

Hackers Stole Source Code of Google's Global Password System - fnid2
http://www.wired.com/threatlevel/2010/04/google-hackers

======
sriramk
I don't see what the source can get you. In fact, given that Google reuses a
lot of open source, the source code is probably out in public already.

I think for Google, their _data_ would be far more valuable. For their
password systems, I guess it is safely secured with a salt+hash somewhere so
someone would have needed to hijack an admin's account.

~~~
newobj
And where do you suppose the salt is stored? (EDIT: Not to suggest Google
would be so naive as to use a single static salt value with N hashing
iterations. I really hope there's something smarter at play than that. The
question is, does the source code contain all the information needed to
perform dictionary attacks, or is some element of it externalized? And does
anyone even know if user 'passwords' (in whatever hashed form they exist) were
compromised?)

~~~
brown9-2
I think sriramk's point is that having the source for this system isn't that
much of a benefit if you don't have access to the data itself or the systems
involved.

~~~
eli
Well, if I were planning to hack into a system to steal its data, I would
definitely prefer to have the source beforehand.

------
pibefision
I cannot believe this. Google is a very bright company in security, I don't
believe a flaw on SCM's security fence.

~~~
jrockway
They use the same broken software we all do. ssh, written in C. Perforce,
written in C. Find a single memory management error in one of those programs,
and Google's source code is yours.

~~~
pyre
So you feel that ssh should be written in Perl?

~~~
Radix
That's a disingenuous way to say C is a fine language for ssh.

