Forgot your password?
typodupeerror
Google Security

Source Code To Google Authentication System Stolen 306

Posted by kdawson
from the crown-jewels dept.
Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."
This discussion has been archived. No new comments can be posted.

Source Code To Google Authentication System Stolen

Comments Filter:
  • by Anonymous Coward on Monday April 19, 2010 @10:09PM (#31905438)

    Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

    • by WrongSizeGlass (838941) on Monday April 19, 2010 @10:25PM (#31905580)

      Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

      What they meant was your privacy didn't matter to them.

    • by coolgeek (140561) on Monday April 19, 2010 @11:48PM (#31906146) Homepage

      Really, this shouldn't matter, unless they are doing something they should not be doing.

    • Re: (Score:3, Insightful)

      by d'baba (1134261)
      Am agreeing here. Am reminded of article which said. "Microsoft is a bunch of arrogant business people. Google is a bunch of arrogant engineers."
      If security depends on code it is insecure. Period.
      If security depends on people it is insecure. Period.
      It is insecure. Period.
      ----
      Hypertext isn't what it's marked up to be.
    • Re: (Score:3, Insightful)

      by drsmithy (35869)

      Strange - didn't you guys say if I had nothing to hide, privacy didn't matter?

      No, they said if you willingly broadcast your life all over the intarclouds they you have no grounds to complain about your privacy being violated when others (ab)use that information.

    • by Anonymous Coward on Tuesday April 20, 2010 @01:46AM (#31906792)
      Please understand the context of a quote before referencing said quote. Eric Schmidt said:

      If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.

      Have a nice day.

  • Sauce? (Score:5, Funny)

    by Anonymous Coward on Monday April 19, 2010 @10:10PM (#31905454)

    tar.gz or it didn't happen

  • More Eyes (Score:5, Funny)

    by Daengbo (523424) <daengbo@nospaM.gmail.com> on Monday April 19, 2010 @10:11PM (#31905466) Homepage Journal

    More eyes make the bugs shallow, right? ;)

  • by choongiri (840652) on Monday April 19, 2010 @10:13PM (#31905478) Homepage Journal
    So, Schmidt is worried because google was relying on security through obscurity?
    • by Gamer_2k4 (1030634) on Monday April 19, 2010 @10:50PM (#31905764)

      So, Schmidt is worried because google was relying on security through obscurity?

      Whoever modded you Flamebait was dead wrong. Open disclosure is one of the major principles of security, and security through obscurity is an awful thing to trust in. It's true that openly available systems can be more susceptible to attacks, but a sufficiently robust system should be able to stand up to the scrutiny.

      • by Anonymous Coward on Monday April 19, 2010 @11:11PM (#31905934)

        I can appreciate that security through obscurity is false, but I kinda got the impression that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed. Can you say with absolute certainty that any open source software is absolute bulletproof? Even OpenSSH and OpenSSL have released numerous minor revisions to fix potential security exploits. Being open source doesn't automatically mean it's more secure, but when you've got a ton riding on some piece of software I think a bit of paranoia is justified.

        • Re: (Score:2, Insightful)

          by spazdor (902907)

          that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed

          That's called relying on obscurity. If having the source code lets you find something Google missed, that means Google missed something.

          • Re: (Score:3, Insightful)

            by macshit (157376)

            that they weren't really relying on obscurity, rather the enemy now has that much better a chance of finding something they missed

            That's called relying on obscurity. If having the source code lets you find something Google missed, that means Google missed something.

            No, it doesn't. There's a big difference between relying on obscurity -- which google, apparently, was not -- and simply being concerned because the bad guys have more ability to search for flaws.

            The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

            • by Vellmont (569020) on Tuesday April 20, 2010 @12:35AM (#31906426)


              and simply being concerned because the bad guys have more ability to search for flaws.

              Much of the world relies on security systems that are completely open and available to everyone. One of the prime examples is openSSH. Another prime example in openSSL. I don't hear too many people worried that these systems are more vulnerable because attackers have access to the code.

              The latter is a pretty natural human reaction to an event like this, regardless of how well designed their security system is, because all designs, and all code, potentially contains flaws, even if designed and implemented by the most brilliant security researchers.

              Panic and stupidity are also natural human reactions. Since when did something being "natural" become a justification for something? I can understand the reaction, but that doesn't mean it's right.

              It's pretty stupid to rely on code remaining secret. Code is something that's very difficult to make secret as it gets copied all over the place. How many people at Google already have access to it? It seems to me that if Google really wants to be secure they should just release the damn code so "the good guys" also have access to it, since apparently "the bad guys" already do.
                 

              • Re: (Score:3, Interesting)

                by SharpFang (651121)

                I worked at a big portal, and I can say it was not possible to protect our apps from -everything-.
                Some things are not possible - like keeping IPs of all the users ever vs every page in the portal visited ever. Too much data, simply.

                We depended on obscurity - keeping the code secret - in several cases:
                - make the attacker believe the attack succeeded while it didn't, to make them continue this vector instead of trying something harder which could actually succeed
                - short-lived, statistical blac

          • We already know that Google missed something. The attackers got in. Now Google has to figure out what else it missed, and fix those bugs post haste.

            Open source software works best when the code is publishable; when the millions of eyes can understand it and contribute back to it. Getting the code into publishable shape takes time and manpower, and right now, Google can spare neither.

            • Re: (Score:3, Informative)

              by anarche (1525323)

              Yes they missed something, from TFA

              The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.

              By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer...

              How google missed a stupid employee? "But" (you yell) " there had to be a flaw that let them gain access!". Yes, there was a flaw:

              The attacks took advantage of a flaw in Internet Explorer 6 that was quickly patched, although the damage had been done.

              So a google employee in China was using IE6 and clicking on links from someone who claimed to be another employee who wished to remain anonymous?

              They missed an idiot. Pure and simple.

    • by InlawBiker (1124825) on Tuesday April 20, 2010 @01:15AM (#31906644)

      They found Google's secret sauce.

          If Request.Form("password") = "JOSHUA" Then
          Response.Write("Greetings, Professor Falken")
          Set Godmode=1

  • by Logos (80812) on Monday April 19, 2010 @10:14PM (#31905486)

    Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

    • by TubeSteak (669689) on Tuesday April 20, 2010 @12:29AM (#31906386) Journal

      Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

      There's probably a whole lot of stuff in that source code that is either a trade secret or gives clues to trade secrets google would rather keep private.

      The most realistic course of action would be for them to hire some 3rd party pen testers and auditors to pick apart their code under a microscope.

      • by MikeFM (12491)
        Their sign-on sucks so they can't have much to hide. It's one of the worst I've seen and I'm constantly having users run into issues with it such as accidentally creating a new account for a sub-account login. It has a lot of issues related to Google Apps too. It's clearly not engineered to handle the many different systems that they now use.
      • they already have security geniuses at google. I know for a fact that they do not feel much need to hire external parties.

    • Re: (Score:3, Funny)

      by noidentity (188756)

      Seriously, the bad guys already have it, so enlist the help of the security community to improve it.

      The code was stolen, so they're going to have to rewrite it from scratch. You'd think Google would have had a backup somewhere, but maybe they stole that too.

  • by HockeyPuck (141947) on Monday April 19, 2010 @10:17PM (#31905504)

    I thought the cloud was secure?

    • by siddesu (698447) on Monday April 19, 2010 @10:20PM (#31905538)
      the cloud is secure. it is the dev workstations that are in danger :)
    • by wvmarle (1070040)

      Now that is true security by obscurity.

      I mean: ever been in an aircraft flying through the clouds? Nothing much to see, the cloud obscures it all!

  • by Animaether (411575) on Monday April 19, 2010 @10:22PM (#31905554) Journal

    Stolen?

    What.. they are no longer in possession of the source code?

    • by LingNoi (1066278) on Monday April 19, 2010 @10:36PM (#31905672)

      Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

      steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

      They took the code without Google's consent, hence they stole it.

      • by Anonymous Coward on Monday April 19, 2010 @11:27PM (#31906018)

        They took the Movie without paying for MPAA consent, hence they stole it.

        We like to change the meaning of the words when it's convenient for us

        • Re: (Score:3, Insightful)

          by Animaether (411575)

          My point exactly - no matter how much it's modded "Off-topic" currently :D /karma

        • by LingNoi (1066278)

          We like to change the meaning of the words when it's convenient for us

          Yes, downloading shit for free off the internet is stealing too. Also who is the "We" you're talking about.

          • The "we" would be the majority of those who bother to comment on such stories.

            There's very few who argue the opposite, such as yourself.

            My own take on it can be gleaned from my comment history, but my original comment was mainly aimed at those who shout the loudest that 'copyright infringement isn't theft!' in the usual story comments threads :)

      • by neiras (723124) on Tuesday April 20, 2010 @12:06AM (#31906246)

        They took the code without Google's consent, hence they stole it.

        Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.

          1. Was the property provably taken without consent?
          2. Was the property provably taken with the intent of depriving its rightful owner of said property?

        If both of those tests are true, it's theft. In this case, Google still has a copy of their code, so the crime would not be considered theft in most jurisdictions.

        Of course, in the USA there is no national definition of theft, since it's defined and prosecuted at the state level. Talk about confusing.

        "Theft" is a concept that really varies in meaning from place to place. I guess that's why so many people jump on their high horse, wave their hands madly, and proclaim that various petty infringements are "stealing". They are probably right in the context of some banana republic somewhere.

        • by LingNoi (1066278)

          Would you be so kind as to cite an example?

        • by LingNoi (1066278)

          So I've looked at this some more and this is what US law states on deprive:

          3. "Deprive." To "deprive" another of property means (a) to withhold it or cause it to be withheld from him permanently or for so extended a period or under such circumstances that the major portion of its economic value or benefit is lost to him, or (b) to dispose of the property in such manner or under such circumstances as to render it unlikely that an owner will recover such property.

          Since Google could quite successfully argue in

          • Re: (Score:3, Insightful)

            by Animaether (411575)

            Since Google could quite successfully argue in court that their closed source code has lost value it's theft.

            Slow down there, cowboy :)

            They would have to argue successfully that the major portion of its economic value or benefit is lost to him (does it really use 'him'? how quaint)

            I would argue that most of the world could have the source code and there's no real economic value loss to Google unless their shares dropped for a few seconds or somesuch since this became public knowledge. I can take slashcode,

          • by metacell (523607) on Tuesday April 20, 2010 @02:22AM (#31906972)
            According to the definition of deprivation you quote, it's not enough to cause the property to lose value. You have to withhold it from the rightful owner so that it loses value. And the hackers weren't able to withhold Googles own source code from them.
        • by metacell (523607)

          1. Was the property provably taken without consent?
          2. Was the property provably taken with the intent of depriving its rightful owner of said property?

          Are you sure about the second criterion? For example, if I steal an apple from someone, the intent is not to deprive the other person of an apple, it's merely to get an apple for myself.

      • by BC Guy (657285) on Tuesday April 20, 2010 @12:30AM (#31906392)

        Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..

        steal - take without the owner's consent; "Someone stole my wallet on the train"; "This author stole entire paragraphs from my dissertation"

        They took the code without Google's consent, hence they stole it.

        hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."

        the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.

        a common sense analogy for you: say i break into your house and photocopy all of your books. no one would suggest that i've stolen your books. for me to have stolen you books, i would have to take then and leave you with nothing. in the google case that did not happen. hence OP's quite proper correction.

        • Re: (Score:3, Insightful)

          by LingNoi (1066278)

          Your book analogy isn't a similar situation at all. You didn't write the book, you weren't trying to keep it secret and the person possessing a copy doesn't negatively effect the original holder.

          All of these things apply in Google's situation. Also my definition of steal is accurate, they broke in and copied the code without consent from Google. The copying part isn't the problem it is the without their consent part which makes it stealing.

      • by houghi (78078)

        Many would call it copyright infringement. At least in other discussions it is called that way.

        • Re: (Score:3, Insightful)

          by LingNoi (1066278)

          That's a different issue really. Copyright Infringement would be re-distributing copyright without permission of the owner, etc.

          This code theft is taking copyright that they had no permission to take.

  • Open source it (Score:5, Insightful)

    by ka9dgx (72702) on Monday April 19, 2010 @10:23PM (#31905564) Homepage Journal

    They should open source it, since a copy is out on the loose anyway. This could work to their advantage.

    I still think capability based security is the only workable long term solution..

  • by el_flynn (1279) on Monday April 19, 2010 @10:41PM (#31905702) Homepage

    From TFA: "By clicking on a link [sent on Microsoft Messenger] and connecting to a 'poisoned' Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer and then to the computers of a critical group of software developers at Google’s headquarters in Mountain View, Calif. Ultimately, the intruders were able to gain control of a software repository used by the development team."

    I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels". Are their security practises that lax over there in Google China? And, considering that this happened to Google - a leading Tech-savvy company - how many other corporations and conglomerates have already been hit by a similar attack? Banks? Military? Oil and Gas? Heck, MSFT?? After all, TFA reported that it was a "lightning raid that lasted less than two days".

    And yeah, while TFA sounds like Luddite fear-mongering, I think it's a valid concern for everyone.

    • by ebonum (830686)

      Don't worry. When your medical records are put into databases, they will be secure.

      Honestly. If you want it secure, keep it offline.

    • matched the target

      that is, the economics of the attack is not a common one: your average podunk company offers what, exactly? and i'm not even talking in terms of financial possibilities, i'm talking in terms of corporate and political espionage, which the chinese government is interested in, not common robbery. because with google, if you break in, you get such a huge payoff in terms of strategic intelligence, unlike any other exploitable entity. so somewhere in china, a stable of minds are focused like a laser on you

      and structurally, security wise, the problem is the same as terrorism: the good guys have to be vigilant all the time, they can't fail ever. while the bad guys: they can screw up time and again, that's ok. they learn even. they only need to get in once. so even if you are google, no, ESPECIALLY if you are google because you're such a fabled target, you are at a strategic disadvantage, even with all your resources, to be hacked. those who want to hack you are ready to invest heavily into hacking you: its a good investment, because the payoff is gargantuan, the economics of the security situation works against google

      the REAL lesson is for us, the common joe blows of the world: don't put all of your eggs in one basket. have an ecosystem of interdepndent accounts with different companies. don't do EVERYTHING at google, or their exposure is your exposure

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      From what I read back when news of this first broke, usually when these attacks are successful, the infiltration lasts for years, because the goal is to quietly and relatively slowly pilfer things like that source code, not make a big mess as quickly as possible. If they are undetected, the attack is a lot more successful. The fact that Google caught this in 2 days speaks well for their security team.

    • by AaxelB (1034884)

      I don't know about you, but I'm quite shocked at how an innocuous thing like this can lead to the theft of "one of Google's crown jewels".

      I sincerely doubt this is anything near a "crown jewel" for Google. From TFA:

      The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

      Yes, a useful piece of software, and it probably works better than most every other site's login system. An important trade secret of Google's worth freaking out about? No. It also doesn't really seem like Google is freaking out. If they're making changes to the program, it's probably primarily to placate the panicky masses/press (or maybe panicky managers who don't really understand what's going on).

      Honestly, this whole story

  • by NEDHead (1651195)
    This explains all those sexy emails my girlfriend has been getting from all kinds of different guys in her gmail account
  • "The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions."

    "Does not appear" falls kinda short of a satisfactory statement. Considering the intruders took two days to get the source code, one wonders what else they were up to in that period of time. I'm changing my gmail password now..

  • "theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"

    As Bruce Schenier said, security through obscurity does not work...

    • Re: (Score:3, Interesting)

      by nomadic (141991)
      As Bruce Schenier said, security through obscurity does not work...

      That has been a mantra on slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+ years old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.
      • by causality (777677)

        As Bruce Schenier said, security through obscurity does not work... That has been a mantra on slashdot since it started and I have never been convinced that it's necessarily true. There are plenty of examples where a security hole was discovered in 10+ years old open source code. On the other hand, there's no way of knowing how many security holes are never exploited because the company whose systems have it keeps quiet.

        If you want a more clear example, do some research on encryption algorithms and what it takes before they are considered secure enough for general use.

    • by grcumb (781340) on Monday April 19, 2010 @11:29PM (#31906040) Homepage Journal

      "theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future"

      As Bruce Schenier said, security through obscurity does not work...

      Are you sure he said that, or did he say that it was wrong to rely on security through obscurity? Obscurity (i.e. not telling tales out of school) is one valid element of an overall security model.

  • Paranoia (Score:2, Interesting)

    This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.
    • Re:Paranoia (Score:4, Insightful)

      by causality (777677) on Monday April 19, 2010 @11:45PM (#31906136)

      This sounds very very bad to me, the worst fact being that security and paranoia always lead to bad decisions and breaches of rights. Even if we believe google's do no evil policy if they are pushed far enough they will become something we don't want.

      So don't use their services except perhaps for their search engine, and even then in a highly controlled fashion (NoScript, no cookies, no redirections, no HTTP Ping, no Google Analytics, etc). It's how I deal with my concerns about them.

  • In Soviet Google, privacy discloses you.

  • by zoid.com (311775) on Tuesday April 20, 2010 @12:29AM (#31906388) Homepage Journal

    I've been sent spam recently from quite a few people who's gmail accounts have been hacked. Look at the gmail forums....

    http://www.google.com/support/forum/p/gmail/label?lid=65ac3f0a8251ca2d&hl=en [google.com]

    Filled with spam from hacked account messages. Coincidence?

    • Targeted zero day attacks to steal source code are worth 1000x more than an account to send spam on. Root at google? This is actually a big deal, above the realm of small bot shops, this is superpowers in a cyber arms race. Very strong implications on the security of cloud computing as the provisioning company can be the vector of attacks to any company it hosts.
    • by RichM (754883)
      This happened to me as well.
      The worst part is, they kept my entire address book in the To: line, so everybody could see what my address book contained.
      It included the addresses of a few high-class escorts (for innocent reasons, mind you) and the email address for my department at work who also received the spam - I had some quick explaining [digit4l.net] to do on that one...
  • A cheap two factor solution like passwindow.com where the user tokens cost nothing to produce would be the best solution for mass deployment and more secure than most of the basic OTP electronic tokens which the trojans like Zeus are bypassing with MITB attacks. Anyone have any better ideas?

"Love is an ideal thing, marriage a real thing; a confusion of the real with the ideal never goes unpunished." -- Goethe

Working...