Slashdot Mirror
The Breach That Killed Google+ Wasn't a Breach At All (theverge.com)
An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.
The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
The true shock is that their was as many as 500k users of google+, I guess even a flea infested mangy dog attracts some people.
The company that thinks it's okay to censor US citizens, and now Chinese citizens, build weapons for the US government, track every citizen on the planet, also has no problem covering up leaks of... tracking every citizen on the planet?
Tim "Don't-be-Evil is was the stupidest rule ever." Cook
Color me surprised.
I like how they try to tie it to the Cambridge Analytics scandal to get a rise out of the community. Yes, Google is not required to report every bug they fix when no breach occurred. There's nothing wrong with that. As for for shutting down Google+, it was as good a time as any. If they're going to start having to worry about bad press over a dead product they're going to finish killing it.
This reads like a hit piece on google. I can't imagine why.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Just Google offering access to the information it collects from its users to its actual customers. Yeah, that makes it all better.
Let’s remember this the next time Project Zero broadcasts the shortcomings of some other companies’ products.
#DeleteChrome
In the clear? You can bet your fucking ass that if this was Microsoft or Facebook, Google would have jumped up and down reporting it.
Lost in all this discussion is the ineptitude of Google's engineers, security auditors, API designers, testers and who knows who else that would let something like this slip through unnoticed for so long. I no longer question Googel's ethics (they're bad) but more and more I'm questioning what kind of tech sweatshop they're running.
And what else is lurking out there that will (un?)intentionally give those of us pause that have already absolved ourselves of everything G.
Ha! Proof of time travel: Here I am on the east coast of the US at 6:56pm, and this story was posted at 7:40pm. Unless BeauHD is on a ship in the Atlantic, I call shenanigans!
(Ireland isn't close enuf for only 5 posts since then...)
On the one hand you take life too seriously, and on the other, you do not take playful existence seriously enough. Seth
Google keeps server logs, so they have the ability to find out who accessed this data.
They kill products off with no consideration for it's users. They just lose interest.
Not a way to engender trust.
Jews lying? Why, I never...
But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.
As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.
In this particular case, it seems they would need to provide evidence that no data was accessed, rather than saying that they see no evidence that data was accessed.
I for one want to know what our resident google dick sucker swillden has to say about the matter. But where is he? He cannot possibly be doing his day job of securing the Swiss cheese that is android.
There are zero consequences for these corporate PII losses and security breaches, so the rational Friemanite response for a corporation and its fiduciaries is to ignore them. Pay a small fine here and there; admit no fault. Good to go.
Providing APIs in order to give developer access to private information? This is literally not breach.
Meh, it was never any good and its like robbing a empty building, nothing there to steel anyway.
Why remain quiet and be open if nothing bad happened? Especially when openness is valued?
There were 400 people who could have accessed a list og names and email addresses if they figured out how, and there is no reason to believe any of them did.
If that's the standard for a situation that has to be reported, nearly every company in the world has a situation to report, because there are 400 people who can access customer data, if they figure out how.
For every large company, 400 employees have some access to customer data. For all the smaller companies, half of the attendees at Defcon (7,000 people) could access their data - and that's 7,000 people just in one room.
Actually never mind hackers, have you ever heard of a phone book? That's a much larger list of names, and the phone book even includes physical addresses. It's delivered to everyone, not just available to a few hundred people.
If it were credit card information, as opposed to phone book information, that would have been different. My company once had a potential vulnerability that could, in theory, expose credit cards, though that was unlikely. I personally called every customer who could have been affected and let them know they should check their credit card statement just in case.
They're awash is cash that allows them to dither in pet projects, virtue signal etc. All the while their moral bankruptcy continues.
The speed at which they've gone from the cool anti-microsoft, to a rudder less money machine is astounding. Google on a resume would be a red flag now.
Someone could have walked in and robbed you blind.
They didn't, but they could have.
google sucks and everyone knows it.
It always frustrated me how "cool" it became to dig on Google+. Journalists, podcasts, etc... it seemed once it caught on that "we all hate Google+ now" it seemed everyone was falling over themselves to make fun of Google+, but without any real substantial reason other than it was the popular thing to do.
The truth is, there was a LOT about Google+ that was better than Facebook. The Circles thing was extremely smart and useful. Nevermind that the average user is too fucking stupid and/or lazy to bother to learn or make use of it... that doesn't make the feature any less good. It's a failing of the userbase, not the service.
Honestly one of the real things that killed Google+ early on was the lack of any sort of events feature. This is BIG on Facebook, and in fact many users maintain a FB profile for no other reason than to be notified and invited to events. These people don't post nor read posts. For whatever reason, Google refused to add events into Google+ and this was a huge reason why people who dipped their toes into it early on became disenchanted and never came back. It couldn't replace FB if it lacked a major feature of FB that they cared about.
Even to this day though Google+ has had the advantage of being a community with far less BS, trolling and spam than Facebook. The signal-to-noise ratio for the Google+ communities I participate in is exponentially better than anything on Facebook. This will be a great loss.
so, someone leaked the internal memo -- probably someone from Sen. Feinstein's office. dam.... isn't anything marked internal stay internal?
and there is no reason to believe any of them did.
That's a slippery sentence to make. We have no evidence either way, of course. So anyone's belief on this matter must just be based on their personal understanding of industry trends about vulnerability exploitation, extrapolated to this case.
If you'd just said "I have no reason to believe" then that would have been an easy statement to make: that your understanding of industry trends doesn't provide reason for you to believe that the vulnerability was exploited.
But you actually made a startlingly strong assertion that there exists no reason to believe that it was exploited -- in other words, you know the relevant set of background industry trends well, and that extrapolating them will lead everyone to the conclusion that there was no exploitation in this case.
(I respect your other comparisons about what other companies would have to report, but that of course doesn't have bearing on your assertion that I quoted above.)
Yes, but the situation is a little more shady than that. It's not really 438 people, it's 438 third-party applications and therefore 438 organisations. How many people behind those organisations ?
Furthermore, it appears that Google only keeps the log of the third-party API access for two weeks. Given the time window of this vulnerability, it seems quite misleading to go out and say that there is no evidence that this was used.
I agree with you that the information leaked seems pretty benign. Therefore, they should have had no problems in disclosing the vulnerability... And furthermore, the phone book example you gave is interesting, because it seems that combining the information available within it with the information potentially leaked would give a good basis for identity theft. So, I do not know if this should be considered so benign.
As per googles statement, they supposedly keep the API’s log data for only two weeks. (Which is bullshit, google backs up logs)
That means that its 438 applications in 2 weeks.
It wasn't a bug, that's also bullshit - SHM.
Timing with Cambridge Analytica is because they realised how fucked they were is it got out.
Why are people being sheep about this. I mean, reporting by The Verge is what you take as gospel? Literally the most corporatism news and technology site in America.
Looking at the comments is like looking at small fluffy animals in a large fenced paddock.
What difference does this event make?
> It's not really 438 people, it's 438 third-party applications and therefore 438 organisations.
Good point. I guess some organizers could have made more than one app, so technically up to 438 organizations, but your point stands.
> it seems quite misleading to go out and say that there is no evidence that this was used.
I've been doing cybersecurity professionally for fifteen years. Every day I and my team find thousands of vulnerabilities. Essentially every company has vulnerabilities. Two days ago was patch Tuesday. Microsoft released fixes for 37 new vulnerabilities, just like they do every month. Everybody using Windows is vulnerable to all kinds of stuff, dozens of new ones every month.
Heck, it would probably be accurate to say 95% of all software applications have vulnerabilities. So if you want to know roughly how many vulnerabilities your organization has, count up how many software applications you use. That's probably about how many vulnerabilities you have, within an order of magnitude.
So roughly all of our customers were vulnerable to at least some of Windows vulnerabilities that were released Tuesday. How many were breeched? Approximately none. Our company also does intrusion detection, and successful breeches are orders of magnitude less common than vulnerabilities. As a professional, these are two very, very different findings I can make:
1. A company has a specific vulnerability (much like all the vulnerabilities every other company has).
2. There is evidence of an actual breech.
These are very different things. One is as common as water, the other is a major event. It would be very misleading to conflate the two.
https://www.youtube.com/watch?v=LTq8TrA3hb4
Agree that tying it into YouTube wasn't such a good idea.
There should really be a universally interoperational social networking platform standard that isn't controlled by any single corporation or country.
Sir Timothy John Berners-Lee OM KBE FRS FREng FRSA FBCS just launched such a platform standard:
- https://www.inrupt.com/blog/one-small-step-for-the-web
- https://solid.inrupt.com/
- https://github.com/solid/userguide
- https://tech.slashdot.org/story/18/09/30/1122238/tim-berners-lee-announces-solid-an-open-source-project-which-would-aim-to-decentralize-the-web
Captcha: unionize