Senators Demand Google Hand Over Internal Memo Urging Google+ Cover-Up(zdnet.com)
zdnet.com
Senators Demand Google Hand Over Internal Memo Urging Google+ Cover-Up
https://www.zdnet.com/article/senators-demand-google-hand-over-internal-memo-urging-google-cover-up/
51 comments
Previously: https://news.ycombinator.com/item?id=18212759.
Since the "memo" is part of a discussion between lawyers and execs wouldn't the memo be considered privileged?
That doesn't mean that Senators can't ask, but if you set the expectation of handing out privileged information whenever you're asked it kinda makes "privileged" communication not mean anything.
Google admitted that they don't keep any logs around. So in the absence of logs, I am not sure how they are making the claim that their API was not abused. So there is definitely more transparency required about their internal investigation and how they are so certain. Just because Google has a great security team, I would not put my blind faith on them.
>Google admitted that they don't keep any logs around.
They didn't say that, they stated that in the logs they had, which were not fully comprehensive, there was no evidence of abuse.
> am not sure how they are making the claim that their API was not abused.
They didn't claim this.
But one could, for example, set up a honeypot and monitor any suspicious activity going forward, then if anyone attempted to abuse the vulnerability before it was publicized, they would know it might have been abused, but lack of use over a long timescale could give reasonable certainty that no one took advantage of the vuln.
(I work at Google, but not on G+ and not on security).
They didn't say that, they stated that in the logs they had, which were not fully comprehensive, there was no evidence of abuse.
> am not sure how they are making the claim that their API was not abused.
They didn't claim this.
But one could, for example, set up a honeypot and monitor any suspicious activity going forward, then if anyone attempted to abuse the vulnerability before it was publicized, they would know it might have been abused, but lack of use over a long timescale could give reasonable certainty that no one took advantage of the vuln.
(I work at Google, but not on G+ and not on security).
Its somewhat a miss-leading title....
Can you cover-up legal activity? No, of course not..non-story here
Can you cover-up legal activity? No, of course not..non-story here
Please, do hand over that memo. I'll be watching this closely. I'd love to read the entire thing, not just the parts that WSJ selected.
I have found over and over and over that when I read "memos" or "screeds" or whathaveyou coming from the tech industry I inevitably find that a huge portion of the media is pushing a narrative that is so uniform and so disjoint from the actual content I have a hard time imagining how it wasn't coordinated journo-pros-style.
I have never worked at any company that publishes every security bug discovered internally. This is ridiculous.
Same.
But the users whose data was emitted should have been immediately notified. That's (a) law in some places, (b) common decency if one party holds another's PII and then fails to keep it private.
But the users whose data was emitted should have been immediately notified. That's (a) law in some places, (b) common decency if one party holds another's PII and then fails to keep it private.
> But the users whose data was emitted should have been immediately notified.
If we’re still talking about the same bug… I thought that there was no evidence that anybody’s data was exfiltrated through this vulnerability? Granted, absence of evidence is not evidence of absence, but who, exactly, are you saying should be notified?
I would say yes, if some person’s PII data was improperly disclosed, yes, disclose the breach to that person. But if there is not any evidence that some particular person’s data was exposed here, do you go around telling people that their data “could have” been accessed, “if”?
Physical security analogy—let’s say I found out that the window was unlocked. It’s been unlocked for three years, and I pull security tapes. Nobody is on tape coming in through the window, but the old tapes have been erased. I don’t have any evidence that anybody came in through the window, and yet I can’t disprove it either.
If we’re still talking about the same bug… I thought that there was no evidence that anybody’s data was exfiltrated through this vulnerability? Granted, absence of evidence is not evidence of absence, but who, exactly, are you saying should be notified?
I would say yes, if some person’s PII data was improperly disclosed, yes, disclose the breach to that person. But if there is not any evidence that some particular person’s data was exposed here, do you go around telling people that their data “could have” been accessed, “if”?
Physical security analogy—let’s say I found out that the window was unlocked. It’s been unlocked for three years, and I pull security tapes. Nobody is on tape coming in through the window, but the old tapes have been erased. I don’t have any evidence that anybody came in through the window, and yet I can’t disprove it either.
Google was able to finger a specific number of accounts that had data marked as private that may have been shared with third parties. The thing that makes this issue unique and interesting is that Google is claiming is that they deleted all the relevant logs, so they can't confirm whether the private information was indeed shared or not. This is a big problem since if this becomes a valid way of deferring responsibility or accountability, it creates a major incentive for companies to copy Google's claim here.
That doesn’t sound especially unique or interesting, I would expect API access logs to expire after a time and without more knowledge of the specifics, two weeks seems reasonable to me. I would assume that the logs themselves contain PII so increasing the retention has a risk, too. Speaking of retention, given GDPR I would expect the logs to be expired after some known amount of time just for regulatory compliance reasons.
If you go too hard towards forcing disclosures you get pathological incentives to not retain the logs in the first place, the same way people at large companies these days will keep some discussions out of email so they can’t get subpoenaed. That’s not an excuse for bad behavior, but if you force companies to retain more logs for audit purposes, and you force companies to have PII retention policies that limit the retention period, you can easily force a company into a position where the cheapest way out is to reduce the detail in the logs to the point where they’re not useful for security audits any more (if this has the primary purpose of PII retention compliance).
If you go too hard towards forcing disclosures you get pathological incentives to not retain the logs in the first place, the same way people at large companies these days will keep some discussions out of email so they can’t get subpoenaed. That’s not an excuse for bad behavior, but if you force companies to retain more logs for audit purposes, and you force companies to have PII retention policies that limit the retention period, you can easily force a company into a position where the cheapest way out is to reduce the detail in the logs to the point where they’re not useful for security audits any more (if this has the primary purpose of PII retention compliance).
Logs with personal information anonymized are still just as useful for security and other system audits. You would be able to clearly see unauthorized access of A from B, even if A and B could no longer be identified.
And you're ignoring the biggest risk here. If this defense of claiming 'we see there was a trivially exploited issue to allow unauthorized access to data users had marked as private, but we threw away all logs so we can't be expected to see if it was exploited, or be held to any level of accountability' passes for acceptable, it's going to set a far worse precedent than any sort of legal action. Get hacked? Worried about regulatory requirements? No problem, just migrate to a two week cycle of completely deleting all logs, patch it, and stall for 2 weeks. There, you can now hoenstly say you have 'no evidence this attack ever happened.'
And you're ignoring the biggest risk here. If this defense of claiming 'we see there was a trivially exploited issue to allow unauthorized access to data users had marked as private, but we threw away all logs so we can't be expected to see if it was exploited, or be held to any level of accountability' passes for acceptable, it's going to set a far worse precedent than any sort of legal action. Get hacked? Worried about regulatory requirements? No problem, just migrate to a two week cycle of completely deleting all logs, patch it, and stall for 2 weeks. There, you can now hoenstly say you have 'no evidence this attack ever happened.'
You're right! There are laws in some places requiring notification in the event of a breach. California has one of these, and some provisions of GDPR are similar.
With that said, I don't think any of these require notification in the event of the abstract possibility, unsupported by any evidence, of a data breach. This is because there is a substantial difference between data that was emitted (factually sent somewhere) and exposed (could have been sent somewhere), and laws tend to trigger on the former.
If you're aware of relevant laws I have missed, I would love to know!
With that said, I don't think any of these require notification in the event of the abstract possibility, unsupported by any evidence, of a data breach. This is because there is a substantial difference between data that was emitted (factually sent somewhere) and exposed (could have been sent somewhere), and laws tend to trigger on the former.
If you're aware of relevant laws I have missed, I would love to know!
It's disappointing to see people defending Google on this.
Whether the vulnerability was discovered internally or not, they were leaking people's data, and the responsible thing to do is tell them. Even if it's only a possibility, people have the right to know.
Whether the vulnerability was discovered internally or not, they were leaking people's data, and the responsible thing to do is tell them. Even if it's only a possibility, people have the right to know.
There is no evidence that they were leaking people's data.
I don't think that's up for debate. Both the WSJ and Google's own engineers came to the conclusion that they were. If the data wasn't leaking there wouldn't be anything for Google to cover up in their memo.
The only question left is who was affected, and Google doesn't know because they deleted the logs. The responsible thing to do would be notify everybody using that part of the service.
The only question left is who was affected, and Google doesn't know because they deleted the logs. The responsible thing to do would be notify everybody using that part of the service.
I agree that it is not up for debate. They did not lose any information. The google announcement here https://www.blog.google/technology/safety-security/project-s... says that they looked for leakages and We found no evidence that any developer was aware of this bug, or abusing the API, and we found no evidence that any Profile data was misused.
The difference is between data being exposed and data being leaked. The difference is quite critical.
The difference is between data being exposed and data being leaked. The difference is quite critical.
First, I don't think the difference between exposed and leaked matters with respect to whether they need to notify users about it.
In any case, I don't believe their answer. Once the API response leaves the server with extra information there's no way for them to know which fields the caller looked at because it's all done client side.
In any case, I don't believe their answer. Once the API response leaves the server with extra information there's no way for them to know which fields the caller looked at because it's all done client side.
They only "know" the data didn't leak in the 2 weeks prior to them finding out about it.
Would you be surprised by legislation or insurance regulations that required such disclosures?
Yes. E.g. did you find a whiteboard facing an open window? Did leave a confidential document sitting on their desk? Did someone forget to close the filing cabinet to sensitive documents? Has anyone ever been able to access confidential information at your company without permission?
Of course we can pick and choose analogies (hint: we'll never get it right, but that's what happens when comparisons are asked for). But if we're asking for disclosures for security holes that could lead (or have lead) to unauthorized access, I expect to see a seemingly interminable list.
Of course we can pick and choose analogies (hint: we'll never get it right, but that's what happens when comparisons are asked for). But if we're asking for disclosures for security holes that could lead (or have lead) to unauthorized access, I expect to see a seemingly interminable list.
None of those examples remotely resemble the G+ issues and subsequent shuttering.
No, they don't: they're all more severe than what happened at G+ with this vulnerability. Vulnerabilities of the kind we're discussing are utterly routine, and would probably merit a sev:low in an external assessment.
I appreciate the feedback.
Would you think that a company ought to publish at least the security bugs that make them end the service? Your straw man is ridiculous.
Depends on the industry. E.g. if you're working in defense or healthcare, then just the possibility of a data leak might be something you're obligated to report on. And a Google- or Facebook-size company might easily fall into the category where even "near miss" events should be disclosed.
Basically you have to conduct an internal risk evaluation and depending on the overall risk assessment, you need or don't need to publicly report on it. Of course the bar is much lower than 'certain data leak'.
Basically you have to conduct an internal risk evaluation and depending on the overall risk assessment, you need or don't need to publicly report on it. Of course the bar is much lower than 'certain data leak'.
I won't do work for the Federal government, but I've worked with companies of all sizes in healthcare, manufacturing, finance, and utilities, and at none of them was it a norm that internal vulnerabilities be disclosed publicly.
People keep saying that there are certain kinds of companies where you have to disclose, and I have come to the conclusion that they are simply making that up because it sounds good to them.
People keep saying that there are certain kinds of companies where you have to disclose, and I have come to the conclusion that they are simply making that up because it sounds good to them.
I have worked in healthcare related systems before that needs to be HIPAA compliant, even for those systems public disclosure of a vulnerability is not a requirement. No software is bug free, and many seemingly benign bugs are security vulnerabilities.
Try and name one company that reports all their bugs (security/non security) discovered internally.
Try and name one company that reports all their bugs (security/non security) discovered internally.
With respect to just the possibility of a data leak might be something you're obligated to report on, I haven't heard of this being a real requirement. I would be curious to see links or evidence to the contrary.
> Three Republican senators have sent a letter to Google today demanding the company hand over an internal memo based on which Google decided to cover up a Google+ data leak instead of going public as most companies do.
That's a loaded first sentence. Here's another way of writing it: "Three Republican senators have sent a letter to Google today asking the company to please provide internal memo based on which Google decided to not disclose a Google+ bug that could have leaked data instead of going public as very few companies would."
Or break it up if that's too wordy. ZDNet and the writer of this article should be ashamed of themselves. How much more clearly can you out yourself as biased garbage?
To the contents of the letter itself [0], just answer the 8 questions straight up, and give the memo. Doesn't appear like a witch hunt quite yet. On questions 3, 4, and 5 just make it clear that software bugs are rampant, many have the ability to get bad things when exploited, and on 6 either inundate them with a deluge of security bugs or explain that there are probably thousands. On #7, the answer better be an emphatic "yes" or I will be very disappointed.
If it becomes more political, there needs to be legal requirements for disclosing all security vulns (instead of just exploited ones) or they need to recognize it's untenable to ask for them. Can't have it both ways and just pick a company's vuln because of an article about them and not ask other companies for theirs.
0 (PDF) - https://www.commerce.senate.gov/public/_cache/files/4852b311...
That's a loaded first sentence. Here's another way of writing it: "Three Republican senators have sent a letter to Google today asking the company to please provide internal memo based on which Google decided to not disclose a Google+ bug that could have leaked data instead of going public as very few companies would."
Or break it up if that's too wordy. ZDNet and the writer of this article should be ashamed of themselves. How much more clearly can you out yourself as biased garbage?
To the contents of the letter itself [0], just answer the 8 questions straight up, and give the memo. Doesn't appear like a witch hunt quite yet. On questions 3, 4, and 5 just make it clear that software bugs are rampant, many have the ability to get bad things when exploited, and on 6 either inundate them with a deluge of security bugs or explain that there are probably thousands. On #7, the answer better be an emphatic "yes" or I will be very disappointed.
If it becomes more political, there needs to be legal requirements for disclosing all security vulns (instead of just exploited ones) or they need to recognize it's untenable to ask for them. Can't have it both ways and just pick a company's vuln because of an article about them and not ask other companies for theirs.
0 (PDF) - https://www.commerce.senate.gov/public/_cache/files/4852b311...
> out yourself as biased garbage?
Biased based on your opinion.
I personally think this is a very big deal and I don't see anything wrong in that sentence. If you think Google is innocent, just look at the facts.
1) They had an internal memo discouraging public disclosure. 2) They only came clean with the leak after WSJ reached out for comment before the publication of a story. 3) They buried the "leak" announcement in a gigantic blog post. The blog post was meant to announce a new project, but about halfway through the middle they disclosed a data-leaking bug. I'd say the tone of the article is in response to Google's observed and recorded actions.
Yeah, I'd say the article and letter's tone is just about right.
Biased based on your opinion.
I personally think this is a very big deal and I don't see anything wrong in that sentence. If you think Google is innocent, just look at the facts.
1) They had an internal memo discouraging public disclosure. 2) They only came clean with the leak after WSJ reached out for comment before the publication of a story. 3) They buried the "leak" announcement in a gigantic blog post. The blog post was meant to announce a new project, but about halfway through the middle they disclosed a data-leaking bug. I'd say the tone of the article is in response to Google's observed and recorded actions.
Yeah, I'd say the article and letter's tone is just about right.
There are two separate items, just in the first sentence quoted, that can reasonably be challenged as unfair.
First, there's no evidence to date that the vulnerability in question actually resulted in a data breach. This is distinct from there being actual, affirmative evidence supporting the idea that there was a breach. Here, I am using "vulnerability" to mean there was potential for exploitation and "breach" to mean an actual exploitation and exfiltration of data. I understand that some might opt regard this as a distinction without difference.
Second, it is not a common practice to make a loud media-friendly disclosure of every potentially-exploitable vulnerability. I've personally closed dozens of vulnerabilities, potentially exploitable vulnerabilities, in a variety of software packages for a variety of companies over the past decade. Of these, exactly one turned into a public notification of any sort. Hosted service companies in particular are unlikely to create what they would view as an undue media circus around bugs they find and fix internally.
With these items in mind, I submit that some people might find it reasonable that the phrasing of the article and the factual claims it makes might be at the very least unfair and potentially possessed of an opportunity to come into greater alignment with evidence-based reality.
First, there's no evidence to date that the vulnerability in question actually resulted in a data breach. This is distinct from there being actual, affirmative evidence supporting the idea that there was a breach. Here, I am using "vulnerability" to mean there was potential for exploitation and "breach" to mean an actual exploitation and exfiltration of data. I understand that some might opt regard this as a distinction without difference.
Second, it is not a common practice to make a loud media-friendly disclosure of every potentially-exploitable vulnerability. I've personally closed dozens of vulnerabilities, potentially exploitable vulnerabilities, in a variety of software packages for a variety of companies over the past decade. Of these, exactly one turned into a public notification of any sort. Hosted service companies in particular are unlikely to create what they would view as an undue media circus around bugs they find and fix internally.
With these items in mind, I submit that some people might find it reasonable that the phrasing of the article and the factual claims it makes might be at the very least unfair and potentially possessed of an opportunity to come into greater alignment with evidence-based reality.
Your first point is actually the main problem here- according to Google's internal memo they didn't have the logging data to support a full investigation and have no way of knowing whether a breach occurred or not. If you find a vulnerability and there's no way to prove it hasn't been exploited then the responsible thing to do is treat it as if it had been.
Rarely is it ever the case that you can conclusively rule out exploitation (ever) of a discovered vulnerability. Most of the time, companies don't even check; they fix the problem and get on with their lives. That Google even bothered to figure out the limits of what they could conclude about the vulnerability is already above the standard response in the industry.
How do you feel about the log retention period?
I don't care about the log retention period. My assumption is that Google does a better job of real-time log monitoring than most other tech firms, and that they are between a rock and a hard place with respect to retention owing to privacy concerns. Either way: it's simply not a real-world norm to conduct a forensics investigation after the internal discovery a vulnerability, so any work they did in that regard easily clears the industry bar.
You're absolutely right! That's very much the responsible thing to do for internal purposes.
That said, it might be slightly less than maximally honest for press outlets to claim that the one scenario is factually identical to the other to a public that is ill-equipped to appreciate the point you have so wisely made.
At this juncture, I think it's fair to say that Google's internal worries about public response were well-founded. They're being publicly crucified for going above and beyond the common standards of responsible behavior here.
That said, it might be slightly less than maximally honest for press outlets to claim that the one scenario is factually identical to the other to a public that is ill-equipped to appreciate the point you have so wisely made.
At this juncture, I think it's fair to say that Google's internal worries about public response were well-founded. They're being publicly crucified for going above and beyond the common standards of responsible behavior here.
> I personally think this is a very big deal [...] Yeah, I'd say the article[...]'s tone is just about right.
That an article needs a "tone", and that it's right/wrong based on how big of a deal the reader thinks it is, is the issue. I await robot news that is a bulleted list of facts. We could argue about fact selection/placement, but I'll take that over arguing a particular organization's collective side of the bed they wake up on.
To your point, we disagree there wrt internal discussions of disclosure. What will be real scary is when there is a chilling effect to even performing rational discussion around these things. There is no such thing as disclose all, and when there is no such thing as talking about it either, you'll wish these rules were codified in law instead of applied selectively to issues you are ok with.
That an article needs a "tone", and that it's right/wrong based on how big of a deal the reader thinks it is, is the issue. I await robot news that is a bulleted list of facts. We could argue about fact selection/placement, but I'll take that over arguing a particular organization's collective side of the bed they wake up on.
To your point, we disagree there wrt internal discussions of disclosure. What will be real scary is when there is a chilling effect to even performing rational discussion around these things. There is no such thing as disclose all, and when there is no such thing as talking about it either, you'll wish these rules were codified in law instead of applied selectively to issues you are ok with.
>I await robot news that is a bulleted list of facts.
Interesting that you mention this, I'm not convinced that this will be a silver bullet. A couple of concerns that come to mind:
1. Something must bridge the robot to the physical world. The selection of which facts to include and exclude in this data source can create bias.
2. From the data source, the robot then would make its own decision about to to present facts, presumably performing some filtration of its own. Such a robot can have bias [0].
To be clear, I definitely agree that robojournalism could be an improvement. But we can't forget how it works and how it could be manipulated.
[0] - For example http://blog.conceptnet.io/posts/2017/how-to-make-a-racist-ai...
Interesting that you mention this, I'm not convinced that this will be a silver bullet. A couple of concerns that come to mind:
1. Something must bridge the robot to the physical world. The selection of which facts to include and exclude in this data source can create bias.
2. From the data source, the robot then would make its own decision about to to present facts, presumably performing some filtration of its own. Such a robot can have bias [0].
To be clear, I definitely agree that robojournalism could be an improvement. But we can't forget how it works and how it could be manipulated.
[0] - For example http://blog.conceptnet.io/posts/2017/how-to-make-a-racist-ai...
I await robot news that is a bulleted list of facts.
I've got just the thing for you: cat news.txt | sed 's/\. /.\n * Reportedly, /'>Biased based on your opinion...
All bias is based on opinion.
It's possible for everyone making a comment, including you and I, to be biased. In fact, in any political argument the chances that a commenter is unbiased are vanishingly small.
You have your bias. Kodablah has his/her own bias. There's nothing wrong with that. It certainly doesn't negate either of your arguments. Kodablah's point remains just as valid to consider.
All bias is based on opinion.
It's possible for everyone making a comment, including you and I, to be biased. In fact, in any political argument the chances that a commenter is unbiased are vanishingly small.
You have your bias. Kodablah has his/her own bias. There's nothing wrong with that. It certainly doesn't negate either of your arguments. Kodablah's point remains just as valid to consider.
Anyone want to take bets that those senators are using OS/email systems that have security vulnerabilities bugs that will be fixed (announced or not) over the next 12 months? Do they have sufficient logging/security that they will be able to demonstrate that their communications were not compromised?
I don't have confidence that their staff don't have direct access to their accounts, their passwords are remotely strong, or they have any real OpSec. Hopefully, they have been forced to use something resembling 2FA.
I don't have confidence that their staff don't have direct access to their accounts, their passwords are remotely strong, or they have any real OpSec. Hopefully, they have been forced to use something resembling 2FA.
It's funny how picky and particular HN gets over the wording or sources whenever the story is about Google. In nearly every article you see comments like this upvoted to the top within 10 minutes of posting.
Any other topic or company: the wording or journalistic techniques are an unimportant aside, if they get mentioned at all.
Any other topic or company: the wording or journalistic techniques are an unimportant aside, if they get mentioned at all.
No, I have consistently been against media-driven fervor against tech companies for a while now without regard to the company. It's how they build terrorists, druggies, communists, etc. I think you're confusing my comment with HN in general, or attempting to derive too much sentiment out of comment votes.
> How much more clearly can you out yourself as biased garbage?
Are you really surprised, or are you just pretending to be?
This is par for the course for every major journalism outfit - from Fox to MSNBC down to NPR and PBS. There isn't a single major outlet, irrespective of funding model or platform, that isn't blatantly biased.
Are you really surprised, or are you just pretending to be?
This is par for the course for every major journalism outfit - from Fox to MSNBC down to NPR and PBS. There isn't a single major outlet, irrespective of funding model or platform, that isn't blatantly biased.