Cyberattack lifted Google password system code, says report

When alleged Chinese hackers infiltrated Google's internal systems in December, they lifted source code for a password system that controls access to almost all of the company's web services, according to a report citing a person with direct knowledge of Google's investigation into the matter. The New York Times reports that the …

COMMENTS

This topic is closed for new posts.
Happy

Of source!

The course sode may be causy, that's the cause of the course, of source

3
0

Microsoft Messaging?

How Embarrassing - will they ever live it down

3
0
Badgers

Better dogfood?

If the employees not only don't use Google Talk, but also don't use any of the open source "universal" clients (pidgin, etc), and go with MS Messenger... wow. Or was this person trying to maintain a sideband communication channel? Of course, this is assuming that MS Messenger isn't used in China as a matter of course; more money to the Chinese gov to allow passage across the Great Firewall and all that...

However, this does show that while Google employees may be provided a Linux desktop, this one was running Windows - MS does not provide an MS Messenger client for Linux.

Violation of corporate policy? In China? Naw....

0
0
FAIL

Correction

The fault isn't that they were running MSN (or any other messenger system), it was that the user clicked on the link they received and were C&Ced by the website it directed them to. In the original press release, the exploit vector was IE6, so one would assume they clicked a link from MSN Messenger on their Win(XP?) box and their IE6 popped up and faithfully bent over and took a malicious datastream up the <insert nether-region here>.

Either way, fail on Google for not enforcing Linux+Chrome on their users. Fail to the firewall jocks that allowed the malicious site through. Fail to software vendors for not supporting IE7+ (or even better FF/Chrome/etc). And, of course, fail to MS for allowing a C&C bot to install/hide on a WinPC by simply viewing a website in what should have been a next-to-not privileged app.

This will always be a fun story for the sheer amount of fail.

One other side note: If [the hackers] stole the Gaia code, and Google figured it out (presumably from the source repo logs), why not just pilfer a checked-out version instead (which wouldn't have an audit trail)? Or does the source repo not actually check-out code to a workstation, but is web-based and allows for remote editing of a virtual "checked-out" copy?

0
0
Silver badge
Boffin

Even more embarrassing...

The fact that the "hack" surely began when the aforementioned employee clicked on one of those oh-so-common links that botnets send, like "WATCH MY NUDE PICS!" or "TSUNAMI HITS! WATCH VIDEO!".

That is one of the reasons my missus doesn't have an Admin account on my home PC ... her defunct laptop used to get hit by those links. Mind you, I blame those annoying "Tap to Click" trackpads, too easy to click when you don't want to click.

0
0
Silver badge
Pirate

If I were King...

I would cut China off from the Internet.

These guys are 100% untrustworthy.

Off with their <head>

0
2
Anonymous Coward

You, Sir, are an idiot

And shouldn't be working in IT.

2
1
Paris Hilton

The iKing &...

If you were 'King' you'd be the first put to the guillotine.

"If a man should happen to reach perfection in this world, he would have to die immediately to enjoy himself."

Have fun exorcising all them '100% untrustworthy' parts from your computer. After you retrieve your head from the basket that is. Obviously.

0
0
Silver badge
WTF?

Oh lighten up Francis

You guys need a humour transplant...

0
0
FAIL

FW Security Review

You would think a company of this size would have a default stance of blocking IM at the corporate firewall. I guess maybe the employee was working via a home adsl or something??

Time to connect up the mighty google fibre to its own employees' houses and direct all traffic through its hub!

1
0
Anonymous Coward

sounds

Sounds far more like a criminal raid or a corporate espionage raid with the Chinese dissident emails being a feint.

2
0
Pint

msmsngr

Well they had to reverse-engineer the incumbents as part of normal practice right?

0
0

and

damn sure that MS employees have chrome and toolbar puke ratting out all sorts of demons.

0
0
Gold badge
FAIL

single sign on.

What could go wrong with that idea. Users love it.

Seriously WTF with IM from *outside* the corporate firewall.

IM, as in popular C&C channel for malware.

0
0
Welcome

If all they got was the code for the password system...

... then maybe Google should open-source it?

After all isn't peer-review of security code supposed to be a good thing?

There's no such thing as security by obscurity and all that :)

0
1

Clever

Of all the source code to go for, that is really a clever acquisition. It's amazing that they caught it. Tells me that they keep a close watch on the source repositories.

0
1
Gold badge

security through obscurity and firewalls

first off. I question how strong a "corporate firewall" google has. They aren't a normal corp, they have mass r&d and collect the types of ppl who would want a full internet connection at their desks. They have a standard linux desktop but last i heard let minions run what they'd like.

as for this code theft, it shouldn't be a problem -- unless they find flaws, the code surely doesn't rely on obscurity to operate, it should operate on sound and well known cryptographic principles where knowing the code gains nothing. See ssh and openssl.

2
0
Pint

Blessed Be

If I were a goddess, and someone named something after me, I would either be pleased or displeased. If I were displeased, I would smite them.

If, not being displeased with the recognition, someone UN-named a thing after me, I'd be SURE to smite them.

I think what we have here is proof positive of the power of the Earth Goddess.

1
0
wsm

Source code?

Is this anything like lifting the source code for an encryption algorithm? Doesn't mean you can crack it, does it?

Still, why didn't it take Trojans upon Trojans to get to things that should be locked up and not connected to this Internet thing we keep hearing about? At least, it shouldn't be accessible in one piece without bits missing.

0
0