Source Code To Google Authentication System Stolen 306
Aardvark writes "More details are coming out about the extent of the break-in at Google a few months ago. The NY Times is reporting that one of the things stolen was the source code to Google's single sign-on authentication system, called Gaia. Though Google is making changes to the system, the theft raises the possibility that attackers could analyze the code to find new exploits to take advantage of in the future. No wonder that Eric Schmidt recently said they've become paranoid about security."
Re:More Eyes (Score:2, Informative)
Not quite as "insightful" as the mods think. (Score:5, Informative)
They took the code without Google's consent, hence they stole it.
Not quite. In most jurisdictions, the question "Is it theft?" is answered by the following tests.
1. Was the property provably taken without consent?
2. Was the property provably taken with the intent of depriving its rightful owner of said property?
If both of those tests are true, it's theft. In this case, Google still has a copy of their code, so the crime would not be considered theft in most jurisdictions.
Of course, in the USA there is no national definition of theft, since it's defined and prosecuted at the state level. Talk about confusing.
"Theft" is a concept that really varies in meaning from place to place. I guess that's why so many people jump on their high horse, wave their hands madly, and proclaim that various petty infringements are "stealing". They are probably right in the context of some banana republic somewhere.
Re:"Source Code [...] Stolen" (Score:4, Informative)
Being positive today I'm going to go with maybe English isn't your first language. Here is a definition..
They took the code without Google's consent, hence they stole it.
hmmm. actually it sounds like you're the one with a poor grasp of what's going on here. Definition of 'take' - "to remove, capture, consume, or dispossess from someone else."
the sourcecode was not stolen. a copy of the sourcecode was stolen. and this is a crucial distinction since "steal" means to deprive from another. and while google has been violated, they most absolutely have not been deprived of any code.
a common sense analogy for you: say i break into your house and photocopy all of your books. no one would suggest that i've stolen your books. for me to have stolen you books, i would have to take then and leave you with nothing. in the google case that did not happen. hence OP's quite proper correction.
Re:Many eyes = problem? (Score:4, Informative)
They found Google's secret sauce.
If Request.Form("password") = "JOSHUA" Then
Response.Write("Greetings, Professor Falken")
Set Godmode=1
Re:Paranoid about security? (Score:5, Informative)
If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.
Have a nice day.
Re:Many eyes = problem? (Score:3, Informative)
Yes they missed something, from TFA
The theft began with an instant message sent to a Google employee in China who was using Microsoft’s Messenger program, according to the person with knowledge of the internal inquiry, who spoke on the condition that he not be identified.
By clicking on a link and connecting to a “poisoned” Web site, the employee inadvertently permitted the intruders to gain access to his (or her) personal computer...
How google missed a stupid employee? "But" (you yell) " there had to be a flaw that let them gain access!". Yes, there was a flaw:
The attacks took advantage of a flaw in Internet Explorer 6 that was quickly patched, although the damage had been done.
So a google employee in China was using IE6 and clicking on links from someone who claimed to be another employee who wished to remain anonymous?
They missed an idiot. Pure and simple.
Re:More Eyes - if you publish (Score:2, Informative)
If the only eyes looking other than your own are hostile eyes...
The point being made was that this is the case only when you don't publish your code, and therefore the only way it gets out is if it's stolen - thus, now you have access and the person who stole it has access. If on the other hand you publish the code, then everyone, good and bad has access, and hopefully count(good) > count(bad)
Re:Paranoid about security? (Score:5, Informative)
OK, more context:
Q: People are treating Google like their most trusted friend. Should they be?
A: I think judgement matters If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place. But if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.”
In this context, "doing it" now refers to "treating Google like their most trusted friend" because otherwise, the phrase would be "shouldn't have it."
People are too political about this issue and refuse to actually think. Screw grammar. The meaning is quite clear in context. If you don't want someone to find out about something you're doing, don't do it through Google (or any other search engine). They all keep records and can all be subpoenaed. Use some other method.
So, yeah, don't trust GOOG with your darkest secrets. Schmidt said it, himself. Also, if you're smoking pot, do it in you house and not in the public park.