Google+ & Infrastructure Monitoring

10 minute read | Last updated 11-Oct-2018 |  Security, Privacy

Watch the episode on YouTube

Join the discussion on LinkedIn

Share on Twitter

Bad Robot Transcript

How you doing today on this episode of mornings with Mark? We’re going to tackle something that you may have thought slit my noticed it did not I had a bunch of other things. I wanted to tackle this week. But now I want to talk about the Google Plus shutdown the Google how to project called strobe that they were working on that was a root and Branch review of the privacy and security impacts of a bunch of apis associated with Google Plus in your Google account.

Now, that’s a fantastic idea. You should be regular reviewing the impact of your decisions because what you design that changes over time, right, so you design something you figure out the privacy and security scheme around API around a product and then you rarely go back and do a complete review after you’ve made changes fridge after Sprint after Sprints is a great move by Google.

The big news was that they had a vulnerability that could have been impacted half a million users because there is about 430 + applications that were connecting to be vulnerable apis that expose more information than they should have. They didn’t need to disclose this and it didn’t actually impact any uses.

It was a bummer ability that was not exported. I will come back to that in a second the real scandalous part of this is that Google memo leaked that said they had decided not to disclose at the time because they weren’t legally required to nothing wrong with that but also because they were afraid of additional scrutiny and the regulatory impact they were afraid to be called to the carpet given the current political climate in the US have been around the world around user privacy and that is not okay.

That should not be a reason for not disclosing something. You’re the reason why you should have value. Play disclosure is around impact to the users. If you have a security risk, that’s your problem. You don’t try to mitigate the reputational risk by putting your users at risk easy that your users come before you.

I know it’s hard. It’s really difficult. It goes against most companies response platforms and more normal stances, but that’s how it has to be used to always come first. Now that being said what’s not called out in the Google post or in any article around this is that Google is probably one of the top three if not probably arguably the top at monitoring their infrastructure at monitoring API calls.

Okay, so they are in the top three on the planet and they started the entire SRE slight site reliability engineer craze. They have externalize the bunch of their internal tools which are top-notch around monitoring and operational monitoring and API usage. So when There’s no evidence that anybody abuses apis to exploit this Runner bility.

I am leaning towards believing them gain of the challenges. And this is I think part of the reason why Google I decided not to disclose that it doesn’t matter. Everybody says that in the event of a breach of us is all there’s no evidence explicit evidence, but the lack of evidence doesn’t mean it didn’t happen because most companies don’t order.

I don’t monitor at sufficient levels actually detect a breach order to properly map of the impact of a breach now Google’s case that’s not true. They have this world-class monitoring of the structure in place and they are well aware of the usage of their infrastructure. So I tend to believe them and they say there’s no evidence have and have a very good chance of having that happens.

If in fact it was breached results as they shut down Google Plus. Now a lot of people drawing the conclusions with o privacy breach has shut down Google Plus Google Plus product as much as I wanted it to be a social network that people care. Just simply wasn’t this is the last straw the one that broke the camel’s back.

They are shutting it down simply because it’s not worth the risk. Now. It’s had a reputation will impact how to manage is not used. So the interesting thing to take away is here are really you don’t do a root and branch which just means super third row is starting for The Core Concepts and working out.

I’m review of you earlier apis because that’s absolutely critical and what you design initially near architecture phase rarely stays untouched Sprint up for Sprint over to Sprint. So you should be doing Security reviews for every piece of code that hits collection but also every once awhile to get that kind of stuff Bangalore.

Hold on a second. What is all this stuff look like? Okay, that’s a good review. We know what our exposures are and then take action on the disclosure side. I always are in favor of disclosing to users. I know that can be really really difficult. But you know, and then there’s this tricky balance of it was a vulnerability and they have pretty solid evidence.

That was never Exploited. How do you manage that? I would have bought it if they had said we decided based on our Advanced monitoring and observations of our platform that there was no explosion. It wasn’t worth worrying people over a non-event. But the fact that they were worried about the political impact that just makes it look bad if it’s really hard to understand that the climate I understand the challenges but still always are in the side of these are what do you think? Let me know at me up online at Mark NCAA for those who don’t have log in the comments down below and on the podcast the podcast listeners you can always hit me up as well as everybody else meet at Mark n.

CA. What do you think about Google’s disclosure? What do you think about shutting down Google Plus? Will you miss it for you? One of the 10 people who used it? Anyway, what do you think about how they handle this? Let me know. Let’s have a chat about it. Have a fantastic day.

I will see you on the show tomorrow. How you doing today on this episode of mornings with Mark? We’re going to tackle something that you may have thought slit my noticed it did not I had a bunch of other things. I wanted to tackle this week. But now I want to talk about the Google Plus shutdown the Google how to project called strobe that they were working on that was a root and Branch review of the privacy and security impacts of a bunch of apis associated with Google Plus in your Google account.

Now, that’s a fantastic idea. You should be regular reviewing the impact of your decisions because what you design that changes over time, right, so you design something you figure out the privacy and security scheme around API around a product and then you rarely go back and do a complete review after you’ve made changes fridge after Sprint after Sprints is a great move by Google.

The big news was that they had a vulnerability that could have been impacted half a million users because there is about 430 + applications that were connecting to be vulnerable apis that expose more information than they should have. They didn’t need to disclose this and it didn’t actually impact any uses.

It was a bummer ability that was not exported. I will come back to that in a second the real scandalous part of this is that Google memo leaked that said they had decided not to disclose at the time because they weren’t legally required to nothing wrong with that but also because they were afraid of additional scrutiny and the regulatory impact they were afraid to be called to the carpet given the current political climate in the US have been around the world around user privacy and that is not okay.

That should not be a reason for not disclosing something. You’re the reason why you should have value. Play disclosure is around impact to the users. If you have a security risk, that’s your problem. You don’t try to mitigate the reputational risk by putting your users at risk easy that your users come before you.

I know it’s hard. It’s really difficult. It goes against most companies response platforms and more normal stances, but that’s how it has to be used to always come first. Now that being said what’s not called out in the Google post or in any article around this is that Google is probably one of the top three if not probably arguably the top at monitoring their infrastructure at monitoring API calls.

Okay, so they are in the top three on the planet and they started the entire SRE slight site reliability engineer craze. They have externalize the bunch of their internal tools which are top-notch around monitoring and operational monitoring and API usage. So when There’s no evidence that anybody abuses apis to exploit this Runner bility.

I am leaning towards believing them gain of the challenges. And this is I think part of the reason why Google I decided not to disclose that it doesn’t matter. Everybody says that in the event of a breach of us is all there’s no evidence explicit evidence, but the lack of evidence doesn’t mean it didn’t happen because most companies don’t order.

I don’t monitor at sufficient levels actually detect a breach order to properly map of the impact of a breach now Google’s case that’s not true. They have this world-class monitoring of the structure in place and they are well aware of the usage of their infrastructure. So I tend to believe them and they say there’s no evidence have and have a very good chance of having that happens.

If in fact it was breached results as they shut down Google Plus. Now a lot of people drawing the conclusions with o privacy breach has shut down Google Plus Google Plus product as much as I wanted it to be a social network that people care. Just simply wasn’t this is the last straw the one that broke the camel’s back.

They are shutting it down simply because it’s not worth the risk. Now. It’s had a reputation will impact how to manage is not used. So the interesting thing to take away is here are really you don’t do a root and branch which just means super third row is starting for The Core Concepts and working out.

I’m review of you earlier apis because that’s absolutely critical and what you design initially near architecture phase rarely stays untouched Sprint up for Sprint over to Sprint. So you should be doing Security reviews for every piece of code that hits collection but also every once awhile to get that kind of stuff Bangalore.

Hold on a second. What is all this stuff look like? Okay, that’s a good review. We know what our exposures are and then take action on the disclosure side. I always are in favor of disclosing to users. I know that can be really really difficult. But you know, and then there’s this tricky balance of it was a vulnerability and they have pretty solid evidence.

That was never Exploited. How do you manage that? I would have bought it if they had said we decided based on our Advanced monitoring and observations of our platform that there was no explosion. It wasn’t worth worrying people over a non-event. But the fact that they were worried about the political impact that just makes it look bad if it’s really hard to understand that the climate I understand the challenges but still always are in the side of these are what do you think? Let me know at me up online at Mark NCAA for those who don’t have log in the comments down below and on the podcast the podcast listeners you can always hit me up as well as everybody else meet at Mark n.

CA. What do you think about Google’s disclosure? What do you think about shutting down Google Plus? Will you miss it for you? One of the 10 people who used it? Anyway, what do you think about how they handle this? Let me know. Let’s have a chat about it. Have a fantastic day.

I will see you on the show tomorrow.