Google chief 'paranoid' on security after China attack Google's chief exec said the search engine giant is paranoid about further security attacks in the wake of a high-profile assault it blames on hackers in China late last year. Answering questions following an presentation before 400 chief information officers at the Atmosphere 2010 cloud technology conference on Monday, Eric …
The bit of this story that still appears to be missing, is that this room appe0ars to have at least 30 other blue-chip elephants standing in it, but no one particularly wants to talk about them.
Yes, we know Google was hacked, and we have some idea what sort of stuff was targeted from them, but who are those other 30 companies? What did they lose? Are they even secured, now?
What do we have to do? Start guessing? Try to imagine what might have been stolen from HP, IBM, Microsoft, Arbornet (Working from the purely hypothetical premise that - as blue-chip companies trading in China - they could, therefore, possibly be one of our elephants)?
What does a country like China steal off you, when you won't sell them it?
Basically, what has been proven for years is that the web, and all the technologies involved are flawed, and are wholly inadaquate for the task.
To change this, entirely re-engineering both the internet and how software is made and developed is required, and that is not likely to happen any time soon.
Computing in general, and the entire industry builds things with licenses that state in most cases complete refusal for any responsibility at all in software. If it sets fire to equipment, not our fault. If it eats all your data, and you go bust, not our fault. If it crashes your warship into the harbour not our fault.
This is not real world. In the real world, if someone makes a bridge and it falls down, or someone makes a car and the wheels fly off, its not accepted. In computing, people can build a browser, and a function, and never give a crap about security.
The only way you will ever change things is by making security in at least some systems totally paramount by design. Not nice, or easy to do, but required.
Proposition: "the web, and all the technologies involved are flawed, and are wholly inadaquate for the task."
That depends what you consider the task to be. If it is "securely transferring customers' data and your own while testing for information relevant to national security, and managing the tools for same", then Google failed.
For that matter, despite best efforts, it seems that individual accounts are created for misuse on Google services every day - such as a GMail account used to send spam e-mail.
"Computing in general, and the entire industry builds things with licenses that state in most cases complete refusal for any responsibility at all in software."
At shrinkwrap level, yes; when our business relationships are more sophisticated, no. I assume that an enterprise support contract such as with Linux or cloud computing does carry guarantees and penalty clauses, for instance on integrity of backups.
As a software engineer I know that it is very hard - bordering on the impossible - to create even a 100-lines program that is 100% correct (according to a specification).
Maybe even the specification is imcomplete or even ambigous ! And please don't tell me that it is possible to make it "formal". Apart from the fact that for a lot of stuff there does not exist a useful formal spec language, also formal specs can contain bugs !
Now, real programs can easily have 100.000 or even a couple of millions line of code. They are developed under extreme pressure to meet a deadline and cram in plenty of new features and bugfixes. Because that is what customers care first and foremost - features and apparent (!) robustness.
Also, the accepted "industry standard" is C and C++ as the language. My guess is that more than 50% of security issues are a result of the non-existent safeguards of that language. Most Unixes had a bug in the ping handler that allowed an attacker to remotely shoot down the OS with an oversized ping paket - for probably 20 years !
Recently an older bug was discovered in the yacc compiler generator. And this code has been looked at by many, many skilled people.
But even with safer languages it is all too easy to make simple and more complex mistakes that are exploitable by a hacker.
The bottom line is that A) customers have to put pressure on software suppliers to use better languages, tools and processes; B) pressure operating system suppliers to create sandbox systems like AppArmor or Sandboxy and C) you have to defend your network and spend a lot of money and labour on that. Managed Security Companies can help with that.
And/Or disconnect critical stuff (like new design data, source code etc) completely from the internet.
My two cents:
Cent 1: You can't trust ANY govt to NOT poke it's fingers into other people's pies. It's human nature and a survival trait -- now i'm not saying it's either right or wrong.
Cent 2: Leaving such a promising market with it's tail tucked between it's legs says all sorts of bad things about Google -- one of them being that they're unable to guarantee the safety of your information in world of information that's becoming more complex every day.
Pre-assault = Labile and Dangerously Naive.
Post-assault = Resistant and Post-Traumatically Distressed.
Caveat: Post-traumatic dissociative symptoms may mimic those of degenerative schizophrenia, which is a different condition entirely. Accurate differential diagnosis is essential to the successful outcome.
I have to interface to US government and Massachusetts State government web sites all of the time, and it amazes me that they still all require/request that you use IE, usually IE6. It just highlights the fact that there is a whole subindustry of 2nd rate software companies that sell only to Government. They could not make it in the commercial sector.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
