When alleged Chinese hackers infiltrated Google's internal systems in December, they lifted source code for a password system that controls access to almost all of the company's web services, according to a report citing a person with direct knowledge of Google's investigation into the matter. The New York Times reports that the …
The course sode may be causy, that's the cause of the course, of source
How Embarrassing - will they ever live it down
If the employees not only don't use Google Talk, but also don't use any of the open source "universal" clients (pidgin, etc), and go with MS Messenger... wow. Or was this person trying to maintain a sideband communication channel? Of course, this is assuming that MS Messenger isn't used in China as a matter of course; more money to the Chinese gov to allow passage across the Great Firewall and all that...
However, this does show that while Google employees may be provided a Linux desktop, this one was running Windows - MS does not provide a MS Messenger client for Linux.
Violation of corporate policy? In China? Naw....
The fault isn't that they were running MSN (or any other messenger system), it was that the user clicked on the link they received and were C&Ced by the website it directed them to. In the original press release, the exploit vector was IE6, so one would assume they clicked a link from MSN Messenger on their Win(XP?) box and their IE6 popped up and faithfully bent over and took a malicious datastream up the <insert nether-region here>.
Either way, fail on Google for not enforcing Linux+Chrome on their users. Fail to the firewall jocks that allowed the malicious site through. Fail to software vendors for not supporting IE7+ (or even better FF/Chrome/etc). And, of course, fail to MS for allowing a C&C bot to install/hide on a WinPC by simply viewing a website in what should have been a next-to-not privileged app.
This will always be a fun story for the sheer amount of fail.
One other side note: If [the hackers] stole the Gaia code, and Google figured it out (presumably from the source repo logs), why not just pilfer a checked-out version instead (which wouldn't have an audit trail)? Or does the source repo not actually check-out code to a workstation, but is web-based and allows for remote editing of a virtual "checked-out" copy?
Even more embarrassing...
The fact that the "hack" surely began when the aforementioned employee clicked on one of those oh-so-common links that botnets send, like "WATCH MY NUDE PICS!" or "TSUNAMI HITS! WATCH VIDEO!".
That is one of the reasons my missus doesn't have an Admin account on my home PC ... her defunct laptop used to get hit by those links. Mind you, I blame those annoying "Tap to Click" trackpads, too easy to click when you don't want to click.
If I were King...
I would cut China off from the Internet.
These guys are 100% untrustworthy.
Off with their <head>
You, Sir, are an idiot
And shouldn't be working in IT.
The iKing &...
If you were 'King' you'd be the first put to the guillotine.
"If a man should happen to reach perfection in this world, he would have to die immediately to enjoy himself."
Have fun exorcising all them '100% untrustworthy' parts from your computer. After you retrieve your head from the basket that is. Obviously.
Oh lighten up Francis
You guys need a humour transplant...
FW Security Review
You would think a company of this size would have a default stance of blocking IM at the corporate firewall. I guess maybe the employee was working via a home adsl or something??
Time to connect up the mighty google fibre to its own employees' houses and direct all traffic through its hub!
Sounds far more like a criminal raid or a corporate espionage raid with the Chinese dissident emails being a feint.
Well they had to reverse-engineer the incumbents as part of normal practice right?
damn sure that MS employees have chrome and toolbar puke ratting out all sorts of demons.
single sign on.
What could go wrong with that idea. Users love it.
Seriously WTF with IM from *outside* the corporate firewall.
IM, as in popular C&C channel for malware.
If all they got was the code for the password system...
... then maybe Google should open-source it?
After all isn't peer-review of security code supposed to be a good thing?
There's no such thing as security by obscurity and all that :)
Of all the source code to go for, that is really a clever acquisition. It's amazing that they caught it. Tells me that they keep a close watch on the source repositories.
security through obscurity and firewalls
first off. I question how strong a "corporate firewall" google has. They aren't a normal corp, they have mass r&d and collect the types of ppl who would want a full internet connection at their desks. They have a standard linux desktop but last i heard let minions run what they'd like.
as for this code theft, it shouldn't be a problem -- unless they find flaws, the code surely doesn't rely on obscurity to operate, it should operate on sound and well known cryptographic principles where knowing the code gains nothing. See ssh and openssl.
If I were a goddess, and someone named something after me, I would either be pleased or displeased. If I were displeased, I would smite them.
If, not being displeased with the recognition, someone UN-named a thing after me, I'd be SURE to smite them.
I think what we have here is proof positive of the power of the Earth Goddess.
Is this anything like lifting the source code for an encryption algorithm? Doesn't mean you can crack it, does it?
Still, why didn't it take Trojans upon Trojans to get to things that should be locked up and not connected to this Internet thing we keep hearing about? At least, it shouldn't be accessible in one piece without bits missing.