
Source Code To Google Authentication System Stolen

kdawson posted more than 4 years ago | from the crown-jewels dept.

Google 306

Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."


306 comments


well i'll tell you the truth (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31905436)

i broke into google systems.
that's how i got this frost piss.

Watch out, bitches...Trolltalk is back! (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31905494)

Niggerwhat? [slashdot.org]

Re:Watch out, bitches...Trolltalk is back! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31906052)

hax your anus, you fucking jigaboo coon porchmonkey moon cricket darkie motherfackrel

Re:Watch out, bitches...Trolltalk is back! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31906216)

...and nothing of value is gained.

Paranoid about security? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31905438)

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

Re:Paranoid about security? (5, Insightful)

WrongSizeGlass (838941) | more than 4 years ago | (#31905580)

Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

What they meant was your privacy didn't matter to them.

Re:Paranoid about security? (4, Insightful)

coolgeek (140561) | more than 4 years ago | (#31906146)

Really, this shouldn't matter, unless they are doing something they should not be doing.

Re:Paranoid about security? (3, Insightful)

d'baba (1134261) | more than 4 years ago | (#31906362)

Am agreeing here. Am reminded of article which said. "Microsoft is a bunch of arrogant business people. Google is a bunch of arrogant engineers."
If security depends on code it is insecure. Period.
If security depends on people it is insecure. Period.
It is insecure. Period.
----
Hypertext isn't what it's marked up to be.

First the iPhone and now this? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#31905448)

I'm going to start using Microsoft products from now on because no one wants their trade secrets.

Sauce? (5, Funny)

Anonymous Coward | more than 4 years ago | (#31905454)

tar.gz or it didn't happen

Re:Sauce? (1)

binarylarry (1338699) | more than 4 years ago | (#31905812)

On the contrary, this sounds like a job for

CAPTAIN PLANET!

More Eyes (5, Funny)

Daengbo (523424) | more than 4 years ago | (#31905466)

More eyes make the bugs shallow, right? ;)

Re:More Eyes (2, Informative)

thoughtsatthemoment (1687848) | more than 4 years ago | (#31906066)

Unless the bugs have developed an invisibility cloak.

Re:More Eyes (3, Funny)

Soilworker (795251) | more than 4 years ago | (#31906340)

That's why you need to look at it from a 45 degree angle.

Many eyes = problem? (5, Insightful)

choongiri (840652) | more than 4 years ago | (#31905478)

So, Schmidt is worried because google was relying on security through obscurity?

Re:Many eyes = problem? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31905528)

You're retarded. Stop trying to make everything fit your worldview.

Re:Many eyes = problem? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31905584)

He can't help it, you intolerant faggot. He's an American.

Re:Many eyes = problem? (1, Offtopic)

choongiri (840652) | more than 4 years ago | (#31905940)

He can't help it, you intolerant faggot. He's an American.

Last time I checked I was definitely not American [carroll.org.uk] . However you, sir, are most definitely a troll.

Re:Many eyes = problem? (0, Offtopic)

causality (777677) | more than 4 years ago | (#31906060)

He can't help it, you intolerant faggot. He's an American.

Last time I checked I was definitely not American [carroll.org.uk] . However you, sir, are most definitely a troll.

Does that mean you're knowingly feeding them?

Re:Many eyes = problem? (0)

Anonymous Coward | more than 4 years ago | (#31906260)

No, he's binspamming them, and us..

Re:Many eyes = problem? (5, Insightful)

Gamer_2k4 (1030634) | more than 4 years ago | (#31905764)

So, Schmidt is worried because google was relying on security through obscurity?

Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

Re:Many eyes = problem? (-1, Offtopic)

choongiri (840652) | more than 4 years ago | (#31905854)

Yeah, and whoever modded me redundant also caught you in the crossfire. I'm starting to think there should be a simple exam before you can mod. If, say, two comments are posted within a minute or so of each other and you mod them redundant, then you fail and never get to mod.

Re:Many eyes = problem? (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31905934)

I can appreciate that security through obscurity is false, but I kinda got the impression that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed. Can you say with absolute certainty that any open source software is absolutely bulletproof? Even OpenSSH and OpenSSL have released numerous minor revisions to fix potential security exploits. Being open source doesn't automatically mean it's more secure, but when you've got a ton riding on some piece of software I think a bit of paranoia is justified.

Re:Many eyes = problem? (1, Insightful)

spazdor (902907) | more than 4 years ago | (#31906032)

that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed

That's called relying on obscurity. If having the source code lets you find something Google missed, that means Google missed something.

Re:Many eyes = problem? (3, Insightful)

macshit (157376) | more than 4 years ago | (#31906116)

that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed

That's called relying on obscurity. If having the source code lets you find something Google missed, that means Google missed something.

No, it doesn't. There's a big difference between relying on obscurity -- which google, apparently, was not -- and simply being concerned because the bad guys have more ability to search for flaws.

The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

Re:Many eyes = problem? (4, Interesting)

Vellmont (569020) | more than 4 years ago | (#31906426)


and simply being concerned because the bad guys have more ability to search for flaws.

Much of the world relies on security systems that are completely open and available to everyone. One of the prime examples is openSSH. Another prime example is openSSL. I don't hear too many people worried that these systems are more vulnerable because attackers have access to the code.

The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

Panic and stupidity are also natural human reactions. Since when did something being "natural" become a justification for something? I can understand the reaction, but that doesn't mean it's right.

It's pretty stupid to rely on code remaining secret. Code is something that's very difficult to make secret as it gets copied all over the place. How many people at Google already have access to it? It seems to me that if Google really wants to be secure they should just release the damn code so "the good guys" also have access to it, since apparently "the bad guys" already do.

Re:Many eyes = problem? (2)

Michael Kristopeit (1751814) | more than 4 years ago | (#31905826)

a hardcoded key to a remote procedure call server is not security through obscurity.
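The distinction the thread keeps circling (a leaked source tree being fatal versus merely unwelcome) comes down to what the secret actually is. The following is an added example, not Google's Gaia code or anything from the article: two token schemes for an RPC server. In the first, the "key" is a constant in the source, so a copy of the source is a copy of the key. In the second, the source is free to leak because the only secret is a runtime key loaded from the environment. The environment variable name `RPC_HMAC_KEY`, the `user:mac` token format and all key values are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# --- Scheme A: the "key" is a constant in the source ----------------------
# Whoever holds a copy of the source (the thread's scenario) can mint valid
# tokens.  The value is a constructed example.  Hashing key||message with
# plain SHA-256 is also length-extendable, which is one more reason HMAC is
# used in Scheme B.
HARDCODED_RPC_KEY = b"s3cr3t-rpc-key"


def issue_token_hardcoded(user: str) -> str:
    mac = hashlib.sha256(HARDCODED_RPC_KEY + user.encode()).hexdigest()
    return f"{user}:{mac}"


def verify_token_hardcoded(token: str) -> bool:
    user, _, mac = token.partition(":")
    expected = hashlib.sha256(HARDCODED_RPC_KEY + user.encode()).hexdigest()
    return hmac.compare_digest(mac, expected)


# --- Scheme B: the code may be public; only the runtime key is secret -----
# RPC_HMAC_KEY is an assumed environment variable name for this example.

def load_key(env=None) -> bytes:
    """Read the HMAC key from the environment (or a supplied mapping).
    Refuse to run without it rather than fall back to a built-in default."""
    env = os.environ if env is None else env
    hex_key = env.get("RPC_HMAC_KEY")
    if not hex_key:
        raise RuntimeError("RPC_HMAC_KEY is not set; refusing to start")
    key = bytes.fromhex(hex_key)
    if len(key) < 32:
        raise RuntimeError("RPC_HMAC_KEY must be at least 32 bytes")
    return key


def issue_token_keyed(user: str, key: bytes) -> str:
    mac = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_token_keyed(token: str, key: bytes) -> bool:
    user, _, mac = token.partition(":")
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


# --- The attacker's position after a source leak --------------------------

def attacker_forges(user: str, runtime_key: bytes) -> dict:
    """Simulate an attacker who has read the source but has no access to the
    deployed environment.  Returns whether each scheme accepts a forged
    token for `user`."""
    # Scheme A: the constant is in the source, so the forgery is exact.
    forged_a = issue_token_hardcoded(user)
    # Scheme B: without runtime_key the attacker can only guess a key.
    forged_b = issue_token_keyed(user, secrets.token_bytes(32))
    return {
        "hardcoded": verify_token_hardcoded(forged_a),
        "keyed": verify_token_keyed(forged_b, runtime_key),
    }


if __name__ == "__main__":
    key = load_key({"RPC_HMAC_KEY": secrets.token_hex(32)})
    print(attacker_forges("alice", key))  # {'hardcoded': True, 'keyed': False}
```

The useful check after a leak like this one is therefore mechanical: grep the leaked tree for every literal that acts as a key, password, signing secret or shared token, rotate those, and treat everything else as the public part of the design. What remains after that is the ordinary risk that the code has bugs, which is the same risk any open project carries.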

Re:Many eyes = problem? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31905992)

Isn't this the company and CEO who keep insisting that privacy and exclusivity is waaaay overrated when it comes to other people's property, surveillance, copyrighted material, etc? "If you need that much privacy maybe you're doing something you shouldn't be, heh-heh-heh". There's one standard for Google's stuff, and another for everyone else's.

Re:Many eyes = problem? (1)

JackieBrown (987087) | more than 4 years ago | (#31906338)

No. It is the one company that refused to turn over its user's data without the appropriate warrants.

Re:Many eyes = problem? (1)

fred911 (83970) | more than 4 years ago | (#31906464)

Did you forget Verizon?

Linux machine connected to the 'Net (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31906176)

rooted in 5 minutes. Intellectual property siphoned away in 5 more minutes.

But they saved $150 when they didn't buy Vista 7 Business!

Don't change it, release it (5, Insightful)

Logos (80812) | more than 4 years ago | (#31905486)

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

Re:Don't change it, release it (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31905758)

Yeah Google! Open it up so the open source fags don't have to go through the work of ripping you off by other means like they have with everything else.

Open Sores != Innovation.

Re:Don't change it, release it (2, Interesting)

dr-alves (1612081) | more than 4 years ago | (#31906050)

Not a rip off if you give it away and gain money/increase the readiness of the possible worker candidate pool out of it.

Re:Don't change it, release it (4, Interesting)

TubeSteak (669689) | more than 4 years ago | (#31906386)

Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

There's probably a whole lot of stuff in that source code that is either a trade secret or gives clues to trade secrets google would rather keep private.

The most realistic course of action would be for them to hire some 3rd party pen testers and auditors to pick apart their code under a microscope.

Cloud security? (4, Funny)

HockeyPuck (141947) | more than 4 years ago | (#31905504)

I thought the cloud was secure?

Re:Cloud security? (3, Funny)

siddesu (698447) | more than 4 years ago | (#31905538)

the cloud is secure. it is the dev workstations that are in danger :)

Re:Cloud security? (1, Troll)

GNUALMAFUERTE (697061) | more than 4 years ago | (#31905662)

The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

As usual, the problem wasn't in the servers, or in the code, but in the people accessing it.

And, as usual also, Microsoft was involved.

Re:Cloud security? (4, Insightful)

MorderVonAllem (931645) | more than 4 years ago | (#31905710)

By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

Re:Cloud security? (1)

thetartanavenger (1052920) | more than 4 years ago | (#31906148)

Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

I wouldn't say Microsoft was directly involved, but back when I used Windows XP and Window Live Messenger, no matter what I did I could never get Windows Live Messenger to open up a link in anything other than IE. It's been a while so things might have changed, but this "feature" could make them at least indirectly involved.

Re:Cloud security? (5, Interesting)

GNUALMAFUERTE (697061) | more than 4 years ago | (#31906164)

Oh, except it was microsoft's operating system, and microsoft's messenger. I don't understand this concept of computing where you can click on "the wrong link". I can click on whatever link I want, and that is not supposed to destroy my computer. I use Pidgin on GNU/Linux. I can click on ANY link that I want. Clicking on the link won't do anything besides opening it in a browser, or asking me to download it. Unless I sudo su and chmod +x $file and ./$file nothing is going to happen. But we hear all the time about windows users getting randomly infected with malware by just clicking on a fucking URL, or going to the wrong site, etc. Or just connecting to the wrong LAN. Clicking on a link IS NOT supposed to give ANYTHING any kind of execute permissions. I don't browse with Flash, but I do keep a Firefox-altern dir with Flash installed in case I really really need to check out something that requires Flash. I can't believe how invasive that thing is, and how many privileges it automatically grants to random content on the web. Same thing for JS. The simple fact that 'last measure' still works is living proof of how stupidly insecure certain technologies are.

And, no, it's not the user's fault for clicking on a link.

Re:Cloud security? (1)

Demonantis (1340557) | more than 4 years ago | (#31906324)

It is the tried and true issue of running everything as an administrator. Why do you need those rights when accessing a webpage? Does not make any sense and yet windows often makes it necessary. UAC does fix it for the most part, but windows itself has trained users in the easy path of running as a power user all the time so most people turn it off. I'm not sure if it is as much technology as it is users nowadays.

Re:Cloud security? (0)

Anonymous Coward | more than 4 years ago | (#31906470)

>It is the tired and true issue of running everything as an administrator.
Wrong. It can make existing problems worse, but it doesn't cause them. The problem is that the operating system, browser or browser plug-in contained a security vulnerability that allowed arbitrary code to run. That is hell, even without administrator access, since it can still delete your documents or hold them for ransom, or log into the source control system pretending to be you and send whatever it finds there to a remote server.
Of course, if you use Google Chrome, the browser process runs under a pseudo-account with even less permissions than the logged on user, and that *can* help. But the employee in question wasn't using Chrome, and it doesn't protect against bugs in the operating system access control and it doesn't protect against bugs in plug-ins either since plug-ins cannot presently run in such a restricted environment.
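The point above, that code running as the user needs no administrator rights to walk into source control as that user, is easy to verify on a developer workstation. The following is an added example and not Google's tooling: a small audit that lists the credential artefacts in a home directory which any unprivileged process could read and reuse, including plaintext `.git-credentials` and `.netrc` entries and SSH private keys without a passphrase (detected by parsing the `openssh-key-v1` container's cipher name, with a fallback to the legacy PEM `ENCRYPTED` marker). The file list, hostnames and secret values are constructed for the example; the fixture is built in a temporary directory so it runs offline.

```python
import base64
import netrc
import os
import re
import stat
import tempfile
from pathlib import Path

# Plaintext credential stores that any process running as the user can read.
# Constructed list for this example; add whatever your environment uses.
CREDENTIAL_FILES = [".git-credentials", ".netrc"]
SSH_KEY_NAMES = ["id_rsa", "id_ed25519", "id_ecdsa", "id_dsa"]

# One .git-credentials line: https://user:secret@host[/path]
GIT_CRED_RE = re.compile(r"^https?://([^:/@\s]+):([^@\s]+)@(\S+)$")


def redact(secret: str) -> str:
    """Never put a secret in full into a report, even an internal one."""
    if len(secret) <= 4:
        return "****"
    return secret[:2] + "*" * (len(secret) - 4) + secret[-2:]


def openssh_key_is_encrypted(key_text: str) -> bool:
    """True if the private key needs a passphrase.  The OpenSSH container
    starts with the magic 'openssh-key-v1\\0' followed by a length-prefixed
    cipher name; 'none' means the key is stored in the clear."""
    body = "".join(l for l in key_text.splitlines() if l and not l.startswith("-----"))
    try:
        blob = base64.b64decode(body)
    except ValueError:
        return "ENCRYPTED" in key_text
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return "ENCRYPTED" in key_text          # legacy PEM: Proc-Type: 4,ENCRYPTED
    off = len(magic)
    n = int.from_bytes(blob[off:off + 4], "big")
    cipher = blob[off + 4:off + 4 + n]
    return cipher != b"none"


def scan_home(home: Path) -> list:
    """One finding per artefact an unprivileged process running as this
    user could read and replay against source control or other hosts."""
    findings = []
    for name in CREDENTIAL_FILES:
        p = home / name
        if not p.is_file():
            continue
        mode = stat.S_IMODE(p.stat().st_mode)
        entries = []
        if name == ".git-credentials":
            for line in p.read_text(errors="replace").splitlines():
                m = GIT_CRED_RE.match(line.strip())
                if m:
                    entries.append({"host": m.group(3), "user": m.group(1),
                                    "secret": redact(m.group(2))})
        else:
            for host, (login, _acct, password) in netrc.netrc(str(p)).hosts.items():
                entries.append({"host": host, "user": login,
                                "secret": redact(password or "")})
        findings.append({"file": name, "kind": "plaintext_credentials",
                         "world_or_group_readable": bool(mode & 0o077),
                         "entries": entries})
    ssh = home / ".ssh"
    for name in SSH_KEY_NAMES:
        k = ssh / name
        if k.is_file():
            findings.append({"file": f".ssh/{name}", "kind": "ssh_private_key",
                             "passphrase_protected":
                                 openssh_key_is_encrypted(k.read_text(errors="replace"))})
    return findings


def build_sample_home() -> Path:
    """Constructed fixture: a temporary home directory holding the kinds of
    files the thread is worried about.  Every value here is made up."""
    home = Path(tempfile.mkdtemp(prefix="home-"))
    (home / ".git-credentials").write_text(
        "https://alice:ghp_examp1eT0ken@git.example.internal\n")
    (home / ".netrc").write_text(
        "machine pypi.example.internal login alice password hunter2\n")
    (home / ".ssh").mkdir()
    # Minimal unencrypted openssh-key-v1 container: magic, then cipher "none".
    blob = b"openssh-key-v1\x00" + (4).to_bytes(4, "big") + b"none" + b"\x00" * 8
    (home / ".ssh" / "id_ed25519").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        + base64.b64encode(blob).decode()
        + "\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(home / ".git-credentials", 0o600)
    os.chmod(home / ".netrc", 0o644)            # deliberately too permissive
    return home


if __name__ == "__main__":
    for f in scan_home(build_sample_home()):
        print(f)
```

Run it as the developer in question, with no elevation, and every finding it prints is something a browser exploit running in that same session could also read. That is the argument for credential helpers backed by an OS keychain, passphrase-protected or hardware-held SSH keys, and short-lived repository tokens: they shrink what an unprivileged foothold can carry off, which a sandbox around the browser alone does not.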

Re:Cloud security? (1)

jpmorgan (517966) | more than 4 years ago | (#31906482)

Unless, of course, that website that opens in your browser exploits a vulnerability in Firefox to take over your user account. From there on, if you're using Ubuntu for example, they could hijack your menus and next time you open up a control panel they use a fake gksudo dialog to steal your password, and then have complete control of your computer. Which is basically what happened to this fellow.

The only reason that doesn't happen to you and it happens to Windows users is obscurity.

Re:Cloud security? (1)

causality (777677) | more than 4 years ago | (#31906182)

By clicking on a link and connecting to a "poisoned" Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google's headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team.

Unless it's a flaw directly within the messenger software rather than the user who clicked the link...Microsoft wasn't really involved...

Messenger was just a way to launch the system default web browser to load the URL. Loading the browser independently and then typing that same URL into the address bar would have done the same thing. The browser and its vulnerability to the malicious contents of that URL are at issue here. My bet is that the OS was Windows and the browser was IE, in which case it's perfectly reasonable to say that Microsoft and its products were involved here. Unfortunately the article does not specify the browser that was used, but Microsoft Messenger does strongly indicate a Windows system so IE was at least available.

Re:Cloud security? (1)

AHuxley (892839) | more than 4 years ago | (#31906384)

Microsoft was the way in and out.
What the google code was running on or stored in/as is not really the point.
MS consumer grade software was the hole that exposed the Google work to the world.

so, how long (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31905532)

until they blame this on the Chinar as well? because that's the American way - it's always someone else's fault ;)

Re:so, how long (1)

siddesu (698447) | more than 4 years ago | (#31905552)

That's not the American way, that's the responsible way.

so? (0, Troll)

timmarhy (659436) | more than 4 years ago | (#31905540)

isn't it /. that always promotes that closed source doesn't improve security? i'd love to see /. put their source out there, money where their mouth is so to speak.

Re:so? (5, Funny)

3p1ph4ny (835701) | more than 4 years ago | (#31905588)

http://www.slashcode.com/ [slashcode.com]

Re:so? (1)

ooshna (1654125) | more than 4 years ago | (#31905616)

Oh shit buuurrrrnnn!!1!!

Re:so? (0)

Anonymous Coward | more than 4 years ago | (#31905600)

You mean like slash [slashcode.com] , or is there something I'm missing?

Re:so? (5, Insightful)

Urza9814 (883915) | more than 4 years ago | (#31905604)

i'd love to see /. put their source out there, money where their mouth is so to speak.

...You mean like http://www.slashcode.com/about.shtml [slashcode.com] ?

Re:so? (1)

Peach Rings (1782482) | more than 4 years ago | (#31905620)

Wut? [sourceforge.net]

Re:so? (1)

LingNoi (1066278) | more than 4 years ago | (#31905654)

How retarded do you have to be to not notice the about -> code link that's been on slashdot for years? Well just look at the parent!

Re:so? (1)

Lehk228 (705449) | more than 4 years ago | (#31905800)

my guess is GP was trying to be funny, but mix a little off-axis humor with humorless gits holding mod points and look what happens

Re:so? (0)

Anonymous Coward | more than 4 years ago | (#31905692)

And today's Slashtard award goes to timmarhy [youtube.com] . It was a late entrant but he certainly earned it. Congratulations, timmarhy.

Re:so? (1)

Soilworker (795251) | more than 4 years ago | (#31906360)

"If you mod me down, I will become more powerful than you can imagine...."

Share the code (0)

Anonymous Coward | more than 4 years ago | (#31905542)

Release the code. So it will be useless for the bad guys.

"Source Code [...] Stolen" (3, Interesting)

Animaether (411575) | more than 4 years ago | (#31905554)

Stolen?

What.. they are no longer in possession of the source code?

Re:"Source Code [...] Stolen" (3, Insightful)

LingNoi (1066278) | more than 4 years ago | (#31905672)

Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

They took the code without Google's consent, hence they stole it.

Re:"Source Code [...] Stolen" (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31906018)

They took the Movie without paying for MPAA consent, hence they stole it.

We like to change the meaning of the words when it's convenient for us

Re:"Source Code [...] Stolen" (3, Insightful)

Animaether (411575) | more than 4 years ago | (#31906270)

My point exactly - no matter how much it's modded "Off-topic" currently :D /karma

Not quite as "insightful" as the mods think. (4, Informative)

neiras (723124) | more than 4 years ago | (#31906246)

They took the code without Google's consent, hence they stole it.

Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.

  1. Was the property provably taken without consent?
  2. Was the property provably taken with the intent of depriving its rightful owner of said property?

If both of those tests are true, it's theft. In this case, Google still has a copy of their code, so the crime would not be considered theft in most jurisdictions.

Of course, in the USA there is no national definition of theft, since it's defined and prosecuted at the state level. Talk about confusing.

"Theft" is a concept that really varies in meaning from place to place. I guess that's why so many people jump on their high horse, wave their hands madly, and proclaim that various petty infringements are "stealing". They are probably right in the context of some banana republic somewhere.

Re:"Source Code [...] Stolen" (4, Informative)

BC Guy (657285) | more than 4 years ago | (#31906392)

Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

They took the code without Google's consent, hence they stole it.

hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."

the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

a common sense analogy for you: say i break into your house and photocopy all of your books. no one would suggest that i've stolen your books. for me to have stolen your books, i would have to take them and leave you with nothing. in the google case that did not happen. hence OP's quite proper correction.

Open source it (4, Insightful)

ka9dgx (72702) | more than 4 years ago | (#31905564)

They should open source it, since a copy is out on the loose anyway. This could work to their advantage.

I still think capability based security is the only workable long term solution..

Security through obscurity (-1, Flamebait)

2Bits (167227) | more than 4 years ago | (#31905592)

Right, so Google is relying on a buggy security system, and complains when it is cracked. If they are so paranoid about security, as they said it, why not open up the source code for security scrutiny?

Oh, I forgot, this is a company cherished by /.ers. If this were Microsoft, everyone would be ROFL.

Re:Security through obscurity (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31905708)

lol like Microsoft would even admit to this happening to them

Re:Security through obscurity (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31905730)

Google hasn't complained the security system got cracked, nor is it buggy, nor is it said anywhere it's buggy. Troll, much?

Re:Security through obscurity (3, Interesting)

dudpixel (1429789) | more than 4 years ago | (#31905752)

there was no mention of whether their security system is buggy or not. The attack was made through a hacked internet site, with the help of an internal employee, not by someone "hacking into" the system. The weak link in the chain is always people, not software.

wasn't this same attack linked to MS internet explorer 6? had to bring that up...of course I could be wrong.

Anyone know of any large company opening up the source code to their security systems?

Re:Security through obscurity (1)

Illogical Spock (1058270) | more than 4 years ago | (#31905808)

Nobody needs the source code to exploit Microsoft software...

It's all about leverage (5, Insightful)

el_flynn (1279) | more than 4 years ago | (#31905702)

From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".

And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.

Re:It's all about leverage (1)

ebonum (830686) | more than 4 years ago | (#31905798)

Don't worry. When your medical records are put into databases, they will be secure.

Honestly. If you want it secure, keep it offline.

Re:It's all about leverage (0)

Anonymous Coward | more than 4 years ago | (#31905874)

Cause we all know doctor's offices are impenetrable.

Re:It's all about leverage (1)

causality (777677) | more than 4 years ago | (#31906098)

Cause we all know doctor's offices are impenetrable.

Two things about that:

One, someone who wants to break-and-enter into a doctor's office is going to leave behind physical evidence. It's the sort of crime likely to be solved through old-fashioned police work. It also can't be done from halfway around the world.

Two, that doesn't permit anyone to gain massive numbers of medical records. A thief who breaks into a doctor's office to obtain medical records is going to get the records for that doctor's patients only. With each break-in to each office, the chances of the thief getting caught increase substantially. Compare to a large centralized online database where potentially millions of records could be obtained in a single compromise by an attacker located anyplace there is an Internet connection.

Re:It's all about leverage (0)

Anonymous Coward | more than 4 years ago | (#31906280)

Honestly, you're barking up the wrong tree. If you're worried about someone hacking into your medical records, get a life. If they're gonna hack into a system, they don't give a crap about your medical records. They're after things that are worth something, not whether or not you've had chicken pox.

The trick with keeping medical information private is to prevent scummy, but "legit", people using it, like insurance companies or employers. And it isn't worth it to either of them to pull off a sophisticated hack like this to get at it.

the level of interest and sophistication (4, Insightful)

circletimessquare (444983) | more than 4 years ago | (#31906014)

matched the target

that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you

and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: its a good investment, because the payoff is gargantuan, the economics of the security situation works against google

the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdependent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure

Re:the level of interest and sophistication (0)

Anonymous Coward | more than 4 years ago | (#31906220)

Why do you hate your shift key?

Re:It's all about leverage (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31906112)

From what I read back when news of this first broke, usually when these attacks are successful, the infiltration lasts for years, because the goal is to quietly and relatively slowly pilfer things like that source code, not make a big mess as quickly as possible. If they are undetected, the attack is a lot more successful. The fact that Google caught this in 2 days speaks well for their security team.

Re:It's all about leverage (0)

Anonymous Coward | more than 4 years ago | (#31906444)

MSFT itself has already been hit by a similar attack [tomshardware.com] .

Thank goodness (3, Funny)

NEDHead (1651195) | more than 4 years ago | (#31905718)

This explains all those sexy emails my girlfriend has been getting from all kinds of different guys in her gmail account

Re:Thank goodness (1)

whovian (107062) | more than 4 years ago | (#31905918)

This explains all those sexy emails my girlfriend has been getting from all kinds of different guys in her gmail account

Don't blame us, blame Google. It goes to show how googling "NEDHead's girlfriend" and hitting the I'm Feeling Lucky button is really that good.

Is it time to change passwords? (1)

el_flynn (1279) | more than 4 years ago | (#31905746)

"The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions."

"Does not appear" falls kinda short of a satisfactory statement. Considering the intruders took two days to get the source code, one wonders what else they were up to in that period of time. I'm changing my gmail password now..

Star Wars (1)

BarlowBrad (940854) | more than 4 years ago | (#31905778)

...the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future.

Many Bothans died to bring you this information...

Re:Star Wars (1)

Mr Stubby (1122233) | more than 4 years ago | (#31906262)

The greatest unsung hero of the Star Wars universe is Manny Bothans.

Wrong security model (1)

kocsonya (141716) | more than 4 years ago | (#31905866)

"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"

As Bruce Schneier said, security through obscurity does not work...

Re:Wrong security model (2, Interesting)

nomadic (141991) | more than 4 years ago | (#31906020)

As Bruce Schneier said, security through obscurity does not work...

That has been a mantra on slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+-year-old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.

Re:Wrong security model (1)

causality (777677) | more than 4 years ago | (#31906124)

As Bruce Schneier said, security through obscurity does not work...

That has been a mantra on slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+-year-old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.

If you want a clearer example, do some research on encryption algorithms and what it takes before they are considered secure enough for general use.

Re:Wrong security model (3, Insightful)

grcumb (781340) | more than 4 years ago | (#31906040)

"theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"

As Bruce Schneier said, security through obscurity does not work...

Are you sure he said that, or did he say that it was wrong to rely on security through obscurity? Obscurity (i.e. not telling tales out of school) is one valid element of an overall security model.

Paranoia (2, Interesting)

Internetuser1248 (1787630) | more than 4 years ago | (#31905896)

This sounds very, very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe Google's "do no evil" policy, if they are pushed far enough they will become something we don't want.

Re:Paranoia (3, Insightful)

causality (777677) | more than 4 years ago | (#31906136)

This sounds very, very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe Google's "do no evil" policy, if they are pushed far enough they will become something we don't want.

So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.

Stolen (0)

Anonymous Coward | more than 4 years ago | (#31905924)

I thought copyright infringement wasn't stealing

Re:Stolen (0)

Anonymous Coward | more than 4 years ago | (#31906000)

This case is more stealing, though. Someone (singular or plural?) broke into their computer system and took their code, without their consent. That actually fits stealing. Above, someone already went through this about a half hour before your post [slashdot.org]. It's not the same as someone copying around bits from someone else who consents to them copying those bits. It's apparently a thin line that, from the posts on /. today, is apparently too thin for more than just the RIAA/MPAA/MS/etc. to see...

Re:Stolen (1)

t0y (700664) | more than 4 years ago | (#31906010)

It's easy to be confused. If it wasn't released and kept "secret", it's stealing.
Copyright doesn't even make sense in this case.

So what's great about Gaia? (0)

Anonymous Coward | more than 4 years ago | (#31906064)

Last I checked, authentication systems were a dime a dozen.

Re:So what's great about Gaia? (1)

AHuxley (892839) | more than 4 years ago | (#31906484)

Depends who gets what and in what time frame.
Would the NSA get https in real time 24/7 from day 0?
Would some local taskforces or feds get a backdoor with a court order re US porn, fraud, threats?
Did China want the same for its issues with Tibet, Xinjiang, Tiananmen Square, CIA-backed cults, officials talking to NGOs, evil journalists, local human rights workers, environmentalists etc.?
Did Google play the court order game too long and something had to give?
Someone needed data fast on some issue and China took it.
China should learn from the USA. You don't request information from private networks, you *are* the only network and allow others to traverse it on your terms.
Play nice and enjoy wealth for all, make problems and feel the full force of the federal gov in every aspect of your life with 100% downtime later on.

I have to say this... (1)

coolgeek (140561) | more than 4 years ago | (#31906154)

In Soviet Google, privacy discloses you.

I'm not worried (1)

Evil_Ether (1200695) | more than 4 years ago | (#31906306)

It's only my Facebook and Gmail at risk, and I keep all my secret plans to stop China's world domination on my secret server.

Why is production source code available online? (1)

mikein08 (1722754) | more than 4 years ago | (#31906314)

And if it's not directly available online, why is it anywhere near where a hacker can get to it, esp. code this sensitive? I am truly dumbfounded. Heads should roll for this, and I mean heads way up there in the hierarchy. But otherwise, why isn't Google's password authentication software secure enough to withstand being stolen? VMS uses a one-way hashing routine for password authentication. So even if you have the code in question, it won't help you. Which, I suppose, is yet another reason that VMS is the best OS.
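The two threads above (Schneier's point that obscurity is not a security model, and the VMS one-way-hash argument that possessing the verifier's code should not help an attacker) come down to the same design rule. As an added illustration, not code from the thread, from Google or from VMS, here is a password store whose algorithm is entirely public; the scheme (PBKDF2-HMAC-SHA256 with a per-user random salt) and all names are assumptions, and the sample passwords are constructed.

```python
"""Public-algorithm password verification (added example; hypothetical names).
Security rests on the password and the one-way function, not on hiding the code."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> dict:
    """Store salt, iteration count and the derived key only; the password is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": key.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time.
    Everything needed to run this is public; only the password is missing."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["hash"]))


def salts_make_records_unique(password: str) -> bool:
    """Two records for the same password differ because the salts differ,
    so a leaked record and the leaked code give no shortcut across users."""
    a = make_record(password)
    b = make_record(password)
    return a["hash"] != b["hash"] and verify(a, password) and verify(b, password)


if __name__ == "__main__":
    rec = make_record("correct horse battery")        # constructed sample
    print(verify(rec, "correct horse battery"))        # True
    print(verify(rec, "Correct horse battery"))        # False
    print(salts_make_records_unique("hunter2"))        # True
```

The record is safe to log or store in plain text; what the attacker gains from reading this code is only the knowledge that each guess costs one full PBKDF2 run.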

I've noticed a lot of hacked accounts.... (2, Interesting)

zoid.com (311775) | more than 4 years ago | (#31906388)

I've been sent spam recently from quite a few people whose Gmail accounts have been hacked. Look at the gmail forums...

http://www.google.com/support/forum/p/gmail/label?lid=65ac3f0a8251ca2d&hl=en [google.com]

Filled with spam from hacked account messages. Coincidence?
