Flaw in Google's New Desktop Tool [Update: Fixed!]

silassewell writes "A Rice University computer scientist and two of his students have discovered a potentially serious security flaw [Sell your soul to the NYTimes to Read] in the desktop search tool for personal computers that was recently distributed by Google." Update: 12/21 03:15 GMT by T : An anonymous reader writes "It's being reported that the security problem in Google's Desktop Search has been plugged."

So you don't have to regsiter....

[lightdarkness]

A Rice University computer scientist and two of his students have discovered a potentially serious security flaw in the desktop search tool for personal computers that was recently distributed by Google. The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw - a security weakness that emerges when separate components interact. "When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Professor Wallach said. Google introduced a test version of the desktop search tool on Oct. 14, and it can be downloaded at no cost. The program indexes material on a user's local hard disk and then blends Web search results with local user information like electronic mail, text documents and other files. The flaw would permit a search to reveal only small portions of the files. The way the software tool is designed, a user's queries, but no locally stored information, is distributed via the Internet. But by reading user queries sent to its search service, Google is able to place its AdWords text advertisements next to the search results displayed in a user's browser window. In a statement over the weekend, the company said that it had been notified of the flaw by the computer researchers in late November and had begun distributing a new version of the desktop search engine that repairs the potential security hole. Google's introduction of a desktop search tool has touched off a competition with its closest Web search service competitors, Microsoft and Yahoo. Microsoft made a test version of its desktop search tool available last Monday as part of its MSN toolbar suite, and Yahoo has said that it will begin testing a similar search tool in January. The Rice University researchers said that they had not yet examined Microsoft's desktop search program, but noted that the service did not appear to integrate Web and local search results in the same manner as the Google tool. The researchers said that the Google security weakness lay in the way that Google Desktop was designed to intercept outgoing network connections from the user's computer. The program looks for traffic that appears to be going to Google.com and then inserts results from a user's hard disk for a particular search. They found that it was possible to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them. An attack would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable. Google said there was no evidence that any such attacks had occurred. The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site. "This began as a student project to study how Google Desktop worked and to see if there were any security flaws," said Professor Wallach. "We started by wondering how Google did the local search integration. Once we figured out how it worked, it wasn't too much extra work to break it." The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10. The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge. The Rice researchers said that it was possible for users to tell if their version of the Google program had been patched by examining the "about" page from the Google Desktop icon in the browser task bar. Version numbers above 121,004 indicate a newer edition of the program.

Re:So you don't have to regsiter....

Learn how to format paragraphs, and post anonymously you filthy Karma Whore!

Re:So you don't have to regsiter....

Google has already fixed the error and automatically updated the deskbar

Re:So you don't have to regsiter....

The part that they forgot to mention is that Google has already rolled out the fix. You can read about in the "Google Desktop Search" group on Google Groups.

Re:So you don't have to regsiter....

[calethix]

Actually, they do mention that in the article:

"The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10.

The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge.

The Rice researchers said that it was possible for users to tell if their version of the Google program had been patched by examining the "about" page from the Google Desktop icon in the browser task bar. Version numbers above 121,004 indicate a newer edition of the program. "

No Reg Required...

Here's a reg free link for those of us who have already sold our souls for other devious purposes ;)

Re:No Reg Required...

Isn't it aweful when you try to sell your soul, and then Satan gets back to you a little later, talking about a pre-existing lein? The look on His face, the patronizing way He talks down to you... I can't stand it. It's so embarrassing.

Re:No Reg Required...

[freakmn]

I think the holiday season is making me dyslexic or something. I misread Satan as Santa. I was trying to figure out what you were doing trying to sell your soul to Santa... I guess you might get what you want for christmas...

Re:No Reg Required...

Isn't it aweful when you try to sell your soul, and then Satan gets back to you a little later, talking about a pre-existing lein? The look on His face, the patronizing way He talks down to you...

Just thinking out loud here, but maybe Satan should be referred to with "hE" and "hIS", i.e. the first letter purposefully lowercase and all subsequent ones upper... just to highlight the contrast between Satan and his exact opposite (Yaweh/Kwanza/whatever).

Re:No Reg Required...

If Satan is the opposite of J*sus, how do we know that Satan isn't female?

Google Link (of course!)

[pegr]

Here is the no-subscriber link via Google News, for all that self-referential goodness...

At least they don't bury the bad news...

Re:Google Link (of course!)

[FortKnox]

Or, you could simply use Bug Me Not. It even has a firefox plugin.

The whole Sell your soul to the NYTimes to Read is getting old... actually it was old a year ago, and now its simply ridiculous.

Re:Google Link (of course!)

[Martin+Blank]

NYT (and many others) now scour BugMeNot to kill those accounts that are posted. I suspect they do it by script a couple of times a week, as the logins don't seem to work for me after a day or two.

Re:Google Link (of course!)

Wow, FortKnox! That is one of the quickest adoptions of a Slashdot AC Comment to a .sig that I've ever seen :)

Re:Google Link (of course!)

You'll notice I do give credit to an AC (had to adjust it to fit in the length provided). If you are the original writer, or someone wants to step up and admit the comment, I'll be happy to give credit where credit is due.

-FortKnox (no point in losin karma)

Re:Google Link (of course!)

[lowrydr310]

Or you could just use Cpunks. cpunks1 and cpunks2 didn't work, however cpunks3 worked just fine.

Re:Google Link (of course!)

I for one am sick of the NYT. If they're going to throw down this gauntlet, they're just begging for someone to spam them with fake accounts. There's no reason BugMeNot can't be scripted to auto-register a new account after every few hits. Register a free email address->Register at NYT->Reply to NYT->Cancel free email account. BugMeNot seemed like a nice middle ground. You'd have to be a fairly hardcore geek to use it in the first place, but no no no....they've gotta have an email address to spam you with. Don't they realize that anything that can be done with a browser can be done with a Perl script?

Re:Google Link (of course!)

[Fallen_Knight]

thats why some palces have that "type in the text in the image" stuff

Re:Google Link (of course!)

[Eriky]

I don't think they would be so stupid to spend their time this way. I as a webmaster would simply check if there are multiple people loggin in on the same account regulary (or even at the same time) and ban those accounts automatically. If you don't want to register, then don't read it. With all those ad blockers websites have to use these tactics to earn a bit of money.

Re:Google Link (of course!)

[Martin+Blank]

It seems to me a lot easier to run the script, which would take a few seconds to pull back all of the information, than to come up with rules on what constitutes multiple logins for an account, searching the records for them, and then disabling them. The script for the first would be far less complicated, and less likely to ensnare a single person browsing from a couple of computers at home or at work at close to the same time.

Re:Google Link (of course!)

[Trejkaz]

Or better yet, only register a new one when the NYTimes actually hits the site. That way, when their employees scour the site, they continuously see new hits and can never remove them all. :-D

Re:Google Link (of course!)

[terrox]

I like it and I hope they keep writing the "sign up needed" because it is very important. I do not want to click a link and be met with the sign-up message all the time. I would rather not see any articles linked from NYtimes.

Re:Google Link (of course!)

username: uforgotpoland
password: 12345

Re:Google Link (of course!)

[truesaer]

Agreed. I don't mind registering for websites that I will use frequently and wont be spammed by. NYTimes satisfies both options. We see an article here about them every day, just register already!

Re:Google Link (of course!)

[danila]

1) NYT doesn't spam you and doesn't sell your address. Confirmed repeatedly.

2) Most people here should already have a registration with NYT and a cookie, so they don't need to worry. NYT writes enough good stories that it's worth the trouble (which I had in about 1997).

Re:Google Link (of course!)

[jc42]

Most people here should already have a registration with NYT ...

Yeah; same here. Actually, it's my wife's account, but we have several computers behind our firewall, and they really can't tell who is using which one at any given time. ;-)

The real problem with all the news sites that want registration is the time it takes to deal with it. My file of online ids now has 62 entries, mostly from web sites that require gratuitous registration. I'd include the NYT in the "gratuitous" list, but not amazon.com, which actually gives me some useful time-saving goodies in exchange for registering.

One of my frustrations for several years has been following washingtonpost.com links and hitting their registration page. I've registered any number of times, and repeatedly all this ever got me was back to the registration page. Finally, last week, it worked, and I can actually read their articles now. (My wife succeeded at about the same time.) In this case, it was a huge time waste for no apparent reason.

It's interesting that news.google.com still doesn't require any sort of registration, though it has grown into one of the most useful news sources in the world.

In any case, maintaining that slowly-growing file of registrations is a PITA. They all have different rules for ids and passwords, so I can't use the same strings for all of them. And it wastes my time. But I suppose that doesn't matter to them, since it's not their time being wasted (except for the people who support the reggistration DBs).

I have found that this is one thing that the blogs are useful for. They rarely require registration, and they routinely publish the significant paragraphs from major stories. Maybe soon I'll be able to cut back on my registrations, and just subscribe to the few sites that I find are full of truly useful information.

Of course, in the political arena, the truly useful sites are likely to remain free and open. The primary actors want to get their story out, after all. The main problem here is that they keep changing. Right now, there are a number of very interesting sites in the Middle East that are in English and other major languages, and give "observer" info about what's really happening in their neighborhoods. Some have disappeared when the writers died ...

Re:Google Link (of course!)

[danila]

In any case, maintaining that slowly-growing file of registrations is a PITA.
It doesn't need to be. First, define very clearly what is a gratuitous registration (basically registering to be able to read/download/access something). The next level is registration to post, which you also would often not care much about. Finally are the relatively useful registrations where you are buying something or where your privacy is concerned (e-mail, for example).

Now just invent a rare login (8 chars) that is not used by anyone. Visit googlewhack for suggestions. :) Remember it. Invent a very simple password that is easy to type (qwertyui is fine). Now every time you need to register, use that login, that password and login@tanya.com for your e-mail. Now you can be sure that you will remember your user details every time, you can be sure that you would be able to use the login on every site (it won't be already taken) and you don't need to record the passwords at all.

Personally I don't mind website registration all that much - it's the BBSes and forums that I really despise. Especially the various PHP forums that almost always are set to registration-required on default. Even when it's a tech support for a game publisher. I mean, I can understand trying to preserve a community dedicated to some obscure topic from trolls and spammers by requiring a registration, but why require your customers to register (and separately from the product registration) to post to support forums?

Re:Google Link (of course!)

[fingerfucker]

What BugMeNot needs to do is present the login information to its users as an image with extra graphics to prevent programmatic optical character recognition, forcing the users to look at the login/password and retyping it into the site.

Ttis will obviously kill the usefulness of tools like the Firefox plug-in for BugMeNot, but that's the only way how BugMeNot can survive.

Plus, I doubt that those requests to BugMeNot aren't constantly coming from the same IPs that could be liked to the IP address space owned by the particular newspaper. So just ban those IPs. However, I understand that it might not be total morons working as sysadmins for them, so they might try use a machine with a non-matching IP address to do the login information scraping, so this leads to a conclusion that banning IP address ranges from visiting BugMeNot is not the most effective way. So now this leads back to the original idea, present the usernames/passwords as images requiring human retyping.

Moreover, most sites these days have 'log me in automatically next time' anyway, so this shouldn't be such a problem.

Re:Google Link (of course!)

[fingerfucker]

I don't think they would be so stupid to spend their time this way.

You're looking for two keywords: 'computer' and 'program'. If that doesn't ring a bell, maybe 'computer program' will ring a bell. Or 'automate', ooooh... now that's a really technical one.....

Re:Google Link (of course!)

[Martin+Blank]

Scripted comment spam can be an enormous PITA. I run a forum, and it's the reason that we have not only mandatory registration, but also random character strings on registration.

what the heck

[mako1138]

"When you put them together, out jumps a security flaw." What is this, magic?

Re:what the heck

[evilmousse]

nooo.. it's a fairly common way to find security holes. you can identify every input and every state a program can enter, test all that to be solid, and it can still yield security flaws when working together with another peice of software. This happens most especially on the web, where multiple technologies plug into each other, and unless the sandboxing is extremely solid, a combination of programs noone considered can easily have dastardly results. i think the usefulness of a desktop search tool to any bug looking for targets to infect is pretty obvious. The settings files for the programs are easily mined for info too, if they're not already stored in that abhorrent windows registry.

Re:what the heck

[shotfeel]

Its like MS Windows and a PC.

Windows, just sitting there on the CD isn't a secutity problem.

The PC, sitting there without an operating system isn't a secutity problem.

Put the two together -Microsoft magic!

Re:what the heck

I love how this isn't flamebait on "good ol' Slashdot", but if Linux was put in the same boat, it would be. Awesome. And btw, Linux is Security through obscurity, not because it's more solid.

Re:what the heck

Lighten up, Francis. It was a fucking joke.

Re:what the heck

[panck]

yes...

i nearly died laughing the other day. i'm a mac and unix guy, but received a win xp box in order to do some integration for our product.

i plug in the brand-new Dell and turn it on. after I do some configuration, up pops the windows desktop.

Immediately, before I click anything or do anything, a little bubble pops up from the toolbar tray and tells me "Your security is at risk!"

I was like, Frickety heck? I was secure before I turned it on.

Re:what the heck

please.. PLEASE no more soviet russia or korea jokes.

in Korean Slashdot, only old people tell Soviet Russia jokes!

This first post

is reserved for someone to reply to with the article text :)

Re:This first post

[spac3manspiff]

Rice University Computer Scientists Find a Flaw in Google's New Desktop Search Program By JOHN MARKOFF Published: December 20, 2004 SAN FRANCISCO, Dec. 19 - A Rice University computer scientist and two of his students have discovered a potentially serious security flaw in the desktop search tool for personal computers that was recently distributed by Google. The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw - a security weakness that emerges when separate components interact. "When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Professor Wallach said. Google introduced a test version of the desktop search tool on Oct. 14, and it can be downloaded at no cost. The program indexes material on a user's local hard disk and then blends Web search results with local user information like electronic mail, text documents and other files. The flaw would permit a search to reveal only small portions of the files. The way the software tool is designed, a user's queries, but no locally stored information, is distributed via the Internet. But by reading user queries sent to its search service, Google is able to place its AdWords text advertisements next to the search results displayed in a user's browser window. In a statement over the weekend, the company said that it had been notified of the flaw by the computer researchers in late November and had begun distributing a new version of the desktop search engine that repairs the potential security hole. Google's introduction of a desktop search tool has touched off a competition with its closest Web search service competitors, Microsoft and Yahoo. Microsoft made a test version of its desktop search tool available last Monday as part of its MSN toolbar suite, and Yahoo has said that it will begin testing a similar search tool in January. The Rice University researchers said that they had not yet examined Microsoft's desktop search program, but noted that the service did not appear to integrate Web and local search results in the same manner as the Google tool. The researchers said that the Google security weakness lay in the way that Google Desktop was designed to intercept outgoing network connections from the user's computer. The program looks for traffic that appears to be going to Google.com and then inserts results from a user's hard disk for a particular search. They found that it was possible to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them. An attack would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable. Google said there was no evidence that any such attacks had occurred. The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site. "This began as a student project to study how Google Desktop worked and to see if there were any security flaws," said Professor Wallach. "We started by wondering how Google did the local search integration. Once we figured out how it worked, it wasn't too much extra work to break it." The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10. The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on

Re:This first post

nice try idiot nice try idiot nice try idiot nice try idiot nice try idiot nice try idiot nice try idiot nice try idiot nice try idiot nice try idiot nice try idiot
(Use the Preview Button! Check those URLs!)(Use the Preview Button! Check those URLs!)(Use the Preview Button! Check those URLs!)(Use the Preview Button! Check those URLs!)

Re:This first post

well he said post the text.
and it's pointless since it's not "slashdotted"

The first Test

This seems like it will be the first test for Google and thier ethics.

It shall be interesting to see thier response. I'm sure they will deal with it quickly.

Re:The first Test

[endoboy]

is "already done", a.k.a "in the past" quickly enough for you?

Re:The first Test

[Ulven]

It was dealt with 10 days ago.

"The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10."

Re:The first Test

At least they fixed it. But theres more then that. How did they ensure that users were no longer vulnarable. Did they make it fairly public and easy to deal with?

Haiku of the Google Ad

[Swamii]

Your website goes here
Google deploys their search tool
All is exploited

It's already been fixed

http://news.com.com/Google+Weve+fixed+desktop+sear ch+tool+flaw/2100-1002_3-5497885.html?tag=nefd.top

Re:It's already been fixed

[WIAKywbfatw]

So this story is a case of "All your BS are belong to us"?

Re:It's already been fixed

2 fast, 2 furious!

Re:It's already been fixed

[bradkittenbrink]

or you could read that here:

http://www.nytimes.com/2004/12/20/technology/20fla w.html

Re:It's already been fixed

[JoloK]

Only if you want to sell your soul to the NYT :$

Re:It's already been fixed

This is typical Markhoff bullshit reporting. The guy who lied to put Mitnick in prison. Somehow a story about a product which was patched weeks ago is "news". Go figure.... A "flaw" which requires a visit to a malicious website or running of a malicious program in advance. Internet Explorer is seriously flawed if this is the definition of a news-worthy problem. Windows moreso.

To help alleviate the problem

[Manan+Shah]

Goto http://www.bugmenot.com OR Download the bugmenot plugin for firefox: http://extensions.roachfiend.com/index.php#bugmeno t

don't worry

[AviLazar]

You can all, soon, download M$'s search tool - and we all know this will invade your privacy --- on purpose that is... :D

Programs like these (i.e. Gator password program) are the reason why I am a minimalist. I keep on my computer exactly what I need (pr0n included) and nothing else. Anything that potentially interfaces w/the web is a no-no with me (I use zone alarm, so I can see any program trying to access the net).

Re:don't worry

This works well as long as you block IE and Firefox from accessing the internet. :)

Re:don't worry

[atlasheavy]

The MSN Desktop Search tool is already available, and a hell of a lot better than google's desktop search. You can download it from http://beta.toolbar.msn.com/.

Your definition of minimalism is probably different than a lot of other people's. Keep that in mind. I can't function unless I have at least a compiler, if not a full-blown IDE on the computer I'm using. Same thing goes for Photoshop and me.

You may not have either, and may disregard the need for me or anyone else to have these. Just remember, everyone's different. Because you don't find something useful doesn't mean someone else won't.

Re:don't worry

[doublem]

Kudos to you for admitting your need for p0rn.

Far too many people let shame take away their abilty to admit they like the stuff.

Re:don't worry

[AviLazar]

I was not disregarding anyone. Being a minimalist is the same across the board - keeping it down to the minimum. I think you were jumping the gun. I just said I keep the programs that *I* *need* to a minimum. So if you need a compiler then you need it. I wonder how many people need the google desktop search tool? I mean not just "hey this is cool, or this might help" but actually need it? I have a process (it's my own so it's seemless for me) of naming my files, and my directory structure. I never have a problem locating a needed file, unless it's some obscure system/application file (and then I just use the default search tool that comes with XP)

Re:don't worry

[indulgenc]

And Google doesn't collect personal data about you? Give me a break, Google's new search offers (and Gmail) are very invasive when it comes to your personal information. They need to serve you ads to make those services free, and guess how they find out what ads to show you?

-i

Re:don't worry

[Fallen_Knight]

Shame!?

If i start telling people about my multi terabyte porn collection they start asking me to send it to them!!

wait... umm I don't have any porn.. nothing to see here...

Re:don't worry

[Tackhead]

> If i start telling people about my multi terabyte porn collection they start asking me to send it to them!!
>
>wait... umm I don't have any porn.. nothing to see here...

So, umm, then you've got nothing to lose by installing Google Desktop Search or MSN Desktop Search, or anybody else's Desktop Search utility then, right?

*taps foot for ten seconds*

So have you installed it yet? Huh? Haveya haveya haveya? Whenyagonna? Huh? Huh?

Re:don't worry

[gad_zuki!]

sure google can do no wrong, eh?
*cough* the never expiring google tracking cookie *cough* the full featured toolbar is spyware.

Ironically, MS doesn't want your private info, the data miners google sells data to do.

Re:don't worry

[doublem]

You make a good point.

Desktop search is NEAT, but I don't need it. I keep my files organized to begin with, and since I use Mozilla at home and Thunderbird at work, none of the "tools" out there will help me search my e-mail anyway.

It's really a utility for the people who save files wherever the program defaults to, and never know where that is, who have their files scattered all over creation, and who need help organizing their data.

Re:don't worry

prove both.

tell me precisely what nefarious purposes it is used for. what packets are being sent from the toolbar (you said spyware)

you have to be specific when making accusations abouit a company with a good rep. not just expect everyone to beleive it.

Re:don't worry

[AviLazar]

Some people think they need it. I just had a conversation with my co-worker - she keeps every piece of e-mail she gets (she is the IT manager, and subscribes to groups, gets all the spam caught mail etc, which amounts to about 1000 e-mails in all each day). She likes it for searching through her e-mails, which according to her is way faster then Outlooks search ability.

So people need it for various reasons...part of my needs is Zone Alarm, for nothing else then to block these programs from accessing the net. So if I installed google search desktop and it tried passing information...well over ZA's dead body :D

Re:don't worry

[doublem]

well over ZA's dead body

Yes, Zone Alarm can be as annoying as Hell, and it can be a pain in the neck at times, but the payoff of having application by application control over Internet access is priceless.

Although one of these days I really need to get around to configuring it so it doesn't block SMB shares. I don't need it often, but when I do it's annoying to end up turning off ZA during the copy process.

Re:don't worry

[AviLazar]

It's so useful. I was having hopes for M$'s firewall, but I noticed that certain programs can automatically override it and insert themselves as "OK" programs to access the net (iTunes for example). Kind of annoying. Plus I do not see a list of every app the accesses the net, so that kinda worries me.

Re:don't worry

[gad_zuki!]

>you have to be specific when making accusations abouit a company with a good rep. not just expect everyone to beleive it.

Christ, you're lazy. This is common information that can be easily searched.

Google tracking cookie. Pick an article.

Google own "privacy" policy regarding the full version of its toolbar. Yes, Virginia, that's spyware.

Re:don't worry

[JoloK]

Hopes for M$'s firewall? Wha??? Oh, sorry, that must've been a troll ;)

Re:don't worry

How DARE you claim that anyone makes better software than Google. Google's search tool is in BETA, which means that they're making it better. You may not compare BETA softwares until they are released.

Re:don't worry

[X_Bones]

Let's see... a half-hearted anti-Microsoft troll, plus a bunch of stuff about you that nobody wants to hear about. Do you really think I care that you're "a minimalist?" Or that you keep on your computer -- GASP -- things you need? Sure, people might like to know what firewall you use (the one part of your post that's actually relevant), but do you think you maybe might've included some features that not every single other firewall product has too?

Re:don't worry

[Barlo_Mung_42]

I think you just brought the thread full circle. The MS firewall is intended for use by everyone and is on by default so it has to strike a different balance of function vs usability. Most people don't need (and would be annoyed by) the advanced features of ZA if they were in the MS firewall and would end up turning it off, which would defeat the purpose.

On a related topic: you might like to check out some of the tools at sysinternals.com. The TCPView tool is very useful.

Re:don't worry

[AviLazar]

apparantly so if you wrote that long of a reply. that or you like being a troll. Part of these forums is to hear people's life experiences - as the personal side of the story makes it interesting. If i wanted hard core facts I would open a text book.

Re:don't worry

[AviLazar]

Yea i think by default the capabilities of ZA are annoying (especially to the novice computer user). I would have liked to have seen an advanced option though in M$s firewall. Figuring they want to keep people from using other company software - this would have given me a reason to do such a thing.

Re:don't worry

[mystran]

Minimalistic systems don't run zone alarm. In fact, in a minimalistic system you don't install 'ls' as you could do with 'echo *' just as well.

Re:don't worry

[zoloto]

No one needs porn. They're either addicted to it, or like it and are addicted to it. It's a chemical addiction, and those chemicals come from you. There are four of them and when I get back I'll post a reply to what they exactly are. But you people who say you "need" porn and that it's not harming anyone seriously need to get a grip on reality.

And no, this isn't a religious rant. It's realism. I don't even have a religion.

Re:don't worry

[dunng808]

Anything that potentially interfaces w/the web is a no-no with me (I use zone alarm, so I can see any program trying to access the net).

Good point, but the Devil is in the details. I doubt Zone Alarm would catch Google's program shipping out data. It would if it went out to some weird port number, but why would Google design it that way and make trouble for themselves? Much easier to send it to port 80. You would never see that action unless you log and review all web activity. The best place to hide is in the open, so to speak.

Re:don't worry

[wheany]

Please stop writing it as "M$."

Re:don't worry

reply, man - I don't think I'm the only one with a problem on slashdot.

Re:don't worry

[Lehk228]

bitching about people writing 'M$' is as cliche as writing 'M$' in the first place, please stop

Re:don't worry

It's a chemical addiction, and those chemicals come from you. There are four of them and when I get back I'll post a reply to what they exactly are.

Adenine, thymine, cytosine, and guanine?

Re:don't worry

[Tony-A]

Ironically, MS doesn't want your private info, the data miners google sells data to do.

If MS doesn't want your private info, then why does it have access to it?
If MS doesn't want your private info, then why would they take any precautions to protect the integrity of whatever private info that gets dumped in their lap?

I would expect Google to fully understand the implications of the form and contents of the data it sells to data miners.

In short I'd expect Google to treat my private info as a valuable resource not to be sold out cheaply.

Re:don't worry

[AviLazar]

Please elaborate "ls" "echo"

No offense, but I hate when people throw acronyms, shortened versions, or commands. Computer field is a LARGE field and what one person knows is not necessarily known by another. For example: Go to a pediatrician and ask him about neurosurgery and his answer will be a referral.

Also, minimalistic is arbitrary. One persons minimum needs is not the same as another. The only thing consistant with minimalist is that a person keeps the programs
they need down to a minimum.

Re:don't worry

[AviLazar]

I thought ZA catches all programs based on it being a different program not based on the port number (hell it's even caught IE and other windows integrated products). Maybe if Google integrated itself with IE so ZA has no clue that it is Google, but thinks it is IE?

Re:don't worry

[AviLazar]

You know...the thing is, I picked up the M$ jargon from this site. I used to rant about it, but then I was assimilated (resistence is futile so to speak) :D

Just to make a note: I do not hate Microsoft at all. I admire Bill and how much he has accomplished for himself, his company and society as a whole (please lets not spark up a debate, this is just my opinion and nobody will change it).

Re:don't worry

[doublem]

I always considered writing it at M$ to be an easy to shorten the full Microsoft and still keep what you're talking about separate from the disease MS

Re:don't worry

[mystran]

I though anyone that found their way to /. should at least know what "echo" does. Anyway, "ls" (in Unix) does basicly the same as "dir" does on windows (or dos), that is, it lists files in the current working directory. Pretty basic stuff.

As for echo, it does basicly the same thing on windows too (IIRC, it's been a while since I really used windows for anything), so maybe lauch cmd.exe and type in "help echo"?

Re:don't worry

[AviLazar]

Unix? Unix freaks are on a plane of their own you know this yes (I mean this in a nice way). So how is typing dir (in windows) or utilizing echo going to act as a firewall? This would be a great thing to know as I wouldn't mind doing it that way.

Re:don't worry

[fingerfucker]

I have a process (it's my own so it's seemless for me) of naming my files, and my directory structure. I never have a problem locating a needed file

If it's not a problem, would you care to share a bit more on it? I am guessing I might encounter some things to learn from in your example. If you can't, that's okay I guess. Thanks.

Re:don't worry

[AviLazar]

Sure. It is relatively simple at hand.

when naming a directory or file I use underscores between any multiple words (i.e. file_name_has_underscore.txt). This also helps ensure compatability with any system (while most systems can handle blank spaces, there are times when some systems do not).

All files get grouped in similar directories and sub-directories. It may be a pain at the moment, and some might say "You have a lot of sub-directories", but I know where my files are, and they do not overlap. (i.e. If I have a picture of some girl from IM. I would have a directory like this: \IM\images\Girl_IM_Name\Girl_Real_Name.jpg).

I also utilize the properties of a file and give as much of a description as possible for doing searches. Also, when I move my mouse over the file I get a mini-description (helps with larger files such as pdf books).

Hopefully this gave you some ideas. If you have any suggestions, that would be cool.

[Note: Above content is licensed under open source stuff, feel free to use it, modify it, dissiminate it, and hell claim it as your own...all profits to be forwarded to my paypal account]

Re:don't worry

[atlasheavy]

I get a couple hundred emails every day at work. We use Outlook, and I need something that does quick, accurate full-text searches of all of my email. The default search tool in XP doesn't provide for this, unfortunately. Maybe in Longhorn, we can always hope...

PLEASE!

[swordboy]

BugMeNot

Both IE and Firefox extensions available. This copy/paste might be useful if you formatted it instead of karma whoring for first post points.

Re:Thanks, Windows!

[Kupek]

Come again? From the article, it sounds like the security flaw is completely the fault of Google, and has nothing to do with the platform it was written for.

Or you could

[MrHanky]

install the BugMeNot plugin for FireFox.

It is a dumbed-down explaination...

[Kjella]

You have two components, which act as intended. However, the way they are merged into a product (i.e. the glue code) is flawed. If you want to be more technical, it is the kind of flaw you do not find through unit tests, only through system tests. So going from two components with no security flaws, you have a product with a security flaw. The quote is somewhat melodramatic, but accurate.

Kjella

Re:It is a dumbed-down explaination...

[sfogarty]

Actually, the flaw is that we have one domain: public http pages, mixed with a second domain: private user data. The security model for the first domain generally allows web pages to access their own content. It is assumed that the site the page originated from is supposed to be able to get it's hands on what it sent, including sending it back. Thus when we mix in the second domain: static information from the user's local files that should not be part of active content, a security vulnerabilty is created. This is all said much better in our report, of course... this is me rambling on Slashdot, the other is a thoughtful discussion of the material.

Flaw Fixed

[KaSkA101]

Theyve already fixed the flaw and had users download it automatically.

purpose

[jamesbuko]

"The glitch, which could permit an attacker to secretly search the contents of a personal computer via the Internet, is what computer scientists call a composition flaw - a security weakness that emerges when separate components interact." I always knew that this is the ultimate purpose of Google Desktop. Unfortunately google's crawler have crawled almost everything on the web, so why stop there?..on to the Desktop!!!

Re:purpose

[ViolentGreen]

Unfortunately google's crawler have crawled almost everything on the web, so why stop there?..on to the Desktop!!!

I wonder if something like this will be applied to P2P (or if it is even needed.)

So, do I have the fixed version?

[winkydink]

The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge.

Many will not like this concept, but I am happy to learn, I don't have to uninstall, re-install, and re-index to ensure I have it fixed.

Fix for the flaw

[alphakappa]

Google has already fixed the problem, and if you are using GDS, you should have the updated version since GDS updates automatically without user intervention. If you neeed to check, your version number should be 121,004 (or above). I verified from my firewall that my version was updated yesterday. (Apparently Google has been rolling out the updates since December 10)

Re:Fix for the flaw

[Otter]

...since GDS updates automatically without user intervention.

Next Google "scandal": GDS updates automatically without user intervention!!!

Re:Fix for the flaw

[jeblucas]

your version number should be 121,004 (or above)

I'm going to go out on a limb and guess that Google's version number there is 121004, not because they want it read as "one hundred twenty-one thousand and four", but rather as "December 10th, 2004". Don't panic if it rolls back to 011605 next month.

Re:Fix for the flaw

[CaptnMArk]

This is a serious reason not to run Windows.

Too much software assumes it can rewrite and install/upgrade itself.

I want to install software as admin and not as the user.

Re:Fix for the flaw

[imsabbel]

No need for "" around the scandal: Its an app than is supposed to index all private information on a local pc (Email/documents/ect). It has to to be usefull.
I dont want such a critical program auto-updating without even giving the user a notice that he isnt running the same software version anymore.
Alone the fact that a new version can be downloaded and automatically executed SCREAMS security issue. One spoof/hack and we have a ton of google desktop zombies waiting for commands....

Re:Fix for the flaw

[alphakappa]

What you say makes a lot of sense (which means that my "or above" statement is not valid).

Re:Fix for the flaw

Yeah, but would the above be true (without sarcasim) if it was Microsoft doing it?

Re:Fix for the flaw

[alphakappa]

correction again: maybe we should then interpret "or above" as the next date above 12-10-04. I think a versioning system that uses year-month-day would be easier to interpret than the month-day-year being used :-)

Re:Fix for the flaw

[pjt33]

Not to mention that it's a good habit to get into because it can be sorted lexicographically. (Think ls putting your dated backup tarballs in the correct order, for example).

Re:Fix for the flaw

[MightyMartian]

Now if Google could only fix that awful new version of Groups which has screwed so badly with tens of thousands of links to the archives.

I'm beginning to think Google is a very bad thing.

Re:Fix for the flaw

And also because it is an ISO standard (ISO 8601), adopted by the European Union (EN 28601), Japan and many other countries.

Re:Fix for the flaw

Then make a "user" account and remove the policy of being able to install programs for users. How hard is that?!?!?

Re:Fix for the flaw

[YU+Nicks+NE+Way]

It may be good computationally, but it's actually bad from a human interface viewpoint.

The value in mmddyyyy is that the important data is most salient because month and year are far more informative than day-of-month. Thus, from a pure hci standard, displaying your favorite 32 bit time or 64 bit timestruct as mmddyyyy is a good idea, not a bad idea.

Re:So

[garcia]

Actually, just because it was running on Linux doesn't mean that the "attacker" couldn't redirect the results to a page other than Google.

Personally I thought it was a problem with the program itself and not Windows. Then again I read the article so I might be more confused than someone who apparently didn't and is trying to make a lame joke.

Re:Thanks, Windows!

[YU+Nicks+NE+Way]

Uhh--it's a troll. A good one, at that; notice the subtle use of dollar signs to smear the good reputation of Microsnot, as well as the subtle assignment of blame to WinDOS for the coder's error.

Better link

From the researchers themselves, rather than the NYT's garbled take on it.

How it's probably done

[grahamsz]

The article seemed a little vague, but i started investigating this when google desktop first came out.

GDS runs a webserver on your computer which any local application can query, including any java or activex app with outgoing http priviledges.

Google stop this by requiring that some sort of random ID as a key to access the page. This ID is generated as part of the url when you double click on the GDS icon in the taskbar.

It's also embedded into any results page that comes back from google, and you can exploit this by having the java applet first request www.google.com, find the link to GDS, then run a GDS search, then return those results via another web request to a remote host.

But it sounds like it's fixed, so that's good.

Re:How it's probably done

[sfogarty]

Not quite. Again, I recomend checking the webpage , but since I know most of you won't (I wouldn't)... Go install google desktop. Go to google.com. Do a search. Notice it says 'local results found:' and includes small snippets of the local results. We can get those snippets for arbitrary searches by making our own requests to Google. The local data is integrated after the reponse comes back from Google, but before we get it. The only tricky bit is making the requests to google.com through an applet, since the applet is not allowed to connect to google.com, only the originating host. Luckily we can run a web proxy on our originating host and still get the integration results. We don't even have to return the right google.com search result... we can just replay an old page.

Re:How it's probably done

[grd000]

It seems like one should able to exploit this using the same method Google Suggest uses to collect completion suggestions, the XMLHttp object and JavaScript.

Re:How it's probably done

[joel2600]

yes, the article is definitley vague...

but would you expect anything else from john markoff?

Re:How it's probably done

[sfogarty]

Note that the applet can never talk to the local server, as that is outside of it's 'sandbox'.

Re:How it's probably done

[grahamsz]

Applets most definitely can ask for permission to access webservers other than the one that is in their immediate sandbox.

IIRC most jvms assess the risk involved in granting a particular privilege to an applet, and accessing webservers is one of the lower risk permissions - versus socket operations and local filesystem access.

Most users will click yes to anything but the most dire warnings :)

Re:How it's probably done

[prat393]

Why doesn't the post by the person who actually DID the attack get moderated up?

Re:How it's probably done

[jesser]

Can you link to that post? I'd like to read it.

Re:How it's probably done

[prat393]

The parent of my previous post was the one I was talking about.

Did the students pass the class?

[jpvlsmv]

Was this flaw enough to gain a passing grade, unlike DJB's students

--Joe

Re:Did the students pass the class?

Sadly not; they needed to find 9 more security holes ... :)

AppRocket search tool

If you have the time, take a look at AppRocket (www.candylabs.com). Allows you to search your computer just like LaunchBar. The GUI is fairly light weight, eventually you'll never use the start menu! There is a review of it at http://beeger.net/archives/000031.html

I haven't tried to use google/yahoo/msn search tools yet, but this seems to do the same without the advertising or privacy issues.

Re:I don't know about anyone else

[dankrabach]

The Emergency Medical Hologram : "Why would anyone want to share their brain?" The Emergency Techie Hologram: "Why would anyone want to share their desktop?" Please, friends don't let friends meld their desktops.

From the article (I actually read it this time)

[31415926535897]

"An attack would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable."

It seems like most non-email Internet attacks require you to visit an attacker's website before the payload can be delivered (there are some good articles about this at ISC). I would tend to think that unpatched browsers (<cough>IE<cough>) would still cause more problems that this.

Don't misunderstand me, though; I am not trying to excuse Google from the flaw, but the good news is that it's already fixed, and I'm sure the scum of the Internet are going to focus on these other (exciting, money-making) opportunities.

PS. I know Seth Fogarty, does that give me some sort of karma bonus ;-)

Re:From the article (I actually read it this time)

[sfogarty]

Wow, I'm famous enought that people are getting karma for knowing me.

As a note, you can find a tech report on our webpage at http://seclab.cs.rice.edu

Re:From the article (I actually read it this time)

>>I know Seth Fogarty, does that give me some sort of karma bonus ;-)

No, it doesn't ;-) you have veeeery looong ID.

Re:From the article (I actually read it this time)

[magickalhack]

Well, I don't need your karma, but congratulations on the achievement. ;-)

I like how there was a reference to one of my classes in one of the above comments, the link is "DJB's students" or something like that.

Hope graduate school is treating you well.

I'm actually somewhat impressed...

[KublaiKhan]

...by their implementation of the exploit. Using Java as an exploit-crafting tool is really quite ingenious. Perhaps we'll see more of this in the future: seeing as Java runs in a sandbox, it would be very difficult to put a viral load on a distributed exploit. .....of course, that just means that it makes life safer for the script kiddies....so perhaps this isn't a good idea after all.

Re:I'm actually somewhat impressed...

[DaCool42]

Java does not necessarily run in a sandbox, although it does as a web applet.

Re:I'm actually somewhat impressed...

[DunbarTheInept]

The JVM is always a sandbox. In web applet contexts it is more limiting, but there are still sandbox limits outside that context - like a maximum pretend memory size, the requirement that all memory access be done via references and not pointers, and so on.

Re:I'm actually somewhat impressed...

[Bou]

Actually, I think Java is an extremely useful language for virus writers, here's why:

- Java has numerous networking capabilities, making it extremely simple to integrate networking in your virus.

- All java programs run from one or two executables (java.exe and javaw.exe on windows), so once you accidently permitted one of those access to the net, your firewall will not alert you if another (malicious) application tries to go online.

- Java offers runtime URL classloading, so once a backdoor is installed, it is very easy to run Java code from anywhere on the net on the machine with the current user's rights; just set up a server port which listens for the URL and you have generic backdoor.

- All java programs have the same signature in Windows Task Manager, making it hard to determine whether a process is malicious.

People have actually done this (I've even played around with it myself) and I'm very surprised I'm not hearing more about it!

Potential Uses

[grahamsz]

Makes you wonder what this could be used for.

It's a dream exploit for finding users with illegal mp3s or video.

Trying to steal confidential information isn't so easy, since you'd have to have a fairly good idea what to search for first.

Re:Potential Uses

[amrust]

It's a dream exploit for finding users with illegal mp3s or video.

Now there's a scary thought... wonder what the crossover is, for users who peer-to-peer AND use Google Desktop?

Re:Potential Uses

[sfogarty]

Credit cards in cached web pages, passwords, any small bit of information we can reconstruct with repeated, targeted, searches. Certainly also to verify the existance of some files... we didn't consider that. Our search allows us interactivity, though, so we can search for random four-digit numbers, if we hit a credit card, keep looking until we get all of it, etc.

Re:Potential Uses

[slashjames]

It's a dream exploit for finding users with illegal mp3s or video.

Other than this being completely illegal. This small thing called due process would through any evidence gathered in this manner out. Plus, they themselves would be (probably) committing a federal crime of unauthorized access of a computer system.

Re:Potential Uses

[DunbarTheInept]

What you say is true, but there are already cases of the law applying in lopsided ways with regards to little guys versus big guys. I don't have the faith in the system to believe that the point you made would be that much of an obsticle. Someone would find a legalistic loophole, or invent one.

Re:Potential Uses

[Methuseus]

So the RIAA or whatever would be given a small fine of around $100,000 and would sue the person even though there's no hard evidence. The lawsuit would cost quite a bit of money to the defendant, and, even if the RIAA couldn't win, the defendant wouldn't be able to afford to keep going.

Congratulations!

[Tibor+the+Hun]

Not only did you get a -1 redundant, but you also got it on a 1st Post!
This elusive prize is given by sharp moderators who rate your posts on the basis of what future posts might contain!

Do break your paragraphs next time.

URL for original research report

I think the NY Times article was incorrect regarding which versions are fixed. The research report says 121004 and later are fixed (while NYT says those more recent than 121004 are fixed).

Read the original research report for a good dissection of Google Desktop Search and how it works.

Here are the URLs for the original summary, the original technical report (PDF), and a SecurityTracker alert:

http://seclab.cs.rice.edu/
http://seclab.cs.ric e.edu/gdesktop-tr-dec04.pdf
http://www.securitytr acker.com/id?1012624

Stuart
info@securitytracker.com

Re:URL for original research report

I think the NY Times article was incorrect...

John Markoff wrote the article.

I hope the fix...

[Socrates+Demise]

...Dosn't mess up my "hack".

From TFA

[java.bean]

"When you put them together, out jumps a security flaw," said Dan Wallach, an assistant professor of computer science at Rice in Houston, who, with two graduate students, Seth Fogarty and Seth Nielson, discovered the flaw last month. "These are subtle problems, and it takes a lot of experience to ferret out this kind of flaw," Professor Wallach said.

WTF? Want a cookie there Professor Wallach?

Re:From TFA

[beerman2k]

I think he was praising his students, not himself.

Big Deal

[crowemojo]

The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.

So let me get this straight, after successfully fooling a user that the site they are seeing is legit when it's actually spoofed, then they can get the results of local search queries, potentially seeing parts of a file. Don't get me wrong, that kind of stinks and all, but if you have already fooled someone into believing the sites they are looking at are legit, why bother with this? Show them a gmail login, or a yahoo mail login, or if you know a bit about them, their internet banking login.

This security flaw doesn't seem like that big of a deal and if anything, it highlights that Google is being proactive about such things; addressing the issue and releasing fixed software in a reasonable amount of time. Kudos.

Re:Big Deal

[sfogarty]

This is not an official comment, but from my limited point of view Google was very helpful and polite throughout the entire process.

Re:Big Deal

[crowemojo]

So let me get this straight, after successfully fooling a user that the site they are seeing is legit when it's actually spoofed, then they can get the results of local search queries, potentially seeing parts of a file. Don't get me wrong, that kind of stinks and all, but if you have already fooled someone into believing the sites they are looking at are legit, why bother with this? Show them a gmail login, or a yahoo mail login, or if you know a bit about them, their internet banking login.

In retrospect, I think I had this wrong. The java app, once connected to, isn't necessarily spoofing the Google page, it's simply faking the process of querying Google. The java applet is querying Google as opposed to a user who thinks the applet *is* Google. Whoops, sorry, feel free to take the insightful mods back ;)

Another free alternative

Perhaps, you guys should try out a free alternative such as DocYouMeant Hound, available at http://myradus.com/.

(Disclaimer: I know the guy who wrote it, but it's a cool program.)

Security Flaw in Google DeskTop

[RagingChipmunk]

The security flaw in Google DeskTop was revealed to be the underlying operating system. Google has published an advisory recommending its customers patch their Windows operating system by installing Linux.

Re:Security Flaw in Google DeskTop

[wjsteele]

What kind of a fix is that? Doing that just makes the whole system unusable for most users.

Bill

Re:Security Flaw in Google DeskTop

[thebatlab]

I know, you're trying to be funny with a cliched joke. Seems that a lot of people are buying this logic though. However, it's the opposite of the logic that is cried out when something like suprnova.org getting closed down happens.

We can't shoot the supplier (suprnova) for offering illegal goods that people then *choose* to download.

However, we can shoot the supplier (MS) of a security flaw that allows someone to install software. This software then exploits a fundamental issue in somebody elses (Googles) software. Then we're allowed to be blame the supplier?

I know it's not a perfect analogy, as none are. However it does seem that the standard only works in whatever way fits peoples viewpoints best. Since we all know that everything MS does is evil, and everything Google does is good, we can then work at cognitive dissonating a reason that a Google flaw is MicroSofts fault. Bravo!

No, it is a dumb explaination...

[Digital_Quartz]

Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

These guys tricked the google search tool into sending that information somewhere else.

So, we have a "composition flaw", between two components; Google's search tool, and... uh... a Java attack script. Hmm...

The "flaw" here is that Google's search tool sends personal information to an external host, plain and simple. If I don't want a third party attacker seeing arbitrary parts of my hard drive's contents, I probably don't want Google seeing them either.

Re:No, it is a dumb explaination...

[sfogarty]

Google never sends the data to an external host. check the report and explanation The composition flaw is in the integration of external, possibly active, web page with local data intended to be integrated only into static pages. The security policies for active web pages don't take in account the possiblity of data intended only for the local computer.

Re:No, it is a dumb explaination...

[SiliconEntity]

Admittedly the NYT article is extremely light on details (and those details don't show up until the end of the article), but from what it sounds like, the Google search tool sends a brief chunk of each search result, whether of local or network origin, to Google, so Google can display some ads.

It does sound like that, but that would be a terrible design, wouldn't it? It would mean your private search data is being sent to Google! And Google swore up and down that they wouldn't do this.

Actually, your private results are not sent to Google; rather, when the data comes back from Google, the toolbar mixes your private results into the web search results and passes that on to the browser. The problem is that it may not be the user directing the browser to do the request. It could be a Java applet, or maybe (with some help) some Javascript on a malicious web page. Then the nasty code sees the results and it can send them off to where they shouldn't go.

Re:No, it is a dumb explaination...

The problem here is that their entire revenue model for desktop search is based on inserting context-specific advertising into your searches of your local machine, which quite simply cannot be done without sending details of the search back to the ad server, now can it?

Rice University

[BossMC]

I don't suppose anyone knows what types of vehicles are popular with the students at Rice University?

Re:Rice University

Each Other. Rice University professors and students drive so far up their own and each other's a$$es, it's a bit sick. To answer your question, most drive your typical rich kid car, as do the professors.

I should know, I work there as a lowly support person.

So what is the flaw?

[JPriest]

Either NYT left that out or I missed it, so what is it?

Re:So what is the flaw?

Did you not read the article? Because half of the article was about the flaw.

"The researchers said that the Google security weakness lay in the way that Google Desktop was designed to intercept outgoing network connections from the user's computer.

The program looks for traffic that appears to be going to Google.com and then inserts results from a user's hard disk for a particular search. They found that it was possible to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them.

An attack would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable. Google said there was no evidence that any such attacks had occurred.

The Rice group was able to create a Java program that makes network connections back to the computer from where it was downloaded and then make it appear as if it were asking for a search at Google.com. That was enough to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site."

You weren't expecting soure code to the exploit right?

Re:So

[Kilka]

If you *had* read the article, you would know that this flaw could also exist in Linux. The jist I got involves the client app sending search information back to the google servers, and they reply with the ads that will show up in your browser. It seems to me that this would only be a matter of hijacking that users dns, and pointing the name so a server that is listening on the appropriate port.

Um what the ??? does one have to do with the other

[Kjella]

"The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge.

Many will not like this concept, but I am happy to learn, I don't have to uninstall, re-install, and re-index to ensure I have it fixed."

I much prefer to have a button "Check for updates and install now" or "Download, but don't mess with the setup (i.e. install) until I tell you". But I still don't want to, nor need to uninstall, re-install or reindex! Frankly, I just want a one-click install instead of a zero-click install, which always seems to do something wrong at the wrong time (hello Murphy). Forced auto-updating crap is blocked in my firewall.

Kjella

How it works

[SiliconEntity]

A web page on the attack is http://seclab.cs.rice.edu/ which also links to a technical report.

The way it works is actually pretty simple. What happens normally is that the toolbar watches your outgoing and incoming web connections. When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk. This design is to protect your privacy.

The attack is for a malicious site to download a Java applet to your system. This applet does a Google query (via the malicious site as a proxy, to defeat applet sandboxing), and then reads the results which come back. When the results get back to the applet they have gone through the Google toolbar and gotten the local disk results integrated. The applet then sends the data to the malicious site, and presto, it knows a lot about the contents of your disk.

Re:How it works

[HarveyBirdman]

When you make a Google query, it detects that and does a local search of its index of your disk. When the results come back from Google, it mixes in the results from the web with the results from your disk.

Remind me again why I need this?

I dunno... there's too many solutions looking for problems out there.

Intruder Alert. Kill the humanoid.

[HarveyBirdman]

Maybe they need to start making a list of software WITHOUT security flaws. It would save space.

Then again, I'm sure someone will find an exploit in Calculator or Freecell given time.

Re:Intruder Alert. Kill the humanoid.

[Refrozen]

I found one in Calculator already. It gives you access to the sum of 1 and 2. You press the one button, then the two button, then the equals button, and you have exploited it.

Re:Intruder Alert. Kill the humanoid.

[mzwaterski]

I followed your steps, but it didn't work...I got 12

Re:Intruder Alert. Kill the humanoid.

[burns210]

1. Default install of OpenBSD, unplugged from a network, in a locked safe... turned off.

Re:Intruder Alert. Kill the humanoid.

[Refrozen]

Why was this rated funny? I was being serious, didn't you try it?

Whoops!

[Thud457]

It was one of them there accidents!

Yeah, that's the ticket...

false alarm

[kevinx]

you had me worried for a sec. I thought there might have been a secret button that pops up that says, "find your husband's porn".

already fixed!

[museumpeace]

from the NYT article:
...The researchers said that Google had responded quickly to their alert last month and had begun releasing a corrected version of the program on Dec. 10....
BTW, CNET reported this last night.
[obligatory jab at microsoft,typical at this point in a comment, is being left as an exercise for the readers....]

No update here!?

[blahbooboo]

Well, glad to know its been patched. I am even happier to see that my version is waaaay below that minumum to have this bug fixed.

Check it yourself to be sure you are patched, I am uninstalling and re-installing now to hopefully get the newer version

Re:No update here!?

[sfogarty]

This is unnecessary. You can disable the integration option, which is a minor feature anyway. Check our webpage

Stop the press!

[caluml]

Stop the press! Bug in beta app! "Oh no!" Waves hands in the air, and runs around in circles. "Who will save us now? Who will save us?!!"

Re:Stop the press!

[Mournblade]

Think of the children!

Re:Stop the press!

[nzkoz]

Watch out. Dave Winer and friends will woop your ass.

You should be allowed to use Beta software for mission critical applications, Beta means bug free!!!

Re:Stop the press!

[kertong]

the children, won't somebody think of the children?!

Not new

[MHobbit]

This is not new info... there was an article in PC World about this a while back when it was sent to me. In short the Desktop search indexes all of your files and saves an index of your whole HD in a certain file that's unencrypted and easily accessible [enough].

Re:Not new

[sfogarty]

This is different. We get access when you visit our website, not through looking at that file.

Haiku for those affected

[HarveyBirdman]

Repeat 50 times as penance:

I installed this crap.
All the blame belongs to me.
I am a pinhead.

Re:Haiku for those affected

[Swamii]

And for your penance, dear Father Harvey, repeat 100 times, with rosary beads:

Google dies! My fault.
Windows dies! Blame Microsoft.
Google is smiling.

Re:Haiku for those affected

[HarveyBirdman]

No, no. I blame Windows users for their misery. :-)

Re:Haiku for those affected

[Swamii]

Fair enough. :-)

Which is why it's BETA

[diegocgteleline.es]

Google's desktop search is a BETA product. That means that it doesn't works always and that Google doesn't even need to fix it since you shouldn't be using it for serious purposes in first place.

Re:Which is why it's BETA

Google's desktop search is a BETA product. That means that it doesn't works always and that Google doesn't even need to fix it since you shouldn't be using it for serious purposes in first place.

Personally, I'm so tired of hearing "beta" being used as a copout (especially by people, I assume, who have absolutely no business making excuses for either party).

For example, I certainly can't set up an automated report at work which isn't accurate and weasel my way out of it by telling my boss that the report is still in "beta testing".

And what would be classified as a non-serious purpose? If this is a genuine security hole, it's going to be exploitable whether I'm searching for "teen tiffany" or "tps report december"

Pardon the AC (I don't feel like registering for my first post in years of reading)

MSN search

[spac3manspiff]

but noted that the service did not appear to integrate Web and local search results in the same manner as the Google tool.
Msn has a web search?

Re:MSN search

Hello and welcome to last week.

http://www.msnsearch.com/

Re:MSN search

[spac3manspiff]

Gah! it was attempting to be a joke..
I was implying that the msn search was bad and there fore nonexsistant in comparison to google's websearch.

Re:MSN search

Well that was a lame joke because the MSN search results are in fact a lot better (far better ranked) than googles. It acutally performs quite a lot better than Google does at the moment.

Re:I don't know about anyone else

[the31337z3r0]

I have a legit copy of Windows XP Professional SP2, and the built in search engine REFUSES to work. I'm a bit of a techie, and I've had several professionals look at it. They're all baffled. Google desktop does what it should, and if you're not doing anything illegal, why would you worry about someone seeing a list of your files? It's all about perspective, and I love the program.

Re:So

[bersl2]

We already have a desktop search tools.

They're called grep and find.

Re:I don't know about anyone else

[bcrowell]

Bruce Schneier has an interesting article about the security aspects of Google desktop search. His take on it is that it reveals underlying security flaws in Windows, so if there's a problem, it's not a problem with Google's utility. Blaming it on Google is like shooting the messenger.

How did they fix it?

I'm no expert on computer security (and certainly not javascript). Curious how they fixed it, since there doesn't seem to be an easy fix.

Re:How did they fix it?

[sfogarty]

See our for more information, but iirc they embeded the local search results in an iframe, which separates the security concerns so that the java applet and javascript security models prevent us from accessing local information.

Re:I don't know about anyone else

[sfogarty]

This actually has nothing to do with windows in the least. It is a combination of Google's security model and the Java applet security model.

Since I don't see a clear explanation

[dbacher]

Here is how the attack works.

This is based on Wired's much more clear and coherent description.

Desktop search installs an object that the browser instantiates on Google web pages to render local results along side of google results. No data is sent in this process.

The attack involves the fact that this data is present on the web page itself, and is added to the DOM. An attacker using JavaScript can traverse the DOM and read the exerpts of files shown on the search page.

It cannot follow this to the document itself in the cache, and it can see nothing other than the quoted excerpt.

It's beta software, bound to be problems. This particular problem is because the object isn't "locked to the page."

The vulnerability doesn't effect any other desktop search tool that is currently available, because none of them use an object in the browser to integrate search results with their web page. All the other tools are either search your desktop or search the web, not search both at once.

Using FireFox, without the object, you won't get the integrated search results, so you won't have the problem.

Re:Since I don't see a clear explanation

This explanation is wrong.

Google desktop search doesn't use an object in the browser. It uses a component that sits on the machine watching all HTTP traffic. When it sees an HTTP reply coming back from Google for a search it inserts the local search results into the html before the browser sees it.

This attack does not use Javascript or the browser DOM. It uses a Java applet and as such all Java enabled Windows browsers are open to the attack with the Google desktop search installed.

Firefox on Windows does display integrated search results.

Professor Wallach taking all the credit?

[beowulf_fag]

After reading the article and looking through the CS 527 course web page Wallach teaches, it appears that the vast majority of the work was done independently by the two students as a class project. Yet, in the article, Wallach's tone suggests he played a major role in the discovery.

Re:Professor Wallach taking all the credit?

[sfogarty]

Check out our webpage . The tone of the article is not Dan's doing. He has been more than generous with the credit, and was involved with our project and of invaluable assistance the entire time.

Deleted files show up in GDS

I've been using GDS since it came out, and while I like it I *hate* that it returns results for files that have long been deleted.

Is there a way to make GDS purge/rebuild the index?

Annoying "flaw"

The most annoying program I ever used was that Google Desktop search. Even after leaving my PC on for a week and Outlook up and running, the damned thing never finished it's "initial search".

whats your husband looking at kevin?

and how are things in Canada?

The Windows Admin

[fm6]

I want to install software as admin and not as the user.

Windows has the admin/user distinction too (at least in 32-bit versions). The "every user an admin" situation in Windows is more cultural than technical.

I don't want to minimize the security flaws in Windows -- of which there are way too many. But security has a social component too. Right now, most computer users are to some degree their own system administrator -- and most of them just don't have the skills to do it.

It's perfectly simple to set up a Windows box so that you have to enter an Admin password before you can install anything. But with most users no knowing when they should or should not supply that password, you don't really get any extra security that way.

Re:The Windows Admin

[ssstraub]

It is not perfectly simple. There are many games and applications that simply REQUIRE elevated rights to run!

Places I've worked at handle this problem in different ways. Some jump through various hoops to modify the software to work without elevated priveleges. Some put people with admin rights on a seperate subnet with retrictions. Some use "close but not quite" elevated rights like Power User.

Re:The Windows Admin

[fm6]

It is not perfectly simple. There are many games and applications that simply REQUIRE elevated rights to run!

But that's a feature of the program, not the OS. In theory, you could have the same problem in Linux or OS X. In practice, you don't, because developers for those platforms don't think that way. As I said, the difference is cultural, not technical.

Scared me into Uninstalling

[Croaker-bg]

This nifty little feature

The Google desktop program includes an update feature that permits the company to automatically install new versions of the program on users' computers without user intervention or knowledge.

Promptly got the Google Desktop uninstalled off my machine this past weekend when the checksum on the bianry changed for no apparent reason. I consider activity like this to border on sneaky and I see no way to force the program to prompt for my approval to run an update. I would highly reccoment to the Google folk that this be added as a feature or I will consider another desktop search program that treats me like I know whats going on.

Re:Scared me into Uninstalling

[wideangle]

Uninstalled it too. Autoupdates are OK only if users are given the option to disable them. Google doesn't even provide a registry key to toggle updates off.

Re:I don't know about anyone else

[shotfeel]

IOW, the Schneier article is about something completely different (browser caches are there wether they're being searched or not).

so what?

[js3]

People are using it on a large scale and a flaw is a flaw regardless of whether it is beta or not.

Registration: Government plot?

[Sell your soul to the NYTimes to Read]

Are you people so retarded that you can't just put in completely false data? I'm a 93 year old Afghani woman making over 100k/yr and I read the Times daily. You don't even have to create a Yahoo mail drop to get a farking authorization! Suck it up, wuss.

Re:Um what the ??? does one have to do with the ot

[shotfeel]

You're right. I already hear too much, " but it worked fine yesterday and I haven't done anything to my computer." I don't need updates happening behind my back to make things even worse.

So, um

[mcc]

It's basically just a man-in-the-middle attack, where a site that isn't google poses as google and then takes the information intended for google?

Well, um, that's a pretty well-solved problem, isn't it? Just have the google search agent thingy use SSL, and refuse to let it incorporate local data unless the SSL cert checks out as Google's. Problem solved? Or am I missing something?

Re:So, um

[sfogarty]

No, although a man-in-the-middle attack can be used as a delivery method. But if you visit our page, we get data without breaking any security policies.

Common Sense

[dshaw858]

I think it's common sense that if you install a third party tool to index your hard drive, especially one with internet access, you're setting yourself up for disaster. I love Google as much as the next guy, but having a tool that handily stores all of that information is a blatant security risk. Sure MS search is slow (for my Windows boxes), and I'm not even sure if GDS even was released for linux (updatedb | locate something | grep something-more-specific)... but if you're going to index your hard drive, you're taking a risk. I don't see why this would surpise anyone all that much.

- dshaw

Re:Common Sense

Give us a break with the updatedb locate grep BS. GDS finds stuff in fractions of a second. When was the last time you found that 2 year old text file that you only know the contents of, and not the name in 0.1 second. Get off the unix high horse.

Too Late

[eMartin]

You know, she's probably already found it.

I know a few people who think their porn is hidden on their computer, but those who live with them say otherwise.

Just think of all of the recent file lists and last used directories in your media players or image viewers, system logs with errors for codecs and paths to the problem files, browser history autocomplete and cookie names, disks with "missing" space or restricted directories, and the good old file search for mpg, avi, wmv, etc.

You're probably not the only computer-savvy person she knows (if she's not one herself), so just assume she's already seen your stash.

Re:Too Late

[eMartin]

Which, by the way, reminds me of the time a friend asked me to fix his computer, and while running a virus scan, the progress window soon started running through his porn directories flashing some pretty embarassing filenames.

And that went on for a good 10 minutes or so.

All i could say was "Well, we do need to do the virus scan."

Re:Too Late

[multimed]

...so just assume she's already seen your stash.

And she likes it.

I mean, this is Slashdot after all, so if we're already entered the land of make believe where readers actually have wives, then the extra step to wives who like porn is no big deal.

Re:Too Late

rar it encrypted with password. rename extension to .dll and place in winnt\system32

not bullet proff, but it works

Re:Too Late

[Rude+Turnip]

This is why Apple's market share is going to go through the roof when they release the Safari 2.0 browser with OS X 10.4 (codename Tiger). One of the noted features of Safari 2.0 is called "private browsing," where absolutely nothing gets logged anywhere (history, cache, cookies, etc.). It's every husband's dream come true!

Re:Too Late

[eMartin]

Yeah right.

"Honey... Why is "private browsing" always turned on when I get home?"

Re:Too Late

[Elwood+P+Dowd]

Many years back I had someone ask me for help resizing images to send to his mom as email attachments.

So I downloaded some random shareware image library app. Ran it, clicked "open" and navigated to the "my pictures" folder (or equiv).

It immediately started displaying thumbnails of all the dude's porn.

"No sweat. Which ones are for your mom?"

Re:Too Late

Just think of all of the recent file lists and last used directories in your media players or image viewers, system logs with errors for codecs and paths to the problem files, browser history autocomplete and cookie names, disks with "missing" space or restricted directories, and the good old file search for mpg, avi, wmv, etc.

I thought that's what all that multi-user OS stuff was about: everyone has to find their own porns....wait...a minute--are you still using Window$?

technological advantage of the latecomer

[bratboy]

I agree - this is definitely one of those utilities that I don't NEEEEEEEED, and am happy to wait a couple of versions before jumping in.

Dang, I was hoping

[zrk]

that a little Pi symbol would appear on the screen and allow me to bypass all security on all sites everywhere.

Summary

[823723423]

http://seclab.cs.rice.edu/gdesktop-tr-dec04.pdf Quote 1 java applet attacks because the google desktop application bases its decision to integrate strictly on network traffic, all that is required for an eavesdropper to obtain an integrated web page is to open a socket on the target computer and send an http request to go Quote 2 the google desktop's local search integration cannot distinguish this connection from the java applet with a legitimate connection from a web browser, and will thus integrate the search results where they can be read by the applet

No Reg Link

http://www.nytimes.com/2004/12/20/technology/20fla w.html?ex=1261198800&en=1516efbda44c949e&ei=5090&p artner=rssuserland

Watch out for wrapping and a potential white space in the link above.

Love,
Karma Slut

PS: I dont have a /. account, so if i borrowed a users name... sorry...

Re:Um what the ??? does one have to do with the ot

[Theaetetus]

I don't need updates happening behind my back to make things even worse.

Yes, but you're in some sort of IT field. Most users, given the option of downloading and installing security patches, will not. That's why MS has been in so much trouble about not having that on by default, and why they turned it on in XP SP2.

Why?

Can anyone see the draw of a tool like this in the first place? If so then please tell me. I know it's off topic, and besides a tool that index's you HD and also allows you to search the net..... that was asking for issues

Troll?!?

[Prince+Vegeta+SSJ4]

Excuse me for saying something a little negative about the sacred Google. I love Google's search engine, but I decided to wait on this little feature. Some mods need to get a clue.

Re:Um what the ??? does one have to do with the ot

And yet it at least attempts to pop up a "Security Center has updated your system" or "Downloaded Updates are Ready for Installation". It doesn't hurt to ask the user something, people are getting better all the time... I even talk to some computer literate people nowadays... And it usually only takes one time of wiping a computer and losing all your data (or paying $200 bucks to the "local computer store") to get a little more cautious...

Ah, but...

[mogrify]

..in Soviet Russia, web searches YOU! Oh, umm...

Re:Um what the ??? does one have to do with the ot

[Theaetetus]

And yet it at least attempts to pop up a "Security Center has updated your system" or "Downloaded Updates are Ready for Installation". It doesn't hurt to ask the user something, people are getting better all the time...

"What? No, I didn't click on that - you tell me never to install things when I don't know what they are. Did it say Security Center? I don't know - I didn't read it. I don't have time for that, and I'm on deadline. Now, fix my computer."

(or)

"You told me last time to click to install any security updates! What do you mean, the 'Gator Buddy Security Update' wasn't an important update? Make up your mind! I don't have time to investigate all these things, that's your job. I'm on deadline anyway. Now, fix my computer."

I much prefer the way Apple does it, with the Software Update application being a highly obvious and entirely different looking window from the usual 'click to download' windows. Plus, the fact that you have to put in your Administrator password, and click on a license agreement with Apple's name prominently displayed tends to help.

-T

OGM!!!1111oneoneone

ogm liek googel is teh suck

Straight from the horse's mouth

[prat393]

Here's Rice's security lab post about the flaw: clicky

Re:Straight from the horse's mouth

[prat393]

There's a more in-depth technical analysis available for download at the bottom of the page, if you're interested.

The other side...

[grahamsz]

Kazaa could use google desktop to inspect the system to find sharable stuff without having to do a painfully slow system scan. In fact it could even relay incoming searches directly to GDS to maximize the number of hits.

OT: Re:Too Late

[lhaeh]

This is how most kiddy porn busts happen. The first thing we did at the place I worked was a search for *.jpg, we never ceased to be amazed at the stuff that turned up.

Even sending out searches is a security hole!

[plampione]

Am I the only one that finds it very disturbing the fact that, in order to search your PC, you actually send out the search query? So Google can build for free an incredible amount of statistical knowledge on what users have on their PCs? Just how much is that worth? And, is the information encrypted? For otherwise, it would certainly be of interest to know what e.g. Intel's engineers are searching on their PCs...

It amazes me how much information people are willing to give out for free in exchange of a little convenience.

Re:Even sending out searches is a security hole!

[sfogarty]

You do not send out local searches. We are talking about normal web searches.

who cares anyway?

[commodoresloat]

The guy still needs to find 9 more exploits to even pass the class.

What I don't understand

[apankrat]

Is how can they patch twice a day with a versioning system like that ? One does have to plan ahead and allow for extreme cases :)

Don't take things for granted

[dunng808]

browser caches are there wether they're being searched or not

Read Schneier again. That other individual's files turn up in searches is the result of all users having administrator privleges by default in XP home edition. That XP HE does this is poor policy. Also, browsers should not cache pages sent via SSL, because they are likely to contain sensative information such as credit card numbers. Trivial to add that design to a browser.

Even if Google tries to improve their product, the data remains for less scrupulous programmers to harvest.

As for Google knowing what I search for on my hard drive, well, that isn't nearly interesting as what I search for on Google, and they allready have that. I would like it if they made clear to users that search data is being shipped out.

Shhhh.

[valkraider]

Damn it. Now everyone (who reads several levels down in /. ) knows...

still there?

[haxhia]

From the article
"Today, the security of the Google Desktop system is resting on JavaScript's "same-origin" policy. If an attacker can somehow violate this policy, far more serious attacks than merely reading local search results will become possible..."

Doesn't the famous Window Injection Vulnerability which affects most browsers violate the "same-origin" policy of javascript?

NYTimes?

[Muttonhead]

Why does Slashdot push the NYTimes? And why sell your soul to read an article. I just searched Google News and found many other links to the same story.

Flame Bait

[im_thatoneguy]

OMG!!! G$$GLE has another huge security flaw, yet another reason to use linux!!!

matter that stuffs

[Doc+Ruby]

Posting the text of the article is, by definition, redundant - to the article, if not to even nonexistent "prior posts". The -1 score might just balance the whored karma, in the bizarre Slashdot sense of equilibrium, a cosmos tipping forever between Insightful Trolls, and Informative Flamebaits.