem? by Gamer_2k4 · · Score: 5, Insightful

      So, Schmidt is worried because google was relying on security through obscurity?

      Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

    2. Re:Many eyes = problem? by Anonymous Coward · · Score: 5, Insightful

      I can appreciate that security through obscurity is false, but I kinda got the impression that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed. Can you say with absolute certainty that any open source software is absolute bulletproof? Even OpenSSH and OpenSSL have released numerous minor revisions to fix potential security exploits. Being open source doesn't automatically mean it's more secure, but when you've got a ton riding on some piece of software I think a bit of paranoia is justified.

    3. Re:Many eyes = problem? by Vellmont · · Score: 4, Interesting


      and simply being concerned because the bad guys have more ability to search for flaws.

      Much of the world relies on security systems that are completely open and available to everyone. One of the prime examples is openSSH. Another prime example in openSSL. I don't hear too many people worried that these systems are more vulnerable because attackers have access to the code.

      The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

      Panic and stupidity are also natural human reactions. Since when did something being "natural" become a justification for something? I can understand the reaction, but that doesn't mean it's right.

      It's pretty stupid to rely on code remaining secret. Code is something that's very difficult to make secret as it gets copied all over the place. How many people at Google already have access to it? It seems to me that if Google really wants to be secure they should just release the damn code so "the good guys" also have access to it, since apparently "the bad guys" already do.
         

      --
      AccountKiller
  5. Don't change it, release it by Logos · · Score: 5, Insightful

    Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

    --
    We are agents of the free
    1. Re:Don't change it, release it by TubeSteak · · Score: 4, Interesting

      Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

      There's probably a whole lot of stuff in that source code that is either a trade secret or gives clues to trade secrets google would rather keep private.

      The most realistic course of action would be for them to hire some 3rd party pen testers and auditors to pick apart their code under a microscope.

      --
      [Fuck Beta]
      o0t!
  6. Cloud security? by HockeyPuck · · Score: 4, Funny

    I thought the cloud was secure?

    1. Re:Cloud security? by MorderVonAllem · · Score: 4, Insightful

      By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

      Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

    2. Re:Cloud security? by GNUALMAFUERTE · · Score: 5, Interesting

      Oh, except it was microsoft's operating system, and microsoft's messenger. I don't understand this concept of computing where you can click in "the wrong link". I can click in whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it on a browser, or asking me to download it. Except I sudo su and chmod +x $file and ./$file nothing is going to happen. But we hear all the time from windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc. Or just connecting on the wrong LAN. Clicking on a link IS NOT supposed to give ANYTHING any kind of execute permissions. I don't browse with Flash, but I do keep a Firefox-altern dir with Flash installed in case I really really need to check out something that requires Flash. I can't believe how invasive that thing is, and how many privileges it automatically grants to random content on the web. Same thing for JS. The simple fact that 'last measure' still works is living proof of how stupidly insecure certain technologies are.

      And, no, it's not the user's fault for clicking on a link.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    3. Re:Cloud security? by RzUpAnmsCwrds · · Score: 4, Insightful

      Oh, except it was microsoft's operating system, and microsoft's messenger. I don't understand this concept of computing where you can click in "the wrong link". I can click in whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it on a browser, or asking me to download it

      Your attitude of invincibility is both dangerous and stupid. Firefox, like all web browsers, is complex software that has a long history of vulnerabilities. One buffer overflow vulnerability (and Firefox has a history of such vulnerabilities) is enough to run arbitrary code on your system.

      Except I sudo su and chmod +x $file and ./$file nothing is going to happen.

      Not true. The software you use every day almost certainly has security vulnerabilities that may allow code execution. History has shown that determined hackers have little trouble finding one.

      But we hear all the time from windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc.

      No, mostly we hear those stories from people who don't know what the hell they're talking about. If you download and run some arbitrary executable, well, yeah, you can get infected. The same could happen if you went and installed a malicious deb/rpm.

      Those people who truly *were* infected by "just clicking on a fucking URL" (and not by deliberate acts of stupidity on their part) are victims of software vulnerabilities. And those vulnerabilities exist on every platform.

      Oh, except it was microsoft's operating system, and microsoft's messenger.

      Neither Microsoft's OS nor their messenger software had anything to do with this hole, although Internet Explorer might. Neither the messenger software nor the OS were vulnerable; the vulnerability was most likely either in the web browser or a plugin like Flash.

  7. Open source it by ka9dgx · · Score: 4, Insightful

    They should open source it, since a copy is out on the loose anyway. This could work to their advantage.

    I still think capability based security is the only workable long term solution..

  8. Re:so? by 3p1ph4ny · · Score: 5, Funny

    http://www.slashcode.com/

  9. Re:so? by Urza9814 · · Score: 5, Insightful

    i'd love to see /. put their source out there, money where their mouth is so to speak.

    ...You mean like http://www.slashcode.com/about.shtml ?

  10. It's all about leverage by el_flynn · · Score: 5, Insightful

    From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

    I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".

    And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.

    --
    The Wknd Sessions - Malaysian and South East Asia independent music
  11. the level of interest and sophistication by circletimessquare · · Score: 4, Insightful

    matched the target

    that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you

    and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: its a good investment, because the payoff is gargantuan, the economics of the security situation works against google

    the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdepndent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  12. Re:"Source Code [...] Stolen" by Anonymous Coward · · Score: 5, Insightful

    They took the Movie without paying for MPAA consent, hence they stole it.

    We like to change the meaning of the words when it's convenient for us

  13. Not quite as "insightful" as the mods think. by neiras · · Score: 4, Informative

    They took the code without Google's consent, hence they stole it.

    Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.

      1. Was the property provably taken without consent?
      2. Was the property provably taken with the intent of depriving its rightful owner of said property?

    If both of those tests are true, it's theft. In this case, Google still has a copy of their code, so the crime would not be considered theft in most jurisdictions.

    Of course, in the USA there is no national definition of theft, since it's defined and prosecuted at the state level. Talk about confusing.

    "Theft" is a concept that really varies in meaning from place to place. I guess that's why so many people jump on their high horse, wave their hands madly, and proclaim that various petty infringements are "stealing". They are probably right in the context of some banana republic somewhere.

    1. Re:Not quite as "insightful" as the mods think. by metacell · · Score: 4, Insightful

      Plagiarism isn't theft, it's just plagiarism.

      Downloading a copyrighted mp3 is not theft, it's copyright infringement.

      Using someone elses patented invention isn't theft, it's patent infringement.

      And so on.

  14. Re:"Source Code [...] Stolen" by BC+Guy · · Score: 4, Informative

    Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

    steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

    They took the code without Google's consent, hence they stole it.

    hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."

    the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

    a common sense analogy for you: say i break into your house and photocopy all of your books. no one would suggest that i've stolen your books. for me to have stolen you books, i would have to take then and leave you with nothing. in the google case that did not happen. hence OP's quite proper correction.