undefined | Better HN

0 pointsoculusthrift7y ago0 comments

Sadly the strategy is working. not seeing much mention of breach on HN

0 comments

When did "there was a vulnerability" become "there was a breach" ?

I don't understand why it's being reported as a breach.

Google's official statement also doesn't rule out the possibility of a breach.

I think the bigger issue here us that Google did not report the vulnerability/breach when they discovered it. This could be looked into by SEC.

dangerface7y ago

Because breaches come from public vulnerabilities, unless you can prove there was no breach, you should treat it as a breach. This is common information security practice.

Google are unable to prove there was no breach because they didn't keep sufficient logs, which is also not acceptable in modern security practice.

staticassertion7y ago

> This is common information security practice.

No it isn't.

If every vulnerability in every product turned into a "We've been breached" disclosure the industry would be a disaster.

Yeah, they didn't keep sufficient logs and they fucked up really badly there. Still silly to call it a breach.

1 more reply

jacquesm7y ago

Nice they spent so much time on keeping Microsoft honest. Would have been better if they aimed their sights on their own products a bit longer.

lucb1e7y ago

I must have skimmed over it in the article, I only know because it's in the comments. That should have been the headline, imo. Own up to it like other vendors do. I thought Google was good with security, this is a good way to get one of the few positive points about this monolith changed.

j / k navigate · click thread line to collapse

0 comments

staticassertion7y ago

When did "there was a vulnerability" become "there was a breach" ?

I don't understand why it's being reported as a breach.

gandutraveler7y ago

Google's official statement also doesn't rule out the possibility of a breach.

I think the bigger issue here us that Google did not report the vulnerability/breach when they discovered it. This could be looked into by SEC.

dangerface7y ago

Because breaches come from public vulnerabilities, unless you can prove there was no breach, you should treat it as a breach. This is common information security practice.

Google are unable to prove there was no breach because they didn't keep sufficient logs, which is also not acceptable in modern security practice.

staticassertion7y ago

> This is common information security practice.

No it isn't.

If every vulnerability in every product turned into a "We've been breached" disclosure the industry would be a disaster.

Yeah, they didn't keep sufficient logs and they fucked up really badly there. Still silly to call it a breach.

1 more reply

jacquesm7y ago

Nice they spent so much time on keeping Microsoft honest. Would have been better if they aimed their sights on their own products a bit longer.

lucb1e7y ago

j / k navigate · click thread line to collapse