Slashdot Mirror


Source Code To Google Authentication System Stolen

Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."

16 of 306 comments

  1. Paranoid about security? by Anonymous Coward · · Score: 5, Insightful

    Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

    1. Re:Paranoid about security? by WrongSizeGlass · · Score: 5, Insightful

      Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

      What they meant was your privacy didn't matter to them.

    2. Re:Paranoid about security? by Anonymous Coward · · Score: 5, Informative

      Please understand the context of a quote before referencing said quote. Eric Schmidt said:

      If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

      Have a nice day.

    3. Re:Paranoid about security? by martin-boundary · · Score: 5, Insightful

      Except that when others (some journalists from CNET) (ab)used the data about Eric Schmidt that was broadcast far and wide on the intarclouds, Google complained and blackballed everybody from CNET for a year.

      Who knew they only meant that we shouldn't overreact?

    4. Re:Paranoid about security? by Daengbo · · Score: 5, Informative

      OK, more context:

      Q: People are treating Google like their most trusted friend. Should they be?

      A: “I think judgement matters. If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. But if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.”

      In this context, "doing it" now refers to "treating Google like their most trusted friend" because otherwise, the phrase would be "shouldn't have it."

      People are too political about this issue and refuse to actually think. Screw grammar. The meaning is quite clear in context. If you don't want someone to find out about something you're doing, don't do it through Google (or any other search engine). They all keep records and can all be subpoenaed. Use some other method.

      So, yeah, don't trust GOOG with your darkest secrets. Schmidt said it, himself. Also, if you're smoking pot, do it in your house and not in the public park.

  2. Sauce? by Anonymous Coward · · Score: 5, Funny

    tar.gz or it didn't happen

  3. More Eyes by Daengbo · · Score: 5, Funny

    More eyes make the bugs shallow, right? ;)

  4. Many eyes = problem? by choongiri · · Score: 5, Insightful

    So, Schmidt is worried because Google was relying on security through obscurity?

    1. Re:Many eyes = problem? by Gamer_2k4 · · Score: 5, Insightful

      So, Schmidt is worried because Google was relying on security through obscurity?

      Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

    2. Re:Many eyes = problem? by Anonymous Coward · · Score: 5, Insightful

      I can appreciate that security through obscurity is false, but I kinda got the impression that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed. Can you say with absolute certainty that any open source software is absolutely bulletproof? Even OpenSSH and OpenSSL have released numerous minor revisions to fix potential security exploits. Being open source doesn't automatically mean it's more secure, but when you've got a ton riding on some piece of software I think a bit of paranoia is justified.

  5. Don't change it, release it by Logos · · Score: 5, Insightful

    Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

    --
    We are agents of the free

  6. Re:so? by 3p1ph4ny · · Score: 5, Funny
  7. Re:so? by Urza9814 · · Score: 5, Insightful

    I'd love to see /. put their source out there, money where their mouth is so to speak.

    ...You mean like http://www.slashcode.com/about.shtml ?

  8. It's all about leverage by el_flynn · · Score: 5, Insightful

    From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

    I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".

    And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.

    --
    The Wknd Sessions - Malaysian and South East Asia independent music

  9. Re:"Source Code [...] Stolen" by Anonymous Coward · · Score: 5, Insightful

    They took the Movie without paying for MPAA consent, hence they stole it.

    We like to change the meaning of the words when it's convenient for us

  10. Re:Cloud security? by GNUALMAFUERTE · · Score: 5, Interesting

    Oh, except it was Microsoft's operating system, and Microsoft's messenger. I don't understand this concept of computing where you can click in "the wrong link". I can click in whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it on a browser, or asking me to download it. Except I sudo su and chmod +x $file and ./$file nothing is going to happen. But we hear all the time from Windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc. Or just connecting on the wrong LAN. Clicking on a link IS NOT supposed to give ANYTHING any kind of execute permissions. I don't browse with Flash, but I do keep a Firefox-altern dir with Flash installed in case I really really need to check out something that requires Flash. I can't believe how invasive that thing is, and how many privileges it automatically grants to random content on the web. Same thing for JS. The simple fact that 'last measure' still works is living proof of how stupidly insecure certain technologies are.

    And, no, it's not the user's fault for clicking on a link.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?