funsec mailing list archives

Re: All your database (and email) are belong to us ...


From: chris () blask org
Date: Sun, 26 Jul 2009 07:02:06 -0700 (PDT)


--- On Sat, 7/25/09, security curmudgeon <jericho () attrition org> wrote:

> I'd be happy to bet against you on this.
>
> Incident occurred. Lesson: Single factor SSO authentication
> can bite you in the ass (access to mail, calendar, docs, apps, more).

I did at least qualify my comment. I allow it is possible that due to typical organizational FUBAR they can avoid learning lessons, too.
 
> I bet we don't see them change this to require (or even
> allow) unique passwords for each part. I bet we don't see them change to
> two-factor authentication, even if it remains SSO.

I wouldn't bet either way, but two-factor remains something they should be motivated to provide for paying customers so 
they (or a competitor) could implement it once and thereby increase security for N sites, as opposed to the same N 
sites all managing to implement two-factor spontaneously.
 
> If they spend a portion of those billions of dollars on
> security, sure. But like most companies, security doesn't seem to be any
> more 'built in from the ground up' than the next company.

They don't need to spend billions, just a tiny fraction. Having the potential to afford the budget makes it more likely 
than all those N sites all managing to come up with the individual budgets (which, of course, would add up to way more 
than Google would spend doing it once).  For Google it is a Cost Of Goods Sold line item, for LA etc it is an 
additional expense.  Unlike LA, Google could make money by spending those few bucks.

More than an argument in favor of Google (or any other single company) the point in support is in support of off-siting 
instead of hosting locally.  The best argument against is the "monoculture" argument which - while it stands pretty 
well regardless - can be mitigated by diligence and best practices.

-chris

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.