Free Republic
Cyberattack on Google Said to Hit Password System
NY Times ^ | 19 Apr 2010 | JOHN MARKOFF

Posted on 04/19/2010 7:01:38 PM PDT by for-q-clinton

Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now says that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications.

(Excerpt) Read more at nytimes.com ...


TOPICS: Business/Economy; Extended News; News/Current Events
KEYWORDS: attack; cyberattack; google; hack; password; security; system
To: RockyMtnMan

More than anything, companies need to do what we did at cisco: use an electronic one-time pad that you carry with you at all times. Every password you ever use is “burned” as soon as you use it.

Employees have to keep the OTP card with them at all times, lest they not be able to log into anything.

Other than that inconvenience, it works pretty well.


21 posted on 04/19/2010 8:01:55 PM PDT by NVDave
[ Post Reply | Private Reply | To 15 | View Replies]

To: for-q-clinton

It would be safer than a password stored in a DB; at least I’d have to present my private cert after being challenged for a PIN number or password (not stored remotely, only locally). It’s easier to protect the CA infrastructure and limit who has access to it.


22 posted on 04/19/2010 8:08:32 PM PDT by RockyMtnMan
[ Post Reply | Private Reply | To 16 | View Replies]

To: for-q-clinton

Wow, we need to hurry up and get all those medical records online.


23 posted on 04/19/2010 8:09:12 PM PDT by dockkiller (COME AND TAKE IT.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: NVDave
Employees have to keep the OTP card with them at all times, lest they not be able to log into anything.

Interesting policy as long as the randomness is assured.

24 posted on 04/19/2010 8:13:06 PM PDT by fso301
[ Post Reply | Private Reply | To 21 | View Replies]

To: NVDave

So you know the google machine was XP? Do you have a link to confirm that or is this just guess work?


25 posted on 04/19/2010 8:16:09 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 17 | View Replies]

To: for-q-clinton
> Wow. Is nothing safe anymore? First Apple OS X is found to be riddled with security holes and now google. If this keeps up they may end up making Microsoft look secure...and that will be one incredible result. Just a couple years ago Apple was considered by their users/fans as impenetrable and google was the darling of the IT world. It's amazing how success breeds attention and hackers.

"Riddled with security holes"... well, of course no operating system is free from flaws, only a diehard Mac fanboi would claim that, and that ain't me. But I think "riddled" is perhaps a little strong. Consider:

I'm still waiting for those Mac viruses you say are gonna happen. C'mon "for-q"... surely you know some other guys who hate Apple as much as you do, who can write viruses. Tell 'em to stop sitting around with their thumbs up their arses and start programming!

The fact is that there are around 50,000,000 Macs on the net now, none of which have even rudimentary anti-virus software, all of which are operated by users running with full administrative privilege, most of whom are not technically savvy. That's enough to build hundreds or thousands of useful botnets, if a virus could be written that would work on a Mac.

And there's no competition from other virus writers -- it's a totally open fertile field! FIFTY MILLION COMPUTERS with their legs spread wide on the Internet saying, "Take me, I'm yours!! Come on big boy!!"

What a field day!! C'mon, for-q, prove that the Mac is no longer the "impenetrable" machine the Apple fanbois say it is.

Who's gonna be the first to write a successful Mac virus??? One that self-replicates and pwns the machine without the user being any the wiser... like a typical Windows virus... it can't be that hard, right? You keep saying it's easy... "riddled with holes" you said.

C'mon, where's the virus? Where's the virus????

[crickets. nothing but freakin' crickets...]

Seriously, I can't wait for the first real Mac virus that goes out and compromises, say, half a million machines. You know why? Because it'll shut up the Mac fanbois (whom I find tiresome), and it'll mean I can finally stop having to shut up the stupid Windows fanbois like you who take every opportunity to spread FUD about the security of a Unix-based operating system.

I've really gotten quite tired of it, and yet neither you nor the other fanbois, of whatever flavor, show any signs of shutting up on your own. *sigh*

[more crickets]

WHERE ARE MY MAC VIRUSES, FOR-Q? I'M TIRED OF WAITING.

Just joking. I can wait some more, no problem... :)

26 posted on 04/19/2010 8:17:02 PM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: DeltaZulu; NVDave

I missed that too, and I read the entire article. NVDave is saying it was Windows XP, but I must have missed that as well.


27 posted on 04/19/2010 8:17:06 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 19 | View Replies]

To: NVDave

I’m not familiar with that...is that like the RSA number generator?

Is that more secure than smart cards with pins?

But even so how does it prevent backdoor attacks? Are you saying all data is uniquely encrypted so that only the user who wrote it can read it...even if on a server?


28 posted on 04/19/2010 8:19:02 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 21 | View Replies]

To: for-q-clinton

And my banks keep begging me to “do it all online!”

Yeah. Right. I think not!!


29 posted on 04/19/2010 8:20:08 PM PDT by brityank (The more I learn about the Constitution, the more I realise this Government is UNconstitutional !!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: RockyMtnMan

I agree, but if the hackers installed backdoors to the data, only user-level encryption would protect it. But I doubt google is using user-level encryption on their source so that only the user who created it has access to it.


30 posted on 04/19/2010 8:20:24 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 22 | View Replies]

To: brityank

It’s online whether you do it or not though.


31 posted on 04/19/2010 8:20:46 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 29 | View Replies]

To: dayglored

Really you didn’t hear about OSX being the first one hacked at the latest round of a hacking contest? I could have sworn we had a few threads about that and you participated in it. And let’s not forget the iPhone exploits.


32 posted on 04/19/2010 8:23:09 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 26 | View Replies]

To: for-q-clinton

True. But they can’t come back and lay the blame on me that my ‘lack of security’ caused the breakin to my account. That’s all on them.


33 posted on 04/19/2010 8:23:28 PM PDT by brityank (The more I learn about the Constitution, the more I realise this Government is UNconstitutional !!)
[ Post Reply | Private Reply | To 31 | View Replies]

To: fso301

We did some stats on the generated passwords - it was pretty good. The algo was based on DES.

DES, of course, is subject to differential cryptanalysis, but that’s when used in a wholesale crypto environment. You could replace DES with SHA-1 or other one-way hash functions; it isn’t really important which algo you use, just so long as you can’t guess the next number in the sequence if you know the prior one.

DES seemed to work OK because the generated crypto-text was the same length as the DES key, the salt value and the prior key in the sequence. Differential cryptanalysis needs a bunch of data in order to start narrowing down the key search space.


34 posted on 04/19/2010 8:24:44 PM PDT by NVDave
[ Post Reply | Private Reply | To 24 | View Replies]
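A worked illustration of the one-way password sequence NVDave describes in posts 21 and 34, added here as an example; it is not cisco's product code or anyone's actual implementation. It uses a hash chain (Lamport / S/KEY style) with SHA-256 standing in for DES, a constructed seed and salt, and hypothetical OtpCard and OtpServer classes: the server keeps only the last accepted value, so a password that has been used is burned, and anyone who captures it holds only a hash image of the next one, never a preimage.

```python
import hashlib
import hmac
def hash_chain(seed, salt, n):
    """w[0] = H(seed||salt), w[i] = H(w[i-1]||salt): one-way, so w[i] reveals nothing about w[i-1]."""
    chain, cur = [], hashlib.sha256(seed + salt).digest()
    for _ in range(n + 1):
        chain.append(cur)
        cur = hashlib.sha256(cur + salt).digest()
    return chain

class OtpCard:
    """Holder's side (hypothetical): hands out w[n-1], w[n-2], ..., w[0], each exactly once."""
    def __init__(self, seed, salt, n):
        self._chain = hash_chain(seed, salt, n)
        self._next = n - 1
    def anchor(self):
        return self._chain[-1]      # w[n], the only value the server learns at enrollment
    def remaining(self):
        return self._next + 1
    def next_password(self):
        if self._next < 0:
            raise RuntimeError("pad exhausted; re-enroll with a fresh seed")
        pw = self._chain[self._next]
        self._next -= 1
        return pw

class OtpServer:
    """Verifier (hypothetical): keeps only the last accepted value, never the seed or the list."""
    def __init__(self, salt, anchor):
        self._salt, self._anchor = salt, anchor
    def login(self, candidate):
        digest = hashlib.sha256(candidate + self._salt).digest()
        if not hmac.compare_digest(digest, self._anchor):
            return False
        self._anchor = candidate    # "burn" it: this value is never accepted again
        return True

def demo():
    seed, salt = b"constructed seed, not a real secret", b"constructed salt"
    card = OtpCard(seed, salt, n=5)
    server = OtpServer(salt, card.anchor())
    first = card.next_password()
    out = {"first_login": server.login(first)}
    out["replay"] = server.login(first)                       # burned value: rejected
    # an eavesdropper who learns `first` can only hash forward to the OLD anchor, not the next password
    out["forward_guess"] = server.login(hashlib.sha256(first + salt).digest())
    out["second_login"] = server.login(card.next_password())
    out["left"] = card.remaining()
    return out
```

The one-way property, not the particular primitive, is what the scheme rests on; the verifier stores nothing an attacker could replay, which is the point NVDave makes about a stolen list being worthless once each entry has been used.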

To: brityank

Good point. But I wonder how you could prove it? Assuming your account is the only one hacked?


35 posted on 04/19/2010 8:24:54 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 33 | View Replies]

To: NVDave

So sha-1 being broken doesn’t impact this?


36 posted on 04/19/2010 8:26:43 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 34 | View Replies]

To: for-q-clinton

I’ve never accessed their sites - they’d have a tough time proving I was there - no logs, no passwords, nada.


37 posted on 04/19/2010 8:27:01 PM PDT by brityank (The more I learn about the Constitution, the more I realise this Government is UNconstitutional !!)
[ Post Reply | Private Reply | To 35 | View Replies]

To: for-q-clinton

I didn’t say that this particular attack was on WinXP. I said that there are known keystroke loggers on Windows XP which Microsoft has yet to respond to. They have on other more recent variants of Windows, but not XP.

In this type of attack (cross-platform, cross-site scripting), a keystroke logger is the easy way to gain access to the server. Just log the keystrokes for the user’s server password on the Windows client platform, then use that with a trojan attack. Done deal.


38 posted on 04/19/2010 8:27:41 PM PDT by NVDave
[ Post Reply | Private Reply | To 27 | View Replies]

To: NVDave

So do we know what client OS was used in this case? I could guess some variant of Windows because they used Messenger, but there are Messenger clients for non-Windows machines.

Heck for all I know it could be a smartphone OS that was used.


39 posted on 04/19/2010 8:29:24 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 38 | View Replies]

To: NVDave

BTW: What’s the point of talking about XP if that wasn’t the exploit vector? One could theorize about such exploits on Linux or any other OS for that matter.


40 posted on 04/19/2010 8:30:57 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)
[ Post Reply | Private Reply | To 38 | View Replies]
