Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Desktop Search Under Fire

Posted by CmdrTaco on from the be-aware-people dept.

AchilleCB writes "Cnn and many other sources are jumping on the Google-privacy-bash bandwagon, they are carrying stories warning of more privacy implications regarding Google's Desktop Search, "if it's installed on computers at libraries and Internet cafes, users could unwittingly allow people who follow them on the PCs, for example, to see sensitive information in e-mails they've exchanged. That could mean revealed passwords, conversations with doctors, or viewed Web pages detailing online purchases." ... Type in "hotmail.com" and you'll get copies, or stored caches, of messages that previous users have seen. Enter an e-mail address and you can read all the messages sent to and from that address. Type "password" and get password reminders that were sent back via e-mail."

14 of 444 comments (clear)

  1. Security Diversion by stecoop · · Score: 5, Interesting
    warning of more privacy implications regarding Google's Desktop Search

    So the actual problem is that public computers aren't secure? Google Desktop Search doesn't do anything more than what a halfway good script kiddies can do. I say that all public computers install the software and plug the permissions problem on the OS. If everyone can SEE the insecurity then the users will either
    1. become aware
    2. find alternatives
    3. clamor to have the problem fixed
    4. Another law will be written (don't let it get to this).
      Choose one or proactively make a "none of the above choice" by doing something about it.
      PS we almost freaking died out here - it's been an over an 1 1/2 since the last story.
    1. Re:Security Diversion by lpp · · Score: 4, Interesting

      Why is this an OS issue? In Linux or OS X what's to stop me from writing a similar application? If I run the harvester part as a background process run as root (i.e. Administrator on Windows), I'll be able to grab everything. If the client is allowed to communicate with this daemon in order to pull up the information, I'll still see your stuff, unless you've encrypted it.

      But encryption is atypical as yet. And on a public terminal you aren't likely to be logging in as another user anyway, but rather as an unprivileged guest account. But then the harvesting and viewing could all happen without root/Administrator access.

    2. Re:Security Diversion by GoClick · · Score: 4, Interesting

      A well set up system doesn't let you read other user's files. Even a well set up Win2k or XP machine won't let you do that.

    3. Re:Security Diversion by Pxtl · · Score: 4, Interesting

      Question: how hard is it to make a "throw-away" login? That is, guest logs on, does his thing, logs off, all evidence of his existence is eradicated. Such a setup should be required for public kiosks. Under Linux or Windows, either way.

      Alternately, guest can make his own account with password really quickly, which will be destroyed with a month of inactivity. But that would be a frill.

    4. Re:Security Diversion by objwiz · · Score: 2, Interesting

      I would agree, except for the fact that IE does not clear its cache as it's supposed to. You can tell it "no history", "no cache" (well 1 MB cache as it will not let you have 0 MB cache) and guess what? The history is still retrievable with the "right" tools. And because you "can't have a 0 MB cache", files are left on your system after closing IE. It leaves things around in the registry too (That's why there's tools like Evidence Eliminator).

      Btw, see my /. post to an earlier comment about google desktop.

      Please dont mistake me. My concern is less with google's great idea and more with IE. The combination of these two technologies could really open up some exploit "opportunities".

    5. Re:Security Diversion by William+Tanksley · · Score: 4, Interesting

      And my point is that your point doesn't make sense to me. I can do all of that if I really wanted to, and you couldn't stop me (nor could the government). The reason? All that information is public, not private. If you want it private, keep it that way. If you need to work with someone who wants your data, make sure you get them to contract to keep your data private.

      This points out a very severe recent problem, by the way. A judge recently decided that an airline's privacy policy didn't matter because "few people even read it, and most people don't care". If this is upheld, this sort of contract will become impossible to enforce, and privacy will become very hard to guard.

      -Billy

    6. Re:Security Diversion by Samhaine · · Score: 3, Interesting

      On NT based machines (yes, NT4 -> XP and Server 2003), you just have to set the user account up with a mandatory roaming profile (ntuser.man instead of ntuser.dat) Changes are not saved past the current login session, whether to the registry or the users profile file system.

    7. Re:Security Diversion by cornev · · Score: 2, Interesting

      I hear what you're saying with regard to to airlines, and I think it's shocking. Could we say all agreements that we don't read should be null and void? When last have we read any agreements with our dentist or doctor?! Could the reverse also work? Could we say that someone has no agreement with Microsoft simply because they don't read the eula?! Surely that makes sense?! Anyway, as said, if the information is already on your machine and google finds it, it pays testament to good development from google's developers and highlights either our own complacency with regard to our data, or a security problem in what ever piece of software it is that's responsible for the information being there in the first place.

    8. Re:Security Diversion by Short+Circuit · · Score: 2, Interesting

      Here's the problem with your argument:

      Many (though certainly not all) people assume that sharing information about themselves is fine, because it's too difficult for malicious persons to collect, organize and analyze that data.

      And the only way to keep the data private is to become a hermit. The only other solution is to slow the process of analysis.

      I refuse to become a hermit. I'd rather take part in EFF Action Alerts to slow the passage of legislation that makes data about me easier to analyze.

      --
      tasks(723) drafts(105) languages(484) examples(29106)
  2. New killer app needed for public computers? by lildogie · · Score: 2, Interesting

    As a geekly laptop owner, I can take my relatively-secure internet access with me.

    But travellers that don't have laptops, travellers who've lost their laptops, and people who don't own computers, are going to find internet access more and more essential as time goes by.

    It would be good if there were some way to have secure public terminals, that people could get onto the internet and be reasonably assured that their access is private.

    I realize that iron-clad security isn't possible, but if it could rise to at least the security of ATMs (I say this knowing that ATMs have vulnerabilities) then I think the internet would be a better public resource.

  3. Ultimately doesn't this come down to how MS works by Mustang+Matt · · Score: 2, Interesting

    I'm not trying to troll here but I think this is a perfect example of how linux has a huge advantage over windows being that it's truly account oriented. Windows is moving that direction but files aren't protected between users in any way.

    Google Desktop is doing exactly what it's programmed to do. The insecurity is in the way Windows has no seperation between users.

    If there was a Google desktop for linux it would only be indexing the logged in users information and it would be readable/seachable only by that user (and root of course).

    I understand the concern and I would say that google desktop doesn't belong on public terminals. I mean is there any situation where public terminals should have files to be searched on them anyway?

    --
    The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
  4. Google Desktop Spam finder by khendron · · Score: 4, Interesting

    My big problem with Google Desktop Search is not the privacy issues, but the fact that it indexes all my email. By that I mean ALL my email, including spam. It is rather annoying to perform an seemingly innocent search and get the first hit being "Bu|y V|agra , Us|e you|r B|G D|CK!" Especially if my manager is looking over my shoulder.

    --
    Life is like a web application. Sometime you need cookies just to get by.
  5. Microsoft Knows Their Business by Anonymous Coward · · Score: 1, Interesting

    I don't think we should be surprised to see comments like this, and less surprised that Microsoft have been initiating them. They hate the idea of a Google desktop, and they want to scare the shit out of people on privacy issues.

    The question is, if Google's stuff can do all this, what would NGSCB and Trusted Computing do?

  6. The Big Corperation by jessebs · · Score: 2, Interesting

    Does microsoft have anything to say on the issue?