Google Shares Its Security Secrets
Stony Stevenson writes "Google presents a big fat target for would-be hackers and attackers. At the RSA conference Google offered security professionals a look at its internal security systems. Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained how the company handles constant pressure and scrutiny from attackers. In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value.' The program includes mandatory security training for developers, a set of in-house security libraries, and code reviews by both Google developers and outside security researchers."
The advantage of being an internet company (Score:3, Insightful)
I was going to say something smart about Microsoft, Mac etc, but then Google do have the advantage that they were founded on the internet, once the benefits but also the threats of networking computers had been fully understood.
I'd be surprised if any from-scratch operating system designed for internet-facing use today didn't also have 'security as a culture'.
But hey, there's always Vista ;)
So, explain ... (Score:4, Insightful)
Code Reviews and Coding Conventions (Score:5, Insightful)
A little thing to be sure... until you realize that it's one of many such rules, and they actually are followed.
Re:So, explain ... (Score:5, Insightful)
If you are stuck on a Captcha or equivalent, spam people, pretend the Captcha is yours, and offer free porn to anyone who solves it.
Preventing this is virtually impossible.
Re:It's that darn preset target (Score:5, Insightful)
The only part of the connection that is "more secure" is the authentication phase, since they had to use two factors to log in (their token code and their password).
See Two-factor Authentication [wikipedia.org]
Re:So, explain ... (Score:5, Insightful)
Re:Pathetic Article (Score:2, Insightful)
I almost never RTFA here or elsewhere until I've read the first few comments. It's saved me so much time that I highly recommend it.
I understand Slashdot and other sites need to throw up news every hour or so to keep us clicking their ads, but do they ever read this stuff to see if it's worth posting?
Re:So, explain ... (Score:3, Insightful)
Re:Code Reviews and Coding Conventions (Score:3, Insightful)
However, the world isn't so simple... so Microsoft has to pay the price.
It's like out-running a bear. (Score:3, Insightful)
The guy says, "In case a bear attacks our camp during the night."
The other guy is skeptical. "With sneakers or without, there's no way you can out-run a bear."
The guy replies, "I don't need to out-run the bear. I just need to out-run you."
I suspect Google security is pretty much the same way, with a twist. Why try to hack Google, when I can use Google to find credit card numbers, unsecured plain text password files, servers running old, unpatched versions of vulnerable software, etc.
I'd think the hacker going after Google would be as popular as the kid who rats out the teacher who buys the kids beer.
How many of us ping google? (Score:4, Insightful)
I still find it surprising that it ICMP_ECHO_REPLYs my ICMP_ECHO_REQUESTs. Why?
A lot of sites disable ping because, years ago, The Ping of Death could crash a server by sending maliciously-crafted ping packets.
And you can DoS a server by flooding it with pings.
I'd be interested to know just how many pings Google receives, and replies to each day.
And how many of those are maliciously encoded, only to be defeated by the ub3rh4x0r5 at Google.
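The two ICMP worries raised above (oversized echo datagrams and echo-request floods) are both things a defender can spot in a packet log. The following is an added example, not code from the article; the log format and the sample lines are constructed for it, and the 'len' field is assumed to be the reassembled IP datagram length.

```python
import re
from collections import Counter

# Constructed sample log in an assumed "key=value" format (not from any real firewall).
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2008-04-10T12:00:01 src=198.51.100.7 proto=icmp type=8 len=84
2008-04-10T12:00:01 src=203.0.113.9 proto=icmp type=8 len=84
2008-04-10T12:00:01 src=203.0.113.9 proto=icmp type=8 len=84
2008-04-10T12:00:01 src=203.0.113.9 proto=icmp type=8 len=84
2008-04-10T12:00:01 src=203.0.113.9 proto=icmp type=8 len=84
2008-04-10T12:00:01 src=203.0.113.9 proto=icmp type=8 len=84
2008-04-10T12:00:01 src=203.0.113.9 proto=icmp type=8 len=84
2008-04-10T12:00:02 src=192.0.2.44 proto=icmp type=8 len=65600
2008-04-10T12:00:02 src=198.51.100.7 proto=icmp type=0 len=84
this line is garbage and must be skipped
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=icmp type=(?P<type>\d+) len=(?P<len>\d+)$"
)

MAX_IP_DATAGRAM = 65535   # largest legal IPv4 datagram; "Ping of Death" exceeded this
ICMP_ECHO_REQUEST = 8


def parse_icmp(lines):
    """Yield (timestamp, src, icmp_type, length) for well-formed ICMP lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("src"), int(m.group("type")), int(m.group("len"))


def find_oversized(lines, limit=MAX_IP_DATAGRAM):
    """Datagrams longer than the IPv4 maximum cannot be legitimate."""
    return [(ts, src, length) for ts, src, _, length in parse_icmp(lines) if length > limit]


def find_echo_floods(lines, per_second_threshold):
    """Sources sending more echo requests in one second than the threshold.

    Timestamps in the assumed format have one-second resolution, so the
    timestamp string itself is the bucket key.
    """
    buckets = Counter()
    for ts, src, icmp_type, _ in parse_icmp(lines):
        if icmp_type == ICMP_ECHO_REQUEST:
            buckets[(src, ts)] += 1
    return sorted({src for (src, _), n in buckets.items() if n > per_second_threshold})


if __name__ == "__main__":
    print("oversized:", find_oversized(SAMPLE_LOG))
    print("floods:", find_echo_floods(SAMPLE_LOG, per_second_threshold=4))
```

The threshold is deliberately a parameter: a sensible value depends on how much legitimate monitoring traffic a host expects, and only echo requests are counted so that a host's own replies never trip the rule.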
Re:Code Reviews and Coding Conventions (Score:3, Insightful)
True, to professionals in the field, it's often easy to be appalled at what we see as incompetence.
(And I'm not speaking to the management/sales, just the tech side of Microsoft)
But given the same goals, constraints and budgets, I bet that most assembled teams would produce software of no greater quality than what they have produced.
Hear me out.
1. Look at the SimCity example. This is a great anecdote to illustrate what we already know: MSFT has historically put a great premium on backwards compatibility. And I'll tell ya what... when I was 15 years old installing SimCity on my new Win95 box, I'd have been damn upset if it crashed. To people like that (call them "regular users"), CONSISTENCY is incredibly valuable.
2. So to accomplish that you're going to be including a great deal of legacy code from one release to the next. (Virtualization wasn't really an option when the high-end box was a P75 w/ 8MB RAM.)
3. Paradigms change. Microsoft kept re-packaging old code that was written at a time when networks, let alone the internet, were a rarity. ESPECIALLY at home. And even when it did become more pervasive, it was 28.8k dialup connections.
Which brings me to my point:
This is not an easy job. Especially when your software is so widely installed on all systems running all manner of other devices on all sorts of different hardware.
In fact, in this regard, Microsoft HAS NO PEER. You cannot compare what they did w/ what Apple did. For a number of reasons. Mostly because if Apple had the same success Microsoft had in the 90's, they'd have been forced to make different, sometimes troubling technology decisions, too. Jobs has a great mind for this stuff, but if Apple was one of the most profitable companies in the world and that profitability was put at serious risk because a decision was made to break backwards compat. for Biz customers, he'd have to explain himself to the Board and he probably wouldn't win that argument.
I mean, to a geek on here, the notion that Microsoft has THOUSANDS of comments like:
and
makes us want to go scrub ourselves in the chemical shower.
But to a home user, that's CUSTOMER SERVICE. That's making their Birthday or Christmas AWESOME by being able to hook up their expensive gifts and USE them.
Re:Code Reviews and Coding Conventions (Score:3, Insightful)
I don't disagree that it's 'hard'. I disagree that there was no choice in going that route. They chose poorly and we, the consumers, are left to deal with it. Just because the customer thinks they will be happy with a choice doesn't mean it was the right choice, or even that the customer will indeed be happier with it. Sometimes you have to make the hard choices for your customer knowing they aren't equipped to make it themselves.