Category Archives: China

Stealing the keys to the kingdom

There are some interesting tidbits coming out about the Chinese hack of Google. Apparently the source code to Google’s SSO technology was a target (although this is misstated in the headline as a “password system”). It’s unknown at this point what source code (if any) was taken, but this highlights the nightmare scenario of the SSO world.

If a vulnerability is found in your token generation code such that someone can spoof a token, then your SSO system and every system connected to it is compromised.

Of course, just having the source code is not in itself a problem. Typically there is a private key that is used to encrypt or sign the token. Protecting that private key is the issue, and that is where the source code matters. If you think your key has been compromised you can replace it. But the code that authenticates the user and generates the token needs access to the private key to do the encryption (or signing, or both). If the secret mechanism for accessing that key is compromised, the attacker can then attempt to penetrate the system where that key lives and take the key. With the key and the token-generating code in hand, the attacker can access any SSO-protected system.

And here is an ugly secret. If the SSO technology is based on public key cryptography, the key only needs to exist where the token is initially generated. If it is based on symmetric key cryptography, then the key has to exist on every server in the SSO environment.

So just use public key encryption, and that solves the problem, right? Not so fast. One critical aspect of SSO is inactive session timeout. That requires the token to be “refreshed” each time it is used so that it expires based on inactivity. Refreshing the token at every server in the SSO system (every PEP, if you will) requires either that the server have the key, or that it make a remote call to a common authentication service to refresh the token.

There are pluses and minuses to both approaches. One puts the keys to the kingdom in more locations but the other adds overhead to the token refresh. When security and performance collide, who do you think usually wins?
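To make the trade-off concrete, here is an added example in Go (my illustration, not code from the post and not Google’s SSO code). It models a token as a signed “user|expiry” payload, a constructed format chosen for this example, and implements both designs: a shared-key PEP using HMAC-SHA256, which can verify and refresh locally but therefore necessarily holds a key that can mint a token for any user, and a public-key PEP using Ed25519, which can only verify and must round-trip to the issuer to refresh. The choice of HMAC-SHA256 and Ed25519 is an assumption of the example, not something the post specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Token format (constructed for this example): base64url(payload) "." base64url(sig),
// where payload is "user|expiry-unix-seconds".
const sep = "."

func encode(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func makePayload(user string, exp int64) []byte {
	return []byte(user + "|" + strconv.FormatInt(exp, 10))
}

func splitToken(tok string) (payload, sig []byte, err error) {
	parts := strings.Split(tok, sep)
	if len(parts) != 2 {
		return nil, nil, errors.New("malformed token")
	}
	if payload, err = base64.RawURLEncoding.DecodeString(parts[0]); err != nil {
		return nil, nil, err
	}
	if sig, err = base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, nil, err
	}
	return payload, sig, nil
}

// parsePayload splits on the last '|' so user names may themselves contain '|'.
func parsePayload(p []byte) (user string, exp int64, err error) {
	i := strings.LastIndexByte(string(p), '|')
	if i < 0 {
		return "", 0, errors.New("malformed payload")
	}
	exp, err = strconv.ParseInt(string(p[i+1:]), 10, 64)
	return string(p[:i]), exp, err
}

// checkExpiry rejects a token whose expiry is at or before "now" (unix seconds).
func checkExpiry(payload []byte, now int64) (string, error) {
	user, exp, err := parsePayload(payload)
	if err != nil {
		return "", err
	}
	if now >= exp {
		return "", errors.New("expired")
	}
	return user, nil
}

// ---- Symmetric design: every PEP holds the same secret key. ----

type SharedKeyPEP struct{ key []byte }

func (p SharedKeyPEP) Mint(user string, exp int64) string {
	payload := makePayload(user, exp)
	mac := hmac.New(sha256.New, p.key)
	mac.Write(payload)
	return encode(payload) + sep + encode(mac.Sum(nil))
}

func (p SharedKeyPEP) Verify(tok string, now int64) (string, error) {
	payload, sig, err := splitToken(tok)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, p.key)
	mac.Write(payload)
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return "", errors.New("bad signature")
	}
	return checkExpiry(payload, now)
}

// Refresh slides the expiry forward locally. It needs the signing key, so any
// PEP that can refresh can also Mint a token for any user: the key sitting on
// each PEP is the "key to the kingdom" the post describes.
func (p SharedKeyPEP) Refresh(tok string, now, ttl int64) (string, error) {
	user, err := p.Verify(tok, now)
	if err != nil {
		return "", err
	}
	return p.Mint(user, now+ttl), nil
}

// ---- Asymmetric design: only the issuer holds the private key. ----

type Issuer struct{ priv ed25519.PrivateKey }
type PublicKeyPEP struct{ pub ed25519.PublicKey }

func NewIssuer() (Issuer, PublicKeyPEP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Issuer{}, PublicKeyPEP{}, err
	}
	return Issuer{priv}, PublicKeyPEP{pub}, nil
}

func (i Issuer) Mint(user string, exp int64) string {
	payload := makePayload(user, exp)
	return encode(payload) + sep + encode(ed25519.Sign(i.priv, payload))
}

// A PEP with only the public key can verify but never sign.
func (p PublicKeyPEP) Verify(tok string, now int64) (string, error) {
	payload, sig, err := splitToken(tok)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(p.pub, payload, sig) {
		return "", errors.New("bad signature")
	}
	return checkExpiry(payload, now)
}

// Refresh has to happen at the issuer: this is the remote call the post
// mentions, modelled here as a direct function call the PEP makes.
func (i Issuer) Refresh(pep PublicKeyPEP, tok string, now, ttl int64) (string, error) {
	user, err := pep.Verify(tok, now)
	if err != nil {
		return "", err
	}
	return i.Mint(user, now+ttl), nil
}

func main() {
	issuer, pep, err := NewIssuer()
	if err != nil {
		panic(err)
	}
	tok := issuer.Mint("alice", 1000)
	user, err := pep.Verify(tok, 900)
	fmt.Println(user, err) // alice <nil>
	_, err = pep.Verify(tok, 1000)
	fmt.Println(err) // expired
}
```

The symmetric PEP’s Verify and Refresh run without any network call, which is the performance win; the public-key PEP keeps nothing worth stealing, which is the security win, at the cost of one round-trip per refresh.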

These kinds of trade-offs are what make SSO so interesting to me.

Note that I am not talking about federated SSO (SAML or OpenID) or intranet SSO (Kerberos), as they present a different set of challenges.

Just a bit more complicated than that

Phil Windley posts about Google’s recent moves in China and describes them as the result of a conflict between Google’s desire to do what’s right (not censor) and doing what it needs to do to stay in business in one of the largest markets in the world. That’s an interesting take on it, but it doesn’t wash with recent history.

To be clear, Google has been fine with doing evil for several years now. They lived with the government restrictions and did business up until recently, when they were penetrated (reportedly badly) by hackers that no one seriously believes aren’t at least backed by the Chinese government. The decision to buck the government was also made easier by Google’s own lagging competitive position in China.

If the real story ever comes out I’m sure it will be fascinating. Until then I’m not sold on Google’s altruistic motives in this dispute.


Nico Popp suggests that incidents such as the recent Google hack may lead to governments and large corporations adopting a form of Mutually Assured Destruction cyber defense.

On one hand there is a lot of sense in this, especially for governments. However, I suspect retaliation would be more of an economic (or, worst case, military) nature.

At some level that’s exactly what is going on with the Google case. Google obviously believes that the Chinese government is behind the attack, and Google has retaliated by threatening to stop censoring content in China, even at the risk of getting thrown out of the country. Of course, now they seem to be backing down and both sides are looking for a face-saving compromise.

But one problem with the MAD theory of cyber-warfare is that you most often don’t have any idea who to retaliate against, at least not with a sufficient degree of certainty.

So for now, MAD looks pretty unlikely in the cyber-warfare game.

What’s not being said

I usually find what’s not being said far more interesting than the platitudes that are uttered. According to this article, Google and China are negotiating a face-saving compromise to allow Google to remain in China. What is being said is that this is about the level of censorship. What is not being said, and what is probably the truth, is that this is really all about the Chinese government hacking Google.

I mean, seriously. Google China censored content from day one, and now it has all of a sudden decided to “do less evil”? As Corporal Nobbs likes to say, “pull the other one, it has bells on it”.

No, what changed is that the government hacked Google and got caught doing it, and probably affected some high-level Google execs.

Here is my prediction: the face-saving compromise will involve a little easing of the censorship rules, a promise not to hack Google any more, and Google quietly giving some sweetheart deals to some high-level Chinese officials.

Misplaced Blame

Bruce Schneier writes this, in which he lays the blame for the Chinese hack of Google on the US Government. His reasoning is that since Google put in a back-door surveillance mechanism to enable the US to eavesdrop on Google users, it is then the US’s fault that Chinese hackers used that mechanism to hack Google accounts.

This is a little like me blaming my employer if I have an accident on the way to work.

While I agree that companies should not be making it easy for governments to spy on people, when legally required to do so it is also their responsibility to make sure that this is done in as secure a manner as possible.

Also note the interesting phrase that most journalists have used on this issue. The hacking of Google is usually described as being done by “Chinese hackers”. That’s not wrong, but it misses the most important point. No one seriously believes that the attacks were not done at the behest of the Chinese government itself. That is a very important distinction.

Mr. Friedman praises the slave owners

Is a slave with a wise master better off than a free man that makes bad decisions?

Thomas Friedman would say yes, according to this jaw-dropping editorial in which he praises the Chinese government because it is, in his words, “enlightened”. I kid you not. Read it for yourself. He favorably compares a despotic regime with US democracy because they are willing to ignore the will of the people and implement unpopular decisions.

Democracies aren’t perfect. But to refer to a country like China as “enlightened” is an insult to the thousands of its citizens who have been arrested, jailed, tortured, and killed for the crime of wanting freedom.

Of course Mr. Friedman is free to say whatever he wants in this country. An irony that is sadly lost on him.

Top 10 cloud scares

This article lists 10 reasons companies may resist adopting cloud services. There are some good points here, but number 6 is just silly. Even if you are a believer in anthropogenic global warming (as opposed to warming caused by the giant fusion reactor in the sky), you would still be better off employing cloud services. Unless your company has very sophisticated power management technology, you won’t be able to run a service as efficiently on a per-user basis as a company that hosts services for a living. Power usage for that service is a much bigger cost item for them than for you, and they have much more incentive to minimize it.

Number 7 is a good point but vastly understates the problem. It isn’t so important where the servers live but where your provider has a legal presence or does business. For example, if your provider does business in China it will need to bow to their whims regardless of where the servers physically reside. US privacy laws (or the lack thereof) are really the least of your worries in regard to your data.

The mask slips

A security flaw on the part of the Chinese partner of Skype apparently reveals the extent to which Skype is selling out its customers (from Ars Technica):

The report published yesterday, titled “BREACHING TRUST: An analysis of surveillance and security practices on China’s TOM-Skype platform” (PDF), explains that full chat text messages from TOM-Skype users were found on insecure, publicly-accessible web servers along with the encryption key required to decrypt the data (TOM Online is Skype’s operating partner in China). This, along with “millions of records containing personal information” such as IP address, usernames, and landline phone numbers, was stored along with additional data detailing Skype users outside of China who have communicated with TOM-Skype users in China.

Keep in mind that this is surveillance not only of traffic in China (which would be bad enough) but of anyone worldwide who has used Skype to communicate with anyone in China.

Unfortunately, I suspect that this sort of practice is a lot more common than is believed. You just don’t usually see the mask slip like this to reveal the ugly truth.

I find eBay’s response to this to be quite risible:

When asked for comment about the findings, eBay (Skype’s parent company) spokesperson Jennifer Caukin only responded to the security implications. “The security breach does not affect Skype’s core technology or functionality,” she told the New York Times. “It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed within 24 hours.”

In other words, they won’t stop spying on you for the Chinese; they will just hide it better.

This is a big problem for SaaS vendors. As a customer you need to find out if your SaaS provider does business in China, Russia, or any other country where the rule of law is non-existent. In those countries your service provider will be forced to choose between compromising the privacy of your data and being kicked out of the country.

History has shown they will choose the former.

WMDs (Weapons of Mass Denial)

A clever term is coined for botnets in this eWeek article by Larry Seltzer. Kevin Colman has a summary of the suspected cyber-warfare capabilities of Hezbollah and Russia. Bruce Schneier calms things down a little with a debunking of the theory that the Chinese attacked the US power grid.

Interesting times.

A compassion that knows no bounds

Apparently the Chinese government will allow the parents of children killed or disabled in the recent earthquake to replace them, free of charge. From the Fox News article:

Those families can obtain a certificate to have another child, the Chengdu Population and Family Planning Committee in the capital of hard-hit Sichuan province said.

Just when I was used to thinking of them as despotic tyrants, they go and show their tender side. Of course, there are limits to their mercy:

Chinese couples who have more than one child are commonly punished by fines.

The announcement says that if a child born illegally was killed in the quake, the parents will no longer have to pay fines for that child – but the previously paid fines won’t be refunded.

If the couple’s legally born child is killed and the couple is left with an illegally born child under the age of 18, that child can be registered as the legal child – an important move that gives the child previously denied rights including free nine years of compulsory education.

But seriously. “Appalling” doesn’t even begin to describe this.