10 comments

[ 184 ms ] story [ 2171 ms ] thread
I cannot believe this. Google is a very bright company in security, I don't beleive a flaw on SCM's security fence.
They use the same broken software we all do. ssh, written in C. Perforce, written in C. Find a single memory management error in one of those programs, and Google's source code is yours.
So you feel that ssh should be written in Perl?
That's a disingenuous way to say c is a fine language for ssh.
huh? you'll need to get behind corporate firewall first. And this is non-trivial part. Once you inside, it may be easier to just get this particular bit of source code from incorrectly secured employee's computer.
Furthermore, they have people programming. This is the biggest security hole and every company suffers/will suffer from it.
I dont see what the source can get you. In fact, given that Google reuses a lot of open source, the source code is probably out in public already.

I think for Google, their data would be far more valuable. For their password systems, I guess it is safely secured with a salt+hash somewhere so someone would have needed to hijack an admin's account.

And where do you suppose the salt is stored? (EDIT: Not to suggest Google would be so naive as to use a single static salt value with N hashing iterations. I really hope there's something smarter at play than that. The question is, does the source code contain all the information needed to perform dictionary attacks, or is some element of it externalized? And does anyone even know if user 'passwords' (in whatever hashed form they exist) were compromised?)
I think sriramk's point is that having the source for this system isn't that much of a benefit if you don't have access to the data itself or the systems involved.
Well, if I were planning to hack into a system to steal its data, I would definitely prefer to have the source beforehand.