Google Desktop Search Functions As Spyware
dioscaido writes "Users of the Google Desktop Search software beware -- it indexes your files across all users on your PC, bypassing user protections. The Google cache feature allows all users to browse the contents of messages and files it has indexed, irrespective of who is logged in. 'This is not a bug, rather a feature,' says Marissa Mayer, Google's director of consumer Web products. 'Google Desktop Search is not intended to be used on computers that are shared with more than one person.'" Reminds me of a Neal Stephenson essay: "The Hole Hawg is dangerous because it does exactly what you tell it to. It is not bound by the physical limitations that are inherent in a cheap drill, and neither is it limited by safety interlocks that might be built into a homeowner's product by a liability-conscious manufacturer. The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it."
Spyware has a different definition...
Yes, it's in the 'getting started guide' and in the application FAQ. And as another user above said, "It only indexes files you would otherwise have access to anyway", i.e. if it gets indexed, there's nothing stopping you manually interrogating the file anyway.
I have tried to access the tool remotely. It appears that it only accepts connections locally on the computer.
--------- I have no signature
Not all your files. I have access to my Trillian logs (c:\program files\trillian) and those are not indexed.
Thank you Mario! But our princess is in another castle!
How the heck is this spyware? It's not like it sends it anywhere. That's what spyware does.
First of all, most Windows PCs are single-user.
Second, this just lets any user find anything that he has read permission on. As usual, Windows default settings are suitable only for single-user machines.
Third, it could only be "spyware" if it phoned home. Even the silly article didn't suggest that it does that.
Just another sensationalist /. headline. Nothing to see here ....
See what I've been reading.
The default file permissions seem to vary by the app that created them. My .mozilla and .kde directories are not world-readable, so the web caches would not get scanned. However, plenty of other files are world-readable by default, along with most documents I create.
This general situation has been around for many years. If you do share a machine, it's probably just a good idea to learn about file permissions in general.
Even worse.. Google's FAQ on Multiple Users states that it is not for multiple user systems, so all of this nonsense is perfectly within its working parameters, and as a beta program, is to be expected. Don't like it? Don't use it. Period.
"Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
You've misunderstood how the system works. Google's software caches each user's files while that user is logged in, and stores the cache in a location accessible by all users. So if your wife (for example) had a bunch of documents created before you installed Google Desktop, those documents wouldn't be searchable until she logged in and the software cached the results.
Read the article more carefully. As far as I can tell what's actually happening is that Google Desktop Search makes copies of users' protected files into an unprotected folder that may be accessed by all users. As the author says:
"I was not able to access the query results directly, but Google Desktop Search stores cached versions of search results found on your desktop, just like it does for its Web searches. The cached versions of the pages could be viewed."
Yes she did. As I understand it from other sources, the problem is when you install google desktop, you are administrator. As such, you index the whole hard drive, since the administrator has permissions to it. Later, this index is available to all users, and the cache allows for unprotected viewing of the contents of the files.
I read this article a couple of hours ago, so I did what any self-respecting geek would do: I tried to see if the reporter/bloghead was full of shit or not. If you don't want to read any further, he is.
He used a public machine, presumably using a single logon. The software functioned as expected. It cached, separate from your IE cache, all traffic it was designed to cache. He then was able to search the data that anyone left on the machine. I contend that any douchebag that is dumb enough to send sensitive data from a public terminal deserves whatever they get, ignorant or not.
The desktop search stores data in the c:\documents and settings\username\Local Settings\Application Data\Google\Google Desktop Search directory. On any PC that is relatively private, the average user isn't going to be able to search anyone else's data without a little bit of work. I had to actually copy the cache files from another user's profile to my PC in order to read the files. If I were sharing a PC, I'd have to have elevated rights and access to the other user's profile in order to see anything of value.
As far as I'm concerned, the reporter that wrote the article doesn't know squat. There's no story here. Well, there is. He should have written about the dangers of using a public terminal to send personal and/or sensitive data.
It's 11PM, do you know where your pants are?
The other thing is that locate doesn't let you search within files. Normally, the name of a file is not that important, what is inside is. There are exceptions, of course.
My cache is stored in: C:\Documents and Settings\[Current Account]\Local Settings\Application Data\Google\Google Desktop Search
I wasn't aware this was a publicly accessible folder. I'm not allowed to access said folder under other users' accounts, on this machine, unless I run as Admin. That said, I haven't tried searching for files that would be found only under their accounts.
Although it lets you set what to index and what not to index, the indexer starts immediately as soon as you install the software, thus not giving you the chance to exclude certain files and directories from getting indexed.
Simpy
First let me say this is a very powerful and convenient tool that works as advertised right out of the box. However, I am also upset by how easily this group defends Google and attacks Microsoft. I'm sorry, but if you are creating software you need to keep the users in mind and work with the environment you are given.
I have done a lot of research into how the Google Desktop system works. Here are some things I found...
1. The indexing "agent" (not a windows service) runs as the current user. So, Windows security should block Google from viewing those files.
2. Google installs its own web server on the machine and maps to port 4664. They also do a lot of validation to make sure you can only see this information from the local machine. This appears to be pretty strong.
3. Google stores its cache in the following windows directory: C:\Documents and Settings\username\Local Settings\Application Data\Google\Google Desktop Search -- Leading me to believe that this is user specific. I checked permissions on this; other users do not have access to the cache, leading me to believe they would have their own version of the cache.
4. Google seems to abide by the rules of the operating system. Unless they are somehow bypassing Windows security (being google they could reverse engineer anything I guess), this is pretty sound. So it really comes down to the user for setting permissions on their files. Otherwise any old search program could also find those files.
5. Google Desktop search is not spyware. I think the fear is how it integrates your desktop with the Google home page but the truth is no information is sent. At least that's what Google says. However, I looked at the source of what is returned and this is not done using client-side script or an ActiveX object, so I'm not sure how they pull this off. This sort of scares me. For instance, the path to one of my files is seen coming from their server.
Now, the bad side...
While I was impressed by the lockdown of interface to the local machine, this is easily compromised. In an hour or two I created a VBScript class that could host on the user's machine and use local HTTP to access this data. This means that spyware could be created that allows remote access to the otherwise ironclad cache. This is obviously bad since you could just start searching for passwords and possibly get them.
My suggestion to Google? Add additional settings. For instance, right now the default setting is EVERYWHERE, with some control over WHAT gets indexed. I suggest being able to point the index at specific folders, or be able to not index other folders. This is sort of like shipping a firewall with all ports open. Sure, it's up to the user to lock it down, but if you don't... bad things happen.
Also, more filetypes would be really good. Especially more code files, etc.
I also think the ability to share your cache could be an option. This would be handy to install on a corporate file server to provide access to files (this is the reason I created the remote access hack)
Of course this may be Google's strategy all along... make the free version do everything and be for personal systems, and then sell a version with more file types, more granular control, sharing etc. Sounds like good bait and switch to me.
So that is all. Very good software, very easy to use. Ships wide open and could breach privacy on beginner level users. Can be used for attack and Google needs to consider this. Overall.. thank you Google!
Hehe. Ah yes, that wonderful feature... you do know that if you boot up, say, Knoppix, you can read that 'encrypted' folder perfectly?
And removed it today.
I arrived home from work today, and fired up a simple search using my now-indexed Google Desktop. The first item listed, by dint of a coincidental search term, was an email my cleaning lady had sent.
The 'drill' in the email was NOT the one I was looking for.
I must say, I was quite surprised - the search cached viewed and sent emails from a private hotmail account - it even kept a view of the inbox.
This is, well, bullshit. Really - how many people NEVER have anyone else on their system. This search has wayyyyyyyyyyyy tooo much room for abuse - and once they fix it, I guarantee you this old version will be worth $$$ on the black market...
The last fucking thing you want is my undivided attention...
So what's then the problem? Regular users can't read the admin profile folder.
Beware: In C++, your friends can see your privates!
The feature for file permissions on XP home is still there (provided NTFS is used) but microsoft don't provide a way to use it. I have managed to find a way.
I was bored one day so I picked up an old CD lying about. It was an ISP disk which happened to have an old NT service pack on it. I thought to myself, since XP home is based on the NT kernel perhaps there is something in it that allows access to advanced features not in XP home. I extracted the files (not sure how) and most of it was useless crap. However when I used the winfile.exe which was with it I found I was able to access the dialog for file permissions (click security on the menu, then permissions).
I have uploaded it to my website, as several days ago some people on another board were wondering how to do the same thing.
Shameless plug for my site, where I have the file
The irony is that it removes one of the reasons to upgrade to xp pro and it was made by microsoft.
Hopefully you at least read the article. Because your trolling is not helping.
So as to not be a troll, the point is that anyone with physical access to your machine can install something that takes advantage of caches, or creates its own. This "news item" is blown out of proportion because the user went to a machine that had *already* had Google Desktop Search installed.
Any user that wanted to read all your yahoo email could just as easily have installed a key catcher, either hardware or software. Or all sorts of other types of spyware/snoopware.
The only real news here is that you shouldn't be doing anything you want kept private on a public machine. Is that news to anyone here?
In particular I'd like someone to prove the news summary posted here at slashdot, "it indexes your files across all users on your PC, bypassing user protections ". Go ahead and prove it. Come over to my house, install the software and then show me my Yahoo email. Good luck.
Joseph Elwell.
I'll assume that you're talking about NTFS file permissions...
On a Windows XP box, disable "Simple Sharing". After a quick reboot, right-clicking on a file shows the standard NTFS File & Share permissions.
I am John Hurt.
I installed the google desktop search.
I had to be an admin to do the install. That means I have to have rights to read all files on the machine to install it.
I switched to a non admin account, I was told only the original person who installed it could run it.
I switched to a different admin account, tried to run it, got the message that only the installer could. I attempted to install it again under this account, I got the message that it's not meant for multi-user systems, only one user can install it on a PC at a time.
So in summary, if you don't trust someone who's an admin on your system, don't use that system. The search only makes it easier for them to see your data - they already have rights to.
XP Home does allow you to set file and folder permissions on NTFS drives; it just doesn't provide the GUI tab you'd use in XP Professional. You've still got cacls.exe that you can use from the command-line. There are many things in Windows XP that can be controlled from the command-line that most people know about.
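An added example, not part of the comment above and not Google or Microsoft code: a Python parser for `cacls` output that reports which accounts, other than the owner, SYSTEM and Administrators, can read the Google Desktop Search cache directory named earlier in the thread. The account names (`HOSTPC\alice`, `HOSTPC\bob`), the sample output and the assumed output layout are constructed for illustration.

```python
import re

# One ACE per line in the assumed classic cacls layout: PRINCIPAL:(FLAG)(FLAG)PERM
ACE = re.compile(
    r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)"
    r"(?P<perm>[NRWCF]|\(special access:\))$"
)
READ_OR_BETTER = {"R", "C", "F"}  # Read, Change, Full control


def parse_cacls(path, output):
    """Return (principal, flags, perm) tuples from cacls text for one path."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        # cacls prints the path in front of the first ACE only.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            flags = re.findall(r"\(([A-Z]+)\)", m["flags"])
            aces.append((m["who"], flags, m["perm"]))
    return aces


def exposed_to_others(path, output, owner):
    """Principals besides owner, SYSTEM and Administrators that can read."""
    # Administrators are skipped: as the thread notes, an admin can take
    # ownership and read the files whatever the ACL says.
    trusted = {owner.lower(), "nt authority\\system", "builtin\\administrators"}
    findings = []
    for who, flags, perm in parse_cacls(path, output):
        if who.lower() in trusted or "DENY" in flags:
            continue
        # Special-access ACEs are reported for manual review.
        if perm in READ_OR_BETTER or perm.startswith("("):
            findings.append((who, perm))
    return findings


# Constructed sample output, not captured from a real machine.
CACHE = (r"C:\Documents and Settings\alice\Local Settings"
         r"\Application Data\Google\Google Desktop Search")
PRIVATE = CACHE + r""" BUILTIN\Administrators:(OI)(CI)F
    NT AUTHORITY\SYSTEM:(OI)(CI)F
    HOSTPC\alice:(OI)(CI)F
"""
SHARED = PRIVATE + r"""    BUILTIN\Users:(OI)(CI)R
    HOSTPC\bob:(OI)(CI)C
    Everyone:(DENY)W
"""

if __name__ == "__main__":
    for name, text in (("private", PRIVATE), ("shared", SHARED)):
        print(name, exposed_to_others(CACHE, text, r"HOSTPC\alice"))
```
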
You're conflating NTFS encryption with NTFS access control lists. It might be useful to read up on NTFS encryption. Some useful links include the step-by-step guide to EFS and an overview of EFS in XP/2003.
To encrypt a file, a random symmetric file encryption key (FEK) is generated. This is used for the actual file encryption and this key is in turn encrypted with the user's public key (and the public keys of any designated recovery agents) so that he can use his private key to decrypt the FEK and use that to decrypt the file. A user's private key is in turn encrypted by using the user's password. This is why resetting a user's password (as an administrator) without knowing the previous one will give you dire warnings about them losing access to any encrypted files they have; the new password wouldn't be able to decrypt their private key without which they can't decrypt the FEK keys which are used to actually decrypt files.
So, failing possession of a user's password or a major break in one of the (peer-reviewed and fairly well-respected) algorithms involved, booting into Knoppix won't allow you to access the plain text of encrypted files.
Access-control lists, on the other hand, are only secure insomuch as the host OS respects them, providing no other guarantees, cryptographic or otherwise. So you could indeed set a folder to deny access to Everyone and then access it in Knoppix without any issues. Even in Windows, an administrator can change the owner of the folder to themselves and then modify the ACL as they desire.
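An added example, not part of the comment above and not Microsoft's implementation: a Python model of the key chain that comment describes (password protects the private key, private key unwraps the FEK, FEK decrypts the file), showing why a reset password cannot recover the file. The unpadded toy RSA key and the hash-based stream cipher are insecure stand-ins chosen so the block runs on the standard library alone; all names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair built from two known Mersenne primes: a stand-in
# for the user's EFS key pair, unpadded and NOT secure, here only for the chain.
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_stream(key, nonce, data):
    """Toy stream cipher: XOR data with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key, data):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, data)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key: cannot unwrap")
    return _xor_stream(enc, nonce, ct)


def _kek(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def protect_private_key(password):
    """Step 3 of the chain: the private key is stored sealed under the password."""
    salt = secrets.token_bytes(16)
    return salt + seal(_kek(password, salt), D.to_bytes(81, "big"))


def encrypt_file(plaintext):
    """Steps 1-2: random FEK encrypts the file; the public key wraps the FEK."""
    fek = secrets.token_bytes(32)
    wrapped_fek = pow(int.from_bytes(fek, "big"), E, N)
    return wrapped_fek, seal(fek, plaintext)


def decrypt_file(password, protected_key, wrapped_fek, body):
    """Password -> private key -> FEK -> plaintext; any broken link raises."""
    salt, blob = protected_key[:16], protected_key[16:]
    d = int.from_bytes(unseal(_kek(password, salt), blob), "big")
    fek = pow(wrapped_fek, d, N).to_bytes(32, "big")
    return unseal(fek, body)


if __name__ == "__main__":
    key_blob = protect_private_key("old-password")
    wrapped, body = encrypt_file(b"constructed sample document")
    print(decrypt_file("old-password", key_blob, wrapped, body))
```

Calling `decrypt_file` with any password other than the one used in `protect_private_key` raises `ValueError` at the first link, which is the situation an administrator's password reset leaves the user in.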
I don't know about your OS, but mine does not send my usage data to third parties.
It isn't accessing the Internet - it uses a local loopback connection to talk to its server, but your firewall doesn't distinguish that.
Google Desktop can send debug info to Google, but the claim is that it sends no information about what you searched for or your local file contents to Google. You can opt out of the debug and statistical info collection.
Then why do they distribute Linux install disks attached to the cover from time to time?
All that lets you do is bypass access control lists. You still won't get access to encrypted files since you need the original password to decrypt a user's private key which is then used to decrypt the specific file's encryption key which is then used to decrypt the file. A reply to the great-grandparent of this post gives more details.
It's probably nonsense, but not impossible. On a standalone default install, the root private key is stored in the registry and could be read by another OS.
A more secure setup would use a directory server or an external key.
I may be incorrect on this (XP Home is evil and I won't use it) but IIRC, you can't disable simple file sharing (also evil) on Windows XP Home. For XP Pro users, your suggestion is correct though.
The first rule of system security is that the only security is PHYSICAL security.
;-). You need to make that decision yourself but I do admit that most kids can find out what they need to know to penetrate any parents' computers VERY easily. I do cruise the script-kiddie boards (often) to see what they are up to and the tools are all there within easy reach (Google search ;-) ).
What are the flaws here? It's a publicly accessible machine. Anyone can walk up and since it is publicly accessible, can merrily publicly access away. The presence or absence of the Google search tool in and of itself means nothing. In addition, with the tools that I have here, even if you DID have individual accounts I can own that machine, one way or another, in under a minute. It would slow me down some if someone with real Windows knowledge set up the system security, but that is all that would happen, it would slow me down. After all, I do this for a living (systems security consultant). Don't be overjoyed Linux users, if I know your version, I can get you too. I track the vulnerability lists on a daily basis and no one save the truly paranoid (moi, of course) patches THAT quick!
Now, in the context of a personal PC, whose ox is getting gored here? No one. By definition. Note, I said personal PC. My personal PC, fully locked down Win'Server 2003 Ent., or as fully locked down as you can get with Windows (snort), happens to have this beast installed and yes I did pause to read the documentation, EULA, and all the warnings that they posted. This is just another search tool that just happens to use a web server front end so you can search using a browser interface that looks just like Google. Powerful (not Windows Find in my book) search tools have existed for eons in the computing world. This is yet another one and pretty spiffy actually. I was pretty impressed that it found in under a second something that I had been searching for for days, yes even with some pretty powerful search tools. Nice job!
Now, is my system less secure? No, if someone walked up, or happened to break into my system from the outside (about as likely as hell freezing over), then yes, having this available to them is a bit more of a problem but if they get in the door, then they already know where to drill down for personal information. Anything I'm really interested in protecting (under NDA, etc.) is already living on an encrypted HD with a VERY long key. Again, I'm paranoid. For the average user, again, once in somehow the presence of this tool changes nothing.
What is interesting is the potential for abuse in the case of a family or office setting. Be assured that half the problem in knowing where to go in those settings is identifying the interesting places and then you can identify the system security penetration required. This is NOT recommended for use in an office setting, but Google points out that it was not intended for such use anyway and spells it out most eloquently in the EULA as well. You do read the EULA, don't you? I do.
For the home, how much do you want to hide from your parents, spouse, or kids? Having no spouse or kids, I can't say. As for my parents, I'm the one locking down their systems
So that's my two cents. Mere FUD. BTW, what idjit uses a public computer and expects no one to know what they are doing? Apparently a LOT of idjits according to a fellow SysOp elsewhere that happens to have a day job at a large library. If the cops want to catch a lot of kiddie porn and kiddie stalkers, I can tell them right where to go, but they aren't listening (sigh).
NetBlackOps
-"Never give entropy an entrance!"
OK, so this guy who wrote the article is a moron. I installed this on my Win2000 machine using my main account which is an Administrator account (but not 'administrator') and had it index my machine. I then switched to the 'administrator' username just to see what would happen, and it says that it was installed by somebody else (a different account) and couldn't run. Therefore, there is no security breach that I can see, and I was using two different administrator accounts.
The FAQ mentions multiple users who use the same login and password. Well, of course, duh. If several people use the same account, of course they can see the same files. It's the same damn account.
And one more thing, it isn't spyware as spyware returns information about you to someone else, like a company. At most, it could be classified as a 'privilege elevation' of sorts, since purportedly you can see other people's files, although I can't reproduce this on my machine.
In XP you have to, in any folder, go to tools --> folder options... --> view (tab) --> scroll all the way down and uncheck "Use simple file sharing (Recommended)". That will give you a "security" tab in the properties of every folder and file allowing you to set NTFS permissions from explorer.
Centralization breaks the internet.
My school used to run a hodgepodge network of Windows 98, 95, and Me machines. The only halfway safe thing was that the pentium 133 running NT4 acting as a gateway. Their goddamn fileserver ran Windows 95A, sharing GRADES AND PERSONAL INFORMATION over SMB. They came to me one day and asked me if I could help them out, tell them why their network was so unstable. I couldn't do anything but laugh at these fools. To my knowledge, it's still run on the same computer 4 years later.
The image is a dream, the beauty is real. Can you see the difference?