
Google: a new approach to China

It may be a little off the LWN topic, but Google's "A new approach to China" is worth a read for anybody who hasn't yet seen it. It's a reminder of how important security practices are and what the risks of storing important data in "the cloud" can be. "Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties."

SMT training class?

Posted Jan 13, 2010 3:41 UTC (Wed) by dmarti (subscriber, #11625) [Link]

I hope the UC extension in Mountain View, California starts offering a class on how to do surface-mount soldering. They're going to have to make all those Google phones somewhere. (On the other hand, (1) great signaling move by Google--they're showing off an advantage of the company's two classes of stock, and (2) gaining more in recruiting than they'll lose in business in the PRC.)

SMT training class?

Posted Jan 13, 2010 3:56 UTC (Wed) by ncm (subscriber, #165) [Link]

I think Taiwan has some manufacturing facilities.

An announcement is one thing, and actual pullout is another.

Google: a new approach to China

Posted Jan 13, 2010 4:46 UTC (Wed) by jamesmrh (guest, #31622) [Link]

Currently, they are still censoring search results:

http://www.google.cn/search?hl=zh-CN&q=tiananmen+square

At the bottom of the page, there's a message in Chinese which Google translates as:

"According to local laws, regulations and policies, some search results are not shown."

I'm glad Google seem to have realized what they're doing, but why did it take so long?

Google: a new approach to China

Posted Jan 13, 2010 5:26 UTC (Wed) by ncm (subscriber, #165) [Link]

It's a public company. They risk being sued if they are seen abandoning profits. China could easily buy a big chunk of it, maybe a controlling chunk. Wouldn't that be fun?

Google: a new approach to China

Posted Jan 13, 2010 5:39 UTC (Wed) by JoeBuck (subscriber, #2330) [Link]

Such a suit would be unlikely to be successful. Even if Google couldn't get it thrown out, they could insist on a jury trial, where the plaintiffs could do their best to get an American jury to rule that Google must submit to Chinese Communist censorship to make a few more bucks, while Google's lawyers engage in not-so-subtle red-baiting.

Google: a new approach to China

Posted Jan 13, 2010 8:23 UTC (Wed) by donbarry (guest, #10485) [Link]

Please. PRC has never been communist in a Marxist sense and hasn't even been communist
according to the odd Maoist model since the mid 80s when the "socialism with Chinese
characteristics" (i.e., capitalism under control of the bureaucracy) was implemented by Deng
Xiaoping at the head of a bunch of political pragmatists. Trotsky predicted in the late 1920s
that if the degenerated workers state system of the Soviet Union was not reversed (and it was
not) it was only a matter of a generation or two before the nomenklatura (bureaucracy)
determined that a more effective and profitable way to exploit the working class was to make
peace with the international bourgeoisie. And so it happened in China as well, though with
different twists and turns.

The Chinese system is authoritarian. That is an entirely different axis to left vs. right. The
censorship there is a result of the autocratic, one-party authoritarian rule, and the fear that
engenders. That one party has made a wide variety of economic excursions, but none of
those have empowered workers at any time, and thus may not be properly called Marxist.

Google: a new approach to China

Posted Jan 13, 2010 9:29 UTC (Wed) by epa (subscriber, #39769) [Link]

For any single communist country you can name, there will be those who pop up and say 'but country X is/was not communist in the true sense of the word...'

Yes, and you could even strengthen that statement

Posted Jan 13, 2010 9:45 UTC (Wed) by edmundo (guest, #616) [Link]

For example, I think it is probably true that most people who freely and willingly call themselves communists (so this excludes people living under an authoritarian regime that calls itself "communist") would say that there has never been a communist country. I met a communist who said that the closest there has been to a communist country is Sweden.

There's always someone who says that East Germany was by definition communist because it called itself communist, but East Germany also officially called itself democratic ...

Yes, and you could even strengthen that statement

Posted Jan 13, 2010 10:24 UTC (Wed) by fandom (subscriber, #4028) [Link]

Here in Spain communists started saying 'well, but they weren't real
communist countries' after Berlin's wall had fallen, up until then those
countries were shining examples of what we should be.

And of course, they are still praising Cuba's regime every chance they
get, I was even surprised to hear two of their leaders lamenting the fall
of the wall during the 20th year commemorations.

Yes, and you could even strengthen that statement

Posted Jan 15, 2010 21:15 UTC (Fri) by donbarry (guest, #10485) [Link]

For the record, Trotskyists have said consistently since the early 1930s that the
only communist implementation was the Soviet Union, and then only until 1926
when it devolved into a deformed workers state where the bureaucracy had seized
the power properly taken up by the working class. They (we, because I'm a Trotskyist)
critiqued the Soviet satellite states, and continue to critique Cuba, Venezuela, China, and other
states dominated by opportunist thinking and cults of personality.

So no, not all "communists" held up Eastern Europe as shining examples. And Trotskyists
*died* for their critiques.

Google: a new approach to China

Posted Jan 13, 2010 18:56 UTC (Wed) by leoc (subscriber, #39773) [Link]

Many people say something similar when you point out how unregulated capitalism can cause problems as well.

Google: a new approach to China

Posted Jan 18, 2010 21:44 UTC (Mon) by mikov (subscriber, #33179) [Link]

This discussion is ridiculous. None of the former socialist countries claimed they were communist. They were officially "working towards achieving communism", but even then and there communism was viewed as a utopia.

For example, it was commonly believed that there would be no need for money in communism (hello, Star Trek!). Nobody, and I mean, nobody even the official party, thought or said that communism had been achieved.

The label "communist countries" is inaccurate at best, and can be offensive to people who consider themselves communists. It is similar to calling China and Cuba "democratic countries".

Google: a new approach to China

Posted Jan 13, 2010 12:54 UTC (Wed) by dunlapg (subscriber, #57764) [Link]

It's certainly true that the whole free-speech thing is more about government control than about "true" communism. However, I was under the impression that Marx pretty much agreed with Plato, that control of public discourse (aka censorship and propaganda) was a duty of the state (for everyone's own good, of course).

If that's so, then although the current authoritarian regimes may or may not be "Marxist", any Marxist regime would be authoritarian.

Google: a new approach to China

Posted Jan 13, 2010 14:10 UTC (Wed) by clugstj (subscriber, #4020) [Link]

Karl Marx was a crack-smoking idiot.

Marx

Posted Jan 13, 2010 14:38 UTC (Wed) by danielpf (subscriber, #4723) [Link]

Are you sure an idiot could write thick books convincing intellectuals and millions of people in many countries to start revolutions?


Marx

Posted Jan 13, 2010 14:41 UTC (Wed) by corbet (editor, #1) [Link]

This sort of thing is even more off the LWN topic than the original post was...and I know that, from experience, discussions along these lines tend not to prove helpful for LWN readers. Maybe it would be a good idea to cut this conversation short?

Marx

Posted Jan 13, 2010 17:16 UTC (Wed) by nybble41 (subscriber, #55106) [Link]

It wouldn't be the first time. See also: religion.

Google: a new approach to China

Posted Jan 13, 2010 10:27 UTC (Wed) by __alex (subscriber, #38036) [Link]

Unsubstantiated rumor coming out of the Wikileaks twitter account atm suggests that the real
reason Google are upset is due to the CPC infiltrating the Shanghai office and trying to poke around
their repositories.

That effectively makes withdrawal from China a damage limitation exercise rather than 'abandoning
profits.' If the CPC do capitulate on the whole free speech and results filtering thing then I'm sure
Google have a plan for that too.

Google might not be perfect but they definitely aren't stupid and you can bet that this was a very
carefully calculated and considered announcement to shame the CPC and to make Google look
awesome to westerners.

Google: a new approach to China

Posted Jan 13, 2010 16:51 UTC (Wed) by iabervon (subscriber, #722) [Link]

A suit by stockholders claiming that Google is abandoning short-term profits in favor of maintaining their reputation would be laughed out of court, because Google's prospectus states that they will abandon short-term profits in favor of maintaining their reputation. A public company doesn't have to maximize its stockholder returns; it has to do what its prospectus says it will do. Normally, prospectuses say that they'll maximize investor returns, because that is generally considered attractive to investors, but Google stated up front that their strategy involved leaving money on the table if they feel taking it would not be the right thing for the company.

On the other hand, if Google seemed to be abandoning its morals, stockholders could sue on that basis. Of course, it would be a kind of pointless suit, since they couldn't really ask for anything that the court could give them, unless the long-term returns suffer from a revelation of immoral activities.

Where's Yahoo?

Posted Jan 13, 2010 6:05 UTC (Wed) by NightMonkey (subscriber, #23051) [Link]

The stark contrast between Google and Yahoo's behavior in China shows that modern companies can gain a competitive advantage from making aggressively ethical moves where there is actual financial risk involved. Will Yahoo join Google and stop *actively* assisting the PRC to stifle dissent?

Where's Yahoo?

Posted Jan 13, 2010 8:12 UTC (Wed) by AlexHudson (guest, #41828) [Link]

Yahoo aren't trying to shift users onto a web-based business suite. That's what this is *really* about - the thing about search is Google just flipping the bird at China. I'm sure they make decent advertising revenue from China, but I bet it's not something they'd lose sleep over at this point.

What has set them off is China attempting to access Gmail. Sod human rights activists; if *businesses* get whiffs of China doing this, they're not going to trust Gmail with their mail, or Google apps with their documents, etc. That's no good for the business model Google are trying to execute, and they already have some big businesses with some really tasty IP already signed up to their system: those customers could assume that putting this data on there basically risks exporting it to China, where a string of knock-offs would suddenly appear. Google simply cannot risk that.

Google: a new approach to China

Posted Jan 13, 2010 7:15 UTC (Wed) by yokem_55 (subscriber, #10498) [Link]

The most interesting aspect of the attack isn't that they were after human rights activists' emails, it's the other stuff they were after. The NYTimes article mentions that internal source code repositories were accessed and the article at Ars strongly implies that the hackers were affiliated with Chinese intelligence (spy) agencies. So it looks like we have a case of state-sponsored corporate/industrial espionage. Lovely.

Google: a new approach to China

Posted Jan 13, 2010 9:53 UTC (Wed) by Aissen (subscriber, #59976) [Link]

Wired seems to concur, and they have more details:
http://www.wired.com/threatlevel/2010/01/google-hack-attack/

Apparently, they came in through an Adobe (PDF) Reader zero-day exploit
targeted at Google employees. Adobe, ironically, seems to have been a target
too.
And these attacks are at least 6 months old (since July).

Now is Google fighting back to help Chinese and European activists or
because they had some critical IP and source code stolen (from their
central Perforce internal repository)?

Google: a new approach to China

Posted Jan 13, 2010 10:45 UTC (Wed) by cesarb (subscriber, #6266) [Link]

If that was the way they used to get in, one has to wonder why Google was not using a PDF reader with less of a history of security vulnerabilities.

Google: a new approach to China

Posted Jan 13, 2010 13:14 UTC (Wed) by vonbrand (subscriber, #4458) [Link]

Because 99.5% of people just use whatever is most convenient ATM? Really security-conscious people are few and far between, and it takes just one vulnerable target... just take a look at the dancing pigs.

Google: a new approach to China

Posted Jan 13, 2010 13:20 UTC (Wed) by cesarb (subscriber, #6266) [Link]

But we are not talking about 99.5% of people.

We are talking about Google.

Google: a new approach to China

Posted Jan 13, 2010 18:31 UTC (Wed) by ncm (subscriber, #165) [Link]

I think Sturgeon's Law applies here. And maybe Cipolla's Laws of Stupidity, with their enigmatic constant σ: the fraction of any population, chosen by any means whatsoever, that is stupid*.

* Cipolla has a technical definition for "stupid" that contrasts it with each of "intelligent", "hapless", and "crooked", on the classic two-axis system.

Google: a new approach to China

Posted Jan 13, 2010 14:02 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

Adobe's reader is known to have a history of problems, but the same is true of the engine used by most (all?) of the Free Software viewers. Nobody is in any position to throw stones here as far as I know.

Google: a new approach to China

Posted Jan 13, 2010 16:04 UTC (Wed) by epa (subscriber, #39769) [Link]

The only secure way to do things would be to have the PDF viewer software sandboxed to forbid filesystem access or at the very least forbid *writes* to the filesystem. AFAIK, most PDF documents include their own fonts, so there is no need for a PDF renderer to access the disk or network at all once it has started up and read its config file.

Indeed I think that talk of 'sandboxing' particular applications is the wrong way to look at it. Instead, we need to think in terms of running every application with the least privilege possible, and explicitly 'granting' extra permissions to do things like write to the user's home directory.

Of course fixing the rendering engine is important, but if the only line of defence is to rely on writing perfect C and C++ code with no memory trampling bugs, it's only a matter of time before being 0wned.
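The least-privilege idea in the comment above, shown as an added example that is not part of the original comment and is not any real viewer's code: on Linux, a worker whose input is already open enters seccomp strict mode, after which only read, write, _exit and sigreturn are allowed and any attempt to open a file gets the process killed. The names `renderer` and `run_renderer` are hypothetical, the "rendering" is a plain byte copy, and the document string is constructed sample input.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a renderer: its input is already open, so it
 * drops to seccomp strict mode before touching untrusted bytes.
 * misbehave != 0 simulates a compromised renderer reaching for the disk. */
static void renderer(int in_fd, int out_fd, int misbehave)
{
    char buf[4096];
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) syscall(SYS_exit, 2);
    if (misbehave)
        (void)open("/etc/hostname", O_RDONLY);  /* kernel answers with SIGKILL */
    ssize_t n = read(in_fd, buf, sizeof buf);
    if (n > 0 && write(out_fd, buf, (size_t)n) != n)
        syscall(SYS_exit, 3);
    syscall(SYS_exit, 0);            /* glibc exit() uses exit_group: not allowed */
}

/* Returns 0 on a clean exit, the signal number if the child was killed,
 * -1 on setup failure or a non-zero exit. out receives the child's output. */
int run_renderer(const char *doc, int misbehave, char *out, size_t cap)
{
    int in[2], res[2], status;
    size_t len = strlen(doc);
    out[0] = '\0';
    /* Queue the document before fork(); 4096 bytes always fit in a pipe. */
    if (len > 4096 || pipe(in) != 0 || pipe(res) != 0 ||
        write(in[1], doc, len) != (ssize_t)len) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(in[1]); close(res[0]);
        renderer(in[0], res[1], misbehave);     /* never returns */
    }
    close(in[0]); close(in[1]); close(res[1]);
    ssize_t n = read(res[0], out, cap - 1);
    out[n > 0 ? n : 0] = '\0';
    close(res[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char out[128];
    printf("well-behaved: %d\n", run_renderer("constructed sample", 0, out, sizeof out));
    printf("misbehaving:  %d\n", run_renderer("constructed sample", 1, out, sizeof out));
    return 0;
}
```

Strict mode is the bluntest form of this; a real renderer that needs more system calls would use a seccomp filter or one of the mechanisms listed in the replies below.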

Google: a new approach to China

Posted Jan 13, 2010 18:02 UTC (Wed) by midg3t (guest, #30998) [Link]

Font-embedding is optional, it just tends to be enabled by default for consistent viewing.

Google: a new approach to China

Posted Jan 13, 2010 18:36 UTC (Wed) by drag (subscriber, #31333) [Link]

Well how do you restrict access to a user account for that user's software
without 'sandbox'ing it?

As far as I know there are only a few ways to put up that sort of
restrictions effectively in Linux. You can run it in a VM (in a lightweight
container or full VM), run it under a different account and use X
networking, or use a security module like AppArmor or SELinux.

So far the simplest is just to stuff it in a container.

You're going to run into these issues for any sort of application that
accesses data originating from the internet... mp3 player, pdf reader,
emailer, browser, even a text editor.

Google: a new approach to China

Posted Jan 13, 2010 22:17 UTC (Wed) by cmccabe (guest, #60281) [Link]

> Indeed I think that talk of 'sandboxing' particular applications is the
> wrong way to look at it. Instead, we need to think in terms of running
> every application with the least privilege possible, and explicitly
> 'granting' extra permissions to do things like write to the user's home
> directory.

Congrats, you just re-invented SELinux. SELinux policies tell the system how different apps on the system can interact and use resources (like files and network connections.)

Unfortunately, people immediately turn it off as soon as /usr/bin/dancing-pigs has a problem. :)

Hopefully once distros have better SELinux policies in place, that won't happen so often...

Google: a new approach to China

Posted Jan 13, 2010 22:55 UTC (Wed) by rahvin (subscriber, #16953) [Link]

Security is hard. The only real solution is the one used in Chrome which is to assume every binary is malicious. Only by assuming everything the system runs is malicious code can you possibly prevent all exploits. The problem is that taking that level of security greatly reduces user experience. So we invent SELinux which literally needs a full time person to manage.

What's surprising to me is that with a company the size of Google that they don't have a full time security person ensuring all these systems are secure enough to prevent 0-day exploits while maintaining full usability by their users.

Google: a new approach to China

Posted Jan 14, 2010 8:57 UTC (Thu) by epa (subscriber, #39769) [Link]

My point is that we tend to have applications unrestricted by default, unless you write an SELinux policy to constrain them. Rather, it would be better (though certainly more work) to have defaults such as 'no home directory access' and 'no network access' for all applications, unless a policy has specifically been written to enable it.

If this is how SELinux is typically configured these days, then my apologies.

Google: a new approach to China

Posted Jan 14, 2010 10:52 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

In Fedora, these days several hundreds of programs are constrained by
SELinux by default. These keep increasing over time.

http://danwalsh.livejournal.com/33287.html

Google: a new approach to China

Posted Jan 15, 2010 17:37 UTC (Fri) by epa (subscriber, #39769) [Link]

> these days several hundreds of programs are constrained by SELinux by default.

Yes, I use Fedora and I appreciate the extra layer of security provided by SELinux. But we are talking about a different meaning of 'by default'. What I meant was, by default, if no policy file has been written for this application, run with a fairly restrictive set of permissions. A policy to allow, say, network access would have to be explicitly written and bound to that application.

In Fedora, if you run a new program which has not received special attention from the Fedora SELinux team, by default it runs with the full permissions of your user account.

Google: a new approach to China

Posted Jan 14, 2010 9:48 UTC (Thu) by dmk (subscriber, #50141) [Link]

I wonder if that "highly sophisticated attack" looked something like that:
http://media.ccc.de/browse/congress/2009/26c3-3596-de-cat...
?

Google: a new approach to China

Posted Jan 14, 2010 11:37 UTC (Thu) by caliloo (subscriber, #50055) [Link]

Hello,

As stated in the Wired article it strikes me that what people should be worried about when Google announces that source has been stolen is not what kind of IP related problem it involves, but what the attackers learn about the systems they attacked.

Obviously this attack is part of a war and not a standalone thing. This source code is very important tactical knowledge to know what system to target next in this electronic war. They didn't get to the content of emails this time? Well they will be one step closer next time!

Particularly worrying when you think that companies like banks and other chemical suppliers have been targeted. These are notoriously less reactive and well informed than Google when it comes to cyberwars. (Their first reaction was to cover up the mess!). Put this into relation with all the IT companies targeted last summer, and you start getting a picture of somebody well organized, and determined to gain access to a vast spectrum of systems.

Brgds.

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds