Slashdot Mirror


Google Desktop Search Functions As Spyware

dioscaido writes "Users of the Google Desktop Search software beware -- it indexes your files across all users on your PC, bypassing user protections. The Google cache feature allows all users to browse the contents of messages and files it has indexed, irrespective of who is logged in. 'This is not a bug, rather a feature,' says Marissa Mayer, Google's director of consumer Web products. 'Google Desktop Search is not intended to be used on computers that are shared with more than one person.'" Reminds me of a Neal Stephenson essay: "The Hole Hawg is dangerous because it does exactly what you tell it to. It is not bound by the physical limitations that are inherent in a cheap drill, and neither is it limited by safety interlocks that might be built into a homeowner's product by a liability-conscious manufacturer. The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it."

446 comments

  1. Tin foil hats for everyone!! by erick99 · · Score: 5, Insightful
    For God's sake, this is a long ways to go to find something to be paranoid about.

    > Whether or not Google intended this, I take great pause at knowing any e-mail I write or read on a PC with Google Desktop Search could be called up and read by a complete stranger.

    This application is intended for single user machines which pretty much limits it, in most cases, to home machines. I don't have complete strangers roaming around my house so it is not an issue for me.

    > Mayer dismissed my concern that this is a security issue. She points out that you can configure Google Desktop Search not to index Web pages or specific domains. That would prevent Google Desktop Search from indexing and caching the URL "mail.yahoo.com".

    So what part of that did the reporter not understand? Finally, this is not mandatory software. A user has to hunt it down, download it, and install it. So don't use it if it is a problem for your computer. Now, I am not trying to be a jerk and some of this is said with tongue planted firmly in cheek. Still, you gotta wonder why people need to find things to be upset about. I am not sure why this irks me so much, maybe I should drink less coffee.....

    --
    http://www.busyweather.com/
    1. Re:Tin foil hats for everyone!! by SeinJunkie · · Score: 5, Insightful

      > Using the new software, I was able to bypass user names and passwords that secure Web-based e-mail programs and view personal messages sent and received on public PCs.

      She didn't bypass user names and passwords. She accessed unprotected files just like Windows Explorer allows. This is a non-issue. If users don't want their information to be seen, they should be protecting their profile's Documents and Settings folder.

    2. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 3, Funny

      Jealous, are we? ;)

      ~m

    3. Re:Tin foil hats for everyone!! by kjamez · · Score: 2, Insightful

      amen. and on top of that, i would be willing to bet the google-desktop ships with a valid/working/easy un-install mechanism ... hardly SPYWARE ... you told it to install, you told it what to do, you opted to install, etc etc ...

      --
      you can't have everything, where would you put it?
    4. Re:Tin foil hats for everyone!! by jazman_777 · · Score: 1
      > Still, you gotta wonder why people need to find things to be upset about. I am not sure why this irks me so much, maybe I should drink less coffee.....

      It's the general discontentedness of the Good Life. You wonder, "is this all there is? No, wait, if only my Google search tool were perfect, I could be truly happy!"

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    5. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      This is not Google's problem. It's a Microsoft problem. If the file system was more secure, then you wouldn't have access to Google's index. No one has any right calling Google's software "spyware" cause it's not. If you click on start --> Search --> for file or folders ... and enter appropriate criteria, you would be able to access the same content that google's software is accessing. If their software has access to it, it wasn't protected in the first place.. People are so dumb sometimes.. um I mean most of the time. To call that spyware .. lame...

    6. Re:Tin foil hats for everyone!! by LnxAddct · · Score: 5, Insightful

      I'm just curious but... isn't it a flaw of the operating system that files generated by a user aren't automatically restricted to access by that user? This isn't google's fault, the same exact design ported to linux would work flawlessly.
      Regards,
      Steve

    7. Re:Tin foil hats for everyone!! by jerw134 · · Score: 2, Informative

      You've misunderstood how the system works. Google's software caches each user's files while that user is logged in, and stores the cache in a location accessible by all users. So if your wife (for example) had a bunch of documents created before you installed Google Desktop, those documents wouldn't be searchable until she logged in and the software cached the results.

    8. Re:Tin foil hats for everyone!! by Darthmalt · · Score: 2, Insightful

      I discovered years ago that by looking into temporary internet files I could see what e-mail my sister had gotten from her bf's. Google just makes it accessible for non tech savvy.

    9. Re:Tin foil hats for everyone!! by ImaLamer · · Score: 1

      > She accessed unprotected files just like Windows Explorer allows. This is a non-issue. If users don't want their information to be seen, they should be protecting their profile's Documents and Settings folder.

      Unfortunately Windows XP Home edition doesn't allow one to use file and folder permissions (the unfortunate part is that XP Home is the choice for most OEM builders). XP 'Pro' allows this, 2000 allows this and *nix, of course allows this.

      XP Home does however limit the ability to browse other people's files from Explorer. It can be done through Control Panel by going to the "Users" application.

    10. Re:Tin foil hats for everyone!! by dioscaido · · Score: 3, Informative

      Yes she did. As I understand it from other sources, the problem is when you install google desktop, you are administrator. As such, you index the whole hard drive, since the administrator has permissions to it. Later, this index is available to all users, and the cache allows for unprotected viewing of the contents of the files.

    11. Re:Tin foil hats for everyone!! by kc0re · · Score: 1

      The only issue i see with it is that apparently it opens port 4664 listening only to localhost..

      We'll see..

    12. Re:Tin foil hats for everyone!! by vjz666 · · Score: 1

      I think it's time Slashdot stopped posting stories that are totally, completely, absolutely misleading. How does this come under 'Spyware'? Has the definition of 'Spyware' changed? Ridiculous!

    13. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      From the article, they're talking about a public access PC - so, the files were created under the same account on the computer.

      The password protection that's bypassed is the password on the webmail server. But we knew that already; all this does is make it easier to read scan through the browser cache for interesting docs.

    14. Re:Tin foil hats for everyone!! by Dryth · · Score: 5, Informative

      My cache is stored in: C:\Documents and Settings\[Current Account]\Local Settings\Application Data\Google\Google Desktop Search

      I wasn't aware this was a publicly accessible folder. I'm not allowed to access said folder under other users' accounts, on this machine, unless I run as Admin. That said, I haven't tried searching for files that would be found only under their accounts.

    15. Re:Tin foil hats for everyone!! by Ravadill · · Score: 4, Insightful

      Someone using a single user OS like Home shouldn't really be worried about having unprotected files against local users.

    16. Re:Tin foil hats for everyone!! by jhoffoss · · Score: 4, Insightful
      You can exclude URLs and directories!

      This is the same old *I want my PC to do everything I tell it to, but I don't want it to possibly ever harm me* mentality...if you're going to install something, read the documentation and understand what that means.

      This is not even close to spyware. Now Windows, I don't ever recall seeing documentation on Windows until after it was installed... :)

      --
      Linux: The world's best text-adventure game.
    17. Re:Tin foil hats for everyone!! by NeoThermic · · Score: 1

      If you really need to get the proper 'Security' tab for XP Home, look no further than:
      HP Home Security tab

      It works, but it's not enabled by default because the average user can stuff a lot up (you can set deny to all, and no one can access the file (although if you own the parent folder, you can take control))

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    18. Re:Tin foil hats for everyone!! by Jugalator · · Score: 2, Interesting

      Hmm, maybe it's because the GDS indexing process runs with administrative rights and indexes other user's profile folders? :-/ That's at least the only way I can see this being a problem... Otherwise you just have a problem with your security settings on your computer.

      --
      Beware: In C++, your friends can see your privates!
    19. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      That's nice, I agree with you, and I've already picked up 70% flamebait, 30% underrated for agreeing with you.

      However, I do have to point out that one uses "" to delineate quotations, not **.

    20. Re:Tin foil hats for everyone!! by Jugalator · · Score: 1

      Hmm, although I don't have a clue of how it could run with admin rights if launched by just a regular user. Hrm...

      --
      Beware: In C++, your friends can see your privates!
    21. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      let's start collecting a blacklist here. you may want to put this blacklist into your google desktop preferences, if you are one of the brave guys installed google desktop like me. note that your google desktop preferences is not password protected

      gmail.google.com
      passport.net
      passport.com
      hotmail.msn.com

      does it support wildcards like (*.porn.com) or PCRE?

    22. Re:Tin foil hats for everyone!! by KarmaMB84 · · Score: 1

      Well, since it's a SERVER, it is likely running as a service with all the rights of the admin who installed it...which means it can do whatever it wants.

    23. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      No, the reporter is full of shit. They have no idea what they are talking about. This "test" was done on a public terminal with one user account and multiple people using the same user account.

      Morons, your train is leaving.

    24. Re:Tin foil hats for everyone!! by fred911 · · Score: 1

      "just like Windows Explorer allows"

      Or doesn't allow, depending upon how viewing prefs are set. Sometimes it's just a PITA. Easier to see what's there with a cmd or command.com or what ever.

      Come so far that it's less efficient.

      --
      09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    25. Re:Tin foil hats for everyone!! by rmdir+-r+* · · Score: 2, Informative

      Hehe. Ah yes, that wonderful feature... you do know that if you boot up, say, Knoppix, you can read that 'encrypted' folder perfectly?

    26. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      > you do know that if you boot up, say, Knoppix, you can read that 'encrypted' folder perfectly?

      Really? Demonstrate this.

      Oh hey, turns out you're completely FULL OF SHIT.

    27. Re:Tin foil hats for everyone!! by SeinJunkie · · Score: 1


      I believe it. After first getting XP, I encrypted my Documents folder, then had to reinstall Windows shortly thereafter. For several months, Windows XP wouldn't allow me to access my old documents folder, saying "Access is denied," but I kept it on my hard disk anyway. After a while, I was able to open the folder and view all of the files stored in there without a single problem.

      I don't put any stock in it, other than to make access inconvenient for novices.

    28. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      That's right; google desktop violates the security principle by taking content from an area of higher security -- the current user's home directory -- and exporting it over to an area of lower security -- a publicly accessible directory. And all that possibly without the knowledge of the currently logged user.

      They should have partitioned the cache files so that information originated from the user's home directory is cached inside that directory. (And cached info coming from a password-protected directory must stay in that directory.) So it's just less-than-great implementation of a useful tool. (That by the way I won't use until it supports Mozilla mail and history.)

    29. Re:Tin foil hats for everyone!! by kesuki · · Score: 1

      Windows defaults to making each account an administrator account. so, by default, every account is capable of reading all users documents and settings... so thus the article is written by someone using 'default' windows settings.

    30. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      As far as I can tell it's not running as a service.

    31. Re:Tin foil hats for everyone!! by Jugalator · · Score: 2, Informative
      > Well, since it's a SERVER, it is likely running as a service with all the rights of the admin who installed it...which means it can do whatever it wants.

      ... and the cache is then stored into the Administrator's profile folder. (GDS stores the index in the user's profile folder)

      So what's then the problem? Regular users can't read the admin profile folder.

      --
      Beware: In C++, your friends can see your privates!
    32. Re:Tin foil hats for everyone!! by yerfatma · · Score: 1

      Word. I'm imagining a server running XP Home on a network of ME machines. The Google desktop search would be the least of their problems.

    33. Re:Tin foil hats for everyone!! by KhalidBoussouara · · Score: 3, Informative

      The feature for file permissions on XP home is still there (provided NTFS is used) but microsoft don't provide a way to use it. I have managed to find a way.

      I was bored one day so I picked up an old CD lying about. It was an ISP disk which happened to have an old NT service pack on it. I thought to myself, since XP home is based on the NT kernel perhaps there is something in it that allows access to advanced features not in XP home. I extracted the files (not sure how) and most of it was useless crap. However when I used the winfile.exe which was with it I found I was able to access the dialog for file permissions (click security on the menu, then permissions).

      I have uploaded it to my website, as several days ago some people on another board were wondering how to do the same thing.

      Shameless plug for my site, where i have the file

      The irony is that it removes one of the reasons to upgrade to xp pro and it was made by microsoft.

    34. Re:Tin foil hats for everyone!! by lightknight · · Score: 2, Informative

      I'll assume that you're talking about NTFS file permissions...

      On a Windows XP box, disable "Simple Sharing". After a quick reboot, right-clicking on a file shows the standard NTFS File & Share permissions.

      --
      I am John Hurt.
    35. Re:Tin foil hats for everyone!! by Doppler00 · · Score: 1

      My guess is that if you attempted to install this piece of software without Administrator rights, it wouldn't have that capability. So no, I don't think there is a flaw in the OS. If you install a piece of software as root/Admin then it automatically means it has access to all data on the drive. So, you shouldn't worry about someone else accessing your files unless they have Admin rights to your machine.

    36. Re:Tin foil hats for everyone!! by LadyLucky · · Score: 1
      That's not at all correct.

      It can index Outlook emails. These are protected (especially if like me you use Exchange Server at work). They are only indexable when you are logged in to Outlook. Thus the index (and the cache) is built up while you have permissions, so anyone else can see your emails.

      Unless it stores a different index per user, this is a definite issue.

      --
      dominionrd.blogspot.com - Restaurants on
    37. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 2, Informative
      > Unfortunately Windows XP Home edition doesn't allow one to use file and folder permissions (the unfortunate part is that XP Home is the choice for most OEM builders). XP 'Pro' allows this, 2000 allows this and *nix, of course allows this.


      XP Home does allow you to set file and folder permissions on NTFS drives; it just doesn't provide the GUI tab you'd use in XP Professional. You've still got cacls.exe that you can use from the command-line. There are many things in Windows XP that can be controlled from the command-line that most people know about.
    38. Re:Tin foil hats for everyone!! by nazsco · · Score: 1

      > This application is intended for single user machines which pretty much limits it, in most cases, to home machines. I don't have complete strangers roaming around my house so it is not an issue for me.

      wait until version 2! when it will upload everything to google cache. then you can use any complete strangers from the internet ...and there's plenty

    39. Re:Tin foil hats for everyone!! by iamhassi · · Score: 1
      " Still, you gotta wonder why people need to find things to be upset about. I am not sure why this irks me so much, maybe I should drink less coffee....."

      seems to me like you've fulfilled your need to find things to be upset about for the day, but I do agree, I think you do need to drink less coffee.

      --
      my karma will be here long after I'm gone
    40. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 3, Informative

      You're conflating NTFS encryption with NTFS access control lists. It might be useful to read up on NTFS encryption. Some useful links include the step-by-step guide to EFS and an overview of EFS in XP/2003.

      To encrypt a file, a random symmetric file encryption key (FEK) is generated. This is used for the actual file encryption and this key is in turn encrypted with the user's public key (and the public keys of any designated recovery agents) so that he can use his private key to decrypt the FEK and use that to decrypt the file. A user's private key is in turn encrypted by using the user's password. This is why resetting a user's password (as an administrator) without knowing the previous one will give you dire warnings about them losing access to any encrypted files they have; the new password wouldn't be able to decrypt their private key without which they can't decrypt the FEK keys which are used to actually decrypt files.

      So, failing possession of a user's password or a major break in one of the (peer-reviewed and fairly well-respected) algorithms involved, booting into Knoppix won't allow you to access the plain text of encrypted files.

      Access-control lists, on the other hand, are only secure insomuch as the host OS respects them, providing no other guarantees, cryptographic or otherwise. So you could indeed set a folder to deny access to Everyone and then access it in Knoppix without any issues. Even in Windows, an administrator can change the owner of the folder to themselves and then modify the ACL as they desire.
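
Added example (not part of the comment above, and not EFS code): a PowerShell model of the key chain that comment describes, built from standard .NET classes, showing that a password reset leaves the wrapped private key, and so the file, undecryptable. The function names, passwords, PBKDF2 settings and the 64-byte FEK layout are assumptions made for this example.

```powershell
# Model of: password -> private key -> FEK -> file. Illustrative names throughout.
$ErrorActionPreference = 'Stop'
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function New-RandomBytes([int]$Count) {
    $buf = New-Object byte[] $Count
    $rng.GetBytes($buf)
    return ,$buf
}

# Encrypt-then-MAC with a 64-byte key: bytes 0-31 AES-256-CBC, bytes 32-63 HMAC-SHA256.
function Protect-Blob([byte[]]$Key, [byte[]]$Plain) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]$Key[0..31]
    $aes.GenerateIV()
    $ct   = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $body = [byte[]]($aes.IV + $ct)
    $mac  = [System.Security.Cryptography.HMACSHA256]::new([byte[]]$Key[32..63])
    return ,([byte[]]($mac.ComputeHash($body) + $body))
}

function Unprotect-Blob([byte[]]$Key, [byte[]]$Blob) {
    $tag  = [byte[]]$Blob[0..31]
    $body = [byte[]]$Blob[32..($Blob.Length - 1)]
    $mac  = [System.Security.Cryptography.HMACSHA256]::new([byte[]]$Key[32..63])
    $want = $mac.ComputeHash($body)
    $diff = 0                                   # compare all 32 bytes, no early exit
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($tag[$i] -bxor $want[$i]) }
    if ($diff -ne 0) { throw 'wrong key or modified data' }
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = [byte[]]$Key[0..31]
    $aes.IV  = [byte[]]$body[0..15]
    $ct = [byte[]]$body[16..($body.Length - 1)]
    return ,($aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length))
}

function Get-PasswordKey([string]$Password, [byte[]]$Salt) {
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $Salt, 100000)
    return ,$kdf.GetBytes(64)
}

# 1. The user's key pair. The private half is stored only wrapped under the password.
$rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
[byte[]]$salt = New-RandomBytes 16
[byte[]]$wrappedPrivate = Protect-Blob (Get-PasswordKey 'old password' $salt) ($rsa.ExportCspBlob($true))

# 2. Encrypting a file: a random FEK encrypts the data, the public key wraps the FEK.
[byte[]]$fek        = New-RandomBytes 64
[byte[]]$cipherFile = Protect-Blob $fek ([System.Text.Encoding]::UTF8.GetBytes('contents of a private document'))
[byte[]]$wrappedFek = $rsa.Encrypt($fek, $true)   # $true selects OAEP padding
$fek = $null; $rsa = $null
# What remains "on disk": $cipherFile, $wrappedFek, $wrappedPrivate, $salt.
# Booting another OS bypasses ACLs and yields exactly these bytes, nothing more.

# 3. Reading the file walks the chain back: password -> private key -> FEK -> data.
function Read-ProtectedFile([string]$Password) {
    [byte[]]$priv = Unprotect-Blob (Get-PasswordKey $Password $salt) $wrappedPrivate
    $key = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $key.ImportCspBlob($priv)
    [byte[]]$k = $key.Decrypt($wrappedFek, $true)
    [System.Text.Encoding]::UTF8.GetString((Unprotect-Blob $k $cipherFile))
}

Read-ProtectedFile 'old password'

# An administrator resets the password without knowing the old one. The account
# accepts the new password, but the private key is still wrapped under the old one.
try   { Read-ProtectedFile 'new password set by admin' }
catch { "decryption failed: $($_.Exception.Message)" }
```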

    41. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      No it doesn't in linux you can prevent people from reading or writing to directories. Not insightful.

    42. Re:Tin foil hats for everyone!! by ozric99 · · Score: 1
      > Hehe. Ah yes, that wonderful feature... you do know that if you boot up, say, Knoppix, you can read that 'encrypted' folder perfectly?

      How was this modded anything but -5 Nonsense?

    43. Re:Tin foil hats for everyone!! by grazzy · · Score: 1

      We don't wanna know.. seriously.

    44. Re:Tin foil hats for everyone!! by node+3 · · Score: 3, Insightful

      > So what part of that did the reporter not understand? Finally, this is not mandatory software. A user has to hunt it down, download it, and install it. So don't use it if it is a problem for your computer.

      The thing is, most people don't understand computers well enough to know the potential for privacy issues involved when they install software. It's unreasonable to demand users to become experts before using their computer. This tool sounds like it makes things worse. Google doesn't seem to be acting very responsibly here, even if a technically astute user can mitigate the risks.

      This article sounds a lot like, "Hey, dumb users such as myself, I installed the Google Desktop Search and some of my previously hidden data showed up to other users on the system. Take caution until Google addresses the issue."

    45. Re:Tin foil hats for everyone!! by node+3 · · Score: 1

      > She didn't bypass user names and passwords. She accessed unprotected files just like Windows Explorer allows. This is a non-issue. If users don't want their information to be seen, they should be protecting their profile's Documents and Settings folder.

      Why do you think a user should be expected to know how to manage all of the security details of their computer? They're taught that that's what a password and broadband firewall do. There's a huge difference from the ability of someone to snoop around obscure files on someone's PCs, mining for data, and a whole other for someone to be able to run a simple Google search and have "private" data pop up.

      Before Google's Desktop Search, this data was effectively secure except by direct snooping. With Desktop Search, it's no longer as well protected.

    46. Re:Tin foil hats for everyone!! by thepoch · · Score: 4, Interesting

      I haven't used WinXP in awhile, so correct me if I am wrong... doesn't XP have a little checkbox in the "User Accounts" dialog that says something like "Make my data private" or something to that effect? I believe it is unchecked by default. Can anyone confirm that by default XP doesn't make user folders strict, and that you have to explicitly enable this option. I'm pretty sure Windows 2000 doesn't work this way.

      Just a confirmation please, and if not, a correction against what I've said.

      Thanks.

    47. Re:Tin foil hats for everyone!! by Tony-A · · Score: 1

      > Well, since it's a SERVER, it is likely running as a service with all the rights of the admin who installed it...which means it can do whatever it wants.

      Maybe that's why apache started running as nobody.
      But seriously, the scope of what a server should be accessing and doing tends to be pretty limited. There should be a tendency for a service to artificially limit what it can do, to limit the effects of any bugs if nothing else. A server really should have much more restricted rights than an ordinary user.

      Over and above any actual vulnerabilities, the ideas as to the scope of what a server should be allowed to do, has an extreme influence on the effective security. This is a composite of many small forces, not any single "magic bullet". Probably related to why Linux vulnerabilities never seem to amount to much.

    48. Re:Tin foil hats for everyone!! by rfunches · · Score: 2, Insightful

      You can check "Make my data private" under the Sharing and Security tab for the properties of something (hard drive, My Documents, etc.) but this is for network purposes if I'm not mistaken. However, you can enable encryption for folders by going to Properties and Attributes/Advanced. Don't know if this would hide data from Google, but as previously mentioned, it's an inherent security risk installing indexing software on a public terminal.

    49. Re:Tin foil hats for everyone!! by NoInfo · · Score: 1
      It does store a different index per user:
      C:\Documents and Settings\blah\Local Settings\Application Data\Google\Google Desktop Search
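
Added example (not part of the thread): the comments above disagree on whether the index folder can be read by other accounts, and this PowerShell script checks that by listing every allow entry on each profile's index folder that grants read access to anyone other than the profile owner, SYSTEM or Administrators. The default paths are the ones quoted in the comments; the parameter names, the function name `Get-IndexExposure` and the trusted-SID list are assumptions of this example.

```powershell
# Run from an elevated prompt so that other users' profile folders are readable.
# Assumption: each profile folder is named after its account.
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [string]$IndexSuffix = 'Local Settings\Application Data\Google\Google Desktop Search'
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$trusted = @('S-1-5-18', 'S-1-5-32-544')     # SYSTEM, BUILTIN\Administrators

# Rights bits that expose file contents. Raw ACEs can carry generic rights
# instead of the specific ReadData bit, so those are tested as well.
$readData    = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$genericAll  = 0x10000000
$genericRead = [int]::MinValue               # 0x80000000 as a signed 32-bit value
$readMask    = $readData -bor $genericAll -bor $genericRead
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-IndexExposure {
    param([string]$Path, [string]$OwnerSid)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL of '$Path': $($_.Exception.Message)"
        return
    }

    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries (CREATOR OWNER, for example) do not apply to the folder itself.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $readMask) -eq 0) { continue }

        $sid = $ace.IdentityReference.Value
        if ($sid -eq $OwnerSid -or $trusted -contains $sid) { continue }

        # Show a readable account name where the SID still maps to one.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Folder    = $Path
            Account   = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

foreach ($dir in Get-ChildItem -LiteralPath $ProfileRoot -Directory) {
    $index = Join-Path $dir.FullName $IndexSuffix
    if (-not (Test-Path -LiteralPath $index)) { continue }

    try {
        $account  = New-Object System.Security.Principal.NTAccount($dir.Name)
        $ownerSid = $account.Translate($sidType).Value
    } catch {
        # Folder name does not map to an account: report every non-trusted entry.
        $ownerSid = $null
    }

    Get-IndexExposure -Path $index -OwnerSid $ownerSid
}
```

No output means no index folder under the profile root grants read access outside its owner, SYSTEM and Administrators; members of Administrators can still read every index.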
    50. Re:Tin foil hats for everyone!! by lachlan76 · · Score: 2, Interesting
      You can, but there isn't a GUI for it. What you need to do is open a command line, and use the cacls program.

      For example, to grant read access to R:\home\lachlan to 'someuser' you would use:
      cacls R:\home\lachlan /e /t /g someuser:r
      To revoke those privs, use:
      cacls R:\home\lachlan /e /t /r someuser

      /e = edit, and not replace
      /t = recursive
      /g user:priv = grant
      /r user = revoke

      I think those are the right args anyway, I've switched to linux, so it's been a while. But cacls is the right program.
    51. Re:Tin foil hats for everyone!! by SirTalon42 · · Score: 1

      You can access it from safe mode always, or if you do some reg editing I think

    52. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      You're just a Google lover just like everyone else on this site. It doesn't matter whether it's gmail, gds or whatever -- if it's google branded you'll jump happily up and down because google is cool. Personally I feel Google's "don't be evil" is over-used, they're just a money-hungry corporation just like Microsoft and all the other big ones.

    53. Re:Tin foil hats for everyone!! by civilizedINTENSITY · · Score: 4, Informative
      Actually not FOS at all. We covered this in my Information Assurance and Computer Security class before the midterm. You boot Linux from removable media and change the Administrator password. Now you have it all.
      Austrumi is a Linux bootable ISO image for recovering NT passwords and other cool tools and methods, sized for Business Card size CD media (50Mb). It allows you to change any password, including that of the Administrator, on a partition occupied by Windows NT, Windows 2000 or Windows XP. Simply boot the CD and when you get to the initial boot prompt, type: boot: nt_pass This will launch a console utility that will detect Windows partitions on the hard disk and provide you with a menu to modify any user or Administrator passwords on the Windows system. It will even give access to the Windows registry for recovery purposes. Quite a handy utility to keep in your wallet (AUSTRUMI is small enough to fit on a business card-size CD) if you are unfortunate enough to having to deal with Windows machines in your line of work.
      Read more at http://sourceforge.net/projects/austrumi
    54. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      Man you suck. If you read the article they were emphasizing on how web pages could be accessed without passwords, not about stuff stored locally.

    55. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 2, Informative

      All that lets you do is bypass access control lists. You still won't get access to encrypted files since you need the original password to decrypt a user's private key which is then used to decrypt the specific file's encryption key which is then used to decrypt the file. A reply to the great-grandparent of this post gives more details.

    56. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 1, Informative

      It's probably nonsense, but not impossible. On a standalone default install, the root private key is stored in the registry and could be read by another OS.

      A more secure setup would use a directory server or an external key.

    57. Re:Tin foil hats for everyone!! by Darthmalt · · Score: 1

      Meh made her think I'd cracked her password. And gave me a great bargaining tool

    58. Re:Tin foil hats for everyone!! by phlyingpenguin · · Score: 1

      Amen... what in the hell are the writers thinking?? This is a security backhole, not spyware. Tell us how you've found the desktop app sending our documents and usage statistics to Google if this is spyware!!

    59. Re:Tin foil hats for everyone!! by MongooseKY · · Score: 3, Informative

      I may be incorrect on this (XP Home is evil and I won't use it) but IIRC, you can't disable simple file sharing (also evil) on Windows XP Home. For XP Pro users, your suggestion is correct though.

    60. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      this sort of 'evil' crap never helps a post, i see it often on here and it always makes me dismiss your argument straight away. a file sharing option is not evil.. an os is not evil...
      rape, child abuse, genocide, ethnic cleansing, murder these are all evil. software is not.. get a sense of perspective.....

    61. Re:Tin foil hats for everyone!! by Maestro4k · · Score: 1
      > I haven't used WinXP in awhile, so correct me if I am wrong... doesn't XP have a little checkbox in the "User Accounts" dialog that says something like "Make my data private" or something to that effect? I believe it is unchecked by default. Can anyone confirm that by default XP doesn't make user folders strict, and that you have to explicitly enable this option. I'm pretty sure Windows 2000 doesn't work this way.
      I can confirm it, I just got done doing one clean install of XP Pro and configuration of a new Dell with XP Pro on it for work. On both machines XP asked for an administrator password, then gave an option to create individual user accounts. All accounts it creates default to null password, no option to assign one from setup or first time login. I'm really not sure what the administrator password is for as it doesn't create an administrator account.

      If you go to users under the control panel and set a password for an account it'll prompt you to see if you want to make your files private. By default they're not, and that means anyone can view your whole subdirectory under the documents and settings folder. Once it's turned on, other users with admin privileges can't view your directory. I haven't checked to see if they can reset your password and log in as you to access them, but at least it's an extra step.

      On a related note, I can find no way to assign ownership to specific directories. On Win2K this was easy, under XP it doesn't appear to be possible. I had a data directory on the drive of a laptop I had to share until a new employee's computer arrives. I wanted the data to be inaccessible to them, but it's too large to just move for a week or two. I ended up setting it to be hidden so they wouldn't see the directory without fiddling with file view options. Not my preferred choice though, I was annoyed.

    62. Re:Tin foil hats for everyone!! by sandwiches · · Score: 1

      The information has always been just as unsecure, but, now, it simply became readily apparent to Joe Newb.

    63. Re:Tin foil hats for everyone!! by Jetboy01 · · Score: 1

      > I'm really not sure what the administrator password is for as it doesn't create an administrator account.

      Yes it does!
      Hint: press ctrl+alt+del at the login prompt, and then type administrator, and your password... Funny that, you're now logged in as admin.

    64. Re:Tin foil hats for everyone!! by AlphaSys · · Score: 1

      Your point that it was always insecure is well-taken, but your notion that Joe Jobs shouldn't be expected to know how to secure their data or their PC is out-and-out dangerously flawed thinking. Basically, if you're not inclined to educate yourself on how to secure data, you should have access to none of any import, and anything that happens to your personal data, whether of value to anyone else or no, is your own fault. More to my point, if you're not keen to get steeped in how to protect your PC in some small way, I don't want you traversing the same network I do. I sure don't want you knowing my email address or such. Otherwise, I'm just the next subject of interest for your new 0wn3r.

      There was a time when AOL was its own network and the users didn't affect the rest of us too much. Then they got access to NNTP and cracked w4r3z with embedded subSeven. Now look where we are.

      --
      Can I bum a sig? I left mine at the office.
    65. Re:Tin foil hats for everyone!! by node+3 · · Score: 1

      your notion that Joe Jobs shouldn't be expected to know how to secure their data or their PC is out-and-out dangerously flawed thinking

      I don't mean to state that they shouldn't take measures to secure access to their computers. What I mean, simply, is that they shouldn't have to become "computer experts". They are taught that if they keep their password safe, their data is safe, and if they're lucky, they learn a bit about firewalls, spyware, and Windows Update.

      What I don't find reasonable is that your average user be expected to ever have to edit the registry or manually modify permissions (until such a day that you can tell by looking at a folder what the permissions are, that you know what that means, that it's simple to change, and that the default permissions are secure). I blame MS more than the user at this point.

      More to my point, if you're not keen to get steeped in how to protect your PC in some small way, I don't want you traversing the same network I do.

      You can be certain there's some smug hacker who's more 1337 than you who feels just the same about you, and so on. It's just a question of how much should you expect them to know?

      Windows users have too much of a burden on them regarding basic security. Right now, MS is more to blame than the user. If MS were to adopt more intelligent security standards, then it's a different story.

      As for Google, it doesn't matter at all what MS does by default, it should be abundantly clear that users don't want their private data, even if it's world readable, to show up in another user's query by default. Yes, the lax permissions are MS's design, and yes the user can tighten the security, but it's Google's software that's showing the data, so they're the ones who should show some initiative.

    66. Re:Tin foil hats for everyone!! by msoya · · Score: 1

      But it wasn't that - it was the local cache of the web pages, which could be accessed anyway.

    67. Re:Tin foil hats for everyone!! by AlphaSys · · Score: 2, Insightful

      We agree on a lot and disagree on a lot.

      Yes, MS defaults are a problem. But it is well-known. Average users are really very sub-par to the level of effort they employ to get set up right. Fast implementation wins over proper configuration from the outset every time.

      And RE: the 1337 smug hacker feeling the same about me... no doubt. It's not about how much I expect a user to know -- it's about how little I expect their lackadaisical approach to operating powerful machinery to affect my computing experience.

      Is it wrong for me to despise zombie scans and blame the guy whose PC does it to me when he is unaware? I don't think it is. Absence of malice is just not a defense here. As much as it is in the headlights now, absolutely nobody can claim anymore "I didn't know the gun was loaded." Plainly, everybody has to know these high-powered desktops are capable of wreaking havoc on the network. My stance is, if you're going to touch the network and you don't know how to secure yourself for it, you can afford to pay somebody to help you do it. If you can afford broadband, you can afford a house call from the neighborhood geek every few months for a checkup, and you can sure as hell afford good AV software. If one doesn't do it they're being lazy and cheap. And the long and short of it is, they may deserve exactly what they get. If it were that simple and they didn't end up affecting others, it'd be a beauty of karma - not the /. kind - but the fact is the effects are wider and that's why I say learn about it or hire someone who has.

      Windows users do not have too much of a burden on them regarding basic security. You know when you buy windows you're buying something harder to secure than OSX, Solaris, Linux, etc. But you weigh that against why you're buying an OS and you make a choice. I'm just asking that people be honest with themselves about the responsibility that goes with the decision and follow through with it however necessary. I do not think that unreasonable.

      Finally, if anything, Google should be commended for this. They just made a marketing gaffe -- they should be billing it as a home user's security checkup tool instead of a local search novelty!

      --
      Can I bum a sig? I left mine at the office.
    68. Re:Tin foil hats for everyone!! by AnyoneEB · · Score: 2, Informative

      In XP you have to, in any folder, go to tools --> folder options... --> view (tab) --> scroll all the way down and uncheck "Use simple file sharing (Recommended)". That will give you a "security" tab in the properties of every folder and file allowing you to set NTFS permissions from explorer.

      --
      Centralization breaks the internet.
    69. Re:Tin foil hats for everyone!! by i+wanted+another+nam · · Score: 2, Informative

      My school used to run a hodgepodge network of Windows 98, 95, and Me machines. The only halfway safe thing was that the pentium 133 running NT4 acting as a gateway. Their goddamn fileserver ran Windows 95A, sharing GRADES AND PERSONAL INFORMATION over SMB. They came to me one day and asked me if I could help them out, tell them why their network was so unstable. I couldn't do anything but laugh at these fools. To my knowledge, it's still run on the same computer 4 years later.

      --
      The image is a dream, the beauty is real. Can you see the difference?
    70. Re:Tin foil hats for everyone!! by Danj2k · · Score: 1
      Austrumi is a Linux bootable ISO image for recovering NT passwords
      Er, I notice that they don't mention this capability on their web page. Is this some kind of undocumented feature, or are you referring to some sort of modified version of this thing?
    71. Re:Tin foil hats for everyone!! by legirons · · Score: 1

      "This application is intended for single user machines"

      Redundant. They already said it runs on Windows.

    72. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      "You know when you buy windows you're buying something harder to secure than OSX, Solaris, Linux, etc"

      what the hell are you talking about? most home users do not even know that there's more than two "flavors" of computing, Wintel and Mac, and to expect housewives, old people and journalism students to learn about Solaris and Linux when all they want to do is send email and type term papers is wholly unreasonable. MS's attitude toward security is like expecting your typical minivan operator to be able to replace an engine just in case.

    73. Re:Tin foil hats for everyone!! by Lehk228 · · Score: 1

      be careful encrypting your data, if windows fails and you have to reinstall or boot from linux to recover files any encrypted files will be lost.

      --
      Snowden and Manning are heroes.
    74. Re:Tin foil hats for everyone!! by exaudio · · Score: 1

      And here's a link to a linux based offline NT/2000/XP password resetter that you can fit on a bootable floppy:
      http://home.eunet.no/~pnordahl/ntpasswd/

      Here's an article about it:
      http://www.petri.co.il/forgot_administrator_password.htm

    75. Re:Tin foil hats for everyone!! by AlphaSys · · Score: 1
      Actually, having needs that are confined to email and term papers is an excellent excuse to use linux on the desktop. And I would dare say a majority of desktop users are at least dimly aware of it. They may not be savvy enough to tweak it to its extreme, but you could say the same of them and XP.

      MS's attitude toward security is like expecting your typical minivan operator to be able to replace an engine just in case.

      No, that's not it. It's just that a networked computer OS capable of meeting the demands of a wide range of today's users is not an "hello, world" application. And if it's going to be capable of delivering to the demanding, it's going to be capable of confounding those with more modest needs -- either you have the modular approach like a *N*X which is utterly confusing to the simple user or you put it all under the hood to begin with, which puts them at higher risk.

      Now I wasn't saying Joe Job better know how to lock down his Media Center PC. I was saying, if he doesn't, since he is able to afford a media center, he can afford an occasional house call for preventative purposes. I was also saying that as prominent as internet outbreaks are not only in the news but also at the water cooler regardless of the business you're in, the percentage of home users who don't know the threat is increasing exponentially with the stakes would have to be infinitesimal. I didn't say they should know how to fix it, just that they should know what the stakes are and what a responsible operator (cause that's what they are regardless of their skill level) should do (or who they should call) to mitigate risk.

      And there are stripped down linux distros which are easy to use/maintain and also are locked down pretty good for the average joe/josie. As long as your demands are light, your previous argument is weak at best. It makes me wonder about that "stripped-down windows" we've been hearing about going to some other countries. It may well be that MS is missing a market for something like that here. I know if they offered something secure (as opposed to securable) and it was a little less feature-rich, quite a few would buy it. Are you listening, Gates?

      However, you are on to something if not on target. As desktops gain in power and the ability of server apps multiplies as well, we're seeing tech creep into areas it never would have before. See, I don't know how old you are, but there used to be a time when most people didn't *need* a computer to do a job or prepare for the job market. Anyone who comes from that era but doesn't realize (a) that times have changed and (b) the consequences of those changes, well, that's just a bit myopic. And those that don't remember those days don't fully understand that this is a new set of sociological and technological problems that the majority of society didn't have to grapple with a few generations ago. And something that we all need to observe is that computing technology in general has really just begun its invasion into all facets of our daily life. Sure, a few "big" apps were out there before, but not like today and not in so many facets of life. Computing and related tech is on the march in most every office, likely a majority of living rooms and dens, almost all "playrooms", probably (I know I'll get trolled for saying it) some bedrooms, kitchens, etc. And that's just in the home. What about stores today? Even CHURCHES. I would've thought that would be kind of taboo, but, no, tech stomped right into the sanctuary too. In our cars. And the thing is, this is just the beginning, because tech still hasn't really found a groove in a lot of the markets it's really courting. And as tech creeps more and more into things like identification systems, oh man, well, I won't even get started on that! But the point is this is an evolving problem that is going to get worse before it gets better, because all of these applications of tech have risks that have to be mitigated and yet the desire is for it to all

      --
      Can I bum a sig? I left mine at the office.
    76. Re:Tin foil hats for everyone!! by AlphaSys · · Score: 1
      Oh and the other thing.
      "You know when you buy windows you're buying something harder to secure than OSX, Solaris, Linux, etc" what the hell are you talking about?
      I'm talking about a default install of those others (just saying "yes" to everything asked) has the potential to be a more secure out-of-the-box experience. I couldn't care less about a default install because I know how to configure an OS but the parent's argument was it is unfair to users that Windows is more insecure out of the box (or "harder to secure"). My point was, when you have all that functionality that we want to "just work", it's gonna be insecure. We each have to decide what we want and how much of it we can have for what acceptable risk. It's all about thinking for ourselves. Neither Bill nor Linus nor anybody else is ever going to do a good job of that for us. But one Ashcroft or someone like him is sure bound to give it a go if we don't start doing it on our own and soon.

      I don't even know if you're American, but regardless of where you live, if you can't see an international coalition shoving tech restrictions down your throat while loving it up with the tech firms in the WTO to a much greater degree than today in the name of security and "global stability" you are lacking not in imagination but plain deduction, let alone foresight. The only thing that will fend it off is if people start acting more responsibly AND also stand up for their rights and their neighbor's. I just don't see enough of it going on. Barlow has had the right idea, but the scope of focus for our EFF and similar orgs is just not expanding at the same rate as the competition (i.e. the Earth, Incorporated). Not even close. And when tech stops being available to the little guy, that's when it's going to do some really terrible stuff.

      --
      Can I bum a sig? I left mine at the office.
    77. Re:Tin foil hats for everyone!! by cyberformer · · Score: 1

      XP Home does support multiple users. I haven't tried whatever built-in security it might have, but it definitely supports several different user accounts each with their own desktop, My Documents, etc.

      This isn't even new. Windows 98 did the same thing, though it didn't make any distinction between different users' levels of access.

    78. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      "For God's sake, this is a long ways to go to find something to be paranoid about."
      "Still, you gotta wonder why people need to find things to be upset about."

      Throw in "m$ sux lol" and you got Slashdot in a nutshell...

    79. Re:Tin foil hats for everyone!! by ImaLamer · · Score: 1

      What? XP home is far from a "single user" OS.

      Look at all the tools like Fast User Switching etc...

      And why shouldn't I be worried about other users? I've got friends that come to town and they have their own accounts under Linux and XP Home, I don't want them in my files.

    80. Re:Tin foil hats for everyone!! by node+3 · · Score: 1

      We agree on a lot and disagree on a lot.

      I suspect we are thinking of different groups of people here.

      Especially when you say this:

      it's about how little I expect their lackadaisical approach to operating powerful machinery to affect my computing experience

      I'm not thinking of some cavalier warez d00d whose promiscuous KaZaA activities have left his computer more dangerous on the net than a N. Korean Hacker Squad * the Kaos Komputer Klub--and even with the KaZaA moron class, there's a secondary group of people who are told by the primary group of "shoulda-known-betters" that "yeah, install this and get free shit. don't worry, I've done it for years and never got a virus." The first group I think of as responsible enough to take blame, where the second group is an unwitting dupe, who deserves a good dressing down over their activity (so they don't do it again), but you can't really blame them, you know?

      Pretty much everyone understands how a gun works well enough to be responsible for its misuse. Some people understand the mechanisms (which are quite simple, even so, most people actually don't understand them) in the gun, and the chemistry and physics of the cartridges (again, some do, most don't), but such knowledge isn't required.

      With a computer, even fewer people really understand the basic underlying principles, and never will. I don't know if it's mostly because it's beyond them, or they're just lazy/have better things to do.

      This puts us into a situation where a PC is more powerful and versatile than your average human can responsibly handle, but that it's so useful and desirable that we can't justify legally restricting their use (like we do with instruments of war).

      In this situation, we're sort of "all in this together". The average user is really having a hard enough time understanding (well, not even understanding, but just muddling by) the basics of their programs (for example, I'm certain there are a lot of Windows users who do not know how to find their Word Documents except through Word's file->open dialog). They're really essentially at the limit of what they can do, for good or ill. On the other hand, Microsoft especially, but Google in this particular case, can do quite a lot.

      The real annoying aspect of this situation is that Microsoft is actually in a position to benefit more by ignoring these problems (or even making them worse!).

      So yeah, there's a problem, but the user I'm thinking of really can't fix the problem, whereas Microsoft certainly can and should (but won't), and Google can at least minimize their participation in exploiting these "holes" (and they should make some effort).

    81. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      git uh sence uv speling

    82. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      It's unreasonable to demand users to become experts before using their computer.

      Or driving a car. Or going parachuting over your neighbourhood. Or using a gas pump. Or a jetski at your favorite beach. Or a chainsaw next door while your kids have their heads stuck over the fence.

      Experts? No. Some basic idea of how to use the thing, and the principles behind its operation, yes. I'm not talking about being able to rebuild an internal combustion engine. I'm talking about knowing what different gears do, how to turn on the headlights, and that if you don't lock your doors you're more likely to have your car stolen.
    83. Re:Tin foil hats for everyone!! by DroopyStonx · · Score: 1

      You people are inconsistent little hypocrites.

      If Microsoft pulled this shit, you'd be all pissy, but because it's google, you say, "it's okay, I don't have strangers around my house anyway."

      Mmm.. yeah, security is security, and coming from google, it shouldn't ignore or bypass a damn thing.

      --
      We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
    84. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      So what you're saying is that you don't know any better yourself?

    85. Re:Tin foil hats for everyone!! by Ilgaz · · Score: 1

      For God's sake, this is a long ways to go to find something to be paranoid about.

      Whether or not Gator intended this, I take great pause at knowing any e-mail I write or read on a PC with Gator Desktop Search could be called up and read by a complete stranger.

      This application is intended for single user machines which pretty much limits it, in most cases, to home machines. I don't have complete strangers roaming around my house so it is not an issue for me.

      Mayer dismissed my concern that this is a security issue. She points out that you can configure Gator Desktop Search not to index Web pages or specific domains. That would prevent Gator Desktop Search from indexing and caching the URL "mail.yahoo.com".

      So what part of that did the reporter not understand? Finally, this is not mandatory software. A user has to hunt it down, download it, and install it. So don't use it if it is a problem for your computer. Now, I am not trying to be a jerk and some of this is said with tongue planted firmly in cheek. Still, you gotta wonder why people need to find things to be upset about. I am not sure why this irks me so much, maybe I should drink less coffee.....

    86. Re:Tin foil hats for everyone!! by Anonymous Coward · · Score: 0

      You can always use the Windows Encrypting Filing System to guard against other users accessing your profile (including your google cache).

  2. Security Breach? Really? by johndiii · · Score: 5, Insightful

    From reading the article, there is no indication that protected files were actually read. In fact, pretty much everything he talks about seems to have been pulled from the web cache. With default security on Windows XP, each user's cache is accessible to the other users. As are everyone's Outlook data files. This is not great security, but that is not Google's responsibility.

    So, I'd be really interested to know if the desktop search application runs as an admin process, or with system rights. Unless it does, this article is nothing but hot air. Google indexes files that you can read anyway? OMG!!! This is teh suxxorz!!!

    And spyware? Hardly. Nothing in the article even comes close to suggesting that all of this indexed information is transmitted anywhere.

    --
    Floating face-down in a river of regret...and thoughts of you...
  3. A problem if accessible remotely by Disoriented · · Score: 5, Insightful


    Keep in mind that once you have physical access to the machine, all bets are off.

    However...

    Google's tool could be a danger if someone figures out a way to launch it remotely, by getting a user to click a link, or through some Windows exploit. If so, it's plausible that a remote attacker could gain access to the cache and use the information to gain administrative access to the machine.

    ---
    "I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours."
    -Sir Stephen Henry Roberts

    1. Re:A problem if accessible remotely by metlin · · Score: 5, Interesting

      Well, there you go - Windows Exploit.

      The problem in that case becomes Microsoft's, not Google's. It's just using a feature (or a bug, depends on the perspective) that exists in Windows.

      It's easy to blame third parties whose software can be exploited because of inherent problems in the OS, but you're passing the buck.

      Maybe if the OS were more secure, the possibilities for such exploits wouldn't exist in the first place.

    2. Re:A problem if accessible remotely by slash-tard · · Score: 1

      So let me see...

      The hacker is going to get the user to run a program, but not a program that 0nw$ the system. Just the google desktop install. Then they will again trick the user somehow so they can see what other users on the same computer have in the cache?

      Sounds a little convoluted...

      It's not spyware, it's not even a real google security issue. It's an issue with default file permissions which can be changed.

    3. Re:A problem if accessible remotely by burns210 · · Score: 1

      Simple fix... Have 2 indexes, one public, shared over the entire computer, one private, for the specific user only.

      All PUBLIC data(shared documents, etc) are in the public index, and all users can see them, private data, like documents in a user's home folder are sent to the private index.

      GDS would then combine the two transparently for search results.
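
The public/private split proposed in the comment above, next to the single machine-wide index the article describes, as an added example that is not part of the thread and not Google's code. The class names, the allow-listed shared folder, the whitespace tokeniser and the sample files are all assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the only location treated as shared. Everything else is private
# to the user on whose behalf it was indexed (fail closed).
SHARED_ROOTS = (PureWindowsPath(r"C:\Documents and Settings\All Users\Documents"),)


def is_shared(path):
    """True only for paths strictly inside an allow-listed shared root."""
    p = PureWindowsPath(path)
    if ".." in p.parts:  # unnormalised path could escape the shared root
        return False
    return any(root in p.parents for root in SHARED_ROOTS)


def terms(text):
    """Toy tokeniser: lower-cased, whitespace-separated words."""
    return set(text.lower().split())


class SingleIndex:
    """One index for the whole machine: any user's query sees every document."""

    def __init__(self):
        self._index = defaultdict(set)

    def add(self, user, path, text):
        for t in terms(text):
            self._index[t].add(path)

    def search(self, user, term):
        return sorted(self._index.get(term.lower(), ()))


class SplitIndex:
    """Shared documents in one public index, everything else per user."""

    def __init__(self):
        self._public = defaultdict(set)
        self._private = defaultdict(lambda: defaultdict(set))

    def add(self, user, path, text):
        target = self._public if is_shared(path) else self._private[user.lower()]
        for t in terms(text):
            target[t].add(path)

    def search(self, user, term):
        term = term.lower()
        hits = set(self._public.get(term, ()))
        own = self._private.get(user.lower())  # .get() creates no entry
        if own is not None:
            hits |= own.get(term, set())
        return sorted(hits)  # merged transparently for the caller


# Constructed sample documents: (indexing user, path, content).
FRED_FILE = r"C:\Documents and Settings\fred\My Documents\payroll.txt"
MARY_FILE = r"C:\Documents and Settings\mary\My Documents\holiday.txt"
SHARED_FILE = r"C:\Documents and Settings\All Users\Documents\template.txt"
TRAVERSAL = r"C:\Documents and Settings\All Users\Documents\..\..\fred\notes.txt"
SAMPLE = [
    ("fred", FRED_FILE, "budget payroll draft"),
    ("mary", MARY_FILE, "budget holiday plan"),
    ("fred", SHARED_FILE, "office budget template"),
    ("fred", TRAVERSAL, "budget notes"),
]


def load(index):
    for user, path, text in SAMPLE:
        index.add(user, path, text)
    return index


if __name__ == "__main__":
    for cls in (SingleIndex, SplitIndex):
        idx = load(cls())
        print(cls.__name__, "mary ->", idx.search("mary", "budget"))
```

The split only holds if the per-user index files are themselves stored where other accounts cannot read them, which is the same file-permission question the thread is arguing about.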

    4. Re:A problem if accessible remotely by DogDude · · Score: 1

      If there's a Windows exploit, why would the hacker bother with the Google Desktop? If you've got access to a hacked PC, just use cmd or explorer to go whatever you want. This isn't going to make any difference if you've already got a security hole.

      --
      I don't respond to AC's.
    5. Re:A problem if accessible remotely by colin_n · · Score: 5, Informative

      I have tried to access the tool remotely. It appears that it only accepts connections locally on the computer.

      --

      --------- I have no signature
    6. Re:A problem if accessible remotely by The+Bungi · · Score: 1

      Since documents can and should be stored in a per-user context and an NTFS drive can be easily made secure to avoid this sort of thing, how exactly do you figure this is a "windows exploit" again?

    7. Re:A problem if accessible remotely by einhverfr · · Score: 1

      If I get my hands on your locate database how is this different?

      --

      LedgerSMB: Open source Accounting/ERP
    8. Re:A problem if accessible remotely by neoform · · Score: 1

      yeah, unless you do like i do, and save important files to an encrypted disk image (OS X).. at which point, i'd stick with my bet.

      --
      MABASPLOOM!
    9. Re:A problem if accessible remotely by metlin · · Score: 1

      No, I meant that as a rebuttal to the original poster's point -

      Google's tool could be a danger if someone figures out a way to launch it remotely, by getting a user to click a link, or through some Windows exploit.

      That was the exploit that I was talking about, I highlighted my other point clearly as a bug/feature depending on how you configure it and whom you ask.

    10. Re:A problem if accessible remotely by farghen · · Score: 1

      So if somebody writes a virus that exploits a bug in windows, then the virus writer is completely innocent? After all, they are just using a feature (or bug) of windows.

    11. Re:A problem if accessible remotely by metlin · · Score: 1

      Horribly wrong analogy.

      If I write a software for Windows that uses a particular feature that also has the potential to be exploited, do not blame the guy who wrote the software.

      Blame the guy who exploits it and blame Windows.

      Google has used a feature in Windows that has potential for exploit, but neither did Google write that feature nor did Google take advantage of that exploit - Google merely used a natural feature in the OS. If someone exploits that feature of the OS, it's not Google's fault.

      Get that?

    12. Re:A problem if accessible remotely by Anonymous Coward · · Score: 0

      Well, there you go - Windows Exploit.

      There are different kinds of exploits. If Google's code allows local privilege escalation then it's a problem by itself. It's not as serious as a remote exploit, but it still needs fixing. These sorts of things can make a weak remote exploit strong.

      That said, I don't see anyone suggesting that Google's code actually provides such an opportunity.

    13. Re:A problem if accessible remotely by The-Bus · · Score: 1

      Well, it binds itself to a port and points to 127.0.0.1. Wouldn't it be as simple as just changing the hosts file to 1237.0.0.1 is know your IP address?

      --

      Small potatoes make the steak look bigger.

    14. Re:A problem if accessible remotely by geminidomino · · Score: 1

      127.0.0.0/8 is mandated to be put aside for 'localhost' or the 'loopback device'. IOW, it's only accessible by the machine itself. If you set your IP address to a loopback IP, you wouldn't even be able to use IP-based network connections.
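
A check a defender can run on the point made in the last few comments, that a service bound to a loopback address is not reachable from other machines: the added example below (not from the thread, and not tied to any real Google Desktop Search port) classifies TCP listeners from text laid out like Windows `netstat -an` output. The sample lines, addresses and port numbers are constructed.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -an` output.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    127.8.4.2:5001         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49211     203.0.113.5:443        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    [::1]:5002             [::]:0                 LISTENING
"""


def classify(address):
    """Return how widely a listener bound to this address can be reached."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:       # all of 127.0.0.0/8, and ::1
        return "loopback"
    if ip.is_unspecified:    # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    return "one-interface"


def listeners(text):
    """Parse (address, port, scope) for every TCP socket in LISTENING state."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue  # header, UDP, or a connection that is not a listener
        host, _, port = fields[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            found.append((host, int(port), classify(host)))
        except ValueError:
            continue  # unparsable address or port: skip the line
    return found


def reachable_from_network(text):
    """Listeners that other machines could connect to, firewall permitting."""
    return [entry for entry in listeners(text) if entry[2] != "loopback"]


if __name__ == "__main__":
    for host, port, scope in listeners(SAMPLE):
        print(f"{host:>15} {port:>6} {scope}")
```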

  4. How is it spyware? by Anonymous Coward · · Score: 0

    Does it phone home, sending entire indexes of your harddrive to google?

    1. Re:How is it spyware? by Anonymous Coward · · Score: 4, Funny

      Does it phone home, sending entire indexes of your harddrive to google?

      Yeah, then it kills your entire family and rapes your dog. Not being evil isn't as easy as it sounds I guess.

    2. Re:How is it spyware? by kjamez · · Score: 1

      it would if you saved all of your index information to your googlefs mount. /dev/google

      --
      you can't have everything, where would you put it?
  5. Re:Security Breach? Really? by jdunlevy · · Score: 2, Insightful

    yeah, certainly not "spyware" in any usual sense of the word if the information isn't being made available or transmitted off the box.

  6. uhhh...sorta by Zed2K · · Score: 2, Insightful

    Unless you add the path to the preference option of the user that you don't want to be indexed. This also isn't release software. It's beta toy tools stuff. You know, the kind that says "use at your own risk."

    1. Re:uhhh...sorta by filtur · · Score: 5, Funny
      It's beta toy tools stuff. You know, the kind that says "use at your own risk.

      Like windows.......

      That was too easy, ignore my post.

    2. Re:uhhh...sorta by misleb · · Score: 1

      Don't all software EULA's basically say "use at your own risk?"

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    3. Re:uhhh...sorta by Jugalator · · Score: 1

      Don't all software EULA's basically say "use at your own risk?"

      Yes, they usually do... But one should take much greater care with beta software anyway.

      --
      Beware: In C++, your friends can see your privates!
  7. An adage I've heard before by TimmyDee · · Score: 4, Insightful

    The Hole Hawg is dangerous because it does exactly what you tell it to.

    Yes, well computers in general are dangerous because they are very good at doing exactly what you tell them to do. For better OR for worse.

    --
    Per Square Mile, a blog about density
    1. Re:An adage I've heard before by Anonymous Coward · · Score: 0

      The original essay was about computers. The Hole Hawg was an analogy he used.

    2. Re:An adage I've heard before by lothar97 · · Score: 1
      Yes, well computers in general are dangerous because they are very good at doing exactly what you tell them to do

      I'd argue that computers are more dangerous because they do lots of things that most users do not have the slightest inkling about. In the case of Win boxes, you get open ports, system restore to cache virii, not coming with AV software, default "administrator user" with no password, default firewall that ignores outgoing traffic, etc. I could go on, but I'm bored with the list.

      Couple this with people who click any attachment, click "Yes" to any dialogue box, etc., and I'd argue that users are more dangerous than the PCs. It's not cars that kill people, it's the bad drivers. It's not guns that kill people, it's the people that use them.

      --

    3. Re:An adage I've heard before by selderrr · · Score: 1

      computers are very good at doing exactly what you tell them to do.

      I would rephrase that as Computers are very good at doing exactly what the developers told them to do when someone told them to do something they had programmed to do under that nomen. Computers suck at everything the developers didn't envision.

      In practice, it means computers are awesome at rendering paperclips, and suck at everything else.

    4. Re:An adage I've heard before by chandoni · · Score: 1

      According to Stephenson, only DOS computers were as dangerous as Hole Hawgs. GUI interfaces are less dangerous because they pop up annoying modal display boxes that say things like "are you sure you want to tear your arm off?"

    5. Re:An adage I've heard before by owlstead · · Score: 1

      That's for better XOR for worse.

  8. Uh. by emazing · · Score: 5, Insightful

    Since when does this constitute spyware? To my knowledge, spyware sends information to a third party without the user's knowledge.

    1. Re:Uh. by metlin · · Score: 4, Insightful

      Worse, all that this does is use a feature of the OS - nothing more.

      It's almost National Enquirer-esque, sensationalist.

      Whether or not Google intended this, I take great pause at knowing any e-mail I write or read on a PC with Google Desktop Search could be called up and read by a complete stranger.

      If a complete stranger has physical access to your single user system, you have more problems than you realize. Don't blame Google for that. Duh.

    2. Re:Uh. by Deviate_X · · Score: 1


      The third party in this case is the other users of your computer. Two major reasons for having multiple logins are for 1. Personalization 2. Privacy.

    3. Re:Uh. by LiquidCoooled · · Score: 1

      But that's EXACTLY what it does.

      Some folks like to be private on their computer.
      Up until now, there has been relative cosiness in separating user accounts with a simple password.
      Mary-Lou doesn't know where to look on the computer to find Fred's secret files, she thinks they are locked up behind the password.

      However now, Google comes along and makes it nice and easy to see them all.
      And oh look if I search for this, it shows me those. Isn't that amazing!

      Mary-Lou is the 3rd party, Fred gets violated.

      The effect is simple, the damage could be great.

      --
      liqbase :: faster than paper
    4. Re:Uh. by hacker · · Score: 3, Informative
      "Worse, all that this does is use a feature of the OS - nothing more."

      I don't know about your OS, but mine does not send my usage data to third parties.

      "Once the Google search technology is installed for free on a personal computer, it will transmit basic data daily about usage patterns. For example, it will tell the company how often Google is being used to search personal computers, how often it is used to search the Web, and how often simultaneous searches are done. Google lets users opt out of sending some usage data, but not all of it.

      However, Mayer said the data collected will be aggregated so that the company knows where to focus its efforts on upgrading the search technology. She emphasized that the daily up-loading will not transmit any personal information to Google and said it is typical for major software programs that offer voluntary upgrades and fixes for bugs to capture that sort of information as a matter of routine."

    5. Re:Uh. by NoInfo · · Score: 1

      Uh, this is an option. You can turn it off immediately upon installation. Please look into something before spouting off random quotes.

    6. Re:Uh. by SirTalon42 · · Score: 1

      Maybe Fred should set his home folder so only he can access it?

    7. Re:Uh. by Anonymous Coward · · Score: 0

      Actually, you can't. Read the fucking article again. You can disable some of it, but not all of it.

  9. Nothing to see by samael · · Score: 4, Insightful

    It indexes all the files that you'd have access to anyway...

    Can't see what the fuss is.

    1. Re:Nothing to see by Anonymous Coward · · Score: 1, Interesting

      Are you sure? To me, it sounds like they are running as a system service, which can have access to any file.

      If MSFT did this, you'd be howling about it.

    2. Re:Nothing to see by hng_rval · · Score: 2, Informative

      Not all your files. I have access to my Trillian logs (c:\program files\trillian) and those are not indexed.

      --
      Thank you Mario! But our princess is in another castle!
    3. Re:Nothing to see by colin_n · · Score: 1

      This panic reminds me a little of when Phynd was being shut down at my Alma-mater, RPI. It was just a tool to show you what was already publicly available, but it scared the powers that be because people could find files that were not necessarily intended for them (i.e. exam questions / papers / mp3s / copyrighted materials ) I think the software is still around.

      http://phynd.chewplastic.com/

      --

      --------- I have no signature
    4. Re:Nothing to see by ciroknight · · Score: 5, Informative

      Even worse.. Google's FAQ on Multiple Users states that it is not for multiple user systems, so all of this nonsense is perfectly within its working parameters, and as a beta program, is to be expected. Don't like it? Don't use it. Period.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    5. Re:Nothing to see by samael · · Score: 1

      Well, no. But they could be, if they had the right extension.

    6. Re:Nothing to see by Jugalator · · Score: 1
      Are you sure? To me, it sounds like they are running as a system service, which can have access to any file.

      ... and a user can apparently just run a system service to gain the same access as GDS does. If it's as simple as that and something undesirable, Windows really needs an overhaul in that area, not GDS in my opinion. It's a fully legitimate way to work with the OS, and wouldn't surprise me if numerous of Microsoft's services already do this too.

      --
      Beware: In C++, your friends can see your privates!
    7. Re:Nothing to see by GlassUser · · Score: 1

      ... and a user can apparently just run a system service to gain the same access as GDS does.
      That's about as inaccurate as the FUD comes.

    8. Re:Nothing to see by Tongo · · Score: 2, Insightful

      No, it runs at the same level as the user you are logged in as. If you are logged in as admin, it runs with admin rights. If you log in as joeuser, it runs with joeuser's rights.

      BTW, MSFT DID do this. It only indexes the same information that you can get to using Explorer.

    9. Re:Nothing to see by Anonymous Coward · · Score: 0

      Here's the fuss..

      Wife is a little curious about something she has heard about and looks it up, once, to see what it is about...

      That web-site visit is recorded dutifully by Google Desktop

      Husband comes home, it's time to get wife a gift, Birthday's coming up... Husband knows wife wants some new china.
      Chippendale is a kind of china right?? Whoa what kind of china has Wife been looking at....

      Posted anonymously so you don't know if I am wife or husband.

    10. Re:Nothing to see by kokamomi · · Score: 1
      oh yeah? what about the last paragraph then?
      "If you would like to use Desktop Search on a shared computer, we strongly recommend that you use separate Windows logins for each user. Your Desktop Search index is stored under your specific Windows login, so someone logging in with another Windows account will not be able to search your files with Desktop Search."
    11. Re:Nothing to see by samael · · Score: 1

      Well, that information's already available if husband decides to go looking for it...

    12. Re:Nothing to see by Com2Kid · · Score: 1
      No, it runs at the same level as the user you are logged in as. If you are logged in as admin, it runs with admin rights. If you log in as joeuser, it runs with joeuser's rights.

      And if file encryption is enabled, admins can't touch another user's files anyways.
  10. Another fiasco... by ryanmfw · · Score: 3, Interesting

    Sounds like another fiasco that Google is gonna have to withstand, just for being honest. Anyone remember when the privacy hounds were out about GMail perpetually storing your mail, and that a *gasp* computer would actually read it! Reminds me exactly of this. Of course, they'll come out and clarify it later, but by then the damage will be done. Oh well.

    --
    Hurricane Ivan: A 17th century prison collapsed. All of the inmates escaped.
    1. Re:Another fiasco... by DogDude · · Score: 2, Insightful

      This won't create any kind of fiasco. First off, it's not spyware, and the only person who suggested it, did so on a relatively unknown blog. "Spyware" won't even cross the minds of non-Slashdot readers, nor should it.

      --
      I don't respond to AC's.
    2. Re:Another fiasco... by Anonymous Coward · · Score: 0

      Once Google went public, all bets are off as to its pureness.

    3. Re:Another fiasco... by ryanmfw · · Score: 1

      I don't think privacy was on anyone's mind immediately after Google said they would store email indefinitely, either. It wasn't until a bunch of talking heads took it out of context that people started to worry. The same could happen here unfortunately. Notice I said "could". :-)

      --
      Hurricane Ivan: A 17th century prison collapsed. All of the inmates escaped.
    4. Re:Another fiasco... by metlin · · Score: 2, Insightful

      Well said.

      However, the problem is that Google actually tries to portray a benign image. Although I must admit that so far they have kept that up.

      However, as an AC has pointed out in this thread, that is the problem of being a public company.

      Although your motives may be benign, you're under the control of your share-holders. At which point all bets are off and you will be scrutinised very closely.

    5. Re:Another fiasco... by zecg · · Score: 2, Funny

      Anyone remember when the privacy hounds were out about GMail perpetually storing your mail, and that a *gasp* computer would actually read it! Reminds me exactly of this. Of course, they'll come out and clarify it later, but by then the damage will be done. Oh well.

      Well, that is a problem if you believe Google is already being run exclusively by machines, all profits from the company being used to build this huge machine city smack dab in the middle of Israel, which would grow so badly that we'd have to kill the sky and live one last rave party underground in the caves of Zion.

      --
      .i lu doi ringos.star. xu do puku'aroroi dunli dopecaku leni virnu li'u
    6. Re:Another fiasco... by mabinogi · · Score: 1

      Shareholders who do not take due care and research the companies whose shares they are buying have only themselves to blame if that company acts in a way in which they always said they would, and that results in lost value.

      It's a two way street - yes companies have to look out for their shareholders, but part of the way they do that is by telling people what sort of company they are and how they operate, and then continuing to operate in that way. No one compels anyone to buy shares in a company.

      No company is so beholden to their shareholders that they _have_ to compromise themselves, no matter what some people might like to think.

      --
      Advanced users are users too!
  11. Wahey, no Mac version. by ecc962 · · Score: 2, Funny

    Suddenly I'm not so bothered that there's no Mac version!

    1. Re:Wahey, no Mac version. by Anonymous Coward · · Score: 0

      Suddenly I'm not so bothered that there's no Mac version!

      Not too surprising. That's my normal state.

  12. stock by ch-chuck · · Score: 2, Funny

    goog up 2 bucks on the news

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  13. original locate vs. slocate by BACbKA · · Score: 4, Interesting

    The first versions of locate(1) had the same problem - the cronjob was indexing all the files and reporting on all the files even if the user running locate would not be able to learn of the file name. This was used as a way to circumvent the systems with the "security by obscurity" way of collaboration via random directory names. Today's slocate doesn't have this fallacy.

    --

    VKh
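
Added example, not part of the original thread and not code from locate or slocate: a simplified Python model of the difference the comment above describes between an index queried without permission checks and one whose results are filtered for the user who is asking. The paths, directory metadata and function names are constructed assumptions, and the rule used (read and search permission on every ancestor directory) is a conservative model rather than slocate's actual logic.

```python
import posixpath
from dataclasses import dataclass

R, X = 4, 1  # read and search bits inside one rwx triplet


@dataclass(frozen=True)
class DirMeta:
    uid: int   # owning user
    gid: int   # owning group
    mode: int  # permission bits, e.g. 0o711


# Constructed sample: metadata a privileged indexer recorded while crawling.
# /home/alice/drop is mode 711: it can be traversed but not listed, so the
# randomly named subdirectory is only reachable by people told its name.
DIRS = {
    "/": DirMeta(0, 0, 0o755),
    "/home": DirMeta(0, 0, 0o755),
    "/home/alice": DirMeta(1000, 1000, 0o755),
    "/home/alice/drop": DirMeta(1000, 1000, 0o711),
    "/home/alice/drop/k3v9q2": DirMeta(1000, 1000, 0o755),
    "/home/bob": DirMeta(1001, 1001, 0o700),
}

# Constructed sample: every path the privileged indexer stored.
INDEX = [
    "/home/alice/readme.txt",
    "/home/alice/drop/k3v9q2/budget-draft.txt",
    "/home/bob/budget.txt",
]


def granted_bits(meta, uid, gids):
    """Return the rwx triplet that applies to this user for one directory."""
    if uid == 0:
        return 7  # simplification: root bypasses permission bits
    if uid == meta.uid:
        return (meta.mode >> 6) & 7
    if meta.gid in gids:
        return (meta.mode >> 3) & 7
    return meta.mode & 7


def ancestors(path):
    """Yield every directory above path, from '/' down to its parent."""
    chain = []
    d = posixpath.dirname(path)
    while True:
        chain.append(d)
        if d == "/":
            break
        d = posixpath.dirname(d)
    return reversed(chain)


def can_discover(path, uid, gids, dirs=DIRS):
    """True if the user could have found this path by listing directories."""
    for d in ancestors(path):
        meta = dirs.get(d)
        if meta is None:
            return False  # unknown directory: fail closed
        if granted_bits(meta, uid, gids) & (R | X) != (R | X):
            return False
    return True


def naive_locate(pattern, index=INDEX):
    """Early-locate behaviour: answer from the shared index, no checks."""
    return [p for p in index if pattern in p]


def filtered_locate(pattern, uid, gids, index=INDEX, dirs=DIRS):
    """Same index, but results are authorized for the querying user."""
    return [p for p in naive_locate(pattern, index)
            if can_discover(p, uid, gids, dirs)]


if __name__ == "__main__":
    print("naive:", naive_locate("budget"))
    print("bob:  ", filtered_locate("budget", 1001, {1001}))
    print("alice:", filtered_locate("budget", 1000, {1000}))
```

The model checks stored metadata, which can go stale between indexing runs; a check against the live filesystem at query time avoids that.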

  14. Spyware?! by lunar_legacy · · Score: 5, Informative

    Spyware has a different definition...

  15. milwaukee hole hawg by bodrell · · Score: 0, Offtopic
    In the essay, he described someone holding onto this tool, spinning around while the bit was stuck firmly in the wall. Pretty scary.

    But then again, I like things to do what I tell them to. That's why I no longer use Windows at home.

    --
    Si la vida me da palo, yo la voy a soportar Si la vida me da palo, yo la voy a espabilar
    1. Re:milwaukee hole hawg by Scud · · Score: 1, Offtopic

      In the essay, he described someone holding onto this tool, spinning around while the bit was stuck firmly in the wall. Pretty scary.

      That's exactly what happens, I used to be an Electrician, and when you hung one up, particularly in low gear (they actually have a transmission), you were in for a ride.

      Using a hole saw on a ladder was always an act of faith as it was even odds that the damn thing would get hung up and send you sailing off of the ladder.

      They do come with a bar that you can screw into the side of the drill (7/8" in diameter, rather massive) so that you can hang on with both hands. But since it usually got in the way when you were drilling holes, it was seldom used.

      Our Millwrights use them here at work to drill holes in white iron (structural steel). These models come with magnetic bases that allow them to position the drill where they want and then "stick" it to the steel. This makes kicking the cord out when they are drilling horizontally a capital offense :)

      I used mine the other day to spin up my lawnmower (with the spark plug & blade removed, natch) to see how bad the shaft was bent. No problem for the old girl at all :)

      --
      I dream in binary.
  16. Was there a warning? by Fat+Casper · · Score: 2, Insightful
    I haven't used this, but the only problem I'd have with it is if there wasn't a warning. Was there a mention anywhere that it was only intended for one user computers? If there was, then good for Google. If there wasn't, I still don't think it's that huge of an oversight.

    --
    I spent a year in Iraq looking for WMD and all I found was this lousy sig.
    1. Re:Was there a warning? by Richard_at_work · · Score: 4, Informative

      Yes, it's in the 'getting started guide' and in the application FAQ. And as another user above said, "It only indexes files you would otherwise have access to anyway", i.e. if it gets indexed, there's nothing stopping you manually interrogating the file anyway.

  17. Evil? by Anonymous Coward · · Score: 1, Funny

    I can't remember. Is Google good or evil these days? Or is it an every-other day thing?

    1. Re:Evil? by Anonymous Coward · · Score: 0

      Today is an odd day, the 15th, so they are evil. No, wait, they're good. Shit, I forgot.

  18. I wish it was password protected by Dr.+Sp0ng · · Score: 1

    I can already see the girlfriend-snooping potential here.

    1. Re:I wish it was password protected by Anonymous Coward · · Score: 0

      That's why you have to keep all of your pr0n and cybersex logs in an encrypted, password protected vault. Have you learned nothing, young grasshopper?

    2. Re:I wish it was password protected by Anonymous Coward · · Score: 0

      Not a problem for /. readers.

  19. This does not apply to browsers other than IE by Anonymous Coward · · Score: 0

    This security concern does not apply to browsers other than IE. Only the cache of IE is searched, although that might change in upcoming releases.

  20. Weak argument by tuxlove · · Score: 2, Insightful

    This is a weak argument by Google. Saying that this tool is only for single-user systems is just a cover for laziness. Why in hell would an operating system implement a system of file permissions if security weren't an issue? Since the tool functions the same whether or not the system is single-user, Google is implicitly admitting they're lazy and don't care if their software can be used to spy on others. I don't see a problem with a tool that indexes all users' files, but I do have a problem if it doesn't restrict file listings when used by non-administrators. How hard could that be to implement?!

    1. Re:Weak argument by William+Tanksley · · Score: 1

      I do agree that Google shouldn't, by default, look into other users' home directories. This makes a lot of sense, and as you say can't be hard to do. But I think you might be mistaken in thinking that there are file permissions blocking Google's way. The problem is that Windows programmers don't tend to put file permissions, encryption, or other protection on their files; you can't really tell what's yours and what isn't.

      I do, however, suspect that Google probably overlooked the idea of NOT searching through other users' directories, and I think that would be a great addition. I can see how it would be easy to overlook, in the excitement of writing a whole-drive search utility.

      There's certainly no malice here, and even more so, no security flaw.

      -Billy

    2. Re:Weak argument by colin_n · · Score: 1

      Microsoft is also lazy for not making a truly multi-user operating system. As a regular / power user of a system, I shouldn't have access to anything beyond what belongs to me! However the software should also take into consideration that I don't want to see false positives from other users of the system. Don't forget that it is beta!

      --

      --------- I have no signature
    3. Re:Weak argument by vakuona · · Score: 1

      Probably quite hard without breaking things. If you do not want your email read, then make sure it can't be read by the Google search, or any other way. You do not try to obscure the fact that the information is there. It is almost like complaining that when it indexed your HD, it allowed your girlfriend to find the porn you had hidden in C:\Windows\system32. If you do not want that data to be indexed, then secure it directly. There is a little app called axcrypt (axcrypt.sf.net) that can protect your files individually with a license key or a passphrase. It wouldn't be well designed if it didn't allow you to find the stuff you had even forgotten was there.

    4. Re:Weak argument by Anonymous Coward · · Score: 0

      It does run a web server on 4664 but bound to local loopback. Anyone sniff the phone home traffic? I wonder if my search for my long lost "big big big tits" file is being reported.

    5. Re:Weak argument by Anonymous Coward · · Score: 0

      If you were a non administrator you wouldn't be able to index another user's profile. No google toolbar would get around this.

      They are all running as a full administrator and crying wolf when they index each others' files...

    6. Re:Weak argument by Anonymous Coward · · Score: 0

      The problem is, it's the user's fault. When you create a new user account in Windows, it asks if you want to make the files private.. if you choose yes, Google can't index those files unless it's running on that user account

    7. Re:Weak argument by hkm · · Score: 1
      I don't think this tool works around file permissions, so I fail to see the problem.

      Also, it is a beta version, so you can't expect it to be flawless. If there's something you think is wrong, send them your feedback.

  21. Spin alert: Not a feature, a bug by DongleFondle · · Score: 1, Insightful

    "'This is not a bug, rather a feature,' says Marissa Mayer"

    If it were really intended as a feature, Google would have developed the option to install for individual users or across all users.

    1. Re:Spin alert: Not a feature, a bug by Anonymous Coward · · Score: 0

      Well, seeing as the Google index files are located in the "X:Documents and Settings\YOUR USER NAME\Local Settings\Application Data\Google" directory.. I'd say it's pretty user specific

      If it's indexing other user accounts, it's because you didn't make them private when you created the account in the user accounts manager of Windows, that's your fault, not GDS

    2. Re:Spin alert: Not a feature, a bug by DongleFondle · · Score: 1

      I didn't think access to the index directories was the problem, though (and I may be just wrong on that). I thought the problem was that when *any* user indexes the machine, that user indexes the *whole* machine, i.e., every user's information.

      When I said it was spin, I said that because Google is claiming they intentionally wanted whatever user who uses it to index everything because they are going to be the only one using the hard drive. But what I would consider a feature is if when a non-admin user creates the index, it only happens for information under their profile. If an Admin creates the index, they get the option of saying, index the whole thing, or just index my profile.

      I'm guessing that Google looked at it that way and said, this is beta and we want it to work first and we will implement that profile specific indexing later if this catches on. I mean, it's just free beta software right now so I understand that it ain't going to cover all the bases right now, but I still think they spun this decision so that it didn't look like a security oversight.

      Or maybe I don't even understand how the indexing service really works which is quite possible. That was just my thought.

  22. Re:Security Breach? Really? by RobertB-DC · · Score: 1, Interesting

    With default security on Windows XP, each user's cache is accessible to the other users. As are everyone's Outlook data files. This is not great security, but that is not Google's responsibility.

    Indeed. Yet another reason I use Opera. With IE, I've never been able to figure out exactly where the cache is, much less how to kill it without trashing the OS. Not that I've tried very hard, because it's so much easier to take care of it in Opera:

    * "File"
    * "Delete Private Information"
    * check all the boxes
    * hit OK

    Extremely handy when you're at work and you click on a link that didn't go where you meant for it to. Closing the browser is one thing... knowing that goatse guy isn't hiding in some system file somewhere is real peace of mind.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  23. Google, the new Microsoft by The+Bungi · · Score: 5, Insightful
    FUD, clear and simple. With the usual hysterical Slashbot "OMFG TEH COMPANIE IS TEH SUXXORZ!!1!" byline. It's amazing how once a company starts entering different areas and markets everyone starts whining, crying wolf and feeling threatened.

    Windows users have had "home" directories that are inaccessible to anyone except themselves and a domain administrator since NT4 was released. If this Google tool is allowed to index things it's not supposed to index, then that's not Google's fault, and it's certainly not Microsoft's. It's the fault of whomever configured that machine. AFAIK NTFS security has not been compromised yet.

    And the "spyware" tag? Love it. FUD works both ways, doesn't it?

    1. Re:Google, the new Microsoft by ed4fa0c8 · · Score: 1

      Please don't use whom if you don't understand how it works.

      Him didn't configure the machine, he did.

    2. Re:Google, the new Microsoft by Deviate_X · · Score: 1

      I think you misunderstood the problem. The Google Search makes copies of all users' searchable data in a single/global database (cache).

      This means whenever a user logs on their data is indexed and _copied_ into the Google cache making it available to all users.

      It has nothing to do with NTFS or the FileSystem.

    3. Re:Google, the new Microsoft by ajs · · Score: 1

      And the "spyware" tag? Love it. FUD works both ways, doesn't it?

      Please define "both ways". I wasn't aware of Google spreading FUD about someone else.

      "M$"? That's hilarious. "Open sores" is funny, too. Oh, it isn't?

      No one ever said (that I've read) that "M$" was funny (yes, I know it's your sig, not part of your post, but it has the same tit-for-tat flawed premise, so I thought I should address it at the same time). It's simply appropriate because Microsoft has traditionally been focused on making money to the exclusion of any technical merits of their software. Trading "$" for "S"oftware... it's meant to be ironic, not funny.

      "Open sores" on the other hand is neither ironic nor particularly funny. It's one of those things that 5th graders would come up with by permuting a kid's last name into the closest word for a bodily function they can think of.

      The fact that a huge number of people (not particularly open source proponents) have taken to using "M$" to refer to Microsoft isn't really much of a justification for arbitrary name-calling.

    4. Re:Google, the new Microsoft by mrchaotica · · Score: 1

      It's at least a little bit Microsoft's fault, for not having intelligent defaults. The person configuring the machine should have to make extra effort to turn off NTFS security, not turn it on.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    5. Re:Google, the new Microsoft by dedazo · · Score: 1
      It's one of those things that 5th graders would come up with by permuting a kid's last name into the closest word for a bodily function they can think of.

      I suppose "Winblows", "Windoze", "Lookout", "Microsloth", "Microserf", "Internet Exploder" and on and on and on... and on are something else entirely - the cry of an entire generation yearning to break free from the surly bonds of evil.

      Or something like that. I mean, whatever I can come up with must be as insightful as this little essay of yours on why "M$" is some sort of valid expression but "open sores" is... childish.

      Man, this place cracks me up.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
    6. Re:Google, the new Microsoft by Tooky · · Score: 1

      it's meant to be ironic, not funny

      There's something deliciously ironic about this statement.

    7. Re:Google, the new Microsoft by Anonymous Coward · · Score: 0

      However, you're an idiot and don't understand at all what's going on, because what you said is completely false.

      1) Your data cache is under your 'application data' folder. Other users *cannot* read this folder, therefore your data is safe as NTFS is.

      2) There is no 'global cache', everyone has their own.

      3) This article is talking about
      a) public workstations where
      i) everyone logs in under the same account

      and therefore would have access to 'other user's' data since neither the OS nor Google has any way of knowing that in fact, 100 different people are using the same account.

      Is that spelled out in simple enough terms for you? Let me guess, you went to public school?

    8. Re:Google, the new Microsoft by ajs · · Score: 1

      All of the other names that you cite (other than "Microserf", which is more appropriately, "Microserfs", and was the title of a book about Microsoft's corporate culture, equating it to a feudal monarchy... again an ironic name), are the same sort of infantile name-calling as "open sores". I don't equate any of them to "M$". Had he used any of those as his example, I would have agreed with him.

      In fact, my point revolved around the idea that his logic was flawed on the specific point of "M$" vs. "open sores", not that name-calling was ever justified. Microsoft DOES trade software quality for revenue, which is why I bite my tongue when I want to poke fun at them for holding up Longhorn. If they're truly trying to reverse that corporate policy of release-date-over-quality, then bravo!

      You do see the difference between irony and simple "you stupid fart-face" name-calling, right?

    9. Re:Google, the new Microsoft by The+Bungi · · Score: 1
      I wasn't aware of Google spreading FUD about someone else.

      Oh, no. I wasn't talking about Google, I was talking about Slashdot. You didn't really read my post, did you?

      No one ever said [...] that "M$" was funny [...] the same tit-for-tat flawed premise [...] Trading "$" for "S"oftware... it's meant to be ironic, not funny

      Thanks for validating the meaning contained in the sig. Not that I needed that, but thanks regardless.

    10. Re:Google, the new Microsoft by ajs · · Score: 1
      "Oh, no. I wasn't talking about Google, I was talking about Slashdot. You didn't really read my post, did you?"

      Yeah, I did. That's not what you said. It might well be what you meant, but I'm not a mind-reader, and when I ask a question, I generally do at least browse the context for my question first. Thanks for asking, though.

      "Thanks for validating the meaning contained in the sig."

      I'm not sure how you got that out of what I said, but my basic premise stands: check your logic against your desire to draw parallels, and you'll find that people listen to what you have to say.

      If you continue to (as you did in your post and your sig) attempt to draw equality between unequal sets, then... well, why bother?

      For example, if your sig read:
      "Microsloth"? That's hilarious. "Open sores" is funny, too. Oh, it isn't?
      then I and many others would agree. You instead specifically chose a term that isn't funny at all, but a rather dry irony ("M$"). Why? It hurts your entire point.

      Same deal with your post. You draw comparisons, but fail to enlighten your audience as to who the comparisons are drawn between and why.

      Ok, nuff said. If you still think I'm just sounding off, then ignore me and I'm sure we can go our separate ways without having to interact further.
    11. Re:Google, the new Microsoft by dedazo · · Score: 1

      Look, I don't like Microsoft any more than you, probably. But "M$" is about as childish, retarded and passe as anything anyone can come up with, including "open sores". It doesn't matter how much you try to rationalize it.

      --
      Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
  24. Not Google problem think microsoft.. by sardonic2 · · Score: 1

    If there is no Windows security stopping someone from seeing those files, they're public, aren't they?

    It's not spyware; it does what it is supposed to and Microsoft doesn't.

    1. Re:Not Google problem think microsoft.. by sridev · · Score: 1

      If Windows can't secure it, why should Google?

      That's a good argument, but then Google forces you to install the Desktop search tool from an administrative account - so that it can access all the files?

      I would recommend turning off the web cache search feature - and never install the Desktop on a public machine.

  25. Google Desktop seems useful. by kngthdn · · Score: 5, Insightful

    I just installed Google Desktop today, but so far I'm pretty impressed. Even though it's still indexing, I haven't noticed any difference in speed.

    Google Desktop isn't spyware, because it makes what it is doing clear before you install it. Of course it reads your files; that's how Google works. As long as my data doesn't go back to Google, I couldn't care less.

    And actually, if everyone could choose just some of our files to make available publicly, think how much more useful Google would be.

    Maybe that's their plan. Get everybody to index their disks, and then offer killer p2p on Google.com.

    Does anybody *else* think that would be awesome?

    1. Re:Google Desktop seems useful. by Darthmalt · · Score: 1

      You don't notice a change in speed 'cause it only indexes when your computer is idle. Course I wish there was an option to change that back and forth. It would be cool if you could put txts and docs into a special folder accessible to the outside world.

    2. Re:Google Desktop seems useful. by dasheiff · · Score: 1
      Maybe that's their plan. Get everybody to index their disks, and then offer killer p2p on Google.com.

      Does anybody *else* think that would be awesome?

      I just run apache, and ln -s something that I want on the web.

    3. Re:Google Desktop seems useful. by iammaxus · · Score: 1
      Maybe that's their plan. Get everybody to index their disks, and then offer killer p2p on Google.com.
      A year or so ago, I remember reading a comment on /. about Google suggesting that Google would become the next big player in p2p because p2p is really mostly about searching, and that's what google does. I really think you are on to something with this one.
    4. Re:Google Desktop seems useful. by Free_Trial_Thinking · · Score: 1
      I installed it yesterday and I like it, but it also feels kind of 'spooky' to me because every time I search, it shows me things on my computer I had no idea I had.

      Is there any way to make it read Thunderbird emails?

    5. Re:Google Desktop seems useful. by Richard_at_work · · Score: 1

      You won't notice any difference in speed, as it doesn't index while the system is being used (same deal as seti@home etc)

    6. Re:Google Desktop seems useful. by Anonymous Coward · · Score: 0

      This utility is useless.

      It indexes email - as long as you use Outlook.
      It indexes documents - as long as you use MS Office formats.
      It indexes webpages - as long as you use MSIE

      Since I use Firefox, Thunderbird and OpenOffice - this is fucking pointless.

    7. Re:Google Desktop seems useful. by Anonymous Coward · · Score: 0

      Unless (to make use of the new tool) you save your open office docs as .rtf or .doc....

    8. Re:Google Desktop seems useful. by Peyna · · Score: 3, Funny

      It would be cool if you could put txts and docs into a special folder accessible to the outside world.

      Gee, if only someone could make some kind of program that could make files on your computer accessible to the outside world.

      --
      What?
    9. Re:Google Desktop seems useful. by hacker · · Score: 1
      "Google Desktop isn't spyware, because it makes what it is doing clear before you install it. Of course it reads your files; that's how Google works. As long as my data doesn't go back to Google, I couldn't care less."

      Except that it DOES transmit some of that information back to Google (and partners).

      "Once the Google search technology is installed for free on a personal computer, it will transmit basic data daily about usage patterns. For example, it will tell the company how often Google is being used to search personal computers, how often it is used to search the Web, and how often simultaneous searches are done. Google lets users opt out of sending some usage data, but not all of it.

      However, Mayer said the data collected will be aggregated so that the company knows where to focus its efforts on upgrading the search technology. She emphasized that the daily up-loading will not transmit any personal information to Google and said it is typical for major software programs that offer voluntary upgrades and fixes for bugs to capture that sort of information as a matter of routine."

      http://www.washingtonpost.com/wp-dyn/articles/A32109-2004Oct14.html

    10. Re:Google Desktop seems useful. by Anonymous Coward · · Score: 0

      It would be more in-line with the MS OS if it opened port 80 and phoned home to google. Google would probably add a page ranking score tho.

    11. Re:Google Desktop seems useful. by dreamer98 · · Score: 1

      I like it because it's way better and much faster at searching for files than Microsoft's search functionality.

    12. Re:Google Desktop seems useful. by rbaf · · Score: 1
      That's enough for me not to use it. I don't care if personal info is not being sent. If I'm not given a choice about what can and cannot be sent, I don't want it.

      Besides, X1 has been doing this for years and it works much better than this new thingy from the company that doesn't invent, simply copies and improves. X1 is not free, but it beats this Google Desktop search on almost every aspect. Don't believe me? Try for yourself.

    13. Re:Google Desktop seems useful. by Darthmalt · · Score: 1

      yes I know there are plenty of p2p apps out there but I was thinking of something with google's weight behind it and where you don't have to worry about getting sued for downloading/sharing a file that has a similar filename as a movie produced within the last 1000 years

    14. Re:Google Desktop seems useful. by Anonymous Coward · · Score: 0

      dumbass, the link was to APACHE, A WEB SERVER. IMAGINE THAT, you can use a WEB SERVER to share your files on the INTERNET

    15. Re:Google Desktop seems useful. by multimed · · Score: 1
      Maybe I'm picking nits here but sometimes semantics matter:

      As long as my data doesn't go back to Google, I couldn't care less.

      Is not the same thing as

      Except that it DOES transmit some of that information back to Google (and partners).

      There's a huge difference between transmitting usage information of how the program is used and transmitting personal information and/or data files. Everything I've seen so far has said the software clearly states it will send the usage/debug info and you can disable this function. Both Mac OS X and Windows have a built-in function to submit debug info when programs crash. Are they spyware too?

      --
      Vote Quimby.
    16. Re:Google Desktop seems useful. by hacker · · Score: 2, Insightful

      Read it again. It transmits usage patterns, heuristics about the nature of your content, aggregated with the other information collected from other users of the tool, and so on... with the intended target of improving ad relevance as served to you, when you use Google. It caches (tracks) what you search for when using Google, and it also caches (tracks) what your own local files and content contain, as they pertain to the tool's functionality.

      It may not be sending your emails or files back to Google, but it is certainly sending back what types of data those files contain, and how often you use them, etc.

      That to me, is just as dangerous. It allows them to build a "profile" of how you use your computer, and how you use the Internet, and for what purposes, and what "kind" of data your computer is used to manage, search for, and transmit.

      The paranoid few might say that's a really short leap from having a government office (like the DHS) step right into place, and request this information, so they can see who is "most-likely" a threat, or a terrorist, or someone likely to become the next Malvo or McVeigh.

    17. Re:Google Desktop seems useful. by dn15 · · Score: 1
      yes I know there are plenty of p2p apps out there
      You do realize the parent to your post linked to Apache, which has nothing to do with P2P. Right? :) The point was all you have to do is run a web server and drop some files in it to get just what you wanted.
    18. Re:Google Desktop seems useful. by Anonymous Coward · · Score: 0

      There's a world outside?

  26. Sounds good to me by lukestuts · · Score: 2, Funny

    Now I can share all those important email attachments people keep sending me!

  27. Re:Security Breach? Really? by boomgopher · · Score: 1

    Yeah, on my two user XP Pro box, I was able to index and search the second user's files, but their account was not "protected" using a password, etc.

    One annoyance is that the second account cannot use Google desktop at all. It warns roughly "Only the user who installed this can use the Google Desktop", etc.


    --
    Your hybrid is not saving the environment. Its purpose is to make you feel good about buying something.
  28. Year of Google Controversy by ciroknight · · Score: 2, Insightful

    Seems like every step Google has taken to make searching more integrated into our life and software has been shot by the media saying it's "too intrusive", and this is on BETA software and BETA programs that Google are running.

    This says that either Google's far too ahead of its time, or that the media really needs to grow up. Google's policy is that their software does no evil, it's the user's responsibility to make sure that they are not evil with it. Besides, if someone wanted to write a trojan to scan all of a user's files and report back somewhere, it could be done a lot easier than hacking GDS.

    Face facts people; Google's here to stay, and they're here to help.

    --
    "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    1. Re:Year of Google Controversy by DogDude · · Score: 2, Insightful

      Well, "the media" hasn't attacked Google at all. The only person suggesting this ridiculousness is one writer for a relatively irrelevant PC rag on his blog. Anybody can post anything on the Net... that doesn't make them "media" any more than it makes what is written true. In fact, that's one difference between "the media" and average joe. Real journalists do fact checking and real analysis. This is some guy talking about what he found, and he happens to work for PC World (which I didn't even know still existed).

      --
      I don't respond to AC's.
  29. Re:Security Breach? Really? by Cassanova · · Score: 1
    "With default security on Windows XP, each user's cache is accessible to the other users."

    The problem as I see it is in the startlingly easy way google desktop search makes intrusion possible, sometimes even without the person searching intentionally looking into other user's data. Any keyword I type is an instantaneous hook into the world of the other user who used the pc before me. That is what I find scary.

    Agreed this is a non-issue inside a household where one or two people use a PC, yet the potential of this sends a slight tingle down my spine...

  30. Spyware by KaSkA101 · · Score: 1, Informative

    How the heck is this spyware? It's not like it sends it anywhere. That's what spyware does.

    1. Re:Spyware by geekoid · · Score: 1

      Sure it does. In this case it happens to send it to the user, who may or may not be on your system with your permission.

      When a Virus comes out that exploits this, then you're going to be screwed. Well, maybe not you, but you get my point.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Spyware by Anonymous Coward · · Score: 0

      Uh what's a virus going to do with google desktop search that it can't already do? Google desktop search is accessing the same files any virus could access.. i don't see your point at all.

    3. Re:Spyware by hkmwbz · · Score: 1

      How is this spyware if it requires a virus to pass on information? That's like saying that anything on your system is spyware, since a virus can pick it up and send it to someone.

      --
      Clever signature text goes here.
  31. Let's get this into perspective by G27+Radio · · Score: 1

    Maybe I'm mistaken here, but does this even allow you to search files that you wouldn't otherwise be able to access via Windows' built in search? If not then this whole google/spyware freak-out is just a bunch of bullshit and the people propagating it are idiots.

    1. Re:Let's get this into perspective by LO0G · · Score: 1

      From the article, it sure sounds like it does.

      Spyware may be too strong, security hole big enough to drive a truck through might be appropriate however.

      If you index the hard disk, you've got to honor the ACLs on the things you index.

    2. Re:Let's get this into perspective by PoiuyTerry · · Score: 1

      No it doesn't. You will only see the files you have access to when you installed GDS. If an administrator logged in to install it then the cached files would be in the 'xx\administrator' folder and therefore only be availble to administrators.

    3. Re:Let's get this into perspective by LiquidCoooled · · Score: 4, Insightful

      I agree 100% it should honor the ACLs, but I wonder if we could do anything else?

      We essentially have the google bot on our machines, would it be good to honor the standards the realbot uses?

      Would it pick up and honor my robots.txt file?

      Will we start seeing meta tags inside emails and word documents and stored pages to exclude from indexing?

      --
      liqbase :: faster than paper
    4. Re:Let's get this into perspective by aardvarkjoe · · Score: 0, Flamebait
      this whole google/spyware freak-out is just a bunch of bullshit and the people propagating it are idiots.
      The "people propagating it" includes michael. There shouldn't be any question that they're idiots.
      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  32. How can it tell it is running in Mozilla? by Saint+Stephen · · Score: 1, Interesting

    When the google service is running, surfing to www.google.com shows a Desktop choice. When it is not running it doesn't. This works in IE and Firefox -- but not Lynx.

    How can www.google.com tell the service is running on the local computer without using activex? I thought maybe it had some javascript that checked http://127.0.0.1:4whateverportituses, but I didn't see that. Must be that.

    If it can do that, it can upload data to google!

    1. Re:How can it tell it is running in Mozilla? by Andrea_from_Arg · · Score: 2, Insightful

      Better do some research before trolling. The Desktop engine has a service that monitors where you are browsing. When you access any of the Google sites (or any site that's on the Sites.txt, I assume), the EXE changes the HTML on-the-fly, inserting the results from your hard drive on the Google page. The same goes to the main page (that's why you see the Desktop Engine link).

      --
      :: Andrea ::
      Anime Wallpapers
    2. Re:How can it tell it is running in Mozilla? by Oh-es-eX · · Score: 0

      That must be correct, probably a javascript that can run a netstat sort of command. Can any java-developer comment whether this is possible? Clever thinking! How does APPLE's spotlight technology do this, anyone???

    3. Re:How can it tell it is running in Mozilla? by Anonymous Coward · · Score: 0

      how does that work? wouldn't that mean it has to edit the cache? and once my browser loads the page, it won't reload the changed cache unless i press reload

      and i know it's not running as a proxy

    4. Re:How can it tell it is running in Mozilla? by Anonymous Coward · · Score: 1, Insightful

      Google Desktop recognizes and intercepts the web page as it is read by IE and Firefox and changes the HTML.

    5. Re:How can it tell it is running in Mozilla? by Saint+Stephen · · Score: 1

      Does it work at the network level and look at the useragent? Or does it use a Browser Helper Object or an activeX? How can you do this in Mozilla?

    6. Re:How can it tell it is running in Mozilla? by Anonymous Coward · · Score: 0


      as per blogzilla

      we must all go to the Google Request page to suggest they support Mozilla.

      http://desktop.google.com/support/bin/request.py?type=features

      Support the Future,
      The Future is the Browser,
      Mozilla AND Firefox.

    7. Re:How can it tell it is running in Mozilla? by Andrea_from_Arg · · Score: 1

      No, the content is edited before it reaches the browser, or the cache. It's like comparing an ASP or PHP file with its HTML result. The browser sees only the final result

      --
      :: Andrea ::
      Anime Wallpapers
  33. Looking up for warez ? by GrAfFiT · · Score: 1

    Hey i got the bills for every single bit of my internet cache !

  34. Fizzbin! by Anonymous Coward · · Score: 0
    I think fizzbin pretty much sums Google's good/evil-ness up.

    ..except at night, and on Tuesdays, of course.

  35. Re:Security Breach? Really? by The+Bungi · · Score: 1
    With IE, I've never been able to figure out exactly where the cache is, much less how to kill it without trashing the OS. [...] it's so much easier to take care of it in Opera

    Tools, Internet Options, Delete Files, check "Delete all offline content". You can also clear auto-complete history for form user IDs and password stored in the isolated storage system.

    Your IE cache is stored under [rootDrive]:\Documents And Settings\\Local Settings\Temporary Internet Files, if you feel so inclined to look at them in some other way or delete them manually, which it must be said, has never "trashed the OS" in any way shape or form.

    That wasn't too hard, now was it.

  36. Re: Security Breach? Really? by Alwin+Henseler · · Score: 1
    ...there is no indication that protected files were actually read.

    That's still an information leak, and thus a security breach. If a user can see filenames of other user's files, or inspect URL's that other users typed in, then they accessed that other user's private data. Just knowing what files are accessed or what webpages were visited, can be as serious a security breach as any, depending on the context.

  37. Re:Security Breach? Really? by qodfathr · · Score: 1

    It runs under the account of the user who installed the program -- so, as has been said, if Google Desktop Search found something, the user already had access to the same data.

    Sadly, GDS doesn't seem to be able to install multiple web servers on different ports, so each individual log in can have their own index. The first userid to install GDS gets to use it, and no one else.

    --
    Yes, it's true. This man has no dick.
  38. A long way from spyware! by RealAlaskan · · Score: 4, Informative

    First of all, most Windows PCs are single-user.

    Second, this just lets any user find anything that he has read permission on. As usual, Windows default settings are suitable only for single-user machines.

    Third, it could only be ``spyware'' if it phoned home. Even the silly article didn't suggest that it does that.

    Just another sensationalist /. headline. Nothing to see here ....

    1. Re:A long way from spyware! by Oh-es-eX · · Score: 0

      Maybe this tool only needs a warning message to the install user. So at least it is clear for everybody that all user's information can now be googled, fair, not?

    2. Re:A long way from spyware! by RealAlaskan · · Score: 1
      Maybe this tool only needs a warning message to the install user.

      Or maybe a message to all users on the machine? Since it's not just the installing user's stuff that will be exposed by MS's idiotic security settings which assume that all machines are single user.

    3. Re:A long way from spyware! by ozric99 · · Score: 1
      Third, it could only be ``spyware'' if it phoned home.

      Interestingly (or not), when I attempted to install this on an XP box earlier this evening I was greeted with a "Yes/No" requester giving me the choice of carrying on with the installation and changing some IE settings or exiting the install. I wasn't sure what settings it wanted to change so clicked "No" and went to search for more information. Moments later a personal firewall alert popped up telling me the installation program wanted access outside of the LAN. Nothing to worry about, but I just add this info for completeness.

  39. Re:Security Breach? Really? by Waffle+Iron · · Score: 5, Informative
    The situation is somewhat similar with the Linux 'updatedb' and 'locate' built-in search facilities. On my box, by default, the scanner runs under the 'nobody' account. However, unless a user takes specific action to change it, their home directory is world-readable by default.

    The default file permissions seem to vary by the app that created them. My .mozilla and .kde directories are not world-readable, so the web caches would not get scanned. However, plenty of other files are world-readable by default, along with most documents I create.

    This general situation has been around for many years. If you do share a machine, it's probably just a good idea to learn about file permissions in general.

  40. get a grip by verbs_of_life · · Score: 1

    I'd go so far to say that if someone else is using your system (aka computer) it is neither safe or reliable in any sense of the word -- so on one hand it doesn't matter and on the other it doesn't matter. As to the product - I'm in love.

    1. Re:get a grip by geekoid · · Score: 1

      except now anybody using your system can easily find out this information, not just a skilled minority.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:get a grip by Anonymous Coward · · Score: 0

      Yes because it takes skill to go to start>search>files & folders, and then follow the instructions from the animated talking dog

      most n00bz i've talked to don't even understand what google desktop search is, they'll never know how to use it.. plus no one touches my pc anyway

  41. Other ironies by markomarko · · Score: 2, Interesting

    I never installed the google search tool since it warned that it would be installed as an Internet Explorer "helper application." Ahem, cough....IE...helper application...back to the drawing board google.

    1. Re:Other ironies by Anonymous Coward · · Score: 0

      Umm.. what? Maybe it's because you were running IE. but I downloaded it from Opera and it never said anything like that, it did say Opera had to be closed though... And I checked IE and there's no google activex controls or any helper objects..

  42. Re: Security Breach? Really? Dreaded "locate" by einhverfr · · Score: 5, Interesting

    That's still an information leak, and thus a security breach. If a user can see filenames of other user's files, or inspect URL's that other users typed in, then they accessed that other user's private data. Just knowing what files are accessed or what webpages were visited, can be as serious a security breach as any, depending on the context.

    If the files don't have appropriate permissions set, what expectation do you have of someone not being able to do this? This is why the question whether the files are protected is important.

    In UNIX, I could use "locate" to find out whether a co-worker has cookies from porn sites if the permissions are not set. And what about Windows' "Search for files containing the following text?"

    We have a total lack of information.....

    --

    LedgerSMB: Open source Accounting/ERP
  43. spyware? by Anonymous Coward · · Score: 0

    it makes me sad when people try to sensationalize stories to make them more exciting. No information is being sent back to a mothership (the usual definition of spyware) ...

  44. The same mistake was made in Unix! by Anthony+Liguori · · Score: 3, Insightful

    The locate command was designed to get around the terribly slow traversal of directories when looking for a particular filename. It suffered the same basic design flaw in that it did not take user permission into account. The slocate (s as in secure) was designed to get around this obvious flaw. I'm a tad surprised Google didn't see this one coming. Maybe they've been hiring a few too many PhDs and not enough folks with real experience :-)
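
The permission handling discussed in the locate/slocate comments above (39 and 44), as an added example that is not part of any comment and is not Google's or slocate's code: a content index is built with the indexer's own privileges, and every hit is re-checked against the querying user's permissions at search time. It assumes POSIX owner/group/other mode bits only (no ACLs) and checks directories only from the index root down; the `Identity` class, the function names and the sample files are constructed for illustration.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """Hypothetical stand-in for the user who issues a query."""
    uid: int
    gids: frozenset


def _allowed(st, ident, want):
    """Classic mode-bit check; want is a mask of 4 (read), 2 (write), 1 (search)."""
    if ident.uid == 0:                 # root bypasses mode bits
        return True
    if st.st_uid == ident.uid:
        bits = st.st_mode >> 6         # owner triplet
    elif st.st_gid in ident.gids:
        bits = st.st_mode >> 3         # group triplet
    else:
        bits = st.st_mode              # other triplet
    return (bits & want) == want


def can_read(path, root, ident):
    """Live check at query time: search permission on every directory from
    root down to the file, then read permission on the file itself."""
    try:
        current = root
        for part in os.path.relpath(path, root).split(os.sep):
            if not _allowed(os.stat(current), ident, 1):
                return False
            current = os.path.join(current, part)
        return _allowed(os.stat(current), ident, 4)
    except OSError:                    # deleted or unreachable: do not reveal it
        return False


def build_index(root):
    """Runs with the indexer's privileges and returns word -> set of paths."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    words = set(fh.read().lower().split())
            except OSError:
                continue
            for word in words:
                index.setdefault(word, set()).add(path)
    return index


def search_naive(index, word):
    """The flawed design: every indexed hit is shown to whoever asks."""
    return sorted(index.get(word.lower(), ()))


def search_checked(index, word, root, ident):
    """The hardened design: hits are filtered by the caller's current access."""
    return sorted(p for p in index.get(word.lower(), ())
                  if can_read(p, root, ident))


def make_demo_tree():
    """Constructed sample data: one private file, one file inside a private
    directory, and one world-readable file, all containing 'flowers'."""
    root = tempfile.mkdtemp(prefix="idx-demo-")
    os.chmod(root, 0o755)
    layout = [
        ("alice", 0o755, "mail.txt", 0o600, "flowers delivery receipt"),
        ("private", 0o700, "plan.txt", 0o644, "budget for flowers"),
        ("shared", 0o755, "notes.txt", 0o644, "order form for flowers"),
    ]
    for dname, dmode, fname, fmode, text in layout:
        dpath = os.path.join(root, dname)
        os.mkdir(dpath)
        fpath = os.path.join(dpath, fname)
        with open(fpath, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(fpath, fmode)
        os.chmod(dpath, dmode)
    st = os.stat(root)
    owner = Identity(st.st_uid, frozenset({st.st_gid}))
    other = Identity(st.st_uid + 1, frozenset({st.st_gid + 1}))
    return root, owner, other


if __name__ == "__main__":
    root, owner, other = make_demo_tree()
    try:
        index = build_index(root)
        print("naive, any user :", search_naive(index, "flowers"))
        print("checked, owner  :", search_checked(index, "flowers", root, owner))
        print("checked, other  :", search_checked(index, "flowers", root, other))
    finally:
        shutil.rmtree(root)
```

Because the check runs against the live filesystem, a file made private or deleted after indexing drops out of results even though its words are still in the index.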

  45. The Hole Hawg by ScarletEmerald · · Score: 1

    The Hole Hawg is dangerous because it does exactly what you tell it to

    The (supposed) problem in this case, though, is that the Google software will do things that it was not (explicitly) told to do, and that users might not expect it to do, or even realize it is doing.

    1. Re:The Hole Hawg by SpecBear · · Score: 1

      Read the quote to the end: "The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it."

      Joe User: "Hey Google Desktop, index and cache all the files on my machine."
      Google Desktop: "Ok"
      Jane User: [searches for "flowers"] "Joe, you bastard! Who the hell is WyldRoze69??!!"
      Joe User: "D'oh!"

  46. Re:Security Breach? Really? by The+Bungi · · Score: 1

    That's [rootDrive]:\Documents And Settings\[yourID]\Local Settings\Temporary Internet Files

  47. Luke, come to the dark side. by recharged95 · · Score: 2, Interesting
    "And google, now a public company, gives in to corporate America. They tried to redefine the business, but instead it refined them." It is now the corporation.

    Makes sense that you don't bite the hand that feeds ya.

    next...

  48. Microsoft Plant? by DanielMarkham · · Score: 2, Interesting

    This article looks like a plant from the Microsoft PR department. There really is not much of a story here.

    I know it has to be driving MS nuts that google is getting into the filesystem niche, especially with all the trouble they've had over the years with putting together a database-based filing system. I imagine if they keep on pushing the release out past Longhorn, google is going to overtake them.

  49. Where does the security problem really lie? by jelwell · · Score: 1, Insightful

    "[Google Desktop] indexes your files across all users on your PC, bypassing user protections. "

    If this is true, then the problem lies with your operating system not the application. How is it that Google Desktop was allowed to bypass user protections? Maybe because there are actually no protections at all?

    If you read the report the problem isn't that Google is bypassing protections, it's that some other application is caching the information - likely Internet Explorer or Firefox is setup to save web passwords. Google is just taking advantage of this knowledge.

    So where is the security violation? It was already on your PC, you just didn't realize it until Google Desktop came along. Good thing it did, or you wouldn't have realized it until someone loaded up Internet Explorer's password database and showed it to you.
    Joseph Elwell.

    1. Re:Where does the security problem really lie? by geekoid · · Score: 1

      way not to read the article dude!

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Where does the security problem really lie? by Anonymous Coward · · Score: 0

      Hmm... it could be that unless you're using a Domain Controller or policies correctly, that you probably haven't set this up correctly, if at all, on your home computer (if you're a MCSE-type, please forgive me. It shouldn't include you...).

      Maybe it *IS* checking ACLs, and not finding any restrictions!

  50. Not spyware by Guspaz · · Score: 5, Insightful

    Does it install itself onto your PC without your permission? No.

    Does it gather personal information and send it to Google? No.

    Does it run secretly in the background, with no way to remove it save an anti-spyware tool? No.

    Does it allow you to access anything you couldn't access without it? No.

    How is this spyware again? Or even a security threat? As another poster pointed out, this tool doesn't access anything you couldn't access through Explorer.

    What's this, is Slashdot helping to spread FUD?!? Say it ain't so!

    1. Re:Not spyware by Infinityis · · Score: 0

      Well, technically, most anything Google does can be considered a security threat. Google brings together people and information. Information = power. Power can be abused, and this abuse of power can lead to security threats.

      However, it should be noted that Google isn't biased in favor of malicious users. For every malicious use of Google and or their tools, there are hundreds of good ones.

      My opinion: Google does for information what cars did to people.

      Cars got us going where we wanted faster than ever before. Google gets information where it's requested faster than ever before.

      Cars have been used for malicious purposes (drive-by shootings, running people over, robbery getaway cars, etc.) However, their overall usefulness outweighs the minority negative applications. I believe the same can be said of Google.

    2. Re:Not spyware by Peyna · · Score: 1

      My opinion: Google does for information what cars did to people.

      Cars got us going where we wanted faster than ever before. Google gets information where it's requested faster than ever before


      Google is more like a car that gets you to the most popular destination with the same name of the place you're looking for, it's not always where you want to be, and you can't trust what's behind the front door.

      --
      What?
  51. You all are too funny... by INetEngineer · · Score: 2, Insightful

    I think it's funny that the people complaining about Spyware use SlashDot which often serves DoubleClick ads. And the author who links to PCWorld which has a few DoubleClick and Avenue A, Inc. ads. The DoubleClick threat as defined by SpyBot reads, "Use information about your web surfing... that could include any information, like accounts and passwords." The threat for Avenue A, Inc. reads "They say they no longer do tracking."

    --
    --I smoked my sig.
  52. the future of google by kloidster · · Score: 1

    Let's see: 1) monopoly 2) bugs are features 3) global sprawl 4) two billionaires in charge Hmmm....I wonder where this is heading?

    1. Re:the future of google by AllNicksWereTaken · · Score: 0

      Let's see...

      1) monopoly?
      Nope. It's not their fault they give awesome services and the alternatives suck ass.

      2) Bugs are features?
      Nope. Google Desktop Tool does not bypass user restrictions... perhaps there are no restrictions at all?

      3) global sprawl?
      Don't really care, as long as they keep offering a great service.

      4) two billionaires in charge:
      Good for them.. They're making money with unobstrusive advertising. Sounds good to me.

    2. Re:the future of google by kloidster · · Score: 0, Troll

      5) zealous users who do not realize how dependent they are now and in the future

    3. Re:the future of google by cpghost · · Score: 1

      Nothing that Google offers is really unique or irreplaceable. If they started to behave badly, alternatives would be more than happy to take their place. Google is currently very dependent on the goodwill of us users. They are actually everybody's darling, because they offer the best possible service net-wide. Should this change in the future, users could quickly switch to greener pastures.

      --
      cpghost at Cordula's Web.
  53. One (important) question ? by noselasd · · Score: 1

    Now, if I install this as a non-administrator, I take it that it
    runs as non-administrator? Or does it install itself as a service
    running with administrator privileges...
    Bottom line is, can a program running as a normal user somehow access
    files of other users?

    1. Re:One (important) question ? by Oh-es-eX · · Score: 0

      You also have a right called everyone or others, if this right is default for a lot of files all users create on the same computer, you don't need admin rights. You are always one of others or everyone.

  54. process by natas802 · · Score: 1

    the google desktop process runs with user privileges not system, for those wondering. i think this article should DEFINITELY be renamed because it doesn't even come CLOSE to being spyware.

  55. FOUR processes by hey · · Score: 4, Interesting

    It runs as *four* processes on my box:

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe

    Seems like more than enough.
    I am finished indexing.

    1. Re:FOUR processes by Anonymous Coward · · Score: 0

      Oh nos! 4 PROCESSES?!?

      I only have 2mb of RAM.. I'm going to have to buy 2mb more! That'll cost a ton!

      Maybe you should get a new PC, I don't think Google Desktop Search is meant to run on a 286 anyway.

    2. Re:FOUR processes by Peyna · · Score: 1

      I am finished indexing.
      It continually indexes as you add more files, it's just the first run through that takes a while. Otherwise it's useless.

      Anyway, it might have 4 processes, but it only uses about 2-4 MB of memory. The Windows Update control uses more than that.

      --
      What?
    3. Re:FOUR processes by Jugalator · · Score: 1

      Seems like more than enough.
      I am finished indexing.


      Huh?? What a strange conclusion...
      The reason to stop being more exactly...?

      --
      Beware: In C++, your friends can see your privates!
    4. Re:FOUR processes by Anonymous Coward · · Score: 0

      Huh?? What a strange conclusion...
      The reason to stop being more exactly...?


      Ok...I'll take a stab at this one:

      [Four processes] Seems like more than enough.
      [After waiting for an eternity, the initial indexing has completed, hence, ] I am finished indexing. [Let's try it out!]

    5. Re:FOUR processes by Anonymous Coward · · Score: 1, Funny

      "Four processes should be enough for anyone."

    6. Re:FOUR processes by Anonymous Coward · · Score: 0

      The Crawl is probably the filesystem monitor, which filters OS events and sends indexing requests/directives to Index, which are then queried by Desktop.

      I bet "OE" is a hook for Outlook Express as OE's method of storing e-mails on the filesystem is NOT plaintext, so you may need to either intercept e-mails going in/out OR use a Microsoft API for querying the OE mailstore.

      In any case, using many separate processes...isn't that the *nix way? You tell me how many lines you see next time you type "ps ax | grep apache".

  56. Stupidity risk by Eminor · · Score: 1

    I can see how this could be useful if I owned a windows machine. I want to find a file regardless of which user put it there. (on Linux I just use a find or locate as root)

    The fact that it bypasses user protections speaks more about the security of Windows than the product itself. While only a privileged user should be able to do system wide searches, only a privileged user should be able to install the software. If you let users run as root, then it's your own damn fault if someone installs it.

  57. Who wrote this summary, Fox News? by Sleepy · · Score: 5, Insightful

    Users of the Google Desktop Search software beware -- it indexes your files across all users on your PC, bypassing user protections.

    This is just too misleading to be accidental. Talk about bias.

    So dioscaido, you are suggesting Google defeats NTFS users/groups directory permissions and encryption?

    No?

    Oh.

    Yeah, that's what I thought. Completely irresponsible journalism at work folks.

    Basically this utility works NO DIFFERENT than "Start-->Search-->Search IN files", except that noobs don't know how to use Search properly, and Google search is "prettier". Oh, and MS's brain dead Search can't peek inside compressed files. Whoopie-do.

    If I were more cynical, I'd chalk this fear-mongering up to someone with a lot of Yahoo stock, or someone afraid their wife/husband will find email evidence of an extra-marital affair. By default in Windows, ALL USERS CAN READ EACH OTHER'S FILES.

    Nothing to see here, move along..

    DISCLAIMER: I own no Google or Yahoo stock.

    1. Re:Who wrote this summary, Fox News? by Anonymous Coward · · Score: 0

      Yes, they wrote it. Now go back and enjoy CNN while they're still around.

  58. Privacy Concerns by cb8100 · · Score: 1

    "I was able to...view personal messages sent and received on public PCs."

    There should be no expectation of privacy when using a public PC.

    --
    My lack of God, it's Trotsky!
  59. Uh, What About File Permissions? by John_Booty · · Score: 0, Redundant

    When you run GDS, it runs under your Windows login's security context.

    Therefore, it only indexes the files that you have permission to see. The article describes a scenario where a user installs GDS and reads pages out of the browser's cache that were left there by other people who used the same Windows login.

    Of course those files are visible to GDS. They could have also been retrieved by simply browsing through the cached files normally or using Windows' crappy built-in search tool.

    Conclusion: DUH. Nothing to see here, move along people...

    --

    OtakuBooty.com: Smart, funny, sexy nerds.
    1. Re:Uh, What About File Permissions? by Crizp · · Score: 1

      What about this scenario, something I'd like to know before installing this:

      I run the GDS as an Admin, but some of my directories/files are set to RW for my user only, any other local user account (also admin due to some lousily written apps etc, you know) has NO ACCESS to the files. I've tested, the other users can NOT see these files.

      As far as I've understood, if I let the GDS index my files (when I run it with my user), it creates a _copy_ in a directory accessible to all users. Is this correct, and (it seems so) would the other local users be able to read these?

    2. Re:Uh, What About File Permissions? by John_Booty · · Score: 1

      As far as I've understood, if I let the GDS index my files (when I run it with my user), it creates a _copy_ in a directory accessible to all users. Is this correct, and (it seems so) would the other local users be able to read these?

      The GDS index is stored in a subfolder of your personal Application Data subfolder. Unless your file permissions are really screwed up, no other non-admin users should be able to access this directory. And it sounds like your file permissions are fine. :P

      --

      OtakuBooty.com: Smart, funny, sexy nerds.
    3. Re:Uh, What About File Permissions? by Crizp · · Score: 1

      Ah, if it's located there it's okay, of course my userdir is well protected :)

  60. Re:Security Breach? Really? by Electrum · · Score: 1

    Your IE cache is stored under ..., if you feel so inclined to look at them in some other way or delete them manually

    You should NOT delete the cache manually. The proper way to do it is through IE or using the DeleteUrlCacheEntry function.

  61. PC WORLD by inKubus · · Score: 4, Insightful

    PC World has long been a Microsoft yellow journalism rag. It's just Microsoft Corp.'s Department of Monopoly Security at work.

    Really, the Google tool is simply very powerful and is merely exposing the low default security in Windows profiles to the masses--but it's nothing me and the parent haven't known for 4 or 5 years now..........

    Nothing to see here.

    --
    Cool! Amazing Toys.
    1. Re:PC WORLD by BrokenHalo · · Score: 4, Informative
      PC World has long been a Microsoft yellow journalism rag. It's just Microsoft Corp.'s Department of Monopoly Security at work.

      Then why do they distribute Linux install disks attached to the cover from time to time?

    2. Re:PC WORLD by Breakfast+Pants · · Score: 1

      So that people like you don't catch on to them.

      --

      WHO ATE MY BREAKFAST PANTS?
    3. Re:PC WORLD by msoya · · Score: 1

      Isn't PC World the store, and Personal Computer World the mag with linux coverdisks?

    4. Re:PC WORLD by matthewn · · Score: 1
      PC World has long been a Microsoft yellow journalism rag. It's just Microsoft Corp.'s Department of Monopoly Security at work.
      As the in-house Linux columnist for PC World, I can tell you that I'm not employed just to be a token alternative view. The publication I work for views Microsoft with a skeptical eye when appropriate. We are not a Microsoft shill. And I have come to discover over the years that the geeks who immediately dismiss us as such typically do not read our magazine, because we're not geared toward geeks -- we're geared toward folks who need more help with technology than geeks do. So we may not be your magazine. But we work hard to be impartial. We are not bought and paid for by Uncle Bill, and anyone who says we are is not paying attention to our coverage, either in print or online.
    5. Re:PC WORLD by inKubus · · Score: 1

      Hey, I'm just saying what they want to hear. It's not your fault the magazine has to cater to the masses, the majority of which (including me) are Windows users. I'm glad you're the Linux columnist, and I hope you make a lot of money doing what you do. That said:

      The author of the article in question did not research the problem enough to point out the simple fact that it's the Microsoft default user settings that are the problem, NOT the tool itself (something that would be obvious to any slightly educated user of Microsoft Windows).

      Microsoft has been relying on hidden folders and stuff to protect sensitive information for too long and frankly Google Desktop should not be blamed for their problems. The article makes NO mention of this fact. The article was written by someone who does not know what they are talking about, and was written just for the money, not for any reason of journalistic integrity.

      I imagine a typical day at the PC World Internet News desk to go something like this: The editor AIM's (or more likely, MSN Messengers) everyone about the newest headlines. There's probably a number of departments or columnists, like the security columnist, for instance. So he (security) goes out and says, "What story are a lot of people going to click on and read today?" or (less likely), "What security flaw am I going to inform my poor, unknowledgeable users with today so they can compute more safely?"

      Boom, he sees a little blurb out on the wire about the new, highly-touted Google Desktop search. It was probably a security advisory, low-priority, which says something like, "Users should know that you can look at other people's profiles due to default Microsoft Windows security policies. The files you believe to be private can often be viewed by other users on the same computer if you haven't encrypted them. The Google Desktop Search (like the Microsoft FIND feature built into Windows) searches all folders on the computer. This makes it a tiny tiny bit easier for another user to look at your files, if they didn't already know what they were doing at all."

      Again, one of the two mindsets of the journalist comes into play: A: "Ooh, this thing is going to get a lot of hits because people love Google and I can say there's something WRONG with their product." or B: "My users should know that there's a flaw in Google. I don't really understand this security advisory, but it looks like people might be at some risk, or something, and I can let them know. Plus the boss will like it because I'll get a few more hits today." and C: "Oh my GOD, I JUST INSTALLED THIS AT HOME AND MY WIFE IS PROBABLY READING EMAILS FROM MY OTHER WIFE" (I could have left that out, but...)

      So the security columnist drafts his column. But because he doesn't really understand the problem, he says that Google Desktop has a flaw in it that allows them to view other people's files.

      You state yourself that you gear your magazine towards people who need more help than a geek would on the computer. Yet the stories you publish are NOT FACTUAL. This author could have VERY EASILY explained that when you use Windows, your Outlook profile and folders, your desktop, your Temp Internet Files are all stored in World Readable folders and then have a simple step by step to fix the problem. If you are in business to HELP, why are you NOT HELPING? "We're here to inform" but you're leaving out a lot of important information. I feel sorry for the poor people who buy your magazine and depend on it as the truth.

      I see a tool such as Google Desktop as making a person's computer as easy to browse as the Google internet site. Something more familiar.

      The only thing your magazine's article did was to scare the users who don't know anything into NOT using Google Desktop even though it will improve their knowledge and control of the computer without additional learning. It was a USELESS WASTE OF TIME for anyone that read it!

      YET SOMEONE WAS PAID TO WRITE IT and your advertisers PAID FOR US TO READ IT!

      --
      Cool! Amazing Toys.
    6. Re:PC WORLD by inKubus · · Score: 1

      I'm sorry, I shouldn't have gone off like that. It just makes me angry sometimes. Isn't America stupid enough already without the media furthering the ignorance? Please help us out, help America out, make us stronger by really working hard to give us the truth. I know that there's not much time to keep up with everything but maybe everyone should just slow down and stick to integrity. I can only wish.

      --
      Cool! Amazing Toys.
  62. It may not be spyware by grahamsz · · Score: 1

    but, consider that spyware can now ask your google desktop for all sorts of useful information.

    Spyware can now be much more efficient since it can query google desktop to find out what your interests are, who you are friends with etc....

  63. Re:Security Breach? Really? by Anonymous Coward · · Score: 0

    Yea, it's pretty easy to read other users' files when you're a numbnuts and allow everyone to have admin rights by default. Puhlease...nothing new to see here you couldn't do beforehand.

  64. False! by Anonymous Coward · · Score: 4, Informative

    Read the article more carefully. As far as I can tell what's actually happening is that Google Desktop Search makes copies of users' protected files into an unprotected folder that may be accessed by all users. As the author says:

    "I was not able to access the query results directly, but Google Desktop Search stores cached versions of search results found on your desktop, just like it does for its Web searches. The cached versions of the pages could be viewed."

    1. Re:False! by Anonymous Coward · · Score: 1, Informative

      How's it going to make copies of files if they're protected from access? If it can they're not protected.

    2. Re:False! by Anonymous Coward · · Score: 3, Informative

      They're protected by access from other users, but not from the user who is currently logged in. These files will be cached and available to other users who wouldn't otherwise be able to look at other users' files. That's the point.

    3. Re:False! by Anonymous Coward · · Score: 3, Informative

      I think the reporter is making some confusion...
      He talks about a public computer (in a booth in some expo). Various visitors used that computer to access their web accounts (using probably the same windows user on that demo machine).
      The result pages were stored in the IE cache.
      The reporter (using the same windows user) accessed the cache, not the live page at mail.yahoo.com, bypassing _Yahoo_'s and _Hotmail_'s passwords. (Evidently the webmail users didn't check the "public computer" button in the login page...)
      But, as usual, reporters don't know what they're talking about and seldom use a correct terminology...

    4. Re:False! by Martin+Blank · · Score: 4, Informative

      It's stored in %USERPROFILE%\Local Settings\Application Data\Google\Google Desktop Search. If I lock off my profile to other users (if they existed), then they wouldn't be able to read the files that exist therein, including the Google cache.

      --
      You can never go home again... but I guess you can shop there.
    5. Re:False! by Anonymous Coward · · Score: 0

      You're the one who's confused. It's indexing the entire hard drive across user accounts and allowing User X to search User Y's files including his e-mail. If you live in a household with a shared computer you can now read your roommate's/brother's/mom's e-mail.

    6. Re:False! by devilspgd · · Score: 1

      Please try to avoid introducing facts or logic into this discussion.

      --
      Give a man a fish, he'll eat for a day, but teach a man to phish...
  65. This IS a security issue... by Televari · · Score: 0, Troll

    ... To believe otherwise is naive. I think the article's fear is right on. The idea that every file on my computer is indexed along with web pages, email, etc, means that there is one less barrier between my personal content and hackers, not to mention intellectual property theft. How can you honestly not see how dangerous this is? This may be fine for people who have machines filled with data they don't care about, but what about authors, musicians, programmers? Though I like and use Google's internet search engine, I don't see the necessity moving that to my personal desktop. That's what the file system is for. This type of 'marginal-improvement' feature is the kind of thing that caused the growth and burst of the dot-com bubble, and will continue to plague IT unless we approach such things with more skepticism. When it all comes down to it, if you don't know how to find files, email, and documents on your own machine with the current tools available, you need some serious help with organization. If your excuse is that 'your file-system is too big' then you probably have so much data that anyone who finds a way in will know their hard-earned work was worthwhile.

    1. Re:This IS a security issue... by Anonymous Coward · · Score: 0

      "When it all comes down to it, if you don't know how to find files, email, and documents on your own machine with the current tools available, you need some serious help with organization."

      That is such bs, I'd imagine people were saying the same thing when search engines started to arrive on the internet. "If you have to use a search engine to find web pages, you don't know how to use the internet!"

      The fact is, most people don't know where their email resides on their computer, and I have a hard enough time determining which folder under "My Documents and Settings" an application has decided to store files, is it in "Application Data", or how about "Local Settings/Application Data", or is it in etc....

    2. Re:This IS a security issue... by Jugalator · · Score: 1

      The idea that every file on my computer is indexed along with web pages, email, etc, means that there is one less barrier between my personal content and hackers, not to mention intellectual property theft.

      Was there a barrier in place in the first place? No, not if you use Windows, at least, since, well... GDS can do it. If it can do this, anything on your computer can do this. Then there isn't a barrier, except for an imaginary barrier put up by you since no currently installed software on the system does it, although nothing says a user with an account on the computer can do the same thing by installing some software.

      This may be fine for people who have machines filled with data they don't care about, but what about authors, musicians, programmers?

      First, this only applies to computers where multiple users are using it, for example in a family, or at work. It doesn't let random users access your data. They'd need an account on the machine first and accounts are to be password protected. Assuming all this is true, you're storing sensitive data on a public terminal with all the scary things that implies.

      Even if GDS was modified to no longer do this, the lack of security in Windows would let any guy on the public terminal bring a CD with him with the appropriate tools and do the exact same thing. If you want to see this problem solved, it must be solved by Microsoft, otherwise you'll just fix it with one specific application! And as long as it isn't fixed, I'll just assume this is how Windows is intended to work. I believe that's really the case, since GDS doesn't even try to work around anything. It doesn't use any unpatched exploits.

      When it all comes down to it, if you don't know how to find files, email, and documents on your own machine with the current tools available, you need some serious help with organization.

      I think you misunderstand the purpose of GDS. I'll try to explain with an example.

      To access your music somewhere inside a folder hierarchy because you've ordered things properly to find files using the file system easily, you now need to navigate through this hierarchy to get to it. With GDS, you can skip the navigation part. GDS is equally useful for both organized users and those who aren't, so having a reason to use it is unrelated to having a problem with organization.

      Next you mention using current search tools, and these of course work, but do they find what you want in less than 0.1 seconds? If they do, well, congrats, you've found a competitor to GDS. :-)

      --
      Beware: In C++, your friends can see your privates!
    3. Re:This IS a security issue... by Anonymous Coward · · Score: 0

      If you spent 1/2 the time you used on your post, researching this subject, you'd realize all your facts are wrong and your opinions also run contrary to the facts.

      This SEARCH works JUST like Microsoft's Search. Stop fear-mongering.

      In fact.. you have to CHOOSE to install Google Search. Did Microsoft ASK YOU when they put that Search icon under Start?? Nope.

      Go away, moron.

  66. This isn't FUD, this is a problem by Anonymous Coward · · Score: 1, Insightful

    Sorry, but indexing everything in "Documents and Settings" regardless of which user is running the program is a security issue ... especially for your typical family situation where mom and dad may have files they don't necessarily want junior to see. Or, for that matter, in an office environment with roaming profiles off.

    And I don't buy the excuse of all the Google apologists who say "it's your own fault for not securing your Windows config correctly." Sorry, but there is no way to "secure" Windows while still allowing all users on a machine to install programs, which is a user requirement even in many corporate environments I've seen. (Pointy-headed boss won't tolerate having to get IT guy to come over to install something every time a new version of RealPlayer comes out.) So the reality is that in many situations, all users on a machine are running in Power User or Administrator mode, and they have access to everything on the hard drive.

    And there is a big difference between browsing random Documents and Settings directories looking at someone else's files (that's called snooping, and it requires at least some technical skill) and inadvertently pulling up someone's private files every time you Google something.

    Blame Microsoft for having an unsecure OS. Blame sysadmins or home users for their less-than-paranoid security practices.

    But blame Google too. Shipping a piece of software whose default configuration is to completely ignore individual users' privacy (stuff in my Documents folder is mine, stuff in Joe's Documents folder is his) is bad.

  67. Google's Trouble with XP Multi-User by Anonymous Coward · · Score: 1, Interesting

    Google has a history of trouble getting their software designed to work well with multi-user Windows XP installations. Their Picasa photo software can only run as the Admin. user. Now their Desktop search software only works for the first user that installs it. Sad...

    So why can't Google get it right?

    1. Re:Google's Trouble with XP Multi-User by Anonymous Coward · · Score: 0

      So why can't Google get it right?

      Maybe because the plain fact is that they're still a web service company, not a desktop applications company?

      Perhaps they'll buy a copy of MSDN eventually or something.

  68. how is this spyware? by drew · · Score: 4, Insightful

    while i can understand why some people might be leery of the security implications here, how in the world does this qualify as spyware? it doesn't pop up annoying ads, it doesn't send my data to some secret gathering place, it doesn't report any of my habits to any other person (unless they also have physical access to my computer and can search for that information)

    oh yeah, got ahead of myself. spyware is the new virus. it's just a word one person uses to scare another person when neither one really knows what they are talking about. nothing to see, move along...

    --
    If I don't put anything here, will anyone recognize me anymore?
    1. Re:how is this spyware? by Deviate_X · · Score: 1

      Whenever a user logs on their searchable data is indexed and _copied_ into a single google cache/database which it then makes available to all users.

      This makes it trivial for any user of that machine to read/spy on your email, documents, and web pages that you've visited.

      It's quite simple really.

    2. Re:how is this spyware? by Jugalator · · Score: 1

      Whenever a user logs on their searchable data is indexed and _copied_ into a single google cache/database which it then makes available to all users.

      No, the cache is located in each user's profile folder, not at a single folder.

      --
      Beware: In C++, your friends can see your privates!
    3. Re:how is this spyware? by Deviate_X · · Score: 1

      It doesn't matter how you want to spin, you still end with someone else reading your mail.

    4. Re:how is this spyware? by drew · · Score: 2, Insightful

      only if they would have had access to read it already anyway. if windows didn't make a users data, documents, and web caches world readable by default this wouldn't be an issue.

      anything google desktop search 'enables' somebody to find, they would have been able to find anyway without it. it just would have taken longer (and may have required a little more knowledge about what you were looking for).

      --
      If I don't put anything here, will anyone recognize me anymore?
  69. Re:Security Breach? Really? by Anonymous Coward · · Score: 0

    And a proper umask wouldn't hurt either.

  70. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  71. Re:Security Breach? Really? by Anonymous Coward · · Score: 0

    Slashdot's suffering from an awful lot of spin these days. Is it just me, or is article quality degrading?

  72. Mandatory Simpsons quote by Frigid+Monkey · · Score: 1

    Homer: Now, talks into mouse Computer, kill Flanders.

    Flanders: Did I hear my name? My ears are burning.

    Homer to computer: Good start. Now finish the job.

    Flanders: Catch you later computator!

    If only computers were that good at doing what you tell them to...sigh...

    --
    "It's all just meme meme around here"
  73. Re:Security Breach? Really? by ip_fired · · Score: 5, Insightful

    The problem as I see it is in the startlingly easy way google desktop search makes intrusion possible, sometimes even without the person searching intentionally looking into other user's data. Any keyword I type is an instantaneous hook into the world of the other user who used the pc before me. That is what I find scary.

    But that's just it. It's a SEARCH tool. It's supposed to find things that you don't know about. If it didn't, it wouldn't be a very good search tool. This should not be installed on public computers. And, if you personally are concerned about it, there are products out there that will store all that sensitive information (browser history, email files) on a USB drive that you plug into the public computer before use.

    As it is, I don't know how useful it will be to the average /. user. It only indexes files in your Documents directory, it only indexes a handful of files (.doc, .xls, .txt, .html files for example). It has SEVERAL limitations that are annoying. For example: I want it to index my java source code and javadocs for the project I'm working on. However, it refuses to index them.

    Also, it doesn't index my Firefox cache or history, nor does it index my Thunderbird mail files.

    In other words, nice try Google, but it's not useful to me (yet).

    --
    Don't count your messages before they ACK.
  74. Slanted article by AbyssLeaper · · Score: 5, Informative

    I read this article a couple of hours ago, so I did what any self-respecting geek would do: I tried to see if the reporter/bloghead was full of shit or not. If you don't want to read any further, he is.

    He used a public machine, presumably using a single logon. The software functioned as expected. It cached, separate from your IE cache, all traffic it was designed to cache. He then was able to search the data that anyone left on the machine. I contend that any douchebag that is dumb enough to send sensitive data from a public terminal deserves whatever they get, ignorant or not.

    The desktop search stores data in the c:\documents and settings\username\Local Settings\Application Data\Google\Google Desktop Search directory. On any PC that is relatively private, the average user isn't going to be able to search anyone else's data without a little bit of work. I had to actually copy the cache files from another user's profile to my PC in order to read the files. If I were sharing a PC, I'd have to have elevated rights and access to the other user's profile in order to see anything of value.

    As far as I'm concerned, the reporter that wrote the article doesn't know squat. There's no story here. Well, there is. He should have written about the dangers of using a public terminal to send personal and/or sensitive data.

    --
    It's 11PM, do you know where your pants are?
    1. Re:Slanted article by LiquidCoooled · · Score: 2, Interesting

      It is not the location of the Search cache that is the problem, it is that the search itself caches folders belonging to other users which most people expect to be private (My documents/ local settings mail folders etc).

      I believe this is a problem for users with either Fat32 User partitions (no inbuilt access rights), or the user running the search is an administrator.

      When reading the help for this desktop search, it includes a method for blocking certain folders on your file system, and one specific one it mentions as an example is

      "C:\Documents and Settings\private"

      They knew of this issue before it even started, so how they let it ship without defaulting the search to local users' folders only I don't know.

      I have other security concerns with this tool, but if they can be ironed out, I believe having google on my desktop will still be a "good thing". I was a little freaked out seeing my local files and folders listed essentially in a google window. Yet another shift - like seeing gmail for the 1st time.

      --
      liqbase :: faster than paper
    2. Re:Slanted article by LiquidCoooled · · Score: 1

      Very slight factual error (I just reinstalled it to check).

      The folder they suggest to hide is actually:

      c:\Documents and Settings\username\Private

      --
      liqbase :: faster than paper
    3. Re:Slanted article by Anonymous Coward · · Score: 0
      "I contend that any douchebag that is dumb enough to send sensitive data from a public terminal deserves whatever they get, ignorant or not."

      With your arrogance, I hope you never, ever make it into a managerial position or have influence over public policy at any level.

    4. Re:Slanted article by gcaseye6677 · · Score: 1

      The story here is that somebody had a deadline to meet and needed a scary sounding story to impress his boss. This hardly qualifies as "spyware". When I read the headline and the first couple of sentences, it sounded like the application put users' files out on the internet for the world to see, but of course it does no such thing. This is the technical equivalent of the National Enquirer and what little respect I had for pcworld is gone since they allowed this rubbish to be published.

    5. Re:Slanted article by Anonymous Coward · · Score: 0

      If you're implying that the original poster's sentiment was in any way wrong, I hope the same of you.

    6. Re:Slanted article by Anonymous Coward · · Score: 0

      You're stupid. If it's on FAT32 it's world-accessible anyway. Dipshit.

  75. Thoughts by kc0re · · Score: 1

    i actually think it's kinda cool, I found stuff on my computer i haven't found in years!

  76. Re:Security Breach? Really? by LO0G · · Score: 1

    But it's not supposed to let you see files you don't have access to. And apparently that's what the reporter found - they couldn't access the files directly, but they WERE able to access them through the google cache.

  77. Re:Security Breach? Really? by vondo · · Score: 2, Informative
    Nope, locate, or at least the version I have (slocate), doesn't return the names of files you don't have access to. The db may be out there and readable, but if I type "locate messages" as a normal user, I don't get /var/log/messages since I can't read it.

    The other thing is that locate doesn't let you search within files. Normally, the name of a file is not that important, what is inside is. There are exceptions, of course.

  78. WTF by mixy1plik · · Score: 1
    Someone should be fired (Michael?) for posting this. This is one of the most misleading stories posted on /. in a while.

    Is Karl Rove now approving submissions?

  79. Troll Troll Troll by mekkab · · Score: 0, Troll

    This is by far the best Troll I have ever seen.
    In fact, it is the meta-troll; the troll from which all other trolls spring from.

    This particular troll managed to get the troll posted as an article. And all replies are baited.

    My hats off to you, good sir!

    --
    In the future, I would want to not be isolated from my friends in the Space Station.
  80. users="people" NOT "computer accounts" by spideyct · · Score: 1

    Neither the post nor the article say anything about the Google tool being able to read files created by other "accounts" on the computer (it may be able to, but that is not what this article is about).

    It is talking about multiple users/people using the same computer, under the same login account (it is a computer at a tradeshow booth), to access their web-based email. Of course Google doesn't integrate with Hotmail/Yahoo/etc to check credentials of who is searching.

    This story might be interesting if the tool allows you to read files on a computer created by a different password-protected computer account. For example, I cannot read the files in someone else's My Documents folder on my computer (assuming I am not an Admin). If the Google Desktop Search allows this (by running with elevated privileges), there may be a valid concern.

  81. The Irony - "stuffit" or zip by crucini · · Score: 3, Insightful
    I've long enjoyed this essay. I find some irony in the linked version, which gives us a teaser paragraph and then:
    Download the rest of the article here. Mac stuffit or PC Zip

    Considering that the essay is largely about the superiority of Unix, and the blindness of the prevailing PC/Mac culture to the existence of Unix, the PC/Mac dichotomy presented here seems oddly appropriate.

    Of course this notion of "downloading" a compressed version is dumb. Harper Collins just needs to add mod_gz to their web server, so they can transparently compress for most modern browsers.
    1. Re:The Irony - "stuffit" or zip by Blakey+Rat · · Score: 1

      Especially stupid since both OS X 10.3 and Windows XP support .zip natively and StuffIt is equally available on both platforms.

      I mean, I have no problem with them giving the user an option of which format they want, but to imply that StuffIt *only* runs on MacOS or that .zip *only* applies to Windows... that's just stupid. Either that, or their webmaster is stuck in 1998 where that distinction might make sense...

    2. Re:The Irony - "stuffit" or zip by cpghost · · Score: 1

      zip and stuffit are available on Unix too...

      --
      cpghost at Cordula's Web.
  82. Another Google Desktop Warning by otisg · · Score: 1, Informative

    Although it lets you set what to index and what not to index, the indexer starts immediately as soon as you install the software, thus not giving you the chance to exclude certain files and directories from getting indexed.

    --
    Simpy
  83. Hole Hawg point flawed by Have+Blue · · Score: 1

    This is essentially the same stance as "We shouldn't blame the virus writer for infecting your computer, it's your fault because you're an idiot." It's irresponsible to release a product with no safety features, or one which does not obey common sense (like the rule that if a particular user installs a program, that program's entire domain of operation should be restricted to that user unless explicitly expanded).

  84. Security? by iyliki · · Score: 1

    bypassing user protections

    uh? What user protections? I once without problems managed to log in as guest on my friends "unconfigured" computer (xp). Oh yes I couldn't do much but I could view and delete her files. I don't need a google toolbar to do that, windows already does it for me...

  85. Re:Security Breach? Really? by RobertB-DC · · Score: 1

    You should NOT delete the cache manually. The proper way to do it is through IE or using the DeleteUrlCacheEntry function.

    Hmm. So here's my choice:

    Opera: File, Delete Private Information, select exactly what I want deleted, click "OK".

    MSIE: Tools, Internet Options, Delete Files, check 'Delete all offline content', wonder what that means, hit "OK" and hope for the best.

    Sure, both apps are closed-source. Both have some history of bugs and security gaps. But my gut tells me that Opera is by far the l3ss3r 3vil.

    --
    Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
  86. Re:Security Breach? Really? by sploo22 · · Score: 1

    I don't even think the slocate database is readable to normal users. The locate executable runs as root.

    --
    Karma: Segmentation fault (tried to dereference a null post)
  87. Didn't read the article, but... by Jugalator · · Score: 1

    Google Desktop Search Functions As Spyware

    Where does the spyware part come from??

    Here's one definition I found for it:

    "Software that tracks usage and reports it to others, such as advertisers. Usually the tracking is concealed from the user of the software."

    It goes well with my personal thoughts about what spyware is.

    Is it spyware because it doesn't obey user restrictions when scanning a hard drive?!
    Would seem like a totally new definition of spyware in that case. *confused*

    --
    Beware: In C++, your friends can see your privates!
  88. outlook files by TubeSteak · · Score: 1
    normally speaking, checking out someone's email archive is a nuisance and a hassle. It's not about whether something is possible... it's about how easy it is.

    Example: Script Kiddies.
    nuff said

    --
    [Fuck Beta]
    o0t!
  89. Ahh, so this is why they never answered by Tajas · · Score: 0

    Hmm, I always knew google wasn't being completely honest with their 'software'. I have been using the google toolbar for awhile and using my packet sniffer I kept seeing packets being sent back about my activity although I chose the setup which would not send any data back to google. E-mail to google about this went unanswered.

    I also notice that this sounds strangely familiar to what Real Networks did (read http://grc.com/downloaders.htm) back around 2000 with their download program and Player.

  90. Speaking of Fox News ... by Anonymous Coward · · Score: 1, Interesting
  91. Re:Security Breach? Really? by EvilSS · · Score: 3, Interesting

    True story. MS does some bizarre virtualization of the cache directory. What explorer sees really isn't there. Go go command prompt, CD to the cache folder, and do dir /AH and dir /AS and compare to explorer.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  92. Re: Security Breach? Really? Dreaded "locate" by k2r · · Score: 1

    > In UNIX, I could use "locate" to find out whether a
    > co-worker has cookies from porn sites

    No, that's wrong. Locate searches a database of filenames not a files content.

    k2r

  93. Very Powerful Tool by jkichline · · Score: 5, Informative

    First let me say this is a very powerful and convenient tool that works as advertised right out of the box. However, I am also upset by how easily this group defends Google and attacks Microsoft. I'm sorry, but if you are creating software you need to keep the users in mind and work with the environment you are given.

    I have done a lot of research into how the Google Desktop system works. Here are some things I found...

    1. The indexing "agent" (not a windows service) runs as the current user. So, Windows security should block Google from viewing those files.

    2. Google installs its own web server on the machine and maps to port 4664. They also do a lot of validation to make sure you can only see this information from the local machine. This appears to be pretty strong.

    3. Google stores its cache in the following windows directory: C:\Documents and Settings\username\Local Settings\Application Data\Google\Google Desktop Search -- Leading me to believe that this is user specific. I checked permissions on this; other users do not have access to the cache, leading me to believe they would have their own version of the cache.

    4. Google seems to abide by the rules of the operating system. Unless they are somehow bypassing Windows security (being google they could reverse engineer anything I guess), this is pretty sound. So it really comes down to the user for setting permissions on their files. Otherwise any old search program could also find those files.

    5. Google Desktop search is not spyware. I think the fear is how it integrates your desktop with the Google home page but the truth is no information is sent. At least that's what Google says. However, I looked at the source of what is returned and this is not done using client-side script or an ActiveX object, so I'm not sure how they pull this off. This sort of scares me. For instance, the path to one of my files is seen coming from their server.

    Now, the bad side...

    While I was impressed by the lockdown of interface to the local machine, this is easily compromised. In an hour or two I created a VBScript class that could host on the user's machine and use local HTTP to access this data. This means that spyware could be created that allow remote access to the otherwise ironclad cache. This is obviously bad since you could just start searching for passwords and possibly get them.

    My suggestion to Google? Add additional settings. For instance, right now the default setting is EVERYWHERE, with some control over WHAT gets indexed. I suggest being able to point the index at specific folders, or be able to not index other folders. This is sort of like shipping a firewall with all ports open. Sure it's up to the user to lock it down, but if you don't... bad things happen.

    Also, more filetypes would be really good. Especially more code files, etc.

    I also think the ability to share your cache could be an option. This would be handy to install on a corporate file server to provide access to files (this is the reason I created the remote access hack)

    Of course this may be Google's strategy all along... make the free version do everything and be for personal systems, and then sell a version with more file types, more granular control, sharing etc. Sounds like good bait and switch to me.

    So that is all. Very good software, very easy to use. Ships wide open and could breach privacy on beginner level users. Can be used for attack and Google needs to consider this. Overall.. thank you Google!

    1. Re:Very Powerful Tool by A+Guy+From+Ottawa · · Score: 2, Insightful

      Although I thought most of your post was quite intelligent and interesting, I have to take offence (for Google) to this statement:

      In an hour or two I created a VBScript class that could host on the user's machine and use local HTTP to access this data. (snip) This is obviously bad since you could just start searching for passwords and possibly get them.

      If I have compromised a machine to the point that I can CREATE a script AND execute it, basically you're fucked. All your base are belong to me. I could ftp the ENTIRE harddrive to myself. Or just the password cache. Google can obviously do nothing about this since I have OS level access.

      Even if Google were to "lock it down" and not run a server, I could easily write a script to open their app, do a search, and then ftp the screen scrapings.

      --

      using System.Awesome;

    2. Re:Very Powerful Tool by lildogie · · Score: 1

      Thanks for an insightful, balanced article.

    3. Re:Very Powerful Tool by neeraj_iitd · · Score: 1
      5. Google Desktop search is not spyware. I think the fear is how it integrates your desktop with the Google home page but the truth is no information is sent. At least that's what Google says. However, I looked at the source of what is returned and this is not done using client-side script or an ActiveX object, so I'm not sure how they pull this off. This sort of scares me. For instance, the path to one of my files is seen coming from their server

      They pull it off using what is called a BHO (Browser helper object). Whenever you access www.google.com, their BHO taps into it and renders the page with the Desktop tab. Search "BHO" on google to know more :). And, that is why they work only with IE as it is an IE specific BHO.

    4. Re:Very Powerful Tool by drew · · Score: 1

      However, I looked at the source of what is returned and this is not done using client-side script or an ActiveX object, so I'm not sure how they pull this off. This sort of scares me. For instance, the path to one of my files is seen coming from their server.

      although i haven't researched this very carefully yet, my guess would be that the google desktop application uses some invisible hooks to set itself as a proxy for http://*.google.com, and splices any of its search results into the page that it gets back. at least that's how i would do it if i were writing such an application. sort of like a junkbuster, except its adding stuff to the results instead of filtering it out.

      While I was impressed by the lockdown of interface to the local machine, this is easily compromised. In an hour or two I created a VBScript class that could host on the user's machine and use local HTTP to access this data.

      i wouldn't say this is an issue for google to fix. if somebody else can get sufficient access to your machine to install and run a proxy daemon with your user permissions, you're pretty much fscked anyway, google desktop search or not.

      --
      If I don't put anything here, will anyone recognize me anymore?
    5. Re:Very Powerful Tool by syates21 · · Score: 1

      Hmm, except that it *does* work with at least one non-IE browser (Firefox), so I guess that must not be it.
      It may not index the local page cache for Firefox, but it does let you do an "integrated" desktop + big Google search.

    6. Re:Very Powerful Tool by syates21 · · Score: 1

      "that must not be it".
      At least for FireFox I mean, unless it somehow uses IE's BHO's?

  94. A different kind of "spyware" by autopr0n · · Score: 1

    In this case, this tool lets you spy on other people using the same machine, rather than fuck up your computer and send data back to the master computer.

    And anyway, this is nothing like the drill. It's more like a drill that explodes when you try to use it. Clearly, you should have realized that it would explode, right? Wrong. Even if it's 'obvious' that such a drill would explode at a certain RPM, the maker is still responsible to make sure that their products won't explode.

    Anyway, this is software. Pretty much all software contains errors, they'll fix it. There's a huge difference between this (some software with privacy exploit) and what we normally call "spyware".

    bla bla, click here, etc

    --
    autopr0n is like, down and stuff.
  95. Re:Security Breach? Really? by ip_fired · · Score: 1
    But it's not supposed to let you see files you don't have access to. And apparently that's what the reporter found - they couldn't access the files directly, but they WERE able to access them through the google cache.

    Okay, time to debunk this article.

    Boys and girls, open your command prompt and type:
    C:\Documents and Settings\ben>tasklist /V /FI "IMAGENAME eq GoogleDesktopIndex.exe"

    Image Name - PID Session Name - Session# - Mem Usage - Status - User Name - CPU Time Window Title
    GoogleDesktopIndex.exe - 1604 Console - 0 - 2,220 K - Running - BLACKHOLE\ben - 0:00:00 - _GD_Index
    (reformatted so that /. would let me post this, but the data is the same)

    You will notice that the GoogleIndexer is actually running as my username (non-privileged). In fact, all of the google programs currently running on my computer are running as the person logged in. If you happen to be running as Administrator, then you will be able to see all of the files on the computer. It is impossible for the indexer to look at files that I can't access through a normal way (via explorer). Conclusion, this article was probably written by a MS PR Monkey trying to cast a little FUD towards one of their main competitors in the search market...Google.
    --
    Don't count your messages before they ACK.
  96. Google is now evil by Anonymous Coward · · Score: 0

    Let's face it. Google has turned evil.

  97. google vs copernic by literate · · Score: 1

    copernic is going to charge for their desktop search...does this mean they're toast? or are the products sufficiently differentiated to leave room for a free one and a for-fee one?

    meanwhile, copernic http://copernic.com/ has a server version too.

  98. The Hole Hawg by Wanker · · Score: 2, Interesting
    These drills are great. I doubt anyone could really appreciate how much like UNIX they really are until they've injured themselves with one.

    Here's the whole (hole?) essay:

    http://steve-parker.org/articles/others/stephenson/holehawg.shtml

    Some choice quotes:

    The Hole Hawg is a drill made by the Milwaukee Tool Company. If you look in a typical hardware store you may find smaller Milwaukee drills but not the Hole Hawg, which is too powerful and too expensive for homeowners. The Hole Hawg does not have the pistol-like design of a cheap homeowner's drill. It is a cube of solid metal with a handle sticking out of one face and a chuck mounted in another. The cube contains a disconcertingly potent electric motor.


    During the Eighties I did some construction work. One day, another worker leaned a ladder against the outside of the building that we were putting up, climbed up to the second-story level, and used the Hole Hawg to drill a hole through the exterior wall. At some point, the drill bit caught in the wall. The Hole Hawg, following its one and only imperative, kept going. It spun the worker's body around like a rag doll, causing him to knock his own ladder down. Fortunately he kept his grip on the Hole Hawg, which remained lodged in the wall, and he simply dangled from it and shouted for help until someone came along and reinstated the ladder.


    It's very, very difficult to have both the presence of mind and the physical strength to hang onto a powerful drill that's just flung you off your ladder. Kudos to that guy-- I wasn't so lucky. :)

    Where my homeowner's drill had labored and whined to spin the huge bit around, and had stalled at the slightest obstruction, the Hole Hawg rotated with the stupid consistency of a spinning planet. When the hole saw seized up, the Hole Hawg spun itself and me around, and crushed one of my hands between the steel pipe handle and a joist, producing a few lacerations, each surrounded by a wide corona of deeply bruised flesh. ... After a few such run-ins, when I got ready to use the Hole Hawg my heart actually began to pound with atavistic terror.


    There never seemed to be a good happy medium between holding the drill tightly enough that when it hung up I had enough of a grip to let it grind through whatever was hanging it up and loosely enough that when it REALLY hung up I could abandon it without injury.

    Apply appropriate Windows/UNIX metaphors. :)
  99. Re:Security Breach? Really? by gnuman99 · · Score: 1
    The situation is somewhat similar with the Linux 'updatedb' and 'locate' built-in search facilities.

    No it isn't. Updatedb runs as root and it does nothing but caches the file tree. It doesn't go through the files. It doesn't cache file contents. Any file that 3rd party is not supposed to be read, cannot be read by a 3rd party. Period.

    Updatedb/locate do nothing but make it faster to search through a file tree for a given filename.

  100. I guess so by alexisbellido · · Score: 3, Insightful

    I doubt that Google, or any other company dedicated to develop software, could do such a silly application. In any case, it would be Windows' fault if their supposed protected files could be read by a user (or application) not authorized. Also, as somebody already pointed, nobody is forcing you to download and install this tool, if you wanna use it then do so, it's free and it's easy.

    --
    Alexis Bellido
  101. Re:Security Breach? Really? by Crizp · · Score: 1

    And that's what I like about NTFS and XP (if you turn off 'simple file sharing'); you can set permissions for local files and folders (which I'd missed ever since I started working with Linux).

    This allows me to hide stuff as my diary and other stuff from my brother, who's got an account on the box. At least he's old enough so I don't have to hide the pr0n :)

    That's not to say the security system in XP is not severely flawed though...

  102. Re: Security Breach? Really? Dreaded "locate" by VAXGeek · · Score: 1

    I think he was a little confused... in Win32 cookies are stored in a folder named Cookies and all have filenames like 2342345j2h34i52uh34i25uh4@www.yoursite.com

    Maybe he's using cygwin on Windows? Then locate would display that behavior.

    --
    this sig limit is too small to put anything good h
  103. I installed this yesterday... by Plural+of+Mongoose · · Score: 3, Informative

    And removed it today.

    I arrived home from work today, and fired up a simple search using my now-indexed Google Desktop. The first item listed, by dint of a coincidental search term, was an email my cleaning lady had sent.

    The 'drill' in the email was NOT the one I was looking for.

    I must say, I was quite surprised - the search cached viewed and sent emails from a private hotmail account - it even kept a view of the inbox.

    This is, well, bullshit. Really - how many people NEVER have anyone else on their system. This search has wayyyyyyyyyyyy tooo much room for abuse - and once they fix it, I guarantee you this old version will be worth $$$ on the black market...

    --
    The last fucking thing you want is my undivided attention...
  104. Re:Security Breach? Really? by antirename · · Score: 1

    Or just try regedit... You'll find some odd keys in there on a search

  105. Way to not read my post. by jelwell · · Score: 2, Informative

    Hopefully you at least read the article. Because your trolling is not helping.

    So as to not be a troll, the point is that anyone with physical access to your machine can install something that takes advantage of caches, or creates its own. This "news item" is blown out of proportion because the user went to a machine that had *already* had Google Desktop Search installed.

    Any user that wanted to read all your yahoo email could just as easily have installed a key catcher, either hardware or software. Or all sorts of other types of spyware/snoopware.

    The only real news here is that you shouldn't be doing anything you want kept private on a public machine. Is that news to anyone here?

    In particular I'd like someone to prove the news summary posted here at slashdot, "it indexes your files across all users on your PC, bypassing user protections ". Go ahead and prove it. Come over to my house, install the software and then show me my Yahoo email. Good luck.

    Joseph Elwell.

  106. Re:Security Breach? Really? by Odin's+Raven · · Score: 1
    The situation is somewhat similar with the Linux 'updatedb' and 'locate' built-in search facilities.

    Yep, that is indeed a potential privacy issue with locate. Sure, you can't read the files using locate, but depending on your users, even just knowing about the existence of, say, a /home/raven/candid-pussy-shots/ directory might be enough to get 'raven' into trouble. (Even if the directory happens to contain, for instance, nothing worse than pics of raven's favorite feline.)

    Consider switching to slocate instead - it's an improved (from the security/privacy standpoint) version of locate, which only lists files that the user actually has permissions to access.

    However, unless a user takes specific action to change it, their home directory is world-readable by default.

    That depends, to some extent, on your distribution. Red Hat distros, for instance, create home directories with all group/world access disabled by default. (This wasn't always the case for RH, but the switch was made at least as far back as RH9, probably earlier.)

    If you do share a machine, it's probably just a good idea to learn about file permissions in general.

    Amen and hallelujah - knowing what you're doing is a solution that works across all distros!

    --
    A marriage is always made up of two people who are prepared to swear that only the other one snores.
  107. Re: Security Breach? Really? Dreaded "locate" by einhverfr · · Score: 1

    locate .com | grep sex will do a remarkable job of finding such cookies.....

    --

    LedgerSMB: Open source Accounting/ERP
  108. The long range plan by Lightborn · · Score: 2, Insightful

    I'd like to think that the long range plan here is to make people aware of how useless Microsoft software is for people who are interested in protecting their data, thereby raising interest in real operating systems like Linux and OS X.

    Too bad the versions for those platforms aren't available yet, because then the Google response could be the perfect "That's just because you're using a worthless OS. Try one of these..."

    --
    My .sigs are not what they used to be.
  109. Do you know what a umask is? by Chuck+Chunder · · Score: 1
    I'm just curious but... isn't it a flaw of the operating system that files generated by a user aren't automatically restricted to access by that user? This isn't google's fault, the same exact design ported to linux would work flawlessly.
    Chances are your linux installation is creating files that are world readable by default.
    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
    1. Re:Do you know what a umask is? by Tragek · · Score: 1

      Shouldn't all 'System files' be readable, but not personal folders? I would think that is what the above poster was attempting to get through... though I'm not quite sure. (not that I'm saying he's right... which he isn't)

    2. Re:Do you know what a umask is? by Minna+Kirai · · Score: 1

      Chances are your linux installation is creating files that are world readable by default.

      And exactly which Linux distros do you think have a +o umask? Linspire? Come on...

    3. Re:Do you know what a umask is? by cakoose · · Score: 1

      I think Debian creates home directories that are world readable. The default umask is 022, which is "rw-r--r--". Applications tend to set the permissions correctly on directories and files they create (OpenSSH, mail clients, GNOME).

  110. Re: Security Breach? Really? Dreaded "locate" by bcrowell · · Score: 1

    In UNIX, I could use "locate" to find out whether a co-worker has cookies from porn sites if the permissions are not set.
    Isn't this why Linux has slocate (secure locate), as opposed to the original locate? And the locate/slocate database will only exist if someone with root privileges has created it. And, as someone else already pointed out, it only indexes filenames, not file contents.

  111. Re:Security Breach? Really? by Waffle+Iron · · Score: 1
    I realize that it just stores the filename. That's why it's somewhat similar. Sometimes, however, just the name of a file can be sensitive information, like '2004Q4_staff_reduction.xls' for example.

    Updatedb doesn't necessarily run as root. My machine defaulted with updatedb set to run as "nobody" out of the box. This automatically guarantees that it won't reveal any information that other people couldn't see anyway. My point was that a lot of systems allow rather liberal read access to users' account directories by default, and users should be aware of that.
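The cases raised in this part of the thread (umask 022, home directories with or without world access, an indexer running as "nobody"), as an added example that is not code from any commenter or project: it builds three constructed home directories and reports which names and which file contents an unprivileged crawler could pick up. The accounts alice/bob/carol and the helper names are hypothetical, and only the "other" permission bits are evaluated.

```python
import os
import stat
import tempfile

# File name quoted in the thread as an example of a sensitive *name*.
SENSITIVE = os.path.join("docs", "2004Q4_staff_reduction.xls")


def make_home(root, user, umask, home_mode):
    """Create a constructed home directory.

    Files are created with 0666 & ~umask and directories with 0777 & ~umask,
    which is what ordinary programs do. home_mode is applied afterwards, the
    way an account-creation tool sets the top-level directory.
    """
    old = os.umask(umask)
    try:
        home = os.path.join(root, user)
        os.mkdir(home)
        os.mkdir(os.path.join(home, "docs"))
        for rel in ("notes.txt", SENSITIVE):
            fd = os.open(os.path.join(home, rel), os.O_WRONLY | os.O_CREAT, 0o666)
            os.close(fd)
    finally:
        os.umask(old)
    os.chmod(home, home_mode)  # chmod is not affected by umask
    return home


def crawl_as_other(root):
    """Model an indexer running as an unrelated, unprivileged account.

    Returns (names, contents): paths whose names the crawler would learn, and
    paths whose contents it could read. The walk itself runs as the current
    user; access is decided from the "other" mode bits, so this models the
    crawler rather than switching accounts. root is assumed reachable.
    """
    names, contents = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        enterable = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            mode = os.lstat(full).st_mode
            # The parent was listable, so the directory's name leaks.
            names.append(os.path.relpath(full, root))
            # Descending needs o+r (list entries) and o+x (reach entries).
            if mode & stat.S_IROTH and mode & stat.S_IXOTH:
                enterable.append(d)
        dirnames[:] = enterable  # prune what "other" cannot enter
        for f in filenames:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root)
            names.append(rel)
            if os.lstat(full).st_mode & stat.S_IROTH:
                contents.append(rel)
    return sorted(names), sorted(contents)


def demo():
    """Three constructed accounts covering the cases in the thread."""
    with tempfile.TemporaryDirectory() as root:
        make_home(root, "alice", 0o022, 0o755)  # umask 022, world-readable home
        make_home(root, "bob", 0o022, 0o700)    # umask 022, private home
        make_home(root, "carol", 0o077, 0o755)  # open home, restrictive umask
        return crawl_as_other(root)


if __name__ == "__main__":
    names, contents = demo()
    print("names visible to other:")
    for n in names:
        print("   ", n)
    print("contents readable by other:")
    for c in contents:
        print("   ", c)
```

Running it shows that a private home directory hides everything beneath it regardless of umask, while a restrictive umask under an open home directory still leaks top-level file and directory names.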

  112. Minor inconsequential correction by Kelmenson · · Score: 1
    Basically this utility works NO DIFFERENT than "Start-->Search-->Search IN files", except that noobs don't know how to use Search properly, and Google search is "prettier". Oh, and MS's brain dead Search can't peek inside compressed files. Whoopie-do.
    Just a minor correction to a post I otherwise agree with 100%... Windows' default search can and does search inside of ZIP files.

    But everything else, spot on.

  113. go beagle go! by Anonymous Coward · · Score: 0

    go beagle go!

  114. Re:hole hawg by Anonymous Coward · · Score: 0

    So what is that thing, 1/2 hp? Taking half a horse up a ladder sounds dangerous to me.

  115. It uncovered all the folks with tinfoil hats by wodelltech · · Score: 1

    I guess that makes it spyware...

    It does exactly what I expected it to do. No more, no less. The only 'issue' here is that folks don't understand how much information they have sitting around on their PC's

    --
    Your monitor is staring at you.
  116. Only one copy, one user per PC by Kraegar · · Score: 4, Informative
    I have an XP pro machine.

    I installed the google desktop search.

    I had to be an admin to do the install. That means I have to have rights to read all files on the machine to install it.

    I switched to a non admin account, I was told only the original person who installed it could run it.

    I switched to a different admin account, tried to run it, got the message that only the installer could. I attempted to install it again under this account, I got the message that it's not meant for multi-user systems, only one user can install it on a PC at a time.

    So in summary, if you don't trust someone who's an admin on your system, don't use that system. The search only makes it easier for them to see your data - they already have rights to.

  117. This is not spyware... by Vernalex · · Score: 0

    The program indexes content as you view it, and it's an option to index secure content. This has nothing to do with Windows being insecure, such as an insecure file system. The program running under the user's privileges should always be able to view their files, this is just common sense. And it has nothing to do with Google writing spyware, because this program operates as it was intended and it doesn't report this information back to a server. If you don't want it to index secure content, then turn the option off in the options.

    : Vernalex.com malware guide

    --
    "The optimist proclaims that we live in the best of all possible worlds, and the pessimist fears this is true." --James
  118. Home vs. Pro edition of XP by Doppler00 · · Score: 3, Interesting

    Are we talking about installing this Google Desktop Search software on Windows XP Home edition or Windows XP Pro? There is a huge difference between how these two operating systems handle user right assignments. Windows XP Home has a very stripped down version of the system whereby you can't easily change user permissions of individual folders. My guess is that most people will set up user accounts on the home version with "Administrator" rights as many programs simply don't work correctly in XP as a "User".

    Because XP Pro is typically used in office environments, if you set up a user account and you log in, you will NOT be able to see the other users folders unless an Admin sets those permissions.

    Of course, all this seems silly as linux has had proper file permission settings forever whereas Windows has just recently added that feature.

    1. Re:Home vs. Pro edition of XP by praxis · · Score: 4, Insightful

      "Of course, all this seems silly as linux has had proper file permission settings forever whereas Windows has just recently added that feature."

      Windows has had proper file permission settings since Windows NT 3.5 shipped September 1994. Slackware 1.0 (I consider this the first viable installable distribution) shipped August 1993. That's a whole year's difference. Percentage-wise, Linux has had proper file permission settings 10% longer than Windows.

      Not to mention, Windows ACLs are more fine-grained than what most Linux distributions offer.

      To preempt the argument that Windows defaults are insecure: I am comparing the technical abilities of the systems out of the box; which are the tools an administrator may use to configure what he feels are "proper file permission settings."

    2. Re:Home vs. Pro edition of XP by Doppler00 · · Score: 1

      I'm talking about home versions of Windows though:

      Windows 3.1, Windows 95, 98, etc...
      It wasn't until Windows XP Home that they had anything resembling file permissions, and even then it's a sad implementation.

      "Not to mention, Windows ACLs are more fine-grained than what most Linux distributions offer."
      I'll agree with you there. Also much easier to use than chmod.

    3. Re:Home vs. Pro edition of XP by praxis · · Score: 1

      I will agree if we are talking about consumer releases that it was only recently that home users could enjoy the benefits of file permissions. It's hard to balance between providing protection and letting users do their work, considering most of them don't know how to configure file security.

  119. This is extraordinary, the amount of apologising by LadyLucky · · Score: 1
    I installed this at work. I use Outlook with Exchange. It only indexes files in Outlook when I am logged in (so it doesn't need permissions as per Windows Explorer). Since then, it creates a cache of those emails and they can be searched. Great for me.

    What if someone else can view that cache? Can they? I don't know. I certainly hope not. If they can, this is a serious flaw in the software, one that was certainly not made well known. FAQ my arse. What if Microsoft puts in an obscure webpage somewhere 'we don't guarantee this software is free of security holes'. Why aren't you rushing to their defense? Don't install it... they told you about it.

    Quite honestly, if this makes it easier to view other people's documents, this is a flawed piece of software and you should be aware of this.

    --
    dominionrd.blogspot.com - Restaurants on
  120. Author needs to learn the definition of spyware by auzy · · Score: 1

    Oh no, it indexes all the files on the hard disk. It can do that regardless anyway, regardless of whose user it is. That's spyware???

    Spyware is where information is sent back to a server to spy on a user.. Last time I checked, this just uses a local daemon and doesn't send any info to google. Therefore, this isn't spyware.

    I'd imagine though that files which are encrypted would be ignored completely though. If they were that worried about it, they would realise that it wouldn't make a difference whose user it is anyway, because they could just run the windows search function on it.

    Sometimes I wonder how some of these articles make it on slashdot. Next they'll be telling us Linus isn't the author of Linux.. err wait a sec, that already happened too

    This is no cause for concern and it's actually an even more invalid concern than the Gmail privacy worries

  121. I can't get it to install anyway. by Gldm · · Score: 1

    The coders of this program were quite retarded. On install it immediately tries to install to a preset path on C: with no option to change it. For me, this means it immediately bitches about less than 1GB free on C: and dies. I emailed google's support telling them that it's unlikely a small partition designed just to fit my OS will ever have 1GB or more free though it's welcome to use the hundreds of GB on the other partition in my system. They said they might allow you to specify where it installs to someday, maybe, possibly, if they feel like it.

    --

    Introducing the new Occam Fusion! Now with sqrt(-1) fewer blades!

  122. It does apply to other browsers. But whatever. by hkmwbz · · Score: 1
    It indexes Opera's cache files too, at least.

    But it's not an issue anyway. The spyware claim in this article is ridiculous. It's sensationalist journalism at its worst.

    I'm not going to go into any greater detail, as many have put it more eloquently than I can, earlier in this discussion.

    --
    Clever signature text goes here.
  123. Is there any way to stop the madness?!?!? by Anonymous Coward · · Score: 0

    You can get EVERYTHING that you have ever done?! How to stop it?! Oh. Go to preferences?

    From the preferences page (there is a checkbox by each item)

    Search Types
    Index the following items so that you can search for them:

    Outlook email
    Outlook Express email
    AOL IM
    Word
    Excel
    PowerPoint
    Text and other
    Web history
    Include secure pages (HTTPS) in web history

  124. Changed my mind midstream. by xigxag · · Score: 1

    I was getting to write a screed on how the headline to this topic is verging on libel, with reckless disregard for the truth. But then I realized there are spyware-like aspects to the software. Imagine a husband and wife sharing the same machine. The tech-savvy husband suspects his wife is cheating on him with his neighbor Rick. So he installs Google Search on the machine. Whenever the wife logs on, her email is indexed, and then, yes, the husband is thus able to spy on her by looking up any instances of the name "Rick."

    Of course, any reasonably expert computer user is going to be able to view the wife's info anyway. But since this software seems to greatly facilitate the process, and reportedly does so in a way which is not necessarily transparent to all the users, I think that calling it potential spyware really is not that much of a stretch.

    A possible solution might be to force each user to enter her password into the software before it starts to index any of their files. And then to offer her a choice -- to make her information globally accessible, or to encrypt her index so it is only accessible to the individual user.

    I haven't downloaded or used this program yet, so if I've somehow misunderstood and it already does something like this, then I apologize in advance.

    --
    There are two kinds of people: 1) those who start arrays with one and 1) those who start them with zero.
  125. Well: by mattyrobinson69 · · Score: 1

    if it's for single user machines, why does it purposely bypass security and scan for other users?

    anyway, it probably only runs on IE anyway (i didn't rtfa), so one more piece of spyware isn't going to hurt now is it?

    i setup windows XP for my dad last week on his new computer. I said to my sister "I'm going now, download mozilla firefox, and install it right now, before you go on the internet, and don't use internet explorer for anything other than firefox"

    I left, went camping for the weekend, came back. the computer was so slow (AthlonXP 2800, 512mb ram), as was the 150k internet connection, that adaware couldn't help, and i couldn't even get to the spybot homepage. i reinstalled and made sure firefox was installed and default myself before i left.

    the moral of the story is:

    a) don't trust a woman to do anything with a computer that isn't playing the sims
    b) install firefox and set it as default before you leave
    c) don't build computers for other people (especially family), as they expect technical support

    1. Re:Well: by lachlan76 · · Score: 1

      c) don't build computers for other people (especially family), as they expect technical support

      Lucky...My family expects tech support no matter what. They also blame me for whatever goes wrong with the computer. Then find out that the motherboard had failed.

      And you know what their solution is? My computer doesn't work, probably video card failure, it's at the shop now being replaced with a 9200SE, and next month a new computer is coming which I'm not allowed to use, and btw, that new computer has a Radeon 9800 Pro. It's only going to be used for email and burning DVDs, and my younger brother playing BF1942, which will work fine on a Geforce4. I'm not allowed to put Linux or even Cygwin so I can use distcc. I'm also expected to keep everything up to date, and spend my free time fixing it when it gets a virus, all because my family don't want to learn basic security. And they still sometimes don't use firefox.

      I wouldn't complain too much about your family's tech skills ;)

    2. Re:Well: by UncleFluffy · · Score: 1

      Are their tech skills sufficient to notice that you've swapped the video cards over without telling them ?

      --

      What would Lemmy do?

    3. Re:Well: by lachlan76 · · Score: 1

      Separate incident, they took the computer back to the shop today to get it checked out.
      I don't have a spare video card lying around to make sure ;)

  126. Re: Security Breach? Really? Dreaded "locate" by einhverfr · · Score: 1

    The point is that it will still find the files if the permissions were not appropriately set and the database exists. Yes the database must be created as root.

    However....

    If the files are not protected, a search will still find the files.

    --

    LedgerSMB: Open source Accounting/ERP
  127. i thought the headline was talking about this... by Anonymous Coward · · Score: 0

    at work when I installed this, my firewall came up and asked me if I wanted to allow google desktop search to access the internet. Why the heck does it need to access the internet to allow me to search my own files?

  128. Wow by joebp · · Score: 1

    Have slashdot's editors been replaced with National Enquirer "reporters"? If so, WHY WAS I NOT INFORMED!?

  129. Allows you to... spy on yourself? by NoMercy · · Score: 1

    Or any machine to which you have administrator access, no shock there, you can do that without google's desktop search.

    If it were spyware wouldn't that mean data was sent to google without your permission, which is very much so not the case, though you do have the option of sending data on crashes, which probably contains how many files indexed etc.

    Admittedly I'm not convinced enough to install it, it's tempting, but it really doesn't seem that much better than just waiting for search results, maybe if it included whistle a tune and find it in your mp3 collection, or draw a sketch and find it in your pictures, things you just can't do today.

  130. Obligatory LOTR Quote by Glamdrlng · · Score: 1
    'This is not a bug, rather a feature,'
    It's been called that before, but not by you...
    --

    Yes, my only tool is a hammer. And you're starting to look like a nail.
  131. Re:i thought the headline was talking about this.. by stevel · · Score: 2, Informative

    It isn't accessing the Internet - it uses a local loopback connection to talk to its server, but your firewall doesn't distinguish that.

    Google Desktop can send debug info to Google, but the claim is that it sends no information about what you searched for or your local file contents to Google. You can opt out of the debug and statistical info collection.

  132. Re:Security Breach? Really? by Minna+Kirai · · Score: 1

    It is impossible for the indexer to look at files that I can't access through a normal way (via explorer).

    Your message is insufficient to prove that.

    If Google Desktop was installed by an administrator, then it could've possibly installed a system-level DLL which that program can be using to look into forbidden files, without opening them directly itself.

    Any program which had admin privs at installation could've kept them, meaning it can potentially violate file-access controls whenever the program is later run by a normal user. That's why I don't approve of videogame installers that require admin rights.

    I haven't installed Google Desktop though, so I don't know if it requires administrator install- but I think most people install that way anyhow.

  133. Clear cache - Firefox by cbr2702 · · Score: 1

    Firefox: Tools > Options > Privacy, find "Clear All Information Stored While Browsing", click "Clear All"

    Or choose appropriate buttons on the same "Privacy" screen to delete only some things.

    --


    This post written under Gentoo-linux with an SCO IP license.
  134. its a beta version lack of features, that's all by laughing!oni · · Score: 1

    What it probably should do, and what it probably will do a year from now is to let each user select the set of users that get google search access to their index. It is actually useful to have it span multiple users on the system, if you sometimes log in as a different user (say I log in as my wife), and have a problem remembering which user you saved a particular file as. On your typical home machine, I would hazard that you want Google Desktop to behave just the way it does in the beta.

  135. Er, no. by Nailer · · Score: 1

    I'm just curious but... isn't it a flaw of the operating system that files generated by a user aren't automatically restricted to access by that user? This isn't google's fault, the same exact design ported to linux would work flawlessly.

    No it wouldn't. The default permissions (umasks) in almost every Linux distribution allow 'others' read access on new files.

    Whether this is a good thing is left up to the reader.

    1. Re:Er, no. by LnxAddct · · Score: 1

      Really? Because my default FC2 installation forbids anyone or any group from viewing anything in my home directory. My home directory is where anything personal is kept, and this is what the writer of the article is complaining about. The settings are similar on my Debian server too, although that's been running so long I forget if I set it that way or if it came that way.
      Regards,
      Steve

    2. Re:Er, no. by Nailer · · Score: 1

      Oops, you're right. The umask thing is true, but I'd forgotten about the folder permissions.

  136. so how do I program my google desktop? by binarybum · · Score: 1

    How is this like the hole hawg? As long as I am aware of the potential consequences of using the hole hawg I can avoid them. If used correctly it can make just about any kind of hole I want. I can't control the google desktop, it simply allows users to jump the security rules that the OS and most software obey.
    This inability to control this problem is why, my dear Ms. Mayer, this is a bug and not a feature.

  137. "Knowledge" Paradox? by Anonymous Coward · · Score: 0
    To my knowledge, spyware sends information to a third party without the user's knowledge.

    Hmm, is it just me or does that statement sound like a paradox if you happen to be the user?

  138. Administrator account by Anonymous Coward · · Score: 0

    I would suspect that if users are not set up as administrators google desktop will not be able to index other user's files.

  139. Re:Security Breach? Really? by freedom_india · · Score: 1
    I really don't get it.

    First of all we "pray" google introduces an easier and more thorough way to search our unwashed mass of files on our fixed-disks to find things faster and better.
    Google introduces one such program and we praise it like sliced bread.

    Then suddenly we complain it is spyware, searches unpermitted files, blah, blah...

    Is it a case of blaming electricity because it can kill? or is it a case of lasers because they can be used to blind you...

    I say when do we grow up and start treating tools and devices for what we want them to do instead of worrying about how to abuse them...

    I am heartily sick of such no-gooders and nay-sayers who call themselves critics but who in reality are Pussies...If such people had their way in earlier times we would still be riding Horse buggies because the Ford T would have been long banned for not having seatbelts, automatic transmission, pollution control, airbags.... etc.

    --
    "Doing what i can, with what i have." ~ Burt Gummer
  140. google worship rampant here by Anonymous Coward · · Score: 0

    So google releases an intrusive program with massive security risks and the ./ fanboys are falling all over themselves to explain why it isn't google's fault. YES, IT IS. It's bad software, you install it, you're a moron. I don't want google on my desktop and I don't want them in my browser and I don't trust them. Stop making excuses for them. They're out to make money like anybody else and they don't care how.

  141. Holy paranoia by shoptroll · · Score: 1

    Geez...

    Did anyone expect the program to NOT index everything? I installed this on my machine, and I run 2 accounts: admin and power user on Win2k.

    You need admin privs to install the thing in the first place, which gives it full access to ALL files.

    If a normal user could install this and see everything, I'd be more worried. But I can fully understand why the app does this.

    Also, you need admin rights to run it as well. This is what I've found so far.

    The only people who should be worried are those who suspect their sys admins... But then again, I'm quite sure those people have been suspecting their sys admins since before this app was released.

    Finally, the only time it will pull e-mail up for searching is when a user has Outlook running. I haven't tested this feature yet, but that is what it says it does.

    --
    Insert Sig Here
  142. Re: Security Breach? Really? Dreaded "locate" by FuzzyBad-Mofo · · Score: 1

    Why would the permissions not be set properly? By default, most distros create secure user accounts, with /home/user owned by user:user and set to drwx------ permission. If I tried to list Bob's files, like so:

    $ ls /home/bob

    The result would be a swift:

    ls: /home/bob Permission denied

    Of course, it goes without saying that root can read anyone's files..
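The umask point from comment 135 and the drwx------ home directory described in comment 142, as an added example that is not code from any poster: files created under umask 022 are world-readable by mode, and only the parent directory's missing o+x bit keeps other users out. The directory name, file name and function names are constructed for illustration; the check reads mode bits only (no ACLs), so it gives the same answer when run as root.

```python
import os
import stat
import tempfile


def others_can_read(path, top):
    """True if mode bits alone let an unrelated local user read `path`.

    The file needs o+r, and every directory from its parent up to `top`
    (inclusive) needs o+x so the path can be traversed. ACLs are ignored.
    """
    path = os.path.realpath(path)
    top = os.path.realpath(top)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    directory = os.path.dirname(path)
    while True:
        if not os.stat(directory).st_mode & stat.S_IXOTH:
            return False  # traversal blocked here; the file's own bits no longer matter
        if directory == top or directory == os.path.dirname(directory):
            return True
        directory = os.path.dirname(directory)


def demo():
    """Create a file under umask 022, then compare an open and a closed home."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        home = os.path.join(scratch, "home_bob")  # constructed stand-in for /home/bob
        previous = os.umask(0o022)  # the common distribution default
        try:
            os.mkdir(home)
            notes = os.path.join(home, "notes.txt")  # constructed sample file
            os.close(os.open(notes, os.O_WRONLY | os.O_CREAT, 0o666))
        finally:
            os.umask(previous)
        results["file_mode"] = stat.S_IMODE(os.stat(notes).st_mode)
        os.chmod(home, 0o755)  # home directory open to traversal
        results["home_755"] = others_can_read(notes, home)
        os.chmod(home, 0o700)  # drwx------, as in the comment above
        results["home_700"] = others_can_read(notes, home)
        # The file itself never changed: it is still world-readable by mode.
        results["file_mode_after"] = stat.S_IMODE(os.stat(notes).st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        shown = value if isinstance(value, bool) else oct(value)
        print(f"{key}: {shown}")
```

The file stays 0644 throughout, so the 0700 directory is the only barrier. A copy of the same content stored outside that directory, such as a shared search index or cache, needs its own equally tight permissions.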

  143. commercial alternatives by Anonymous Coward · · Score: 0

    These guys, http://myradus.com/, will probably be annoyed about this.

  144. Who knows what evil lurks in the heart of Google? by Doc+Ruby · · Score: 1

    If the Google Desktop source code were open, we could check to see what else it does that we don't expect, and wouldn't like. Like maybe sending hashes of your URL surfing history to the Google server.

    --

    --
    make install -not war

  145. All of you are short-sighted by Anonymous Coward · · Score: 0

    How can all of you nit-wits be so short-sighted? How can you not care if this indexes the internet cache? This basically means you can never check your webmail on a friend's computer again without them being able to easily read your emails. That's really lame. I hate Google now.

  146. bigger issues by driven2insanity · · Score: 1

    I don't see what the fuss is about. You set it to index what you want and don't set what you don't want. I don't see how it can be set up across networks, even a home network, yet.. and there are many other more advanced programs that allow companies to 'spy' on employees' internet usage, so even IF they installed it secretly on each machine, it isn't networked, so each machine would have to be scanned for usage tracking.. what's the point when there are networked programs that give screenshots of exactly what each employee is looking at every minute of every day? For home use, use passwords and the profile settings for each user and there is no cross indexing of it around that feature on XP anyway.

    What I REALLY would like to know is, after you search and find info that you didn't know was still there (I was SHOCKED to see how much I thought was untraceable that is still on my system), how to delete it leaving no trace, directly from the search page. I see no option for that and THAT would be a very cool feature. Anyone find a delete option on it? I suppose after locating emails, logs, websites etc., I can manually go to the location and delete it, but in doing that does it leave a trace of the deletion that is then indexed? That is my main concern. I am new at geekdom, not too nerdish, working on it, Friday night at 12:23 and I'm sitting here reading this site, so that's a good start I'd say :) I am wondering how, short of wiping out my whole hard drive and starting over, to get RID of the stuff I found is still there after installing the google indexing program today. I'm stunned and want to get rid of a lot of it, there has to be an easier way, you'd think, right? If it is all right there on a quick search, why not an option to shred it? If there is and I missed it, someone please clue me in. Thanks!

    AND if anyone knows how to stop windows messenger from logging in at random without being asked or even showing the icon or contact list anywhere, PLEASE let me know. I have been puzzled by this phenomenon for months now. I know it's an issue and should install the XP upgrade which I believe fixes that, however, I am burnt so not into figuring out other issues at the moment. I am not referring to MSN messenger, it's the windows messenger that simply logs me on randomly and I don't even know I'm logged in, just suddenly a 'buddy' starts saying hey and THAT is more of a privacy issue at times than googling your computer, and maybe your spouse will find the name of someone who you don't even know who IM'd you b/c the damn thing logged you on for no apparent reason ;) hey it happens.. Anyway, apparently there is no way to stop it, I've tried most everything.. annoying.. I'm new and it's late, forgive my babbling.. I just don't see what the fuss is about, there are SO many privacy issues, this is just a non issue compared to most. I just want to know how to stop Windows messenger and how to use the google indexing to find and destroy all the old files I am finding and want to get rid of, is that too much to ask?? TY!!!

  147. foul by earthstar · · Score: 1
    Crying Foul about something / some software is a pastime for some - Probably they want to grab others' attention that they have found 'holes'.

    I am disappointed that even slashdot allows the word 'spyware' to be used in title.

    In a wide user base like calling someone 'spyware' without verification is blasphemy.

  148. Re:Security Breach? Really? by ip_fired · · Score: 1

    You mean to tell me that a program running as an unprivileged user can access privileged files? That hasn't been my experience with WinXP. The indexer runs in the background as the user that installed the program. Anyway, this is all moot. It was designed for single user systems (ie, 99% of the installed home user base).

    --
    Don't count your messages before they ACK.
  149. Re:Security Breach? Really? by ip_fired · · Score: 1

    installed a system-level DLL which that program can be using to look into forbidden files

    Oh, I see what you mean. My mistake. That may be the case. I guess I could try by creating a severely limited account and seeing if it will install.

    --
    Don't count your messages before they ACK.
  150. Missing feature from Google Desktop? by kleinux · · Score: 0, Redundant

    It should come with a tinfoil hat.

  151. Ships wide open by guet · · Score: 1

    While I was impressed by the lockdown of interface to the local machine, this is easily compromised. In an hour or two I created a VBScript class that could host on the user's machine and use local HTTP to access this data. This means that spyware could be created that allow remote access to the otherwise ironclad cache. This is obviously bad since you could just start searching for passwords and possibly get them.


    Well, the thing is, if spyware is installed, it already has access to all the user's files, so it has no need of the google cache to locate the ones it wants. How exactly could they prevent access for a local program? I can't see a suggestion in your post. I suppose they could encrypt it but this would hit performance in a serious way.

    All your other points are interesting, and it's nice to see someone looking at this critically - in particular it'd be nice if they added the ability for the user to add other file types (many of which are just text anyway), but I'm sure that will come in time. The security problems you mention are mostly a result of windows security policy though aren't they?

  152. What he means, by warrax_666 · · Score: 1

    I suspect, is that you need to install using administrative privileges and try to do a search using a severely limited account to see if the search will let you see stuff which you're not supposed to.

    The theory, I believe, is that when you install as admin., it installs a "search server" and any unprivileged users which install afterwards just get a "search client" which connects to this server (via TCP over localhost or whatever). If the server returns results which allow the client to see stuff it's not supposed to, then there is information leakage (and quite a grave one at that). If not, then it's a load of hot air.

    --
    HAND.
  153. Maybe it is not for you then!!! by binmugahid · · Score: 1

    I for one have been waiting for a long time for google to index my desktop. This is a feature that will give google a clear advantage over Yahoo and any other search engine. If you are afraid of your files being compromised, then this product is definitely not for you or your files are stored in the wrong locations. Congratulations google.

  154. The only security by NetBlackOps · · Score: 5, Informative

    The first rule of system security is that the only security is PHYSICAL security.

    What are the flaws here? It's a publicly accessible machine. Anyone can walk up and since it is publicly accessible, can merrily publicly access away. The presence or absence of the Google search tool in and of itself means nothing. In addition, with the tools that I have here, even if you DID have individual accounts I can own that machine, one way or another, in under a minute. It would slow me down some if someone with real Windows knowledge set up the system security, but that is all that would happen, it would slow me down. After all, I do this for a living (systems security consultant). Don't be overjoyed Linux users, if I know your version, I can get you too. I track the vulnerability lists on a daily basis and no one save the truly paranoid (moi, of course) patches THAT quick!

    Now, in the context of a personal PC, whose ox is getting gored here? No one. By definition. Note, I said personal PC. My personal PC, fully locked down Win'Server 2003 Ent., or as fully locked down as you can get with Windows (snort), happens to have this beast installed and yes I did pause to read the documentation, EULA, and all the warnings that they posted. This is just another search tool that just happens to use a web server front end so you can search using a browser interface that looks just like Google. Powerful (not Windows Find in my book) search tools have existed for eons in the computing world. This is yet another one and pretty spiffy actually. I was pretty impressed that it found in under a second something that I had been searching for for days, yes even with some pretty powerful search tools. Nice job!

    Now, is my system less secure? No, if someone walked up, or happened to break into my system from the outside (about as likely as hell freezing over), then yes, having this available to them is a bit more of a problem but if they get in the door, then they already know where to drill down for personal information. Anything I'm really interested in protecting (under NDA, etc.) is already living on an encrypted HD with a VERY long key. Again, I'm paranoid. For the average user, again, once in somehow the presence of this tool changes nothing.

    What is interesting is the potential for abuse in the case of a family or office setting. Be assured that half the problem in knowing where to go in those settings is identifying the interesting places and then you can identify the system security penetration required. This is NOT recommended for use in an office setting, but Google points out that it was not intended for such use anyway and spells it out most eloquently in the EULA as well. You do read the EULA, don't you? I do.

    For the home, how much do you want to hide from your parents, spouse, or kids? Having no spouse or kids, I can't say. As for my parents, I'm the one locking down their systems ;-). You need to make that decision yourself but I do admit that most kids can find out what they need to know to penetrate any parents computers VERY easily. I do cruise the script-kiddie boards (often) to see what they are up to and the tools are all there within easy reach (Google search ;-) ).

    So that's my two cents. Mere FUD. BTW, what idjit uses a public computer and expects no one to know what they are doing? Apparently a LOT of idjits according to a fellow SysOp elsewhere that happens to have a day job at a large library. If the cops want to catch a lot of kiddie porn and kiddie stalkers, I can tell them right where to go, but they aren't listening (sigh).

    NetBlackOps

    --
    -"Never give entropy an entrance!"
  155. crap by Anonymous Coward · · Score: 3, Informative

    OK, so this guy who wrote the article is a moron. I installed this on my Win2000 machine using my main account which is an Administrator account (but not 'administrator') and had it index my machine. I then switched to the 'administrator' username just to see what would happen, and it says that it was installed by somebody else (a different account) and couldn't run. Therefore, there is no security breach that I can see, and I was using two different administrator accounts.

    The FAQ mentions multiple users who use the same login and password. Well, of course, duh. If several people use the same account, of course they can see the same files. It's the same damn account.

    And one more thing, it isn't spyware as spyware returns information about you to someone else, like a company. At most, it could be classified as a 'privilege elevation' of sorts, since purportedly you can see other people's files, although I can't reproduce this on my machine.

  156. I'm not saying they would, but they could... by davesag · · Score: 1

    So let's posit the worst case scenario should Google turn out to have been really very evil all along. The biggest potential for evil as I see it is the possibility for google to sell private, undisclosed web services interfaces to layers of data that we just don't have access to. Perhaps as a private high net worth client I could google for individual people, their news reading habits (i.e. the articles they follow from news.google.com), their gmail, their desktop files, their friends (i.e. people they invited to gmail, people in their address books), their buying tastes (the ads they click on or products they search on), web surfing habits (google ads again) and their reading tastes (print.google.com). Google could cross reference this data against traditional google searches and google searches on 'hidden' pages - i.e. pages that have been indexed by machines that do not ever declare themselves as being google, but masquerade as other indexing agents, and which run through and index everything in spite of no-robots files and instructions.

    Such a webservice would make a fantastic tool for a more precise purge of social undesirables. What state security apparatus, especially one fighting a war of^Hn terror, would want to be without one. Stalin's almost random enslaving and death of 30 million odd people would have been much more focussed by such a tool. No need for messy torture to find out who your friends are - until of course you have all of them in custody too and still have a quota to fill. You can just see the ads - "A revolution in state oppression!".

    Google have, in theory at least, a terrible potential for abuse. Given how terrible it is, I think Google would be well advised to prove beyond all reasonable doubt that they really truly do not link everything up like that under the hood, that they recognise the inherent lurking evil that would just love to get its hands on Google itself, hire a team of ethicists to help them actually define what evil is and isn't, and take a public ethical stand on issues - after all one of the greatest ways to allow evil to flourish is to remain silent.

    --
    I used to have a better sig than this, but I got tired of it
  157. Spyware? Is the editor asleep at the keyboard? by XunilOS · · Score: 1
    How did a headline like this make it onto Slashdot? I agree with the general tone of comments I've read so far - I think it's quite a stretch to call Google Desktop Search spyware just because it allows you to access other users' files on a PC running Windows. Many other routes could be taken to achieve this same goal.

    It's always been my impression that "spyware" was software that was installed on your (typically Windows-based) PC, usually without your knowledge or consent, which then communicated some otherwise private information back to a vendor (be it a spammer, a software company, or what have you) for use in marketing or advertising, or maybe just because the vendor is abnormally nosy. This article doesn't say that GDS does anything of the kind.

    Yeah, sure, someone could walk up to my laptop when I'm grabbing a soda down the hall, and do a quick search, but so what? They could do the same thing by clicking 'Search' on the Start menu. My fault for not locking my screen.

    --
    -- -R
  158. Not to mention masturbation material... (n/t) by Anonymous Coward · · Score: 0

    n/t

  159. Not Google, not Microsoft, users! by AlphaSys · · Score: 1

    OK, bashing where it is due, NT-based OSes at once introduced the concept of local admin to a community that was not ready for it. They provided the vehicle for segmenting privilege while implying to joe user that he should usurp it all if he is to be able to get his work done. It got the whole world of n00bs thinking they had to be root and not just via context-switching to get particular tasks done. It has fed the average windows user's megalomania into believing himself to be a computing genius.

    In Redmond's defense, they developed these features in an earnest attempt to enable best practices functionalities in the product line. The problem was that even though the features had been enabled in a somewhat OK manner, nobody who would be caught dead in a Win32 environment knew the first thing about how to implement those best practices given the tools. MS knew it too, but they still had to sell this "Windoze is EZ to use, even at the server, so you can pay less for adminz and more for s0ftwarez" line a little longer if they were to penetrate the server market enough to ensure they didn't have to compete seriously with Novell and/or IBM again for another 15 years or so. To be fair, from a purely market driven view, they have played it well. Their products were insecure to some degree, the implementations were disastrously so, but the market bears it without so much as a whimper and comes back for more.

    Redmond's dilemma now is they are trying to make themselves over as the Trustworthy One, because they are no longer selling themselves to businesses, they are selling themselves to entire industries. And particularly industries that NEED the kind of security they wish they could be seen as providing. So they are pumping out obscene amounts of $$$ to try to make the systems truly enterprise-grade securable, while dragging (kicking and screaming I might add) that admin community that got hired cheap and promised easy advancement. The admins still make shit wages, even though some have adequately educated themselves with real security education, not MS certification crap. And then there are the users they support and their PHBs who understand PC security about as well. And the PHB says "just make 'em local admins on the box - that'll solve everything". If you mean dis-solve, maybe.

    --
    Can I bum a sig? I left mine at the office.
    1. Re:Not Google, not Microsoft, users! by The+Bungi · · Score: 1
      Well OK, but I could make the same argument about any Unix-class OS. That Windows has the means to work as a fully secure environment is a fact - that almost no one is able or willing to take advantage of this is unfortunate and, I would concede, MSFT's fault to a certain extent (yes, their marketing is very good. No, that doesn't mean everyone has to swallow it verbatim). Perhaps there is a higher percentage of clueless admins and developers (hey make the account an admin!!) in the Windows world. Certainly that would match the percentage of clueless users. That's what happens when you lower the entry barrier.

      Spyware that requires a "OK" to install itself, worms that come in inside password-protected ZIP files and millions of unpatched zombied Windows machines talk more about (IMO) the fact that computers are not easy to use, and Microsoft sure as heck didn't figure out how to combine ease and security. But, if they hadn't made the effort to make the PC easy to use there wouldn't be a million desktops to target - sometimes I really wonder which of the two evils is the worst. I don't think however that Linux or any other open source product is the silver bullet that will cure all these problems. You cannot engineer user stupidity away, you will never write 100% secure code from the get go, and you can never ensure that everyone who is using your product will constantly upgrade and patch - free or not.

  160. google os .1b by kraksmoka · · Score: 1
    google seems to be quietly readying its desktop tools and poised to try and knock m$ft off. so far, they have a search engine, email platform, news service, image service, shopping helper and even Answers. at some point, they are going to tie all of this together into the proverbial "simple, easy solution" to operate one's computer.

    their ultimate goal is to complete the inevitable commoditization of the windows platform. then it is only a short step to porting that system (web and desktop integrated) to other platforms that are open and freely available like gnome, to replace windows.

    --
    "You never want a serious crisis to go to waste." - Rahm Emanuel
  161. Did you let them know all this? by Anonymous Coward · · Score: 0
    You can leave them feedback at http://desktop.google.com/support/bin/request.py,
    clicking "about" and then "contact us" gets you there. Interesting to note that they already have voting options for the obvious missing features under "suggestions" (e.g. firefox support, more filetypes, etc.):
    • Index .pdfs
    • Index audio files
    • Support Mozilla Firefox
    • Partial word searches
    • Search folder names
    • Support more chat programs
    • More than 10 results per page
    • Add Desktop Search button to Google Toolbar
    • Other (Please describe below.)
  162. This is pathetic by Gurny · · Score: 1

    I don't know how this got posted. Are the slashdot editors trying to get net geek street cred by bashing a google tool that does what it is supposed to?

    Jesus guys.

    --
    I only post twice a year, who needs a sig?
  163. Re: Security Breach? Really? Dreaded "locate" by k2r · · Score: 1

    well, luckily not on systems with proper access-rights.

    But you are right in a way:
    KDE /konqueror seems to save its browser-cache as files labelled by sitename.

    KDE + sloppy access rights + locate
    = global browser history for anyone

    k2r

  164. Not just access, but lifetime by Flexagon · · Score: 1

    And it's not simply that GDS might allow access by others of files they shouldn't access. It's also that it causes files and other transactions to hang around longer than people think, due to the cache. For example, if you believe you've deleted a sensitive file or e-mail message, and even wiped it with one of several programs that can do this, you're wrong. The GDS cache still has the data. At the very least, this creates yet another place that data you thought was gone is still around (think personal info, future legal discovery processes, etc.).

    Mike Langberg of the San Jose Mercury News provided an additional view (reg req'd) yesterday. Sample quote:

    Second, the software keeps its own copy of all your Outlook and Outlook Express e-mail messages -- even after you delete them from within Outlook or Outlook Express. A confidential company memo, in other words, will still pop up during Google searches after you've emptied the Deleted Items folder in Outlook.
  165. Re: Security Breach? Really? Dreaded "locate" by Donny+Smith · · Score: 1

    RTFA - it is Google's search index that is accessible, it has nothing to do with permissions on user's files per-se.

    As not all Windows have the ability to set per-user permissions, they should have password-protected their software so that the search index file is accessible/usable only when the user is logged in to Google desktop search engine.
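
Added example, not written by any poster in this thread or by Google: a toy index (`CachedIndex` and `readable_by` are hypothetical names) showing the two properties raised in comments 163 to 165, namely that hits are filtered against the source file's current owner and mode bits at query time, and that cached copies of deleted files are never served and can be purged. It assumes POSIX mode bits only and ignores ACLs, parent-directory permissions and root's override.

```python
import os
import stat
import tempfile

def readable_by(st, uid, gids=()):
    """POSIX mode-bit check for read access (assumption: no ACLs, uid is not root)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

class CachedIndex:
    """Toy full-text index that keeps its own copy of each file's text."""
    def __init__(self):
        self.entries = {}  # path -> cached text
    def add(self, path):
        with open(path, encoding="utf-8") as fh:
            self.entries[path] = fh.read()
    def search(self, term, uid, gids=()):
        hits = []
        for path, text in self.entries.items():
            try:
                st = os.stat(path)  # re-check the source on every query
            except FileNotFoundError:
                continue  # source deleted: never serve the cached copy
            if term in text and readable_by(st, uid, gids):
                hits.append(os.path.basename(path))
        return sorted(hits)
    def purge_orphans(self):
        gone = [p for p in self.entries if not os.path.exists(p)]
        self.entries = {p: t for p, t in self.entries.items() if p not in gone}
        return sorted(os.path.basename(p) for p in gone)

def demo():
    with tempfile.TemporaryDirectory() as d:
        idx = CachedIndex()
        for name, mode in (("memo.txt", 0o600), ("notes.txt", 0o644)):
            path = os.path.join(d, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("quarterly budget draft")  # constructed sample text
            os.chmod(path, mode)
            idx.add(path)
        memo = os.path.join(d, "memo.txt")
        owner = os.stat(memo).st_uid
        before = (idx.search("budget", owner), idx.search("budget", owner + 1))
        os.remove(memo)
        return before, idx.search("budget", owner), idx.purge_orphans()
```
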

  166. Spyware? by SlipJig · · Score: 1

    I'd only consider this "spyware" if it sent confidential information back to Google without telling me. There's no indication that it does that.

    As for security against other local users, I agree with the vast majority of posters that this is a non-issue.

    --
    Read my keyboard review.
  167. Oh the irony by Rob+Nance · · Score: 1

    Anyone else see how terribly ironic this post is? "I doubt that Google, or any other company dedicated to develop software, could do such a silly application." Ummm, Microsoft does a thousand silly things a day as far as releasing software with massive security loopholes, why should Google be any different? I see your point, I do tend to hold Google in much higher regard than MS, but it's your wording that I found so hilarious. Now, with all that said, your defense is, "don't download it if you don't like what it does", it seems like it's more than that. Scenario, a student in a school has an account on a machine that multiple people use. They could load this software and then gain access to personal information from all users on this machine. This goes from a personal security issue for the person installing it on their machine to a personal security issue for all of those who use the machine. It's the equivalent of putting a keystroke recorder or a packet sniffer on a network to gather information. It is a software developer's responsibility to not release software that can be used maliciously, and this one sounds like it can.

    1. Re:Oh the irony by alexisbellido · · Score: 1
      Hi Rob, I did not intend to be ironic, but you are right, there is some irony in my comment. I agree that Google should have put a big note telling people not to use Desktop in public access PC's. I guess that Google could say that it's written in the license agreement, hey, maybe it is, but they know most of users don't read it anyway. A big notice telling what the software can and can't do should be needed, the use in public access PC's should be one point there and I guess there are many other considerations. Update after writing the last lines, I just read: http://desktop.google.com/eula.html and there is no mention about using the software in public terminals, I only found this in the FAQ:
      9. What about my privacy? Does Google Desktop Search share my content with anyone? We treat your privacy with the utmost respect. The Google Desktop Search program does not make your computer's content accessible to Google or anyone else. You can learn more by reading the Desktop Search privacy policy.
      Now, I am not sure if somebody has tested if you can search, and see, files from other users in a Windows PC. If everybody uses the same user I think it is very possible that this is so, but if using different users, uhhm, I am going to test. Best regards!
      --
      Alexis Bellido
  168. the geek who cried wolf by soloes · · Score: 1

    dioscaido seems to have a misconception of the word spyware, or a vengeance against google, not sure which.
    This is not transmitting any information to a 3rd party, or for that matter to any party. the information is gathered on your computer and so far cannot be remotely accessed (though I am curious as to how long it will take somebody to exploit this index).
    This software does not maliciously install. you have to choose to put it on your computer.
    This in no way resembles spyware, and calling it such is a prime example of why people don't take us seriously every time we cry wolf.

    If you want to worry about a problem with this indexing service worry about what can be done with it if accessed remotely.

    --
    New and improved Guilt. Now its alcohol soluble!