Cyberattack on Google Said to Hit Password System

IDemo Donating Member (1000+ posts) Mon Apr-19-10 09:26 PM
Original message
Cyberattack on Google Said to Hit Password System
Source: New York Times

By John Markoff
updated 4 minutes ago

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services.

The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.

The new details seem likely to increase the debate about the security and privacy of vast computing systems such as Google’s that now centralize the personal information of millions of individuals and businesses. Because vast amounts of digital information are stored in one place, popularly referred to as “cloud” computing, a single breach can lead to disastrous losses.

Read more: http://www.nytimes.com/2010/04/20/technology/20google.html?hp
global1 Donating Member (1000+ posts) Mon Apr-19-10 09:48 PM
Response to Original message
1. Hmmmm ..... Too Big To Fail.......nt
unc70 Donating Member (1000+ posts) Mon Apr-19-10 10:15 PM
Response to Original message
2. Security, privacy, freedom -- all are just illusions
I have been discussing this for about 20 years now, both as a senior professional and as a philosophical commentator.
Now past the point of even ranting about this.
boppers Donating Member (1000+ posts) Mon Apr-19-10 10:50 PM
Response to Original message
3. Sensationalistic Bullshit.
This is why John Markoff should stop writing about tech, he consistently manages to get it so wrong, and thus becomes incredibly misleading.

Gaia wasn't attacked. Gaia's source code was possibly looked at, because an infected machine had a copy of the code.

Those are two *vastly* different things.
JoeyT Donating Member (1000+ posts) Tue Apr-20-10 12:09 AM
Response to Reply #3
4. I agree.
"But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said." is kind of iffy too. Independent computer experts would probably agree that sooner or later, given enough time, money, and motivation, anything can be broken into.

The wording of that sentence makes it sound like your credit card information is going to be stolen the next time some script kiddie finds out how to create buffer overflows or something.
boppers Donating Member (1000+ posts) Tue Apr-20-10 01:45 AM
Response to Reply #4
5. Heck, open source the code.
I guarantee that millions of eyeballs will audit it, and find any holes.... the wording chosen seems to think that uncompiled "secret" code is somehow more secure.

Security by obscurity is generally laughed at.
unc70 Donating Member (1000+ posts) Tue Apr-20-10 08:32 AM
Response to Reply #5
6. "obscurity" vs "open source" is not the correct comparison
Your claim that "I guarantee that millions of eyeballs will audit it, and find any holes" is not supported by evidence. (Assumes the common meaning "find any holes" as "find any and all holes".) While I am a strong supporter of OS, it falls far short of the claims made for it. You can guarantee all you want, but there will still be holes.

Security of all sorts is generally laughed at.

I have known a few relatively secure systems over the past 40+ years. Mostly in locked rooms, with guards. Among the more accessible commercial systems are ones like OpenVMS, where sources for nearly everything are available to licensees but it is not an OSS environment.

The best assumptions going forward are that nothing is secure, nothing is secret, no entity should be considered as trusted.
boppers Donating Member (1000+ posts) Wed Apr-21-10 04:14 AM
Response to Reply #6
7. Your "best assumptions" are correct.
That being said, I'd rather have 10,000,009 engineers audit my code than... 2. or 1024.

The numbers are arbitrary, but the point is simple: peer-review works better than other existing systems.

(FWIW, OpenVMS, unlicensed, source code has been out there since the 90's (if not earlier).)

It's damn good code.

Point being that closed code offers no better security than open source.
unc70 Donating Member (1000+ posts) Wed Apr-21-10 09:24 AM
Response to Reply #7
8. OpenVMS sources available since 1978, but not Open Source
They were distributed originally on microfiche and did not quite include everything. Certain critical sections were not provided in the regular distribution.

More important than the number of people looking at the code would be the quality of those people. Probably fewer than one thousand of the ten million actually make much impact.

Having developed in both open and closed environments for over 40 years, I have rather strong opinions about what is important. There is one critical area where a product like OpenVMS can be at great advantage over OSS. That is in the enforcement of design and standards.

The most important aspects of large-scale, robust, reliable systems are the interface design and enforcement (checking of arguments to system calls, etc.), attention to security as key to every design decision, saying NO to new features (one of the biggest problems with most open source projects; competing technologies is a dangerous path for everyone), enforcement of design and documentation standards, etc.

The first question should be "Should this function be automated at all? Be a web application? etc."

The default answer should be NO. Just because something can be done, is not sufficient justification that it should be done.

boppers Donating Member (1000+ posts) Thu Apr-22-10 05:30 AM
Response to Reply #8
9. Wow, you're a greybeard. *obligatory worship*
Most of my "hard knocks" came from web-app work, where daily releases were expected. 3-5 compile/QA cycles a day.

I'm back at a "monthly release" company now. Much nicer. We have a beer keg and discuss implications of *every* line of code.

The most amusing trend I've seen lately is a philosophy to start back at the origins, and re-write. For example, eliminating SQL from the workflow. Because databases are complex for holding....data.

Turns out that we had a system that used an internal API, to point to a framework, to point to an API, to point to script libraries (which were then compiled), to point to binary libraries, which then pointed to.... files.

To get a key:value pair.

*sigh*

As an 8MHz guy (I was still in school before then), seeing such things on 64-core 2.8GHz monsters just makes me sad.

I'm guessing they would have made you homicidal.
unc70 Donating Member (1000+ posts) Thu Apr-22-10 03:03 PM
Response to Reply #9
10. No need to "worship"; just "respect" and "obey"
No need to genuflect, my child. It is enough that you carry forth the wisdom of a Master.

All kidding aside, I have had a long and interesting journey on the bleeding edges of technology and social changes involving a wide range of disciplines. The earliest computers I worked with were disk/drum memory systems (instructions were read from the disk and executed directly; there was not even "core memory" or main memory of any sort). I also worked with tab/card equipment based on card reader/punches or tabulating posting machines.

I could claim a fair number of "firsts", "earliest", and "novel" achievements over these many years, and have known many of those who are much more creative than I ever was or could be. Unfortunately, most everything in computing before about 1980 is nearly unknown by anyone under 40, and by few who are older. I see an important part of my remaining years being devoted to documenting and conveying my large collection of computers and software to an appropriate preservationist.

Probably over half of the documents in my archive are not available anywhere online.

A relatively lucrative sideline for me is invalidating software patents by showing prior art. In probably 80% of the cases, I know the prior art immediately upon reading the subject patent. Most of the others require only a few hours to invalidate. I get considerable personal satisfaction on multiple levels from this work.

I also try to document a little of the history that can easily get overlooked. For example, when there was all the stories last fall celebrating the so-called "40th anniversary of the Internet", I wrote a couple of articles about the networks that had existed long before that. For example, the NCREN network at that time 40-years-ago linked over 50 colleges and universities in NC in daily operations for teaching and research. Giant timesharing networks linked hundreds of thousands of users over shared networks.

These postings are at DU, salon.com, and theregister.co.uk. They all use the unc70 username. Be glad to give more details in private mail.


boppers Donating Member (1000+ posts) Fri Apr-23-10 05:45 AM
Response to Reply #10
11. I shall look for your postings.
I come from origins in the paper tape world, mocking the silly punchcards and their inability to maintain sequence, without the "draw a line trick". (*This joke is much funnier to those who have repaired tape, or a card sequence*).

I'm under 40 by a hair, and there are preservationists (and people who had a different set of schooling) out there... I was doing paper tape (as part of programmer training) as late as 1999. Seriously.

For comparison, I assume most US folks in 1998 were Java/OO/PopularParadigm wonks.... but people who learned from the ground up still *do* exist... at least I still do.

Here's how I reflect upon it:
--
A carpenter needs a saw and a hammer.

A modern construction worker needs pneumatic lines, power breakouts, power saws, power drills, power hammers, pre-made parts, porta-potties, blueprints, inspections, foremen, etc.

So, am I a worker, or a carpenter?
--

On history:

Have you thought about working with one of the computing museums?

Dayum, I just realized that *I* should probably start preserving this information, as well...
unc70 Donating Member (1000+ posts) Fri Apr-23-10 09:16 AM
Response to Reply #11
12. My experience with computer museums has been spotty
Several items from early places I worked went to early museum efforts, with less than desired outcomes. Part of my ongoing issues with getting the right repository is that I have a large collection of computer systems still in operational condition going back roughly 40 years. (Those that went to museums were older.)

While none of these systems are particularly rare, few places have this many varieties all operational with printed documentation and all the software, fully licensed. Most are networked together and are still used on an occasional basis.

In addition to these items still in an office/lab environment, I have a large storage unit packed to the ceiling. All of these items are from my own personal history. I have not done any specific collecting, I just don't throw away these types of items.

BTW I think I still have a working fan-fold paper tape reader. During my early days, over a two year period I wrote roughly 180,000 lines of code (3-gen-language compiler, run-time libraries, assembler, linking loader with overlays, two operating systems (one TS, one RT), and applications), with only a teletype as a printer until well into the second year.
unc70 Donating Member (1000+ posts) Fri Apr-23-10 02:40 PM
Response to Reply #11
13. Here is one example discussion
Here is a link to my letter in a thread from some years back at another site. You might find the entire thread rather interesting, more so than the OP that triggered it.

http://letters.salon.com/books/int/2007/02/03/leonard/view/index13.html?show=all


Yes, you should be archiving and preserving as you go along. It was impressed upon me at an early stage in my profession, first from seeing major milestone computers being dismantled and sold for scrap and second from how quickly the industry "winners" were able to erase almost all mention of competitors and their achievements. Rarely do you see the history preserved of companies that are acquired by others.


boppers Donating Member (1000+ posts) Fri Apr-23-10 07:34 PM
Response to Reply #13
14. Wow, great thread.
I read Brooks early in my career, I totally understand the small surgical team/strike force style of programming, having seen many projects fail, or grind to a halt, when more labor was thrown at a project.
unc70 Donating Member (1000+ posts) Fri Apr-23-10 10:52 PM
Response to Reply #14
16. That thread had more real-world posters than most. Glad you enjoyed it
It got a lot of rather thoughtful responses at various levels. Most of those posting seemed to have something serious to contribute, with relatively little of the typical name calling or nitpicking.

BTW I still see Brooks a few times a year. Hard to believe that I worked for him over 40(!) years ago.
defendandprotect Donating Member (1000+ posts) Fri Apr-23-10 07:47 PM
Response to Original message
15. k
© 2001 - 2011 Democratic Underground, LLC