Philosophically Secure » google

Google vs. China

eugenekogan — Wed, 13 Jan 2010 01:08:01 +0000

This is a rather interesting development…

Google believes its systems are being attacked by China, in order to gain information on Chinese human rights activists who happen to use Gmail. Well, duh. What prominent company or government isn’t being targeted by Chinese state-sponsored hackers? (Perhaps the nation of Togo.)

The interesting part is Google’s response: a threat to stop doing business in China. That would mean closing its office there, and shutting down Google.cn (the Chinese version of its search engine, with government-friendly censored results). If Google follows through on this threat, it will send a simple message: play nice or we’ll take our ball and go home. Hopefully they will also release more details about the attacks, so that the rest of us can learn to better defend ourselves.

Of course, China’s economy is huge, and the loss of business with one foreign company probably wont have a measurable impact (unless it’s Walmart). However, it’s still a powerful symbolic gesture. If China wants to be treated as a serious member of our modern global society, they need to stop acting like Mongol invaders from the 13th century.

Maybe if more companies took a similar stance (and followed through), then China would rethink its hostile cyber strategies. Or would they just be sneakier about it?

Web Security

eugenekogan — Mon, 12 May 2008 20:50:54 +0000

Google has some good content about web security available on their Google Code University portal. There’s introdutory course material, and even some videos. The one titled “How to Break Web Software” is pretty interesting.

G-Archiver is evil

eugenekogan — Wed, 12 Mar 2008 23:12:36 +0000

This is a great lesson in why not to blindly trust random software that you find on the Internet. G-Archiver, a program created to help users locally save their Gmail messages, has a piece of code in it that sends your Gmail login and password to the author. You can see a scary screen shot of his inbox, since the guy had his own Gmail credentials hard coded right into the program, which was obviously discovered.

The details are at SANS ISC (source code) and Coding Horror (screen shot).

Interview with Vint Cerf

eugenekogan — Mon, 12 Mar 2007 17:22:18 +0000

This short interview with Vint Cert, by Dark Reading, gives an inside look at Vint’s daily life. He talks a lot about his role at Google, as well as his many other responsibilities. I’m always amazed at how someone can be actively and productively involved in several organizations, all at once. He also mentions some of his personal hobbies and aspirations beyond work, as well as his opinion on improving Internet security. For example, the one person Vint says he would love to meet is Richard Dawkins. That alone should give you some insight into his beliefs.

Google Business Apps More Secure?

eugenekogan — Sun, 25 Feb 2007 18:17:29 +0000

According to SC Magazine, the newly released Google business application suite provides greater security than locally controlled applications, such as MS Office. I agree with some of their points. It’s true that application patches to Google’s offerings will be applied automatically by Google. However, how do you, as the customer, know that these patches wont break a feature that you rely on? Regardless, you don’t have the option to apply a patch sooner, or skip it altogether.

Since these Google applications are obviously all web-based, users now have to worry about additional exposure to web-based attacks, such as cross-site scripting. Also, are your proprietary word processor and spreadsheet documents more secure stored on a Google server, or locally? That depends on how well you do local security, but with the Google option the control is not in your hands. A business must rely on Google to keep its data confidential and out of the hands of its competitors.

As for availability, a business that is dependent on Google applications would be in serious trouble if the server went down, or if they were having Internet connectivity problems. I would say keep a frequently updated local backup is a must. Those of us who use GMail are very familiar with the occasional “server unavailable” message.

On the more positive side, I think this could be a great feature to get a business up and running with minimal infrastructure costs. As the business grows and it needs more functionality and control over its information, it could easily migrate to a standard business application suite.