There are some interesting tidbits coming out about the Chinese hack of Google. Apparently the source code to Google’s SSO technology was a target (although this is misstated in the headline as a “password system”). It’s unknown at this point what source code (if any) was taken, but this highlights the nightmare scenario of the SSO world.
If a vulnerability is found in your token generation code such that someone can spoof a token, then your SSO system and every system connected to it is compromised.
Of course just having the source code is not in itself a problem. Typically there is a private key that is used to encrypt or sign the token. But protecting that private key is the issue and that is where the source code is key. If you think your key has been compromised you can replace it. But the code that authenticates the user and generates the token needs to get the private key to do the encryption (or signing (or both)). If the secret algorithm to access that key is compromised, then the attacker can then attempt to penetrate the system where that key lives and get the key. With the key and token generating code in hand the attacker can then access any SSO protected system.
And here is an ugly secret. If the SSO technology is public key encryption, they key on needs to exist where the token is initially generated. If it’s based on symmetric key encryption then the key has to exist on every server in the SSO environment.
So just use public key encryption, that solves the problem right? Not so fast. One critical aspect of SSO is inactive session timeout. That requires the token to be “refreshed” when used so that it expired based on inactivity. Refreshing the token at every server in the SSO system (every PEP if you will) requires either that server to have the key, or it make a remote calls to a common authentication service to refresh the token.
There are pluses and minuses to both approaches. One puts the keys to the kingdom in more locations but the other adds overhead to the token refresh. When security and performance collide, who do you think usually wins?
These kinds of trade offs are what make SSO so interesting to me.
Note that I am not talking about federated SSO (SAML or openid) or intranet SSO (Kerberos) as they present a different set of challenges.
Phil Windley posts about Google’s recent moves in China and describes them as a result of conflict between Google’s desired to do what’s right (not censor) and doing what it needs to do to stay in business in one of the largest markets in the world. That’s an interesting take on it, but it doesn’t wash with recent history.
To be clear, Google was fine with doing evil for several years now. The lived with the government restrictions and did business up until recently when they were penetrated (reportedly badly) by hackers that no one seriously believes aren’t at least backed by the Chinese government. Also the decision to buck the government was also made easier by Google’s own lagging competitive position in China.
If the real story ever comes out I’m sure it will be fascinating. Until then I’m not sold on Google’s altruistic motives in this dispute.
Nico Popp suggests that incidents such as the recent Google hack may lead to governments and large corporations adopting a form of Mutually Assured Destruction cyber defense.
On one hand there is a lot of sense in this, especially for governments. However I suspect retaliation would be more of a economic (or worst case military) nature.
At some level that’s exactly what is going on with the Google case. Google obviously believes that the Chinese government is behind the attack and Google has retaliated by threatening to stop censoring content in China, even at the risk of getting thrown out of the country. Of course now they seem to be backing down and both sides are now looking for a face saving compromise.
But one problem with the MAD theory of cyber-warfare is that you most often don’t have any idea who to retaliate against. At least not with sufficient degree of certainty.
So for now, MAD looks pretty unlikely in the cyber-warfare game.
I usually find what’s not being said far more interesting than the platitudes that are uttered. According to this article Google and China are negotiating a face saving compromise to allow Google to remain in China. What is being said is that this is about the level of censorship. What is not being said, and what is probably really the truth is that this is really all about the Chinese government hacking Google.
I mean seriously. Google China censored content from day one and now it all of a sudden decided to “do less evil”? As Corporal Nobbs likes to say “pull the other one, it has bells on it”.
No, what changed is that the government has hacked Google and gotten caught doing it, and probably affected some high-level Google execs.
Here is my prediction; the face saving compromise will involve a little easing of the censorship rules, a promise not to hack Google any more, and Google quietly giving some sweetheart deals to some high-level Chinese officials.
Posted in Censorship, China, Cyber-warfare, Freedom, Google, Hacking, Security
Tagged Censorship, China, Google, Hacking, Security
Bruce Schneier writes this, in which he lays the blame for the Chinese hack of Google on the US Government. His reasoning is that since Google put in a back door surveillance mechanism to enable the US to eavesdrop on Google users, it is then the US’s fault that Chinese hackers used that mechanism to hack Google accounts.
This is a little like me blaming my employer if I have an accident on the way to work.
While I agree that companies should not be making it easy for governments to spy on people, when legally required to do so it is also their responsibility to make sure that this done in as secure a manner as possible.
Also note the interesting linguistic phrase that most journalist have used in this issue. The hacking of Google is usually described as being done by “Chinese hackers”. That’s not wrong, but it missing the most important point. No one seriously believes that the attacks were not done at the behest of the Chinese government itself. That is a very important distinction.
Is a slave with a wise master better off than a free man that makes bad decisions?
Thomas Friedman would say yes according to this jaw dropping editorial in which he praises the Chinese government because it is in his words “enlightened”. I kid you not. Read it for yourself. He favorably compares a despotic regime with the US democracy because they are willing to ignore the will of the people and implement unpopular decisions.
Democracies aren’t perfect. But to refer to a country like China as “enlightened” is an insult to the thousands of its citizens who have been arrested, jailed, tortured, and killed for the crime of wanting freedom.
Of course Mr. Friedman is free to say whatever he wants in this country. An irony that is sadly lost on him.
This article lists 10 reason companies may resist adopting cloud services. There some good points here but number 6 is just silly. Even if you are a believer in anthropogenic global warming (as opposed to what is caused by the giant fusion reactor in the sky), you would sill be better off employing cloud services. Unless your company that has very sophisticated power management technology you won’t be able to run a service as efficiently on a per-user basis as a company that host services for a living. Power usage for that service is a much bigger cost item for them than for you and they have much more incentive to minimize it.
Number 7 is a good point but vastly understates the problem. It isn’t so important where the servers live but where your provider has a legal presence or does business. For example if your provider does business in China it will need to bow to their whims regardless of where the servers physically reside. Really US privacy laws (or the lack there of) are really the least of your worries in regards to your data.