‘Google’ Hackers Had Ability to Alter Source Code

“Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,” the paper states. “It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree. . . . As a result, attackers often don’t even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.”<p>---<p>Forgive me but isn't this the function of a SCM? What other models are there?

"I sorta find it amusing that McAfee released a PDF of the white paper, considering that Abode’s PDF Reader is also a popular attack vector. It’s like railing again IE6 being insecure, but using it to post the message that IE6 is insecure."<p>-From the comments in the original article.<p>I found the above interesting because it suggests to me one of the fundamental principles of security: we must necessarily try to improve our security from inside of systems which are already insecure.<p>We could say that no one should ever use an IE with a zero-day vulnerability. And that no one should use pdf because it can be an attack vector. Or view jpegs because there have been embedded executable code vulnerabilities. Or run executable code because sometimes it is malicious.<p>Security is always a matter of trade-offs. One can never build a house which cannot be broken into but one can build a house that is not worth breaking into.<p>Sounds like there were a number of vulnerabilities here. It also sounds like improving default settings is one of the best solutions here. But it's clearly not a justification for no longer using SCM, or pdf. Perhaps for old IE.

Why are we taking McAfee's word on what happened again? They never claim to have directly investigated Google, and from what I can tell Google isn't their client. They are purely extrapolating based on other companies they work with.<p>This just sounds like they are trying to scare everyone about what happened to Google so that they can sell them <i>McAfee Security</i>, which as we all know will fix all your problems.

Duh... headline should replace hackers with crackers.<p>On first sight I really thought that it was about regular Google employees who developed something new during their blessed self-time.

If I had a local working copy of a git (or any of the dvcs's) repository and a hacker attempted to taint the "master" copy, would that show up as a diff between my copy and the master?<p>With SVN, a hacker could inject changes into the repo on the server which would show up as a incoming change to my local repository.<p>In both cases, we could detect an intrusion if someone was vigilant enough to take a look at all incoming/outgoing changes and diffs -- or am I missing something?

“It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree. . . . "<p>Well, doh. How would it work otherwise?

At the time of the initial report, I suspected that a reason Google seemed so angry was that the hackers had tried to inject new vulnerabilities into Google software that would then damage third-party Google users (either via browser compromises of downloads of Google-distributed client software, like Desktop/Toolbar/Chrome/etc.).<p>Stealing 'secret algorithms' is in one category of transgression. It's still somewhat flattering to the target. It's driven by curiosity, not always a bad thing. To the extent such theft-of-secrets enables competitors to increase market share by improving their own operations, it hurts the target, yes, but might still be net-beneficial to society in a dynamic long-term analysis. It's theft, but not really violence. A victim will adopt countermeasures, and might expect compensation/damages, but may not be moved to retaliate in-kind. A rational weighing of costs and benefits tends to dominate the choice of responses.<p>On the other hand, to try to corrupt a company's offerings to damage their customers -- and possibly destroy the company's reputation as a trusted source of downloadable software -- moves into another more serious category. It's malicious and destructive. The victim may feel existentially threatened, and feel obligated to retaliate using any means available. A rational weighing of options may not matter; there is a urge to punish, even incurring large costs in the process.<p>Google's initial response made me think they viewed the China breaches in the latter category, despite the limited details.

Nice counter-example for anyone claiming expensive enterprise products (Perforce) are more secure than widely used open source products (git/subversion).