funsec mailing list archives
Re: All your database (and email) are belong to us ...
From: chris () blask org
Date: Sun, 26 Jul 2009 07:02:06 -0700 (PDT)
--- On Sat, 7/25/09, security curmudgeon <jericho () attrition org> wrote:
> > Incident occurred. Lesson: Single factor SSO authentication can bite you in the ass (access to mail, calendar, docs, apps, more).
> I'd be happy to bet against you on this.
I did at least qualify my comment. I allow it is possible that due to typical organizational FUBAR they can avoid learning lessons, too.
> I bet we don't see them change this to require (or even allow) unique passwords for each part. I bet we don't see them change to two-factor authentication, even if it remains SSO.
I wouldn't bet either way, but two-factor remains something they should be motivated to provide for paying customers so they (or a competitor) could implement it once and thereby increase security for N sites, as opposed to the same N sites all managing to implement two-factor spontaneously.
> If they spend a portion of those billions of dollars on security, sure. But like most companies, security doesn't seem to be any more 'built in from the ground up' than the next company.
They don't need to spend billions, just a tiny fraction. Having the potential to afford the budget makes it more likely than all those N sites all managing to come up with the individual budgets (which, of course, would add up to way more than Google would spend doing it once). For Google it is a Cost Of Goods Sold line item; for LA etc. it is an additional expense. Unlike LA, Google could make money by spending those few bucks.

More than an argument in favor of Google (or any other single company), the point is in support of off-siting instead of hosting locally. The best argument against is the "monoculture" argument which - while it stands pretty well regardless - can be mitigated by diligence and best practices.

-chris

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.