They use the same broken software we all do. ssh, written in C. Perforce, written in C. Find a single memory management error in one of those programs, and Google's source code is yours.
huh? you'll need to get behind corporate firewall first. And this is non-trivial part. Once you inside, it may be easier to just get this particular bit of source code from incorrectly secured employee's computer.
I dont see what the source can get you. In fact, given that Google reuses a lot of open source, the source code is probably out in public already.
I think for Google, their data would be far more valuable. For their password systems, I guess it is safely secured with a salt+hash somewhere so someone would have needed to hijack an admin's account.
And where do you suppose the salt is stored? (EDIT: Not to suggest Google would be so naive as to use a single static salt value with N hashing iterations. I really hope there's something smarter at play than that. The question is, does the source code contain all the information needed to perform dictionary attacks, or is some element of it externalized? And does anyone even know if user 'passwords' (in whatever hashed form they exist) were compromised?)
I think sriramk's point is that having the source for this system isn't that much of a benefit if you don't have access to the data itself or the systems involved.
10 comments
[ 184 ms ] story [ 2171 ms ] threadI think for Google, their data would be far more valuable. For their password systems, I guess it is safely secured with a salt+hash somewhere so someone would have needed to hijack an admin's account.