funsec mailing list archives

Re: All your database (and email) are belong to us ...


From: security curmudgeon <jericho () attrition org>
Date: Sat, 25 Jul 2009 20:25:10 +0000 (UTC)


On Sat, 25 Jul 2009, chris () blask org wrote:

: --- On Sat, 7/25/09, Rob, grandpa of Ryan, Trevor, Devon & Hannah <rMslade () shaw ca> wrote:
: 
: > As long as you trust them, Google can probably keep the systems more 
: > secure than a bunch of random sysadmins who may or may not have 
: > training ...
: 
: That right there is a heck of a point.

I'll be devil's advocate on this one. I say it isn't much better, at 
least, not right now.

- The recent "twitter breach", in which an attacker gained control of a 
gmail account, allowed for what is essentially SSO access to Google Apps, 
Google Docs, Google Calendars, etc. Is this any different or better than 
an admin using the same password across all production systems? I'm not 
saying Google was at fault for the breach, but they certainly opted for 
convenience over security for many aspects of their offerings. Oh sorry, 
it's 2009, their "cloud offerings".

- Google has innovators, and they have some talented security folks. 
However, they still haven't demonstrated they can turn that talent inward. 
Since September 2008, there have already been at least 43 vulnerabilities 
in Google Chrome. Their vulnerability handling early on was dismal to say 
the least, and only after a bit of public pressure (and presumably common 
sense), they improved.

- In addition to Chrome, vulnerabilities have been reported in Google 
Gears, Google Apps SAML Single Sign-on (SSO), Google Talk, Google Android, 
Google Picasa, Google Search Appliance, Google Desktop Search, Google 
Toolbar, etc. Some of these are regular overflows, cross-site scripting 
and other types of vulnerabilities you would expect Google to weed out 
better than the average developer.

To me, this doesn't indicate a company you can trust on security any more 
than another random company.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.