Google Desktop Search Functions As Spyware
dioscaido writes "Users of the Google Desktop Search software beware -- it indexes your files across all users on your PC, bypassing user protections. The Google cache feature allows all users to browse the contents of messages and files it has indexed, irrespective of who is logged in. 'This is not a bug, rather a feature,' says Marissa Mayer, Google's director of consumer Web products. 'Google Desktop Search is not intended to be used on computers that are shared with more than one person.'" Reminds me of a Neal Stephenson essay: "The Hole Hawg is dangerous because it does exactly what you tell it to. It is not bound by the physical limitations that are inherent in a cheap drill, and neither is it limited by safety interlocks that might be built into a homeowner's product by a liability-conscious manufacturer. The danger lies not in the machine itself but in the user's failure to envision the full consequences of the instructions he gives to it."
Whether or not Google intended this, I take great pause at knowing any e-mail I write or read on a PC with Google Desktop Search could be called up and read by a complete stranger.
This application is intended for single user machines which pretty much limits it, in most cases, to home machines. I don't have complete strangers roaming around my house so it is not an issue for me.
Mayer dismissed my concern that this is a security issue. She points out that you can configure Google Desktop Search not to index Web pages or specific domains. That would prevent Google Desktop Search from indexing and caching the URL "mail.yahoo.com".
So what part of that did the reporter not understand? Finally, this is not mandatory software. A user has to hunt it down, download it, and install it. So don't use it if it is a problem for your computer. Now, I am not trying to be a jerk and some of this is said with tongue planted firmly in cheek. Still, you gotta wonder why people need to find things to be upset about. I am not sure why this irks me so much, maybe I should drink less coffee.....
http://www.busyweather.com/
From reading the article, there is no indication that protected files were actually read. In fact, pretty much everything he talks about seems to have been pulled from the web cache. With default security on Windows XP, each user's cache is accessible to the other users. As are everyone's Outlook data files. This is not great security, but that is not Google's responsibility.
So, I'd be really interested to know if the desktop search application runs as an admin process, or with system rights. Unless it does, this article is nothing but hot air. Google indexes files that you can read anyway? OMG!!! This is teh suxxorz!!!
And spyware? Hardly. Nothing in the article even comes close to suggesting that all of this indexed information is transmitted anywhere.
Floating face-down in a river of regret...and thoughts of you...
Keep in mind that once you have physical access to the machine, all bets are off.
However...
Google's tool could be a danger if someone figures out a way to launch it remotely, by getting a user to click a link, or through some Windows exploit. If so, it's plausible that a remote attacker could gain access to the cache and use the information to gain administrative access to the machine.
---
"I contend that we are both atheists. I just believe in one fewer god than you do. When you understand why you dismiss all the other possible gods, you will understand why I dismiss yours."
-Sir Stephen Henry Roberts
The Hole Hawg is dangerous because it does exactly what you tell it to.
Yes, well computers in general are dangerous because they are very good at doing exactly what you tell them to do. For better OR for worse.
Per Square Mile, a blog about density
Since when does this constitute spyware? To my knowledge, spyware sends information to a third party without the user's knowledge.
It indexes all the files that you'd have access to anyway...
Can't see what the fuss is.
My Journal
Windows users have had "home" directories that are inaccesible to anyone except themselves and a domain administrator since NT4 was released. If this Google tool is allowed to index things it's not suppose to index, then that's not Google's fault, and it's certainly not Microsoft's. It's the fault of whomever configured that machine. AFAIK NTFS security has not been comprimised yet.
And the "spyware" tag? Love it. FUD works both ways, doesn't it?
I just installed Google Desktop today, but so far I'm pretty impressed. Even though it's still indexing, I haven't noticed any difference in speed.
Google Desktop isn't spyware, because it makes what it is doing clear before you install it. Of course it reads your files; that's how Google works. As long as my data doesn't go back to Google, I couldn't care less.
And actually, if everyone could choose just some of our files to make available publicly, think how much more useful Google would be.
Maybe that's their plan. Get everybody to index their disks, and than offer killer p2p on Google.com.
Does anybody *else* think that would be awesome?
The locate command was designed to get around the terribly slow transversal of directories when looking for a particular filename. It suffered the same basic design flaw in that it did not take user permission into account. The slocate (s as in secure) was designed to get around this obvious flaw. I'm a tad surprised Google didn't see this one coming. Maybe they've been hiring a few too many PhDs and not enough folks with real experience :-)
Does it install itself onto your PC without your permission? No.
Does it gather personal information and send it to Google? No.
Does it run secretly in the background, with no way to remove it save an anti-spyware tool? No.
Does it allow you to access anything you couldn't access without it? No.
How is this spyware again? Or even a security threat? As another poster pointed out, this tool doesn't access anything you couldn't access through Explorer.
What's this, is Slashdot helping to spread FUD?!? Say it ain't so!
Users of the Google Desktop Search software beware -- it indexes your files across all users on your PC, bypassing user protections.
This is just too misleading to be accidental. Talk about bias.
So dioscaido, you are suggesting Google defeats NTFS users/groups directory permissions and encryption?
No?
Oh.
Yeah, that's what I thought. Completely irresponsible journalism at work folks.
Basically this utility works NO DIFFERENT than "Start-->Search-->Search IN files", except that noobs don't know how to use Search properly, and Google search is "prettier". Oh, and MS's brain dead Search can't peek inside compressed files. Whoopie-do.
If I were more cynical, I'd chalk this fear-mongering up to someone with a lot of Yahoo stock, or someone afraid their wife/husband will find email evidence of an extra-marital affair. By default in Windows, ALL USERS CAN READ EACH OTHER'S FILES.
Nothing to see here, move along..
DISCLAIMER: I own no Google or Yahoo stock.
PC World has long been a Microsoft yellow journalism rag. It's just Microsoft Corp.'s Department of Monopoly Security at work.
Really, the Google tool is simply very powerful and is merely exposing the low default security in Windows profiles to the masses--but it's nothing me and the parent haven't known for 4 or 5 years now..........
Nothing to see here.
Cool! Amazing Toys.
while i can understand why some people might be leary of the security implications here, how in the world does this qualify as spyware? it doesn't pop up annoying adds, it doesn't send my data to some secret gathering place, it doesnt report any of my habits to any other person (unless thay also have physical access to my computer and can search for that information)
oh yeah, got ahead of myself. spyware is the new virus. its just a word one person uses to scare another person when neither one really knows what they are talking about. nothing to see, move along...
If I don't put anything here, will anyone recognize me anymore?
The problem as I see it is in the startlingly easy way google desktop search makes intrusion possible, sometimes even without the person searching intentionally looking into other user's data. Any keyword I type is an instantaneous hook into the world of the other user who used the pc before me. That is what I find scary.
/. user. It only indexes files in your Documents directory, it only indexes a handful of files (.doc, .xls, .txt, .html files for example). It has SEVERAL limitations that are annoying. For example: I want it to index my java source code and javadocs for the project I'm working on. However, it refuses to index them.
But that's just it. It's a SEARCH tool. It's supposed to find things that you don't know about. If it didn't, it wouldn't be a very good search tool. This should not be installed on public computers. And, if you are personally are concerned about it, there are products out there that will store all that sensitive information (browser history, email files) on a USB drive that you plug into the public computer before use.
As it is, I don't know how useful it will be to the average
Also, it doesn't index my Firefox cache or history, nor does it index my Thunderbird mail files.
In other words, nice try Google, but it's not useful to me (yet).
Don't count your messages before they ACK.
Considering that the essay is largely about the superiority of Unix, and the blindness of the prevailing PC/Mac culture to the existence of Unix, the PC/Mac dichotomy presented here seems oddly appropriate.
Of course this notion of "downloading" a compressed version is dumb. Harper Collins just needs to add mod_gz to their web server, so they can transparently compress for most modern browsers.
I doubt that Google, or any other company dedicated to develop software, could do such a silly application. In any case, it would be Windows fault if their supposed protected files could be ready by a user (or application) not authorized. Also, as somebody already pointed, nobody is forcing you to donwload and install this tool, if you wanna use it then do so, it's free and it's easy.
Alexis Bellido
I agree 100% it should honor the ACLs, but I wonder if we could do anything else?
We essentially have the google bot on our machines, would it be good to honor the standards the realbot uses?
Would it pick up and honor my robots.txt file?
Will we start seeing meta tags inside emails and word documents and stored pages to exclude from indexing?
liqbase
"Of course, all this seems silly as linux has had proper file permission settings forever whereas Windows has just recently added that feature."
Windows has had proper file permission settings since Windows NT 3.5 shipped September 1994. Slackware 1.0 (I consider this the first viable installable distribution) shipped August 1993. That's a whole year different. Percentage wise, Linux has had proper file permission settings 10% longer than Windows.
Not to mention, Windows ACL are more fined grained than what most Linux distributions offer.
To preempt the argument that Windows defaults are insecure: I am comparing the technical abilities of the systems out of the box; which are the tools an administrator may use to configure what he feels are "proper file permission settings."