
Google Shares Its Security Secrets

Stony Stevenson writes "Google presents a big fat target for would-be hackers and attackers. At the RSA conference Google offered security professionals a look at its internal security systems. Scott Petry, director of Google's Enterprise and founder of security firm Postini, explained how the company handles constant pressure and scrutiny from attackers. In order to keep its products safe, Google has adopted a philosophy of 'security as a cultural value.' The program includes mandatory security training for developers, a set of in-house security libraries, and code reviews by both Google developers and outside security researchers."
  • by Anonymous Coward on Thursday April 10, 2008 @01:10PM (#23026600)
    I've run into several Google security people at conferences like Blackhat and RSA. They've always struck me as rather arrogant, self-absorbed, and poorly informed. One of them actually went on a tirade about how nothing could compare to the risk of an XSS bug in Google's homepage. In the same conversation he also showed a complete failure to grasp how a heap overflow occurs or how process isolation works.

    I admit, that guy was the worst of the bunch, but I continue to be unimpressed by their security people. It's a shame too. I know for a fact they have some really bright people, but none of them appear to be in the security space.
  • by McFly777 ( 23881 ) on Thursday April 10, 2008 @01:27PM (#23026822) Homepage
    I submitted this a couple of days ago but, hey, it didn't get picked up.

    This article at the San Francisco Chronicle [sfgate.com] doesn't tell me exactly what is going on, but apparently there is the potential for 7 of 10 search results to return malware.

    My mother heard about this on the TV news, but the above was all I could find. Anyone else have any more detail?

  • by davidbrit2 ( 775091 ) on Thursday April 10, 2008 @01:52PM (#23027228) Homepage
    I get 1.6 million hits from Google themselves. They may be overestimating their security practices just a wee bit.
  • by ouder ( 1080019 ) on Thursday April 10, 2008 @01:53PM (#23027244)
    Google's security consciousness comes not only from being founded on the Internet, but also from the fact that they know that they have to compete. Microsoft had itself in a monopoly situation before network security became an issue. MS only takes notice of security when it appears to threaten its monopoly status. Our security people would love to see us go to Linux (granted, still security holes, but they are more controllable). However, we can't because users would whine about not being able to use their MS-only software. In short, MS doesn't care about security because they don't have to. Macs don't have the monopoly situation, they just think they do. Another part of the fantasy world the Mac community lives in says that their systems are secure. As long as Apple can keep their loyal core of Mac users happy they don't have to worry about security, either.
  • by cjonslashdot ( 904508 ) on Thursday April 10, 2008 @01:59PM (#23027374)
    In my experience as CTO of a respected software development company (Digital Focus), and since then as a consultant in the field of assurance and methodology, I have found that in general developers are not interested in security. E.g., my book, High-Assurance Design [assuredbydesign.com], which looks at application architecture from a security and reliability perspective, sells in very low numbers, while my Java books sold in very high numbers. "Hacker" books sell well because many developers want a "quick fix" to their apps, without really understanding security. And consumers are not interested in security either. Just look at Vista: its primary value proposition is that it is more secure. As a result, it is slower, and some drivers and apps don't work. (If you make things more secure, some things will break.) Witness the tremendous push-back by people, claiming that Vista is a "step backward". I myself use a Mac most of the time, but even given Vista's ill-conceived attempts at content protection, I find it interesting that people do not recognize the core value of Vista over XP (security). To me, it proves my point: people don't value security, until something bad happens to them personally.
  • Re:More PHD Cowbell (Score:3, Interesting)

    by jgarra23 ( 1109651 ) on Thursday April 10, 2008 @02:24PM (#23027732)
    So is Don Lapre (http://en.wikipedia.org/wiki/Don_Lapre). This is the joke I'm referencing, for all those who think I'm utterly without humor... I guess you had to be there...
  • That's kinda scary (Score:4, Interesting)

    by Jay L ( 74152 ) * <jay+slash&jay,fm> on Thursday April 10, 2008 @02:42PM (#23027952) Homepage
    I'm a bit down on Postini lately. A few months ago, they started marking my personal e-mails to Postini customers as spam. Which [ncl.ac.uk] is [aol.com] kinda [aol.com] ironic [google.com]. And pretty damned annoying, since my lawyer, my broker, my apartment manager and my chiropractor are all on Postini servers. But hey, that happens. I went over my server with a fine-tooth comb, I set up SPF, DomainKey, DKIM, no luck. I even switched servers. No matter. My e-mail, now digitally signed in triplicate, was still being scored as 90% probable spam.

    So I tried to get in touch with their postmaster group. Only they don't have one [postini.com]. And I tried to check their feedback loop [emaillabs.com]. Only they don't have one. As a shareholder, I even wrote to Investor Relations [google.com]. No response. In the process, I found out that they have a universally awful reputation among the mail delivery community.

    In the end, all they could tell me was that their system decided my mail was spam because - I kid you not - their system had, previously, decided my mail was spam. Which, of course, increases my spamminess score. And so on, and so on, until we're all using the same shampoo.

    So, to recap: The guy in charge of keeping Google secure, Scott Petry, is the guy who invented a system that bit-buckets your e-mail, with absolutely no accountability, no sanity checks, no industry best practices... because of guilt by association WITH YOURSELF.

    Be afraid. Be very afraid.
  • Re:So, explain ... (Score:3, Interesting)

    by Sancho ( 17056 ) * on Thursday April 10, 2008 @03:01PM (#23028162) Homepage
    Short timeouts on the captcha and/or using javascript to generate the images might help. I don't know if it's really this bad, but many captchas I've run across virtually never expire (they might expire when the PHP session does, but I've hit a page with a captcha, gone to the restroom and to get a soda, and come back to a still-valid captcha.)

    If you had a reasonable time limit in which to solve the captcha, it would certainly make it harder to farm out.

    Of course, Google's captcha was broken algorithmically, wasn't it?
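The short-lived captcha the comment above suggests, as an added example that is not from the post or from Google or Postini: a stateless, HMAC-signed challenge token that records its issue time, is rejected once the TTL has passed, and is accepted only once. The server key, the 120-second TTL, the in-memory nonce set and the function names are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

SERVER_KEY = os.urandom(32)        # assumed server-side key; persist and rotate it in a real deployment
CAPTCHA_TTL_SECONDS = 120          # assumed lifetime: a challenge goes stale two minutes after issue
_consumed_nonces = set()           # single-use tracking; a shared store would replace this in production

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest())

def issue_challenge(expected_answer: str, now=None) -> str:
    """Return a token binding the answer hash, the issue time and a fresh nonce; no server state needed."""
    now = time.time() if now is None else now
    nonce = _b64(os.urandom(16))
    answer_hash = hashlib.sha256((nonce + expected_answer.lower()).encode()).hexdigest()
    payload = json.dumps({"iat": now, "nonce": nonce, "ah": answer_hash}).encode()
    return _b64(payload) + "." + _sign(payload)

def verify_answer(token: str, user_answer: str, now=None):
    """Check signature, then expiry, then single use, then the answer. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
        payload = _unb64(payload_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature"          # tampered payload or forged token
    data = json.loads(payload)
    if now - data["iat"] > CAPTCHA_TTL_SECONDS:
        return False, "expired"                # the challenge outlived its time window
    if data["nonce"] in _consumed_nonces:
        return False, "replayed"               # a solved challenge cannot be reused
    got = hashlib.sha256((data["nonce"] + user_answer.lower()).encode()).hexdigest()
    if not hmac.compare_digest(data["ah"], got):
        return False, "wrong answer"
    _consumed_nonces.add(data["nonce"])        # consume only on a successful solve
    return True, "ok"
```

Because the expiry lives inside the signed token, a client cannot stretch the window by holding on to the challenge image; the server's clock decides when the answer is no longer worth anything.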
