Google Desktop Search Under Fire
AchilleCB writes "CNN and many other sources are jumping on the Google-privacy-bash bandwagon, they are carrying stories warning of more privacy implications regarding Google's Desktop Search, "if it's installed on computers at libraries and Internet cafes, users could unwittingly allow people who follow them on the PCs, for example, to see sensitive information in e-mails they've exchanged. That could mean revealed passwords, conversations with doctors, or viewed Web pages detailing online purchases." ... Type in "hotmail.com" and you'll get copies, or stored caches, of messages that previous users have seen. Enter an e-mail address and you can read all the messages sent to and from that address. Type "password" and get password reminders that were sent back via e-mail."
So the actual problem is that public computers aren't secure? Google Desktop Search doesn't do anything more than what a halfway good script kiddie can do. I say that all public computers install the software and plug the permissions problem on the OS. If everyone can SEE the insecurity then the users will either
Choose one or proactively make a "none of the above choice" by doing something about it.
PS we almost freaking died out here - it's been over an 1 1/2 since the last story.
Searching through e-mails only works if you're using a mail client, why would someone in a cafe use Outlook to check their email?
It's not google's fault that other programs leave data out in the open. The search tool does nothing a regular user couldn't do!
Didn't we already determine that Google has stated Desktop Search is not for use on multiple-user machines and that you can always restrict domains, directories and result types from inclusion despite the fact that the files are still publicly accessible.
...google provides this tool, for personal use. Any libraries/public terminals that ALLOW the desktop search are the real problem here, not the desktop search agent itself.
I've been using the desktop search for a week, and find it indispensable now. But, like any good, powerful tools, it can be misused, in a mis-configured environment.
Basically, just watch where you surf on a PUBLIC machine. duh.
"The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
how difficult it would be to make an Open Source version of a desktop search.
Isn't it time that media start to put up opposition to services that compromise privacy in fundamental ways? I think this bandwagon is one that isn't so bad to have going on.
Google does great things, but without such opposition, they might not keep all issues in proper perspective. The things they mention are very important.
First of all, GDS does not bypass security or username/passwords. These files are accessible via the IE cache using Windows Explorer anyway. The index is stored in %USERPROFILE%\Local Settings\Application Data\Google\Google Desktop Search
Plus, why do these people have rights to install GDS on library computers? The libraries need to take notice by using a policy control to begin with.
It's a GOOGLE DESKTOP SEARCH tool. It says SEARCH in a screaming font. If that doesn't ring these people's bells, then they need to buy hi-fidelity headphones that are used by chronic deaf.
Blaming the knife company when the kid cut itself playing with the knife.
Free XBox, PS2
We all are aware that privacy and Google are a potentially dangerous combination, why is this surprising?
So if I have user rights on public computers to install software for all users and store large data stores of cached information that is accessible to everyone it would be very simple to exploit that in order to install way more effective spying software such as keyloggers, remote monitoring software and other such software.
Notice people that write this software are the same group that use clippy to help them use Word and the same people that think anti-virus means complete security. Nuff Said!
This is obvious fear mongering on the part of the media. Clueless as always.
Sheesh, I'm sure it will go through many more revisions before the thing is actually released as final. Where are these muckrakers when the legislature and the president pass laws that invade privacy?
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
...it becomes easier to see the "security through obscurity" really doesn't work. It's not that a desktop search compromises security, it's that the security wasn't there in the first place.
I am not your blowing wind, I am the lightning.
But who on earth would be so incredibly intelligent to install something like the google desktop search on a public computer?
There may be other valid concerns about google desktop search and privacy, but this is just silly.
It's not as if Google didn't document this. If you're installing this on a public system without any real form of user access control, then you're asking for trouble. Google desktop doesn't do anything that an end-user wouldn't be able to do with a little cache snooping and looking in temp files. Really, Google Desktop doesn't belong on this open of a type of system, and in addition one really shouldn't be using such an insecure system for anything very sensitive.
Maybe Google just needs to make the warning a bit more obvious, like a huge "WARNING: Google desktop allows you to search all files on this computer" or something.
-jason
If I could only live my life with my threshold at 4...
... the whole email argument is stupid as far as internet cafes and libraries are concerned. I mean, come on. Do you honestly set up an email client for your ISP, download mail to a PUBLIC system, and then LEAVE IT THERE!!! If you want to argue about privacy concerns, argue about something that really breaches your privacy. These attacks on the desktop search are really pissing me off lately. Oh, and for those who check their hotmail and yahoo or whatever, clear the bloody cache if the systems are set up to let you. Hell, they should do that by themselves if they are properly set up cafe or library machines anyway to protect your privacy. In fact, they should be set up so YOU CAN'T INSTALL APPS!!!! Damn I'm sounding shitty this morning. :) Ok, end of rant....
sigs are like a box of chocolates, they all suck remove the underscores to email me
OH please. Google could easily exempt obviously private data. Go away troll.
Hey, that stuff is there whether you use Google to show it to you or not. I say we thank our Google Overlords for showing the masses how stupid it is to read e-mail or get passwords on a public terminal.
Nothing new here except that Google has all of a sudden made it easier to look up "private" information that is locally cached. The data is already there for someone who knows what to look at, after all, but now Google's made it easy to access. How is this different from typing something into the address bar of a browser and being presented with an "interesting" list of choices that were stored via the browser's autocomplete functionality?
Eric
Read a bit of Vioxx humor
This evil thought just occurred to me. What if I installed tightVNC and used the no-tray icon trick on a target computer, then installed Google desktop search and set its taskbar icon to "always hidden." A normal user wouldn't go looking for unfamiliar executable names in the ctrl-alt-del menu, so it would be possible to log a user's activity through Google desktop search and retrieve it quickly through tightVNC.
When some teenage kid writes a worm that takes advantage of the google search and takes personal information off your computer. Hmm more like a trojan but you know what I mean. I will be able to probably send your ms money backup or your quicken backup straight over the internet back to him in an email. That is always fun to deal with. It is already easy to get that information why make it easier
what kind of dumbass checks very private email conversations on a public computer anyways?!?! that's their fault, not google's -jordan
What really gets me is the Slashdot response. If Microsoft had released similar search feature, it would be one more nail in the coffin of poor security, no matter what user advisories they had given. When Google does it, we all jump to say that Google expressly warned against using this on a multi-user box.
I'm guilty of it, too, but let's not lose sight of the goal--better privacy and security--just because one company has a better track record.
Under capitalism man exploits man. Under communism it's the other way around.
Build a system that is idiot proof, and someone will build a better idiot!
All joking aside, if you know what it can do, and
you use it, who is to blame? Not me! Not google!
YOU ARE!
I have seen this program in use, and yeah! it seems
to be useful, but I know where I keep my stuff,
so I don't have these problems! Keep your stuff sorted
and know what the heck you doing, and everything should be fine.
On a side note, this reminds me of the idea of the internet license.
If I wrote something witty, you would say I stole it from somewhere.
Google Desktop is making available to people information that they don't realize is already being stored on computers. Before Google Desktop you might leave a public PC and think you've safely logged out. Now you can use Google Desktop to discover how much sensitive information you've actually left behind and do something about it.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
One solution would be to force log-ins/log-outs of public PCs. You'd have to go to the librarian or coffee jerk and request a "user card," which is just a slip of paper with a dynamic username/password generated by an administration machine. That admin machine has remote access to the public machines, and can make a new, dynamic user (e.g., pubuser_230) by the batch for the day or even on-the-fly. Or just update an LDAP table that all the public machines look to... The account expires in 24 hours and-- pfft!-- so do all of the files in that account's home directory (or Documents and Settings).
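A minimal model of the expiring "user card" accounts proposed in the comment above, added here as an example and not part of the original thread. The function names, the `pubuser_` prefix and the homes directory are assumptions; creating the real OS or LDAP account is left out, and only the card issuing, 24-hour expiry and home-directory wipe are shown.

```python
"""Expiring kiosk accounts: issue cards, then wipe homes on expiry (constructed example)."""
import secrets
import shutil
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path

ACCOUNT_LIFETIME = timedelta(hours=24)  # the 24-hour expiry from the comment
USER_PREFIX = "pubuser_"                # assumed naming pattern (pubuser_230, ...)
# Drop look-alike characters: the card is a slip of paper read by a person.
ALPHABET = "".join(
    c for c in string.ascii_lowercase + string.digits if c not in "l1o0"
)


@dataclass(frozen=True)
class UserCard:
    username: str
    password: str      # printed on the card; a real directory stores only a hash
    expires: datetime


def issue_cards(count, now, first_id=1, pw_len=10):
    """Generate a batch of cards with random passwords from the OS CSPRNG."""
    cards = []
    for n in range(first_id, first_id + count):
        password = "".join(secrets.choice(ALPHABET) for _ in range(pw_len))
        cards.append(UserCard(f"{USER_PREFIX}{n}", password, now + ACCOUNT_LIFETIME))
    return cards


def provision(card, homes_root):
    """Create a private home directory; fail if the name is already in use."""
    home = Path(homes_root) / card.username
    home.mkdir(mode=0o700, parents=True, exist_ok=False)
    return home


def purge_expired(cards, homes_root, now):
    """Delete the homes of expired cards.

    Returns (cards still valid, usernames purged). Refuses to delete any
    path that does not resolve to a direct child of homes_root, so a
    symlinked or oddly named entry cannot redirect the wipe elsewhere.
    """
    root = Path(homes_root).resolve()
    kept, purged = [], []
    for card in cards:
        if now < card.expires:
            kept.append(card)
            continue
        home = (root / card.username).resolve()
        if home.parent != root or not card.username.startswith(USER_PREFIX):
            raise ValueError(f"refusing to purge unexpected path: {home}")
        if home.exists():
            shutil.rmtree(home)  # browser cache, mail, downloads all go with it
        purged.append(card.username)
    return kept, purged
```

Run `purge_expired` from a scheduled job on the admin machine; because each session's cache and profile live under its own home, nothing from an expired account remains for a later user or an indexer to find.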
Wah. Don't install it on public computers. They don't need to search through files anyways.
What is someone going to find if they install this on a library computer? livejournal.com pages? Orlando Bloom pictures? Lyrics to an Eminem CD? chat sessions with pinkkitty5555?
why does a public place need the google search tool installed?
--J--
You want what with that?
If you type your credit information, social security number, etc on a PUBLIC computer then you are asking, nay, begging to get screwed. And not in a pleasant way.
"You are going to die." - William Shatner
The idea of insecurities on public machines is not new. Obviously. However, these insecurities are made much more user friendly by the Desktop Search. It used to be script kiddies that could crack the cafe or library computers, now it seems it could be many people. I think the media is right to raise this issue and people should be wary of the Desktop Search on public terminals
That said...
Can anyone think of why the Desktop Search app would be installed on a library public terminal or internet cafe machine? I used a terminal at my library and it was running Solaris with Firefox and was nicely locked out for all other apps. Is this unusual? What are other public terminals using?
The fact is that anything new that Google does will come under attack, regardless of its usefulness or security implications. They can't attack the usefulness, in this case, but installing it on a public terminal would not be possible if the security of the terminal were not lax in the first place.
I admit that the same argument can be used with almost any product.
"It's a memory aid! A robotic assistant! An epidemic detector! An all-seeing, ultra-intrusive spying program!
The Pentagon is about to embark on a stunningly ambitious research project designed to gather every conceivable bit of information about a person's life, index all the information and make it searchable."
http://www.wired.com/news/business/0,1367,58909,00.html
Would Google Desktop Search be a great part in achieving this?
You bet.
"users could unwittingly allow people who follow them on the PCs, for example, to see sensitive information in e-mails they've exchanged." Wouldn't the same users leave cookies, history and temporary files that could be viewed by anyone following them? If so many people are ignorant of this fact, isn't the duty of the library or "cybercafe" to post a notice about this possibility and what to do to protect yourself?
Some considerations:
In favor of google: I do think they had the intent on creating a useful tool.
In favor of google: As far as I know, all the information that their desktop search tool exposes can be found in similar ways using a variety of tools including MS windows own 'find-in-files' search options. In other words, their desktop search tool doesn't go out and break user-protected barriers.
Against Google: Just because your intent is honorable doesn't mean you can ignore privacy concerns.
Against the media (CNN, et al.): No integrity to be found for a while now! Just plain bashing, advertising, manipulating, money-making propaganda.
my $0.02
It's getting old, guys.
An 'objective' news for nerds site would be a pleasant change.
How much privacy before or after usage of a system in a public place do these people think they actually get? They are public, not your home system.
Also, who would be sending private emails or requesting passwords via a public terminal and not know that this info could be seen after whether the Google utility is installed or not.
I'm calling Overhype on this.
Okay, maybe it's just me, but I don't see any need for search capabilities like Google's program on public-access computers. People use them for, what, like an hour at most (at a time)? If someone manages to "lose" something in that short of time and needs to use Google to find it again, they probably should not be let anywhere near a computer. Not to mention that this probably isn't installed on these computers by the IT staff, and temporary users shouldn't be able to install apps (like this one) anyway, so it's a non-issue.
William George
or a cafe one also? You're just buying time on or using the system for general usage not for storing files.
Why doesn't the media report on the fact that most analysts were talking down Google's IPO since they tried to cut out the middlemen?
Or how one AG can manipulate the market by hinting at an investigation into an industry, HMO's?
Shut the fuck up.
The innovation itself is not what is scary. I think it's a great idea to finally update the antiquated file search programs we've been using for years. What's got people paranoid is that google is creating a standard data format to index all our data (web browsing info, emails, im chats, contents of our computers). With the plethora of security vulnerabilities out there it seems very dangerous and even naive to assume this information can't be gathered in mass quantities and then abused.
My experience has been that it is also a performance hog. It slowed my computer (P4 2.6 GHz 1GB RAM) to a crawl. http://www.simplechronicle.com/2004/10/now-coffee-is-linked-to-inflammation.html
I dunno where you've been living, because the quality of Husqvarna equipment has dropped drastically in the past few years. Stihl chainsaws and grasscutters are t3h shizzlest these days. I should know, as I spent a good part of the summer doin' some heavy duty cutting stuff with one. The Stihl equipment was much better compared to the Husqvarna stuff I've previously used. The real pros, too, use Stihl saws (and prefer them over the more expensive, yet less reliable Husqvarnas). So shut your mouth.
with the reference to hotmail.com this is beginning to sound more and more like another MS astroturf campaign. I can imagine hotmail business has dropped off some since gmail has started, and gmail is still in beta testing.
how is it that mass media gets their balls twisted in a knot over something they don't understand when it involves an up-and-coming company with good practices, but when it comes to international politics, they like to walk on by the heinous deeds?
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
Wait! If we don't search for every private bit of information on public computers, then we could be accused of missing potential advanced warning of the next 911 terrorist plot.
:)
The Google engine should be required under The Patriot Act to forward everything that it finds on every public computer to Homeland Security at connectthedots.gov
Defensive measures such as logout and flushing the cache are acts of terrorism.
If library computers are not being locked down and letting random users install programs, then the Google Toolbar is the least of their worries. If someone is trying to harvest some passwords or just see what people are doing, a simple keylogger or any of the other hundreds of "hacking" tools out on the internet could be installed instead.
"Well kids, you tried your best, and you failed. The lesson is, never try." -Homer Simpson
more crap for the media to stir up regarding privacy acts on software creators/dotcoms. I faintly remember this happening to another big software company.
So don't use a PUBLIC computer for private matter....how hard is that?
what?
Computers are now at $400. When computers were $1500, people had no money for security, and they still don't.
This post written under Gentoo-linux with an SCO IP license.
We refer to this fallacy as post hoc ergo propter hoc.
(Well, not "we". I don't actually speak Latin).
-- Will quantum computers run imaginary-time operating systems?
However, I would like to have complete access/understanding to what data the GDS sends back to the mothership. I unchecked that little box but when I search for something on google.com it brings the results from the local search as well so there is lots of data sent up.
The point is that all the libraries I've been into don't allow you to do any of those things, otherwise they would already be infested with spyware and trojans, and I doubt that those same libraries would be stupid enough to install this google desktop search without knowing what it does. And it's the same with Kinkos, Kinkos actually allows you to install some stuff on there, but they reimage the drive every time a new user goes on there (but unlike what the story seems to suggest, Kinko has been doing this for years -- long before Google even became a household name).
This is a non-issue. This is just a newspaper troll who's taken the issue of the day and combined it with the hottest brand of the day, nothing more.
Look in the cache. Uh, what's the big freakin deal here. Is it that now any lamer can see the cache instead of just people who know what they are doing?
...you guys would be all up in arms.
But it's Google, therefore, they couldn't POSSIBLY do any wrong, huh?
When this was first posted a few days ago, someone actually made the comment, "What do I care if it bypasses security? I'm the only one in my house using the computer." Yeah, great thinking there.
Yet the same guy would say, if this was Microsoft, "No wonder their shit sucks, they totally bypass all permissions!"
Weee little hypocrites.
We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
Search for files or folders named: *.* Containing text: password How is this any different?
First off, after using it for several days, I realized that I do NOT want GDS caching my Web activity. I certainly don't have anything to hide in my surfing at work, but to me, GDS's incredible usefulness comes in being able to VERY EASILY AND QUICKLY search for data WITHIN documents currently stored on my PC. This is proving to be an invaluable tool at work.
Anyway, as for being installed on public PC's, the problem is not Google's, but those who permit the application to be installed on a public PC in the first place. Any PC administrator who permits user-installable applications in a public environment is asking for problems, headaches, and potential litigation.
Let's just hope this news doesn't get spun wrong and opens people's eyes to security...
My mom always said, "Jim, you're 1 in a million." Given the current population, there are 7000 of me. God help us all!
Trust me, you don't actually want to see what the people before you were viewing or searching for.
If the sysadmins for these public computers have half a brain (ok - it may be a stretch at times), they'll set up the machines to disallow software installs (can you say "duh?"), and set the cache to 0 - no cache, no hits on the indexing. No installs, no google desktop software.
I saw that little chicken again, and she still thinks the sky is falling! Give that chick some prozac!
WARNING! Installing MS Windows on a public terminal of any kind may allow malicious hackers or evil goons to steal your identity!
What the hell is with this? OF COURSE the GDS is insecure, it's running on a MS platform!
What do we expect? Is Google supposed to fix the inherent flaws found in an OS built to resemble a box of crayons?
This is sensationalist media reporting.
hardware is always the first step to insecurity. if you let ppl tacke your puter, or if you approach other puters and systems that u dont control, be prepared to be watched at to be exploited.
who are these big and famous scientists and researchers who "found out" that google desktop search could mean a risk.
i mean when u type in shit at a box, u never know who logs keystrokes and so forth, you dont know about proxies, unless its your machine, and you have latest patches, antivirus/anti-trojan protection and are in charge yourself and even then you are still dependent on your os manufacturer and other software manufacturers.
then there is still the hardware, and with the coming age of crypto chips, microsoft-being-in-charge-of-your-live/box-times ahead who knows if you can even trust your sixtium or ibm-powerpc-6 and so forth.
stick to your good old 386 or 486, with all the standard hardware, grab some good opensource software and be ready to take some coding and puter-science classes to fix your own stuff and code shit you need.
only then you might be secure. and think about that keyboard and mouse cable that goes unshielded to your boxes, or even the monitor radiation, that the cia can record out on the street that passes your house or even half a mile away....
so google desktop search finds exactly shit that exists on your drive or any drive out there. so you can achieve the same result with todays means and little windows built in tools already. so guess what, why is everybody bashing google now? its cos most of the ppl are dumb, and media is the ones who make stories these days...
be sure to protect your data, dont leave your personal and private data at a great many different places, dont enter private data into unknown boxes, dont use unencrypted information and network connections, dont use unshielded cables and try not to use monitors that radiate too much....
simply put, you can avoid some stuff, but u cant avoid everything. and its not googles fault or the new search that makes this world less secure, but its the stupidity of the common folks, and misconception about how the systems work these days....
keep your personal information close to you and in secure places (as good as you can manage that...) and you will be as secure as you can be.
GDS causes problems on public terminals? Easy solution: DDTT!
Another one bites the dust
I wrote up a review on my blog and ran into this problem in the process of putting the software through its paces. I found that searching for my wife's name produced a number of cached web mail pages, some containing entire email conversations.
On my home machine my wife and I have different accounts, but in general I've only locked down file system access by making files read-only. So I guess you could say that this is not a problem with GDS, but with my security settings. I could have read her emails anyway, GDS just catalogued them for me and made them easier to search.
Still, I'd like to see the default GDS configuration changed so that it only searches the web history and email of the user who installs it. Yes, this is security/privacy through obscurity, but most people simply aren't going to go to the trouble of locking down their file system.
Assuming Google's new search tool spreads like wild fire, what implications are there for malicious code spread via a virus to use the tool to search for things like passwords, credit card numbers and the like? I suppose this can still happen with a cache search - but it seems the Google search tool is a simpler method.
I use the tool on my personal laptop - it's quick, efficient and way better than waiting for that stupid XP dog...
Instead of raising your voice, try strengthening your argument.
Once again, the Gmen already said it is only for personal use on a computer with !!!1!!! user.
Furthermore any moron who sends confidential info through email shouldn't be worrying about getting it stolen, since email is totally unsecure.
I can see this being more of a problem on a "locked down" public terminal. Our local library allows you to use a restricted browser (no new windows, no downloads of software, no access to drive) so users (other than slashdot readers ;) ) would expect it to be reasonably secure.
Adding googlebar suddenly gives a search capability that wasn't there before, without some probably significant effort, while people may be watching.
IE's habit "deleting" cache but keeping it all in hidden files is just as big a part of the problem, but that's no surprise.
As a geekly laptop owner, I can take my relatively-secure internet access with me.
But travellers that don't have laptops, travellers who've lost their laptops, and people who don't own computers, are going to find internet access more and more essential as time goes by.
It would be good if there were some way to have secure public terminals, that people could get onto the internet and be reasonably assured that their access is private.
I realize that iron-clad security isn't possible, but if it could rise to at least the security of ATMs (I say this knowing that ATMs have vulnerabilities) then I think the internet would be a better public resource.
There should be a warning label on this that says:
"Not for use on Public Terminal"
Because Public Terminals are like Public Bathrooms.
I rarely search my PC for any files, because I know where everything is and it's faster for me just to browse a directory than type in the search requirements.
The price is always right if someone else is paying.
I'm not trying to troll here but I think this is a perfect example of how linux has a huge advantage over windows being that it's truly account oriented. Windows is moving that direction but files aren't protected between users in any way.
Google Desktop is doing exactly what it's programmed to do. The insecurity is in the way Windows has no separation between users.
If there was a Google desktop for linux it would only be indexing the logged in users information and it would be readable/searchable only by that user (and root of course).
I understand the concern and I would say that google desktop doesn't belong on public terminals. I mean is there any situation where public terminals should have files to be searched on them anyway?
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
...is like complaining about General Electric's light bulbs when they show you the termites which are eating your house from the foundation up.
Google Desktop Search is highlighting problems in Windows' Security, which is that there is none. This is good for Google in the long run on two fronts. It puts Microsoft on the defensive, as this is another issue that Microsoft will ultimately need to solve in security ahead of implementing new features. This gives Google the time to go on the offensive implementing new products for customers that are technically excellent and do not have the cooked in problems of Microsoft Software.
"Give away the stone, let the oceans take and transmutate this cold and faded anchor." - Maynard James Keenan
Seriously, you cannot have power without any potential problems if you are talking software. If the search tool did not enable search through everything a user could access anyway, then it would be pointless, because the whole premise of searching involves finding things in places you may not think of looking for them in the first place.
If you are sufficiently paranoid about security, you have a great many options. You could set your browser cache to size 0, you could delete cookies every time you closed the browser, you delete history when you end each session. You do not store email on an unencrypted volume. Download axcrypt or something similar and encrypt everything you need to keep from other prying eyes.
Do not blame Google's search tool for exposing the severe weakness in your security. You secure the computer and the search tool allows you to find anything that is unsecured. And this is not supposed to be an epiphany either!
My big problem with Google Desktop Search is not the privacy issues, but the fact that it indexes all my email. By that I mean ALL my email, including spam. It is rather annoying to perform a seemingly innocent search and get the first hit being "Bu|y V|agra , Us|e you|r B|G D|CK!" Especially if my manager is looking over my shoulder.
Life is like a web application. Sometime you need cookies just to get by.
Why jump on this? Seems to me the voting machines are far more of a problem with their Jet databases just crying out to be compromised.
I smell Microsoft cash somewhere in this mix.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Ok, so here I sit, nice and happy with an arsenal of security tools, manually typing my web addresses in with my browser that has no history, stores only 4Mb of cache which is emptied every time. I have hardly any plug-ins and my processes are monitored quite frequently along with network stats and all traffic flows. My email is stored in a compressed and encrypted folder with only myself added to the "allow me to be 'God' of this folder" list. Mine, mine, mine.
Problem is, the more "convenient" we get, the more security holes we punch. The IT departments of these "libraries" need to get with the program and realize what they're installing. And in addition to that, why can a plain-jane/joe user just walk in and install that sort of thing? Are you nuts? But the IT guys aren't just to blame either. I also blame the incompetent users who will more than quickly click on the CitiBank Fraud link to verify their account details on a public computer of which they have no idea what the operating environment is like. I could have sworn I heard the term "key-logger" mumbled in the back row...
-- Game Developers: Stop porting badly-textured games from crappy console systems!
If Google search is finding things that are already stored on the hard drive, you can't blame Google search. Depending on evil people not finding things that are right there for them to see is security through obscurity.
Any web sites containing sensitive information should use SSL, which is not cached anywhere. SSL is free and widely supported. There is no excuse not to use it.
How is it possible the users can install ANYTHING (not just Google Desktop) on public internet terminals or in libraries?
Seems to me focusing on the WRONG problem.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
There is this cool card (Magic card) by a company called Rogev. Everything you do on the computer is reset the moment you reboot the computer. So someone could have installed a virus, formatted the hard drive, viewed porn, etc. The moment you reboot the computer, it's restored to normal.
Put one of these bad boys in a computer then tell each user to reboot the computer and you are good to go. No more internet history, virus problems, someone deleting a portion of the OS, etc.
As for the normal humdrum security "flaw" of google search bar - it seems like a tool designed for the majority of computers out there - where specific people use the given computer (family members, co-workers)...Public computer owners can opt to not install the search bar.
I mod down so you can mod up. Your welcome.
In most public libraries/terminals you can already access all sensitive information on the hard drive. Sometimes, if you just go in and paste what is on the clipboard you can get people's e-mails. In between users these computers should be completely wiped. How do you access data on a computer that has the run menu disabled and you can't get to the desktop? Easy. Just go to Internet Explorer and enter this into the address bar:
%TEMP% and %TMP% // yeah THIS isn't a security threat.
%SYSTEMROOT% //takes you to the system root
%USERPROFILE% //takes you to the current user profile
%ALLUSERSPROFILE% //takes you to the all users profile
%APPDATA% //takes you to the application data
%COMSPEC% // THIS WILL EXECUTE CMD.EXE GIVING THE USERS A COMMAND PROMPT
Now that they have a command prompt they can type in even MORE fun things.
%HOMEDRIVE%
%HOMEPATH%
%HOMESHARE%
%LOGONSER
%NUMBER_OF_PROCESSORS%
%OS%
%PATH%
%PATHE
%PROCESSOR_ARCHITECTURE%
%PROCESSOR_IDENTFIE
%PROCESSOR_LEVEL%
%PROCESSOR_REVISION%
%PROM
%RANDOM%
%TIME%
%USERDOMAIN%
%USERNAME%
%
%WINDIR%
See here for a list. It's for Windows Server 2003 but it's all more or less relevant. GDS isn't even taking full capability of Windows' inherent flaws.
python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
I say if it is a public terminal:
A. The admin should disallow installing software such as this (any software for that matter)
B. Users should clear the cache when they leave, and be aware it is a public terminal
C. Don't write top secret nuclear information on a computer in a coffee shop. Wait and do your banking at home.
PUBLIC TERMINALS ARE PUBLIC...NOT PRIVATE
If it is a home computer, I don't blame Google for building a tool that does this. There are other similar programs that search through emails, or search through word documents or whatever. This just happens to do a lot of different little searches all in one.
I blame the companies and web sites that leave cookies or passwords laying around for the insecurities. I blame the person trying to hide a top secret word document on the computer. (DUH it's not safe!!!) And I blame the person saving their chat history where the Google toolbar can see it. If you don't want the google toolbar on your machine, do not install it and take precautions for keeping others from doing it, like any other piece of software. I believe you can also set up the Google toolbar to ignore certain apps and certain directories. So you can still use it, and just ignore the TOP SECRET folder on the C:\ drive.
I'd side with those who say this isn't Google's problem- it's the problem of apps that store private data unencrypted. The only caveat is that, as best I can tell, there's no way to clear the index. Even if you clear your web cache, the items stay in Google's index. Meaning you can practice relatively safe surfing and still have private data exposed. It'd be better if Google had a 'Clear Index' available for each type of index.
Other than speed, is the "privacy problem" with Google's search tool any different than the one that Microsoft builds in to the desktop toolbar?
Have you tried turning it off and on again?
Regardless of whether Google Desktop Search is merely taking advantage of an insecure underlying OS or if it's bad by design, it seems to me that it certainly violates the company's "Do No Evil" mantra. Most of the people here are trying to downplay the privacy concerns over GDS as no big deal but imagine for just a second if this were a tool released by MS instead. I think the response would've been quite different.
1: Does Google Search's index maintain copies or text fragments of e-mail and HTML items AFTER they are deleted? (Can I search for 4000000000000000...4999999999999999 and at least find an index entry?)
2: Does Google Search turn on any additional logging that isn't already on? I thought it turned on AIM's logging.
one more:
3: Can the tray icon be hidden -- so you don't know it's running?
If I login, read my email from hotmail and logoff, the only way anyone else can read my hotmail is if they have my username and password. What Google does is monitor my web browsing, grabs the pages and caches them somewhere so you can search them after you logoff. The problem is that Google allows you to view files that should be protected. The problem is not windows; it's Google.
Who knows if key loggers (hardware and software) are installed? What virii are sending your information to China? All sorts of crap could get your information. I think media is blaming the wrong group here, but they're doing it because they themselves don't understand.
My sig can beat up your sig
I've always been surprised by this.
The only place I've ever encountered Linux was in a small underground cafe in Tallinn, Estonia. They had a bunch of systems with what was probably enlightenment running in a very industrial underground place with blue lighting. Never seen anything like it since.
I run Fedora, and this is equally applicable to any Linux version, but there is a search tool used by Linux and probably other *nices called slocate. It has a database and you can prune paths from the database so that it never indexes those. Whilst people may wish that there be good defaults, it can not be a problem of the maker of the software if you do not take into concern that this software may have a bad side.
Maybe people need to actually take 5 minutes to read about a piece of software before they install it. You know, like people do when they buy a microwave. You do not randomly start pushing buttons. You learn what it does, and, if you can, how it does it. Same here. People need to know what they want to use it for, what they would like it not to do, and how they can prevent it being accessed by the wrong people.
A lot of people have pointed out that technologically, this isn't a big deal. If you install software, you have to know what the software does. The search tool is no worse than a key logger, and we don't act surprised when key loggers cause privacy problems.
The problem I see is one of marketing. Google, as a brand name, is for the masses. Their tools just quietly make the Internet easier. Best of all, you don't have to know much about the technology to use them or want to use them.
So by making a complicated tool appeal to novices, they've encouraged people to bypass a basic computer security rule: know what the software does.
I was thinking about this - the way to maintain privacy on public computers is simple. When a user logs out of a computer, the entire user directory is erased and then created from scratch. (and the tmp directory emptied and so on).
Not sure how easy that would be to do on Windows, but it would be very easy on OS X or Linux desktops.
You can't search what isn't there.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
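The wipe-and-recreate-on-logout idea in the comment above, sketched as an added example that is not part of the original comment or any product's code. The function names, the skeleton-directory layout and the `base` guard are assumptions made for illustration; the demo runs entirely inside a constructed temporary directory.

```python
import os
import shutil
import stat
import tempfile


class UnsafeTarget(Exception):
    """Raised when the requested reset would touch something other than a guest profile."""


def reset_profile(home, skel, base):
    """Erase `home` and rebuild it from the skeleton `skel`.

    Guards (assumed policy): `home` must not be a symlink and must sit
    directly under `base`, so a bad argument cannot wipe `base` itself or a
    directory reached through a link.
    """
    base_real = os.path.realpath(base)
    home_abs = os.path.abspath(home)
    if os.path.islink(home_abs):
        raise UnsafeTarget("profile path is a symlink: %s" % home_abs)
    if os.path.dirname(os.path.realpath(home_abs)) != base_real:
        raise UnsafeTarget("profile is not directly under %s" % base_real)
    if not os.path.isdir(skel):
        raise UnsafeTarget("skeleton directory missing: %s" % skel)
    if os.path.exists(home_abs):
        shutil.rmtree(home_abs)              # cache, cookies, mail, any index kept in the profile
    shutil.copytree(skel, home_abs, symlinks=True)
    os.chmod(home_abs, 0o700)                # only the guest account may read the new profile
    return sorted(os.listdir(home_abs))


def empty_directory(path):
    """Remove everything inside `path` (for example a temp directory) but keep the directory."""
    removed = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isdir(full) and not os.path.islink(full):
            shutil.rmtree(full)
        else:
            os.remove(full)
        removed.append(name)
    return removed


def demo():
    """Constructed scenario: a guest session leaves a cached page, then logs out."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="kiosk-"))
    try:
        skel = os.path.join(base, "skel")
        home = os.path.join(base, "guest")
        tmp = os.path.join(base, "tmp")
        os.makedirs(skel)
        os.makedirs(os.path.join(home, "cache"))
        os.makedirs(tmp)
        with open(os.path.join(skel, "README.txt"), "w") as fh:
            fh.write("Public terminal: this profile is erased at logout.\n")
        with open(os.path.join(home, "cache", "inbox.html"), "w") as fh:
            fh.write("constructed sample: cached webmail page\n")
        with open(os.path.join(tmp, "upload.part"), "w") as fh:
            fh.write("constructed sample\n")

        listing = reset_profile(home, skel, base)
        leftover = os.path.exists(os.path.join(home, "cache", "inbox.html"))
        mode = stat.S_IMODE(os.stat(home).st_mode)
        cleared = empty_directory(tmp)

        # The guard must refuse to treat the base directory itself as a profile.
        try:
            reset_profile(base, skel, base)
            refused_base = False
        except UnsafeTarget:
            refused_base = True

        # ...and must refuse a profile path that is really a symlink elsewhere.
        link = os.path.join(base, "linked")
        os.symlink(skel, link)
        try:
            reset_profile(link, skel, base)
            refused_link = False
        except UnsafeTarget:
            refused_link = True
        return listing, leftover, mode, cleared, refused_base, refused_link
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

A reset like this only removes an indexer's stored copies if that data lives inside the profile being erased; anything kept elsewhere on disk needs its own cleanup.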
The thing is -- and I may be wrong here -- if the Google process stores things from caches, then even if I clear out the cache it will still have a record of the data, won't it?
In other words, I use a public machine, when I'm done I delete Cookies, empty the cache and restart the browser to clear all the session Cookies. But if Google's software had walked over the cache before I deleted it, won't it still contain that data? Which means that it *isn't* just something that was happening before, and that people didn't know about.
I'd be happy to be proved wrong here -- because I think Google's great, and usually I hate the knee-jerk "it's invading my privacy" comments that arise over things like Gmail...
I have to seriously question the wisdom of anyone who uses a public kiosk with the expectation of privacy, not to mention the system administrators of kiosks who would a) install such an app or b) have the boxes set up in such a way that the public could install it.
Yes, my only tool is a hammer. And you're starting to look like a nail.
anyone who is typing their email password into a PUBLICLY unknown machine deserves to be LARTed
>The FedEx Kinko's chain is also taking preventive
>measures. It's deploying software designed to
>automatically refresh its public access terminals to
>a virgin state for each new customer
Seems like the perfect solution, and one that should be standard. I've used some internet cafes that had a few years worth of cached crap on a generic user session. I have a preference for those that don't allow profile changes to be saved, and revert to virgin on each reboot from a saved default profile.
http://drteknikal.blogspot.com/
There are a few real security concerns with GDS. So far, the most frightening is the fact that it caches data from my **password-protected** Excel files. I thought they were semi-secure, but lo and behold -- the numbers come up in Google's desktop search cache, a bit badly formatted, but recoverable. Now, use this in a company with critical numbers, and you're in for a ride.
Now, I realize that Excel password protection doesn't offer much security, but... is it that weak!? I assume Google didn't even intend to crack that "protection".
Acknowledging the concerns, Mayer said managers of shared computers should think twice about installing the software until Google develops advanced features like password protection and multi-user support.
Right. Making a computer support multiple users is a job for the people that wrote the search utility, and not a job for the people who wrote, I dunno, the OS...? Dude, if I don't want someone snooping through my files, chmod -r
What is even funnier is that that quote comes from someone at Google. Yes, Google is going to take it upon themselves to solve this. If they're serious about that, they're heroes, not bad guys.
already readily available on the computer!
Not true! It will find data that was available on the computer.
Without GDS, a user can use a kiosk to browse sensitive info, clear the browser cache and be safe.
With GDS, they aren't safe because it can be cached by GDS even after the browser cache is cleared.
Someone needs to put together a write-up for this new "vulnerability" for all the script kiddies out there. All the popular Google Desktop Search queries like "hotmail.com" and "password"
Ok, you guys are amazing. Let's put this into context. Microsoft comes out with this great tool called ActiveX. It allows all kinds of wonderful things to happen, especially rich content in emails. Uh-oh, someone finds out that this technology is a great way to F around with folks' email since it's so integrated in Outlook (just using Outlook as an example, won't even go there with Windows). Bad, M$, no bone. Nevermind the users who don't know to simply turn off active scripting, they're not the problem - it's Microsoft - since software manufacturers should understand that all users are dumb. Enter Google. All data that's currently on the PC is presented in a highly searchable manner, even to people who have no idea about privacy issues involving electronic data. Stupid users, you shouldn't put such data there, don't you know how every application you've ever used persists data? It's obviously not Google's fault you're so stupid.
Allow me to describe for you living-in-yo-mamas-basement geeks how 6 billion people operate:
The average user has no idea of the security implications of simply going to a public computer and using the facilities provided for them.
If they've ever bought a computer before, they did not buy it from a store with a sales rep that gave them a book listing out every privacy/security vulnerability in the OS installed on it, and if they did they didn't read it. They may have never even talked to anyone knowledgeable about it.
Average users don't have conversations with geeks, sitting around talking about why M$ fscking sucks today and how 3l337 they are or how they 0wn3d U or whatever the hell they say. Average users have conversations with other average users about sports and knitting.
It is doubtful the user has a college degree in computer science, engineering, or even went to a technical school.
Not every kiddie is a script kiddie. I would venture to say most kids who use a library aren't script kiddies - script kiddies have computers at home. If you don't believe me, go to any public library with computers in south Atlanta and ask if their parents own a computer.
In a perfect world, it would be awesome if everyone understood the problems with computer privacy, but we have to deal with all those fucking ignorant lusers who don't read slashdot every hour. If Google doesn't understand this, rest assured they will be hounded by privacy councils until they learn.
Ok, off to do some google credit card searches ;)
With that said. I'm a web design teacher. I've got four kids in here right now trying to get caught up before quarter grades are due. They're typing up a web page, and cannot remember where they are saving it. One kid tells me he's saved it four times. Problem is, he can't tell where or under what name he saved it (I've searched about a dozen ways, I really don't think he did it). This represents about 20% of my class who cannot grasp the concept of directory structure.
If this is indicative of the rest of the population, I can see how Google thought this would be a needed product.
If you're on a public terminal, don't do anything that you don't want to be seen in public.
How hard is that to understand? Sheesh. If I were the library admin, I'd install GDS and tell everyone about it for this very reason. Heh people, if you want to do private things, find a private place.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Why not just avoid the software? Don't download it, don't install it, DON'T BITCH ABOUT IT.
_________ Help me get a PSP!
So, let me get this straight...
IT managers and other network maintainers need to be careful about deploying this on multi-user systems because of security problems. Home users however don't need to worry (yet) unless one spouse or family member is trying to hide their pRoN browsing from the rest of the family.
How is this different from the usual state of affairs with ANY new software? A network manager who installs anything on shared computers without doing a security assessment is an idiot, and as usual a home user couldn't care less because they're probably not using multiple user logins so anything on the computer is visible to all users anyhow.
It sure seems like a lot of people are jumping all over Google for launching some software that merely points out the natural order of such things, the necessity for corporate users to do security assessments for any software and the fact that home users couldn't care less about physical security (ie. access to the physical computer itself). It's all a bunch of shouting over nothing, at least nothing new anyhow.
Now when there's a remote exploit to the google search tool, THEN there is something to worry about. But that's not the *BIG NEWS* being reported and shouted about is it? It's a powerful utility and like any powerful utility, it's not something you want available on public terminals. What's so unusual about that? A systems manager who installs or allows this on corporate computers needs to be fired, but he's the only one who ought to be concerned.
Type "password" and get password reminders that were sent back via e-mail."
Using obscurity by promiscuity, google is trying to own everyone!
You should not be running stuff like this on public computers to begin with. And I don't envy you a bit if you are in charge of securing public computers. It's an impossible, thankless job.
This is (almost) like saying
"NEWSFLASH! User installs crappy spyware program called gator to remember passwords and logins. Idiot installs it on public computer. Hilarity ensues, dumb journalists portend that the sky is falling, and people with no concept of change say that the internet will be dead in two years."
Seriously, there are problems with stuff like this, but this isn't news.
-- Having a Creationist Museum is like having an Atheist place of worship
installing powerful applications where they don't belong might be dangerous
you may now resume your regularly scheduled ruminations on the obvious
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
This is just another reason a single user OS (Windoze) should not be used in a multi user environment.
Friends don't help friends install M$ junk.
This is stupid. Google desktop is a user application, it is not intended for use on a public terminal.
Further, Google Desktop requires that it be installed as local admin, and further requires that the user be RUNNING as local admin.
Any library or cafe that is allowing walk by users to log in as local admin has much greater problems than google desktop to worry about.
Anyone that is NOT letting people log in as local admin can ignore google desktop altogether (until they get smart and let it run with reduced privs).
You know, now that Google is encroaching on Microsoft's desktop turf, expect more of these kinds of articles.
Google, security risk of the new millennium.
"Gee, I have no idea where that email went."
"Oh, here it is. Doh!"
Google's desktop search and archiving would be a disaster for Microsoft, given their poor record on document retention. It might also be a revolution in e-mail based discovery proceedings. Imagine how hard it is to plow through the thousands of hourly (or daily) emails a firm receives every day. Stick google on it, and you can find anything.
It's a lawyer's dream and nightmare, all in one.
Meanwhile, most folks think Gator is actually useful and Comet Cursor is "cute".
Because M$ made a system that automatically installs software from any random internet site? Really. Librarians go through absurd lengths, such as automated software that reinstalls windoze every day, to support Windoze on their public terminals. For all that work, it's still an insecure, single user OS that should not be trusted.
If these cache files are world readable, you should be able to use any search tool to get the same information. Google's search tool is just easier to use.
Friends don't help friends install M$ junk.
It seems to me that there is really no use to installing GDS on a public machine, especially one in an internet cafe. Surely the point of an internet cafe machine is that you go on it and use the internet, maybe sending some email. You don't expect it to remember you when you come back or keep all your email, and many cafes reimage the machines every day anyway to keep them clean. In such circumstances, what benefit does GDS give you? Simply put - GDS may be very cool, but if it's not necessary for the task, why install it? As a side note, I have it on both my home machine and my work machine (which only I use) and it's wonderful. It really is very very good indeed.
In this case you are sacrificing 'privacy' (if you want to call having information hidden away in some part of the file system that most users don't know about privacy) for the ability to quickly find things. If you think that is a worthy sacrifice, by all means install the program. Otherwise, keep it off your computer.
As far as public computers go, well you shouldn't be accessing sensitive data on a public computer in the first place! It's easy to tell if google's desktop search thing is running, it's not so easy to tell if someone installed a virus that is recording your every keystroke.
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
The problem is that it's a public terminal, Windows has nothing to do with it.
Being a public terminal it is most likely going to have only one user account set up for public use, meaning the separate user space offered by Linux would never come into play.
I do agree that I can see no reason why you would want this installed on a public terminal.
I have not used google's desktop or WinFS so I could be way off base here. But isn't the google desktop providing many of the same features promised by WinFS in Longhorn? And people on slashdot never really seemed too excited about Longhorn's features :-P. Now don't get me wrong, I don't think google has done anything wrong here, I just think it is strange that no one has pointed out that it is just like a feature that has been demonized on slashdot in the past. I personally don't like the concept of either. The best way to find data fast is to *gasp* keep it organized in the first place. If I want to check my AIM logs I have a search for that already. If I want to check old emails, my email client can search for that already.... etc. Thus if I keep everything on those areas and a decent order I can find things super quickly anyway. To me it would only be helpful to those that have no idea what they are looking for but just want to find something "interesting" and they do some keyword searches to see what comes up.
I suppose the only major difference is that google doesn't integrate it into the OS.
Do you somehow think that spelling it with a Z makes you cool? You're a moron. I mean U R A m0r0n.
And if you knew anything about Modern versions of Windows you'd know it IS multi user. Ever heard of terminal services? Funny cause we have 80 people using one windows machine via clients and they can't view each others files let alone change them. You're a fucking twit. A poorly set up Linux machine will suffer the same horrors as this using grep and cat, and don't even try and argue that it doesn't come poorly set up because most distros do. Windows works WELL as a multi user OS when used properly, Heck there is a company in town here with 300 yes that's 300 not 30 people using one machine as a terminal server and it works fantastic.
Am I advocating windows? I mean w1nd0z3... No I'm not, I'm a huge fan of Linux I'm just admittedly opposed to your blanket statement casting ignorance. Best of luck finishing high school with that attitude I hope 11th grade is better for you than this one is.
That was posted on behalf of a friend of mine, not myself. I personally don't have any windows servers let alone one with terminal services running.
Windows is moving that direction but files aren't protected between users in any way.
That's a bunch of BS. Profile directories have permissions set so that only that user, Administrators, and the system (SYSTEM account = OS) can read it. This is by default, without any user intervention. User-specific data includes user documents, the HKEY_CURRENT_USER registry tree, and Internet cache among other things.
What I'm assuming is happening with Google Desktop is that it's running as a service when indexing, which enables it to bypass the default permissions since SYSTEM is given full access to profiles. This is akin to running a service as root in *nix. In case you're thinking "see?!?! Windows sucks because it runs as system!!!", you can change the account under which services run; IIS for Windows 2003 runs under a lesser-privileged account, in fact.
So really, the fact that Google Desktop is indexing data of all users is in the design of Google Desktop itself. It's perfectly feasible to restrict Google Desktop to running under the security context of a single user, which will restrict it to indexing only that user's files. Unfortunately, although permissions are restricted properly, users by default have Admin access in Windows, so it ends up being a Windows problem in the end unless you've restricted accounts. However, my point that file protection between users exists still stands.
Naked pictures of the librarian's wife.
Why is this news now? I read about this last week... Move along, nothing to see here..
I don't think we should be surprised to see comments like this, and less surprised that Microsoft have been initiating them. They hate the idea of a Google desktop, and they want to scare the shit out of people on privacy issues.
The question is, if Google's stuff can do all this, what would NGSCB and Trusted Computing do?
This is nothing new.
/.
All virus scanners read all your email. If Symantec wanted to, it could make its virus scanner post all your private emails to
Not Microsoft's fault. Not Linux's fault. Not Google's fault. Just clueless media and its readers.
For the most part, you can disable it for email and instant messaging...
Gee, you sound so persuasive when you curse and call people morons. Do you really get worked up by posts on Slashdot or are you paid to pretend you are?
I'm a huge fan of Linux
What a wonderful advocate you are.
there is a company in town here with 300 yes that's 300 not 30 people using one machine as a terminal server and it works fantastic.
That I would believe if I saw it, but I've never seen a Microsoft run computer that could stay up for more than a day or so with as much as one user.
we have 80 people using one windows machine via clients and they can't view each others files let alone change them
Your ignorance is not a proof. You may not know of a way to look at other people's files. The relative frequency of Windoze cracks before and after security became "job one" for M$ two years ago makes me think there's a way to do it.
Good luck to you and your windows using buddies.
Friends don't help friends install M$ junk.
Hey,
t ive
The maker of FileLight should tweak their tool to act as a GNU site-finder-reminder. With some help from KDE, Gnome and others, it could be tied to:
--the kernel for the "core-geeks", hehehe
--the GUI for the user
--file logs for sysadmins or network types
--browser cache for site designers or troubleshooters
--tmp file for those who need it (can be done now)
--Arrays, for cluster analysers
But if it is able to parse and present delimited files it would be greater still. But, file logs are not necessarily following a consistent parsing or delimiter scheme.
I like FileLight, and tho I don't use it much, other than to make sure nosy people in the Library have some eye-candy to visually snort, I think it would be even BETTER if KDE/GNOME/Xfce4 and others help hook FileLight into their GUIs.
Then, tie this into the various browsers, and make it:
--Session-aware
--user-aware (so root can aggregate all of them)
--frequency-sensitive
--file-size-inquisi
and more...
For parents and places where kids (or adults, too) need to be monitored, this tool would be pretty neat.
I'm gonna have to look of FileLight's PayPal icon.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Google indexes everything in its own private cache which remains even after you delete the source document. This private cache, although not the full document, can reveal sensitive information even though the source document has been deleted. So even if you are a good administrator and set up retention, privacy policies, clear your cache every time you shut down the browser, etc etc, personal information can still be queried.
So yes, Google is to blame.
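The behaviour described in the comment above (an index keeping its own copy after the source is deleted) shown on a toy model, as an added example that is not part of the original comment. `SnippetIndex` is a hypothetical, minimal indexer written for illustration and says nothing about how Google Desktop Search is actually implemented; the cached page and its contents are constructed sample data.

```python
import os
import re
import tempfile


class SnippetIndex:
    """Minimal inverted index that, like a desktop search cache, keeps its own text copy."""

    def __init__(self):
        self.postings = {}   # term -> set of source paths containing it
        self.snippets = {}   # source path -> text copied at index time

    def add(self, path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        self.remove(path)                      # re-indexing replaces the old entry
        self.snippets[path] = text[:200]       # the copy that outlives the source file
        for term in set(re.findall(r"[a-z0-9@.]+", text.lower())):
            self.postings.setdefault(term, set()).add(path)

    def remove(self, path):
        self.snippets.pop(path, None)
        for term in list(self.postings):
            self.postings[term].discard(path)
            if not self.postings[term]:
                del self.postings[term]

    def search(self, term):
        hits = sorted(self.postings.get(term.lower(), ()))
        return {path: self.snippets[path] for path in hits}

    def stale_entries(self):
        """Indexed paths whose source no longer exists on disk."""
        return sorted(p for p in self.snippets if not os.path.exists(p))

    def purge_stale(self):
        """Reconcile the index with the file system; returns what was dropped."""
        stale = self.stale_entries()
        for path in stale:
            self.remove(path)
        return stale


def demo():
    """Constructed scenario: page is cached, indexed, then the browser cache is cleared."""
    with tempfile.TemporaryDirectory() as cache_dir:
        page = os.path.join(cache_dir, "webmail_page.html")
        with open(page, "w", encoding="utf-8") as fh:
            fh.write("Password reminder: your password is hunter2-constructed")

        index = SnippetIndex()
        index.add(page)                        # indexer walks the browser cache

        os.remove(page)                        # user clears the cache before leaving
        after_clear = index.search("password") # the next user's query still hits

        stale = index.purge_stale()            # the cleanup step the index needs
        after_purge = index.search("password")
        return after_clear, [os.path.basename(p) for p in stale], after_purge


if __name__ == "__main__":
    found, dropped, remaining = demo()
    print("hits after cache cleared:", list(found.values()))
    print("purged stale entries:", dropped)
    print("hits after purge:", remaining)
```

For an administrator the point is that deleting the source and deleting the index entry are two separate operations, so any cleanup routine has to cover both.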
When Microsoft uses a privacy policy that entitles it to your business plans all hell breaks loose - as it should. When Google uses the same privacy policy for Orkut, the l33t kids roll over and want to be fucked^H^H tickled again. It's amazing.
Google has performed a Mitnick-style social engineering exploit, giving people what they want to hear.
l33t kidz: "We love you, Google!"
... rinse and repeat.
Google: "We're not evil!"
l33t kidz: "We love you even more, Google!"
Google: "We're not evil but we're not too bothered about security or privacy, and you allow us to use your business plans!"
l33t kidz: "That's OK! It's not your fault. We love you, Google!"
Google might not be evil, but it's already gone far beyond anything Microsoft could have got away with. And with l33t kidz as our watchdogs, how will we ever hold them accountable?
Is that it is making obvious what CAN be done with software on the desktop, and it's freaking people out. It doesn't do anything a spyware package couldn't do, except it asks before doing it. There is no partitioning of data from one app to another logged in as a given user, and as such, it should be assumed that any app has access to anything, including passwords, etc. If people are allowed to install software on shared computers, then there is already a security issue.
On the flip side, we can't dismiss the problem with a "the problem is already there" as it is still a problem. The question is at what price are we willing to give up the convenience that our current user based computing model provides to one where every piece of data is locked down with encryption and passwords. And if we even did that, would it help, as everybody would just end up using the same passwords anyway. Beyond a certain point of security, the inconvenience will prove more detrimental than what it provides to people and they will stop using computers at all.
If you let people install things on public PCs then as a sysadmin you deserve to be shot.
At the very least, you will end up reinstalling Windows every week as the system drowns in a mire of spyware and viruses.
In addition, why would anyone on a public PC want to install this? They'd only do it to look at other people's files. And if they want to do that, then why not go the whole hog and install a keystroke logger instead? Why bother looking through the windows when you can steal the keys?
Nothing to see here, move along...
with or without google desktop the problem about caching information will be there yet.
:)
Google desktop find some information that some other program store in unsafety mode in computer.
The problem is about these other software.
Sorry for my poor english language
This is merely a tool. Just because it can be used the wrong way shouldn't make it a privacy concern. Peer to peer apps actually are more of a privacy concern just because they export all of the information?
My UID is prime is yours?
Although I don't care for the desktop search utility,
it's hardly a valid complaint for privacy at a public
facility. It just means the average Joe can now find what most
with any limited knowledge of Windows can already see.
This is hardly worthy of news. It should be titled "Using Public Computers
Leaves Users Open."
Download and install their free program.
Then feel free to install the Google Desktop Search. Although the program tried to access the Internet, Zonealarm blocked it. Presto chango, problem solved and now I have an awesome desktop search on my computer which cannot spy on me.
Wouldn't that put Google squarely in the **AA's sights? And didn't someone smaller already get bitch slapped for this very same 'innovation'?
Why was this modded up as interesting? Windows (NT, 2000, XP and 2003) is account oriented. In XP, my account settings are under "Documents and Settings\$USERNAME\".
Google Desktop Search runs with the same permissions that my account has, meaning that it can't search across other users' folders.
Certainly there's a lot of instances when Windows is not secure, but this is just FUD.
It's "no one," not "noone." Who the hell is noone anyway?
http://shit.slashdot.org/article.pl?sid=04/10/21/1934234
This is a valid example of the media working in the interest of its readers. There is a security issue as a result of what Google has created and there is a need for that flaw to be exposed. There is not an excess of negative publicity or a bandwagon.
GDS departs, subtly, but significantly, from a reasonable definition of search because it caches data and thus misleads its users (though, without malice). When the average person thinks "search" they do not think "cache". Caching does not enter into the experience of searching, from which most people are going to base their assumptions.
The average person when searching for their keys will try to remember where they put them. They may even have written down where they put them last, but they would not put a copy of their key in their pocket, nor would they keep a history of all the keys they had ever used as they moved from house to house.
It's the difference between what a reasonable person expects when Google says to them "Desktop Search!" and what actually happens that creates the potential security problem.
When you delete a sensitive document, is it reasonable that your "Search" tool undermines your intentions?
Reading the GDS documentation you can glean that GDS caches data and that users should be wary, but I see nothing wrong with the explicit manner in which the media has pointed it out.
The headlines are mild at best: "Google's desktop search a serious privacy risk?" and "New Google tool creates privacy risk on shared PCs". There is really only one article on this topic by Anick Jesdanun of The Associated Press that appears to be syndicated to many different sites. I read one other original article by Wolfgang Gruener, Senior Editor, Tom's Hardware Guide (and I don't count the Motley Fool article). At best, a lonely and awkward bandwagon ride for the two of them.
I am truly sick and tired of all those comments that get moderated as high whenever there's a google story and all seemingly are defensive of google regardless of what.
Let's face it. Google's practices towards privacy have been far from holy and way too intrusive. In fact, they've had an AWFUL record by any objective account. This invitation-only model of building up demand for their services as in orkut and gmail is ludicrous; it's such a cheap trick, the scarcity principle, and I can't believe how stupidly the masses are falling for it, that once they get an orkut or gmail account they'll willingly do anything. Have you filled up an orkut form? Pages and pages of information collected, NEVER seen anyone online who wants so much information about someone. The privacy concerns about gmail are also legitimate. It doesn't require you to tell them your life story by filling forms before you can use the service but who needs that when they got your email and can and do scan them. This whole beta excuse is pure BS; Google News has been beta for 3 years now! I have downloaded Google desktop search, but decided not to install it seeing how I already had software solutions that did more and better and without the privacy compromises I would have to make.
Dare anyone mod me down as troll or flamebait on this post and it'd be so much evidence of how sucked up into it many of you are.
Windows is moving that direction but files aren't protected between users in any way.... The insecurity is in the way Windows has no separation between users.
Where have you been for the past five years, pal?
Find *.* containing "text" would always have put this up. Google Desktop just does it faster. It's amazing these privacy concerns stacking up against google. If you choose convenience, there is always some compromise to be made - though I think with gmail and this, it's getting blown out of proportions. In comparison to google's desktop search - I do believe Copernicus still beats it hands down. The search may be a little slower, but the interface is definitely better there - esp. when it comes to mails and attachments.
I haven't installed the Google Desktop software but that quote is pretty damn stupid. If I'm using a computer at a library or an Internet cafe then I know there is a very good chance that I've already relinquished a lot of my privacy. It is a public computer. Does it have a hardware keylogger installed? Is the software compromised? Anyone using public computers should keep that in mind and not act surprised if their information suddenly becomes available to other people.
I agree that the public library thing is a non-issue. There is no reason Google Desktop should be installed on a public computer. The fact that it's public means there should be nothing on it you'd want to search for in the first place.
But, that did make me think, for the paranoid that maybe you don't want to install Google Desktop at work. Before, if a conniving co-worker wanted to find dirt on you, they would most likely have had to manually search your computer, either by hand or by using the slow processes of Windows search or Outlook search, but now they can find that info nearly instantly if you have the Google Desktop Search installed.
Google Desktop search kicks ass.
The problem with public terminals is that every person who logs in acts as the same user, therefore later users see the data for earlier ones. What's interesting is that some public terminals go to great lengths to scrub the data between logins so that later users don't see earlier ones' impacts.
But this scrubbing doesn't clear Google Desktop, so its data spans logins. I suppose one could extend the inter-login scrub to also clear GDS, but what's the point? Might as well just omit GDS altogether. But one must also prevent users from installing GDS when they use the terminal. You could do this by disallowing all downloads, but this may be too strict (especially if you want to encourage users to use your terminal for a long time, and so they may want to install software for the duration of their session, e.g., PuTTY). In this case, the terminal has to prevent the installation of GDS but allow other software.
All in all, this issue is more subtle than it appears on the surface. Hopefully the response will be better public terminal software, rather than worse GDS software!
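The gap described in the comment above, a between-login scrub that knows about the browser cache but not about a separate indexer store, can be shown with a baseline comparison. This is an added example, not part of the thread: the directory names (`browser_cache`, `indexer_store`), file contents and the idea of a known-good "golden" copy of the shared profile are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit(profile: Path, golden: Path) -> dict:
    """Report what a session left behind relative to the known-good copy."""
    have, want = manifest(profile), manifest(golden)
    return {
        "added": sorted(set(have) - set(want)),
        "modified": sorted(k for k in have.keys() & want.keys() if have[k] != want[k]),
        "missing": sorted(set(want) - set(have)),
    }


def scrub(profile: Path, golden: Path) -> dict:
    """Return the profile to the golden state; the report shows what was found."""
    report = audit(profile, golden)
    for rel in report["added"]:
        (profile / rel).unlink()
    for rel in report["modified"] + report["missing"]:
        dest = profile / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(golden / rel, dest)
    # Remove directories the session created, deepest first.
    for d in sorted((p for p in profile.rglob("*") if p.is_dir()), reverse=True):
        if not (golden / d.relative_to(profile)).is_dir():
            d.rmdir()
    return report


def demo() -> tuple:
    """Constructed session: a browser cache plus a separate indexer store."""
    base = Path(tempfile.mkdtemp())
    golden, profile = base / "golden", base / "profile"
    (golden / "Desktop").mkdir(parents=True)
    (golden / "Desktop" / "readme.txt").write_text("Welcome\n")
    shutil.copytree(golden, profile)
    # What one user's session leaves behind (all values constructed).
    (profile / "browser_cache").mkdir()
    (profile / "browser_cache" / "page1.html").write_text("inbox view")
    (profile / "indexer_store").mkdir()
    (profile / "indexer_store" / "cache.db").write_text("password reminder text")
    (profile / "Desktop" / "readme.txt").write_text("edited\n")
    # A scrub that only knows about the browser cache misses the indexer store.
    shutil.rmtree(profile / "browser_cache")
    after_naive = audit(profile, golden)
    scrub(profile, golden)
    after_full = audit(profile, golden)
    shutil.rmtree(base)
    return after_naive, after_full
```

Comparing against a baseline instead of deleting a fixed list of known cache locations means a newly installed tool's data store is caught without the scrub having to know the tool exists.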
Does Microsoft have anything to say on the issue?
1) The current tool runs with Administrator permissions.
This is simply a tiny technical oddity that Google will soon be able to fix.
2) The current tool indexes cache content.
We users don't want that. Even if it merely exposes underlying OS or app security flaws (by virtue of the power of indexing), it's not likely to impress users if Google brings these things up as search results.
This can be easily fixed by excluding cached content from indexing.
3) Search might move in a direction where global repositories and Web content are accessed using the same query.
This is tough: because it's such a useful feature, many people will want to have it. However, by submitting all your local searches in parallel also to a global search engine that maintains knowledge about your IP and a cookie, Google will soon know more about you than your next of kin. This needs a theoretical solution (most likely there needs to be an intermediate layer of anonymization, like Freenet has it).
4) Google might be transferring "interesting" local content they find to their site to spy on you.
I don't believe they do this now, but that doesn't matter. The problem is they might in the future: imagine a fictional country passed a law that allowed their agents to get access to Google's infrastructure to fight a made-up enemy.... Right now, you have to TRUST them, but nobody monitors this in a principled way, so there should be a well-founded mechanism in place to render potential temptations meaningless. Freedom is at stake here.
5) Even if you index only your own account, you don't want to see everything all the time. When you're being watched by your nine-year-old boy, a search for mum shouldn't perhaps bring up an email revealing somebody close to him will probably die from cancer within 6 months. There are more examples.
This is tough, and it's a conceptual HCI issue, and a social one, not a technical security flaw. One solution could be to introduce a MODE to indicate the privacy/trust level of your context/environment, e.g. "I'm working alone at home", "I'm working in a group of colleagues in my company", "I'm on a public terminal in a busy shopping mall" (some people access their home machines remotely). The problem is somewhat related to watching other people type their passwords: it's always been part of hacker etiquette to look away when somebody logs on to a machine rather than stare at their fingers and take pencil notes. But the search issue is more complex, and there really needs to be a mechanism in place, not a social norm.
In summary, the Google desktop search tool is useful, because it forces us to re-think security and privacy as boundaries between local and global systems are blurred. After all, the network is the computer.
--
Try Nuggets, our mobile search engine. Ask questions in plain English via SMS, across the UK.
Besides, these problems are easily countered through one of many methods (some of which are exclusive with some other options):
1. Regular security audits (e.g. after the library or cafe closes.) You may need specialized software to automate the process, but you should at the very least be checking the computers to see if they are okay.
2. User account restrictions. In most cases, security breaches occur because the user somehow got hold of local administrator privileges - this should be prevented when possible.
3. Public monitoring. You generally want most computers within public view. For the computers that have a privacy screen, you should give a priority audit. While this doesn't prevent intrusions, it does deter some and otherwise make things easier to detect by a random bystander.
4. Hard drive images. If a machine is suspected to be compromised, restore it from an image.
5. DeepFreeze. Pressing the reset button restores the computer to a usable state. You can even give users permission to install software without worries either under this option (but be careful not to give permissions to change user accounts or configure the network.)
The sky is not falling. As long as Chicken Little doesn't create enough panic to get all the barnyard animals to the fox's den, we are safe.
Do we really think that Google was the one that thought this up? They are just the ones to make it free. This desktop search has been around for quite a long time. We are seeing an uproar now because a public company is now putting it out there for all to see.
I'm sorry to say Slashdot is going downhill. Anything blaming Windows gets modded up without a thought.
This jackass has no clue what he is talking about. The problem is multiple PEOPLE using a public terminal using the SAME USER LOGIN. Now explain how this is a Windows problem? IDIOT.
Too bad you will never get modded up. You are talking too much sense to be heard above the "we wuv google" slobbering sheep around here.
Maybe this is a stupid question, but why would a library computer have the Google Desktop search installed? Library computers are for, as far as I know, surfing the internet if you're broke. There shouldn't be anything on the machine to search for in the first place. Just seems like a silly argument. I daresay it's like someone giving a gun to a madman, and then declaring that the gun is dangerous because it helps the madman shoot people. The gun is only dangerous if you give it to the madman. Google desktop is only dangerous if its users are stupid.
Safari on Mac OS X has a functionality just for the shared computer. With the push of a button, everything you have done with it is erased. ... Nothing to be found afterward.
...
Cache, bookmarks, history,
I know, it's not very useful here as Google search is not available for Mac and Safari is not available for Windows but,
such a functionality should be implemented in Firefox with a default preference which does just that each time you exit.
Laurent
---
Google has provided a tool to easily access your data. It indexes data it can get its hands on. If it can access sensitive data like credit card info, passwords etc. which the original poster mentioned then it's not its fault. The problem lies in the protection of sensitive data, the lack of it, that is. If you don't protect your stuff it's not Google's tools that's your enemy, it's every trojan out there.
:P
Anyway, this is anything but a compulsory tool, so I don't see the reason for the negative hype. Nowadays it's just chic to start flaming on anything that pops up.
You don't trust it, don't use it, move on. But no, that would be too easy, ain't it
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
I was under the impression that Windows XP Home Edition did not have the security that the people who replied to my original topic have stated. My mistake and I apologize to Bill Gates and his fan boy that called me a "jackass."
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
You really put me in my place. Way to post anonymously.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
This is why things like DeepFreeze or a daily (or weekly, or per-login, depending on paranoia and how public the computers are[*]) re-clone of a public machine is a good thing.
Each day (or whatever) you start back with the machine as it was. No sensitive data. No malware. No easy way of someone totally trashing the machine, without physically trashing the machine.
Google-desktop or not, between spyware and cached data there's a lot of things that are beneficial (both to the users and to the sysadmin) to not persist for too long on the computer. But if the public computers roll back frequently to a known-good configuration it means that yesterday's ReallyCoolToolbar or last week's batch of Hotmail user passwords are no longer there.
[*] I've seen at least one Internet Cafe that automatically runs Ghost to place a fresh clean copy back on each machine before the next user can log on.
Tiggs
"120 chars should be enough for everyone..."
If the service is running with admin rights that is significant.
- Open the source code in your favourite text editor
- Locate the offending section of code
- Insert comment markers at the beginning of each line
- If necessary, add lines setting various variables to sensible values instead of what you just commented out would have set them to
- (Optional but stupid not to) Add comments explaining what you just did
- make clean; make && make install (or whatever you do on Windows to compile and install a package)
- (Optional but good manners) Submit patch to appropriate Internet sites
Easy, isn't it.
Je fume. Tu fumes. Nous fûmes!
Well, I guess the person modding this to "Offtopic" is more enthusiastic about seeing GOOGLE'S search tool not be harmed by tools such as FileLight, which could steal the show if networked to specific environments.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Several Librarians I know have told me that they have to re-image Windoze on a daily basis to keep it clean and virus free. Even that is not enough now.
XP supports multiple concurrent users, sort of like X (but it's a simpler system, unless you use a full-fledged TS server). No one has to read anyone else's files, and the whole thing is easily secured and restricted if you know what you're doing. Yeah, I've seen time slicing, such as Magic Twin, and it can work at the 3GHz level with specialized hardware but Microsoft did not write that. I seriously doubt you can carry many users with it, AS I KNOW YOU CAN WITH ANY DECENT LINUX DISTRO. The security issues mentioned above make that kind of thing pointless, however.
Friends don't help friends install M$ junk.
Twitter, you're a petulant cock-gobbling sycophant to Linux Torvaldyos! Quit taking DP from ESR and RMS's feculent cocks and why don't you try to stop sucking quite so much? Get out of your parents' basement and see the real world - maybe then you'll see how pathetic you sound, with your neverending stream of bullshit about how Microsoft is stalking you. Wasn't it you who said that Microsoft believes your insane ranting is actually a threat to them, so they PAY PEOPLE to reply to you on Slashdot? No sir, I don't get any money. I do it for the love. Someone has to go up against your paranoid whining. So get back in your cage and shut the fuck up already.
(I changed my sig)
This post written under Gentoo-linux with an SCO IP license.
It's like the media is trying to report on real technology news! That's the media, always trying! They're dumber than paint chips, but you have to love them for trying.
This is a good example of un-news. "Google has a thing that if you install it on a computer you'll be able to know what files are on it...! Um. Be worried! Yes, that's it! PANIC!"
I wonder, honestly, what chowderheaded hairdo caused this lemming-like reporting. "It's something on GOOGLE?!" the reporters all say as they snuffle around like cattle. "Oooh, we'll report it! Whatever it is! We show that people pay attention to the word GOOGLE!"
-----------------------
You are what you think.