Reasonably Accurate Transcript
How are you doing today? On this episode of Mornings with Mark, we're gonna tackle something that you may have thought slipped my notice. It did not, I had a bunch of other things I wanted to tackle this week, but now I want to talk about the Google Plus shutdown.
Now, Google had a project called Strobe that they were working on, that was a root and branch review of the privacy and security impacts of a bunch of APIs associated with Google Plus and your Google account. Now, this is a fantastic idea.
Um You should be regularly reviewing the impact of your decision because what you design it changes over time, right? So you design something, you figure out the privacy and security scheme around an API around a product and then you rarely go back and do a complete review after you've made changes, sprint after sprint after sprint.
So this is a great move by Google, but the big news was that they uh had a vulnerability that could have impacted half a million users um because there was about 430 plus applications that were connecting to these vulnerable APIs that exposed more information than they should have.
Now, in Google's estimation, they didn't need to disclose this and it didn't actually impact any users. It was a vulnerability that was not exploited and we'll come back to that in a second. The real scandalous part of this is that, um, Google, uh, a memo leaked that said they had decided not to disclose this at the time because they weren't legally required to. Nothing wrong with that.
Um But also because they were afraid of uh additional scrutiny and the regulatory impact, they were afraid to be called to the carpet given the current political climate in the US and around the world around user privacy and that is not OK.
That should not be a reason for not disclosing something. The reason you should evaluate disclosure is around impact to the users. If you have a security risk, that's your problem. You don't try to mitigate the reputational risk by putting your users at risk.
It's easy as that: your users come before you. I know it's hard, it's really difficult, it goes against most companies' response platforms um or normal stances, but that's how it has to be. Users always come first. Now that being said, what's not called out in the Google post or in any article around this is that Google is probably one of the top three, if not, probably arguably the top at monitoring their infrastructure, at monitoring API calls.
OK. So they are in the top three on the planet. Um They started the entire SRE, site reliability engineer, craze. Um They have uh externalized a bunch of their internal tools which are top notch around monitoring and operational monitoring and API usage.
So when Google says there's no evidence that anybody abused these APIs to exploit this vulnerability, I am leaning towards believing them. OK. Now the challenge is, and this is I think part of the reason why Google uh decided not to disclose that it doesn't matter.
Everybody says that in the event of a breach, everyone says, oh, there's no evidence unless there's explicit evidence. Um but the lack of evidence doesn't mean it didn't happen because most companies don't or uh don't monitor at sufficient levels to actually detect a breach or to properly map out the impact of a breach.
Now, in Google's case, that's not true. They have this world class monitoring infrastructure in place and they are well aware of the usage of their infrastructure. So I tend to believe them when they say there's no evidence and they have a very good chance of having that evidence if in fact, it was breached.
Now, the end result is they've shut down Google Plus. Now a lot of people are drawing the conclusions that oh, privacy breach has um shut down Google Plus. Google Plus was a failing product. Um As much as Google wanted it to be a social network that people cared about, it just simply wasn't. This is the last straw, the one that broke the camel's back, they are shutting it down simply because it's not worth the risk.
Now it's had a reputational impact. Um And it's just not used. So, um the interesting thing, takeaways here are really, you know, do a root branch, um which just means super thorough, starting from the core concepts and working out um review of your, of your APIs because that's absolutely critical.
And what you designed initially in your architecture phase rarely stays untouched, sprint after sprint after sprint. So um you should be doing security reviews for every piece of code that hits production, but also every once in a while, it's good to kind of step back and go, oh hold on a second.
What does all this stuff look like? OK, that's a good review. We know what our exposures are and then take action. Uh On the disclosure side, I always err in favor of disclosing to users. I know that can be really, really difficult.
Um But you know, uh and then there's this tricky balance of it was a vulnerability and they have pretty solid evidence that was never exploited. How do you manage that? I would have bought it if they had said we decided based on our advanced monitoring and observations of our platform that there was no exposure and it wasn't worth worrying people over a non event.
But the fact that they were worried about the political impact, that just makes it look bad. It's really hard to understand the climate. I understand the challenges but still always err on the side of the users. What do you think? Let me know, hit me up online @marknca, for those of you on the vlog, in the comments down below.
Um and on the podcast, the podcast listeners, you can always hit me up at as well as everywhere else. me@markn.ca. Um What do you think about uh Google's disclosure? What do you think about shutting down Google Plus?
Will you miss it? Are you one of the 10 people who used it? Um Anyway, what do you think about how they've handled this? Let me know, let's have a chat about it. Have a fantastic day. I will see you on the show tomorrow.