The theft of Google’s source code is the under-appreciated and under-reported development in Google’s big announcement of its “new approach to China” and its apparent decision to withdraw its business from China if China continues to insist that Google censor search results for users inside the country.
- Google: “In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.” [Bold emphasis added]
- Per the original WSJ story: “Much of the data stolen from Google was its ‘core source code,’ Mr. Mulvenon [director of a national security firm] said. ‘If you have the source code, you can potentially figure out how to do Google hacks that get all kinds of interesting data.’ Among the data would be the information needed to identify security flaws in Google’s systems, he said.” [Bold emphasis added] (Sources of the quote are here, here, and here, but curiously the quote is no longer part of the current WSJ story, which now excludes it.)
Arguably the theft of the “source code” (in effect, the master key) to the single largest repository of sensitive private information in the world, Google’s servers, is a very big deal, worthy of much more attention in the press and blogosphere, for two big reasons:
I. Security is not a high priority at Google:
- An examination of Google’s own public representation of its corporate philosophy and design principles shows security/safety is simply not a priority for Google.
- Google’s management philosophy/priority of “innovation without permission” rejects the need for normal corporate management, accountability, and internal controls obligations, all of which are critical for large organizations serious about protecting security/privacy.
- Google’s goal to “make the Web faster” prioritizes speed and efficiency ahead of security and privacy, which generally slow things down: consumer security/privacy protections are overhead from an engineering perspective. Google’s own philosophy statement on its website says: “Google believes in instant gratification.”
- Google’s approach to email makes Gmail a particularly prime target for hackers, because it is free, has near-unlimited archival storage, and employs a business model in which automated robots read all emails (those of Gmail users and of anyone else in a Gmail email thread), scanning for the use of particular keywords.
- In short, the combination of Google’s extraordinary success and its cavalier approach to security in practice unnecessarily puts an enormous number of people at an enormous amount of risk.
II. Google’s security vulnerabilities have long been known and gone largely unaddressed.
Greg Conti, author of the 2009 book “Googling Security: How much does Google know about you?” was very prescient about the likelihood of the current alleged China cyber-attack on Google.
From page 19 of “Googling Security:”
- “One common vulnerability could cause catastrophic destruction. Even if computers have been successfully secured against traditional network attacks, attackers are increasingly attacking applications, particularly browser software and email applications. By creating specially crafted web pages and emails, attackers can successfully compromise many systems. Although they are hardened against attack, web browsers and email applications are still vulnerable. New attacks occur with disturbing regularity.
- The end result of these vulnerabilities is that it is almost impossible for you, your employer, and online companies to provide impervious protection against attack; therefore, your data is at risk. No one is immune, even Google. If anything, Google is an even bigger target because of the amount of data it has.”
In sum, if Google really cared about the security of its users, it would be spending much more time, resources, effort, and PR than it does now on cyber-security and on protecting its users and their sensitive private information from known, serious, and growing cyber-security threats.
- It is particularly disturbing how Google’s “new approach to China” largely distracts user and media attention from the incident’s important implications for cyber-security and the security/safety of its users.
Previous parts of the “Why Security is Google’s Achilles Heel” Series: