New Security Concerns Raised For Google Docs

TechCrunch is running a story about three possible security issues with Google Docs recently uncovered by researcher Ade Barkah. It turns out that an image embedded into a protected document is given a URL which is not protected, allowing anyone who knows or guesses it to see the image regardless of permissions or even the existence of the document. Barkah also pointed out that once you've shared a document with another person, that person can see diagram revisions from any point before they gained access, forcing you to create a new document if you need to redact something. The last issue, the mechanics of which he disclosed only to Google, affects the document-sharing invitation forwarding system, which can allow somebody access to your documents after you've removed their permissions. Google made a blog post to respond to these concerns, saying that they "do not pose a significant security risk," but are being investigated. We previously discussed a sharing bug in Google Docs that was fixed earlier this month.

It's nothing, Shroedinger's logarithm beats that

[Enleth]

Open a new spreadsheet, type in those formulas:

A1: "=log10(1000)", format for two decimals - equals 3.00
A2: "=trunc(3.00)", format for two decimals - equals 3.00
A3: "=trunc(log10(1000))", format for two decimals - equals... *drumbeat* 2.00, that is, TWO POINT OH OH. Uh, oh.

I decided to call it "Schroedinger's logarithm".

A report on the Google Docs' technical support forum went unanswered...

Here's how Gogle should respond

[bogaboga]

My submission is that Google should respond in a classic Linux/KDE/Gnome format as follows:

"While we acknowledge receipt of your concerns, the points raised are a feature of our product(s) and not bugs. Google takes security and privacy seriously and are committed to ensuring that all our users continue to enjoy products and services we provide."

Or even better, they should label these so called security feature with a tag: "Won't fix." I know I will tagged a "troll" but I must say this: The "Won't fix" label, though not unusual in both the KDE and GNOME worlds, it is more common in the GNOME world than KDE. What it does not tell is whether there is lack of expertise or resources to fix it on both teams or it's because of incompetence, some other factor(s) or both.

I know because I counted them the (Won't fixes) on the 19th of March this year: GNOME score: 121, KDE score: 43. You do the math.

Now you go ahead and mod me down.

Re:Business Security

[TheRaven64]

I did some consulting a while ago for a company which had a senior manager (I can't remember his actual title; the boss / owner's second in command) who kept the customer database on a USB flash drive. This was stored as an Access database and was completely secure, because it was always carried with him and only inserted into a computer when someone needed to access it.

Completely secure, of course, until he decided to go into business by himself, and emailed all of the company's customers with a quote for their business at a slightly lower rate than they were currently paying, and some quite unprofessional comments about his former employer.

You can't have absolute security, but it seems a lot of people are very bad at working out exactly how much security they really do have. In many cases, it's a lot less than they think.

Re:Access after you revoked permissions = a copy

[mysidia]

Is this meant to be a troll? copyright has nothing to do with permission to access.

Copyright has everything to do with controlling when new copies can be made and distributed, which is the most common and likely way that information ever gets distributed.

You may have the document containing the info, but copyright control means another company can't go into the business of distributing the document, without you having recourse, and possible criminal charges (depending on the circumstances).

That's a pretty darn good deterrant and powerful control over the flow of information.