Why do we never hear of Google security problems?
Having in view the latest Facebook security blunders, I have no memory of ever seeing a news as big about Google.
A company that big has an almost 100% chance of making a security mistake at least once, so why don't we hear about it?
Yes, I am implying that they maybe use their internet search dominion to censor these news (among other things), but I am open to changing my mind. What do you guys think?
35 comments
[ 3.1 ms ] story [ 87.0 ms ] threadMy only thought was that it was extremely rare hash collision.
Oh I see they mean Google's chairs and keyboards. That makes sense.
https://www.google.com/about/appsecurity/reward-program/
They also seem to keep a wall of fame for bug hunters.
https://bughunter.withgoogle.com/rank/hof
https://www.facebook.com/whitehat https://www.facebook.com/notes/facebook-bug-bounty/2017-high...
Not sure how big it would be compared to Facebook's issues though as no user data was comprised.
(1) https://www.davidnaylor.co.uk/google-webmasters-flaw-allows-...
Can't find the link now but someone in Japan/China Google was hacked by a good old PDF zero day.
[0] https://www.washingtonpost.com/world/national-security/nsa-i...
[1] https://www.washingtonpost.com/world/national-security/googl...
(I don't have access to links you've posted).
One story I do remember though was that the introduction of Google Buzz leaked your contact list to all of your contacts.
I mean they have now found Shellshock, Spectre, Cloudbleed, Heartbleed, Meltdown among others.
https://www.nytimes.com/2010/01/13/world/asia/13beijing.html
The Cambridge analytica thing wasn't really a breach IMO.
1 large breach vs 0 over however many years does not seem statistically significant.
There was also a strong defense-in-depth culture, where we'd strive to avoid introducing security bugs in the JS, but the frameworks would also defend against them, and the GFEs (load balancers) would themselves detect intrusion attempts, as would the webservers, which would be architected so that bad data would be rejected & logged rather than triggering undefined behavior, and so on. So if a bug was discovered, it usually wouldn't be exploitable, and the whole time the hacker is trying to exploit it they have Google's security team working against them (and potentially calling up their ISP saying "The user with IP address xxx.xxx.xxx.xxx is trying to hack us, could you kick them off the Internet so we don't have to block your whole IP range?")
I can guess the answer - maybe it is a trust issue, they want to minimize the number of people with rollback privileges.
That said, when I was there many teams of smaller, riskier, or less critical services actually did have engineers carry the pager, sometimes with reduced SLAs (and an interlock built into the code so that an outage in their service wouldn't eg. take down websearch).
I think the biggest difference is that Facebook stores much more sensitive personal data, and stores more of it in a complicated product with a large surface area of possible vulnerabilities. In the search engine part of Google, the vast majority of data isn't even private. There's no point to hacking into Google search. Gmail does contain personal data, but it has far less surface area than the Facebook product. With Facebook, almost every new feature involves your personal data in some way, so all of those features have some security risk.
There is also a related selection bias. If a service gets hacked, you might or might not hear about it. But if there is something like the communications of celebrities that are now made public, or the social media account of a celebrity that a hacker posted a message to, it's just much more exciting news than your average vulnerability. The nature of Facebook's product means that Facebook security issues often have this kind of highly-visible outcome.
I would disagree with you that Facebook stores more sensitive data. I mean just look at all the services Google offers, which might have way more critical data and lots of more data in general.
If someone would just have access to one of my co-workers Google account he would've access to his phone numbers, addresses, names (contacts); access to all his private appointment's (calendar); mail; and maybe even critical documents and other files (gdrive + docs, ...); All of his searches, even voice commands (Google now); music, book, movie, game - preferences (Google play store) and not to forget social media (G+ and YouTube).
The difference to Facebook is, that on social media you choose what you want to display in public, or to a certain group. (Verification methods are an exception here) When you use your private phone/Computer, you expect that the information will stay private until you share it somewhere.
Of course it's hard to generalize that, everyone uses these services differently
TL;Dr I think a Google account linked to an android phone of a "normal user" would be more valuable than a "normal" Facebook account.
Google.com registered for a minute by someone else: http://time.com/4199940/google-domain-sanmay-ved/
Government backdoor (not just Google): https://en.wikipedia.org/wiki/PRISM_(surveillance_program)
Google DNS: https://techcrunch.com/2018/04/24/myetherwallet-hit-by-dns-a...