back to article Cyberattack lifted Google password system code, says report

When alleged Chinese hackers infiltrated Google's internal systems in December, they lifted source code for a password system that controls access to almost all of the company's web services, according to a report citing a person with direct knowledge of Google's investigation into the matter. The New York Times reports that …


This topic is closed for new posts.
  1. MarkieMark1

    Of source!

    The course sode may be causy, that's the cause of the course, of source

  2. Optymystic

    Microsoft Messaging?

    How Embarrassing - will they ever live it down

    1. I didn't do IT.

      Better dogfood?

      If the employees not only don't use Google Talk, but also don't use any of the open source "universal" clients (pidgin, etc), and go with MS Messenger... wow. Or was this person trying to maintain an sideband communication channel? Of course, this is assuming that MS Messenger isn't used in China as a matter of course; more money to the Chinese gov to allow passage across the Great Firewall and all that...

      However, this does show that while Google employees may be provided a Linux desktop, this one was running Windows - MS does not provide a MS Messenger client for Linux.

      Violation of corporate policy? In China? Naw....

    2. Ammaross Danan


      The fault isn't that they were running MSN (or any other messenger system), it was that the user clicked on the link they received and were C&Ced by the website it directed them to. In the original press release, the exploit vector was IE6, so one would assume they clicked a link from MSN Messenger on their Win(XP?) box and their IE6 popped up and faithfully bent over and took a malicious datastream up the <insert nether-region here>.

      Either way, fail on Google for not enforcing Linux+Chrome on their users. Fail to the firewall jocks that allowed the malicious site through. Fail to software vendors for not supporting IE7+ (or even better FF/Chrome/etc). And, of course, fail to MS for allowing a C&C bot to install/hide on a WinPC by simply viewing a website in what should have been a next-to-not privileged app.

      This will always be a fun story for the shear amount of fail.

      One other side note: If [the hackers] stole the Gaia code, and Google figured it out (presumably from the source repo logs), why not just pilfer a checked-out version instead (which wouldn't have an audit trail)? Or does the source repo not actually check-out code to a workstation, but is web-based and allows for remote editing of a virtual "checked-out" copy?

    3. Daniel B.

      Even more embarassing...

      The fact that the "hack" surely began when the aforementioned employee clicked on one of those oh-so-common links that botnets send, like "WATCH MY NUDE PICS!" or "TSUNAMI HITS! WATCH VIDEO!".

      That is one of the reasons my missus doesn't have an Admin account on my home PC ... her defunct laptop used to get hit by those links. Mind you, I blame those annoying "Tap to Click" trackpads, too easy to click when you don't want to click.

  3. Winkypop Silver badge

    If I were King...

    I would cut China off from the Internet.

    These guys are 100% untrustworthy.

    Off with their <head>

    1. Anonymous Coward
      Anonymous Coward

      You, Sir are and idiot

      And shouldn't be working in IT.

    2. Anonymous Coward
      Paris Hilton

      The iKing &...

      If you were 'King' you'd be the first put to the guillotine.

      "If a man should happen to reach perfection in this world, he would have to die immediately to enjoy himself."

      Have fun exorcising all them '100% untrustworthy' parts from your computer. After you retrieve your head from the basket that is.Obviously.

    3. Winkypop Silver badge

      Oh lighten up Francis

      You guys need a humour transplant...

  4. Anonymous Coward

    FW Security Review

    You would think a company of this size would have a default stance of blocking IM at the corporate firewall. I guess maybe the employee was working via a home adsl or something??

    Time to connect up the mighty google fibre to its own employees houses and direct all traffic through its hub!

  5. Anonymous Coward
    Anonymous Coward


    Sounds far more like a criminal raid or a corporate espionage raid with the Chinese dissident emails being a faint.

  6. Pete 8


    Well they had to reverse-engineer the incumbents as part of normal practise right?

  7. Pete 8


    damn sure that MS emplyees have chrome and toolbar puke ratting out all sorts of demons.

  8. John Smith 19 Gold badge

    single sign on.

    What could go wrong with that idea. Users love it.

    Seriously WTF with IM from *outside* the corporate firewall.

    IM, as in popular C&C channel for malware.

  9. Tim Brown 1

    If all the got was the code for the password system...

    ... then maybe Google should open-source it?

    After all isn't peer-review of security code supposed to be a good thing?

    There's no such thing as security by obscurity and all that :)

  10. BuckBrinkley


    Of all the source code to go for, that is really a clever acquisition. It's amazing that they caught it. Tells me that they keep a close watch on the source repositories.

  11. Henry Wertz 1 Gold badge

    security through obscurity and firewalls

    first off. I question how strong a "corporate firewall" google has. They aren't a normal corp, they have mass r&d and collect the types of ppl who would want a full internet connection at their desks. They have a standard linux desktop but last i heard let minions run what they'd like.

    as for this code theft, it shouldn't be a problem -- unless they find flaws, the code surely doesn't rely on obscurity to operate, it should operate on sound and well known cryptographic principles where knowing the code gains nothing. See ssh and openssl.

  12. Bucky 2

    Blessed Be

    If I were a goddess, and someone named something after me, I would either be pleased or displeased. If I were displeased, I would smite them.

    If, not being displeased with the recognition, someone UN-named a thing after me, I'd be SURE to smite them.

    I think what we have here is proof positive of the power of the Earth Goddess.

  13. wsm

    Source code?

    Is this anything like lifting the source code for an encryption algorithm? Doesn't mean you can crack it, does it?

    Still, why didn't it take Trojans upon Trojans to get to things that should be locked up and not connected to this Internet thing we keep hearing about? At least, it shouldn't be accessible in one piece without bits missing.

This topic is closed for new posts.

Other stories you might like