

Google China hackers stole source code - rmorrison
http://uk.news.yahoo.com/22/20100303/ttc-uk-china-google-fe50bdd.html

======
hazzen
Does anyone else feel that this article is both poorly written and furthermore
just bad reporting? I was curious about the original source, which I tracked
down to a blog post by George Kurtz and several links on it [1].

It seems to only claim that source control services are a good target and are
frequently configured with no security (which is A Bad Thing), but does not
blame Perforce as an attack vector. The article implies, however, that
Perforce was used as an attack vector which does not appear to be the case. Of
course, it is very hard to discern what the article actually says when they
spend one sentence per idea, with no further explanation or investigation.

[1]: <http://siblog.mcafee.com/cto/source-code-repositories-targeted-in-operation-aurora/>

------
rmorrison
Stuff like this is why it's important for all developers to study computer
security. It is possible to create computer systems such that malicious users
are unlikely to break into them, even if they have the entire system's source
code. For example, look at heavily used open source software.

It seems like a lot of developers write closed source, commercial systems with
the assumption that malicious users will never see it.

~~~
yesimahuman
Perhaps they don't have enough of an incentive to make it bulletproof. That
or they aren't given enough time to do so. Let's admit it, we all make
mistakes, and if you aren't given enough time to analyze your code, security
issues might very well make it into production.

------
dirtbox
While reading that, for a moment I thought that Google were using McAfee
security and seriously pondered the wisdom in using their services anymore.

~~~
ErrantX
Nothing wrong with McAfee enterprise. :-)

~~~
mfukar
It's only trivial to bypass, nothing else wrong with it.

------
jrockway
It's not really stealing if Google still has the source code. Unless reading a
book is now called "stealing a book".

~~~
Groxx
Just like "stealing" company secrets isn't stealing? Are you implying that
intellectual property can't be stolen?

~~~
jrockway
Implying? No.

~~~
Groxx
So, hypothetically speaking, you wouldn't mind if I broke into your house,
duplicated every bit of data on your computer, and put everything not
copyrighted by another company onto the internet for everyone to see?

~~~
jrockway
Nobody said I would or wouldn't mind this, I just said it's not stealing. It's
"looking".

But anyway, feel free to go ahead with your plan. But it might be a waste of
your time; the bits on my hard drive are already public:
<http://github.com/jrockway/>.

~~~
Groxx
(not trying to start a fight, just pointing out) note that my point implies
_all_ private communication as well. Cookies, email, chat transcripts.

------
u238
Why is Google storing source code on 3rd party servers?!

~~~
mkelly
The article never said that; just that they use Perforce.

