Slashdot Mirror


"Going Google" Exposes Students' Email

A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each other's inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"


  1. Re:Someone has high demands. by JonJ · · Score: 2, Informative

    You want faster response times, 100% avail and dedicated engineers? For free?

    I don't think they are giving this away for free.

    --
    -- Linux user #369862
  2. Re:Someone has high demands. by olderchurch · · Score: 2, Informative
    --
    Disclaimer: This opinion was created without the use of any facts
  3. They must be kidding by trifish · · Score: 5, Informative

    While the glitch itself was minor and was fixed in a few days

    Pardon my ignorance, the glitch was minor?

    What?

    The fact that emails contain back-mailed passwords to many kinds of online services, including those involving payments (which is a stupid practice, but the online service providers do it anyway, they send you the password when you sign up)...

    The fact that I can reset your password to any third-party online service account where I know that you use it and that you associated it with this email account...

    Still minor glitch? Reading others' emails? Really? I or TFA must be missing something.

    1. Re:They must be kidding by Anarchduke · · Score: 4, Informative
      Small glitch, as in 22 out of 200 students affected on a data migration to Google's free service.

      The glitch itself wasn't fixed for three days, true. However, the glitch occurred on Friday, and the CIS department notified Google of the issue Saturday. Prior to the fix on Tuesday, Google had disabled the accounts. The article also states that during this 24 to 48 hour window before Google shut down the accounts, the CIS had sent out emails to the students and waited for their replies. I don't know how fast you expect students to reply to an email sent out over the weekend, but I am guessing that those emails didn't get back to the CIS department immediately. Let's give it 12 hours.

      So, a free service responds to your problem and disables the accounts within 24 to 36 hours, then fixes the problem 18 - 36 hours later. All the while this same service is responding to similar glitches at ten other institutions, with no word on how large those universities were.

      Overall, I'd say that is a pretty fair turnaround, all things considered.


      By the way, the author of the article, Sarah Perez, seems like a fairly Microsoft-centric person, considering her personal website. So the guess by miffo doesn't seem that far off.

      Consider the article itself

      Friday, September 11th, a couple of students notified Brown's Computing and Information Services department (CIS) that they were able to read emails belonging to other students. The CIS department contacted Google on the following day and sent out an email to the 200 students whose mailboxes were in transition

      then she says:

      That means that the students had access to each other's email accounts for three solid days (Saturday, Sunday, Monday) as well as parts of Friday and Tuesday before the accounts were suspended by Google

      The author includes "parts of Friday" even though she had made it clear Google wasn't notified until Saturday. I mean, my God, Google didn't even bother to go back in time to before they were notified!!!

      --
      who prays for Satan? Who in 18 centuries has had the humanity to pray for the 1 sinner that needed it most? ~Mark Twain
    2. Re:They must be kidding by agiduda · · Score: 3, Informative

      By the way, the author of the article, Sarah Perez, seems like a fairly Microsoft-centric person, considering her personal website.

      Understatement, she is a contract worker at Microsoft and has what reads to me as a very defensive disclaimer on her site. Her neutrality is questionable.

      --
      How much easier it is to be critical than to be correct.
      -Benjamin Disraeli
  4. Re:3 Days Turnaround by john83 · · Score: 4, Informative

    It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

    That was my thinking too, but TFA says that the students notified their admin on the Friday, who notified Google on the Saturday, who fixed it on the Tuesday. It's not clear - bad writing - but they may have suspended the service on the Monday.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  5. Legal issues? by Max+Romantschuk · · Score: 2, Informative

    In Finland reading someone else's mail, of electronic or snail variety, is illegal. What about other legislations? This sounds like something that would be taken rather seriously here.

    (Actually, due to how seriously this is taken a recent law has (unfortunately) been put in place, to explicitly allow employers to read employees' work mail. Google "lex Nokia" for more info.)

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
  6. Re:Someone has high demands. by miffo.swe · · Score: 3, Informative

    "I'm sorry, perhaps you missed the part where students could read each others emails."

    If we are to be true, students could not reach other students' inboxes. During migration mails were put in wrong inboxes. It's a pretty big difference if the source system is on crack or if there is a security breach in the target system. In this case the problem could lie in the software used to migrate the users' mails but it did not lie in Google Apps itself.

    --
    HTTP/1.1 400
  7. Re:3 Days Turnaround by Runaway1956 · · Score: 4, Informative

    "11 % of users were affected"

    No, ~1% I think. Following the links in the links, you'll find that Brown University transferred 2000 accounts, not the 200 in the above summary. It seemed suspicious that a university was only transferring 200 accounts, to begin with. An individual small college would have that many accounts, or more.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  8. Re:3 Days Turnaround by Anonymous Coward · · Score: 5, Informative

    Well, I'm the guy at Brown who actually does the part of the migration that switches over internal email to Google (though others are involved), and I can tell you that we knew about a few almost immediately, from student reports. Google was involved as soon as we found out, but it took them a little while to determine exactly what happened.

    Also, this wasn't as bad as it sounds. Students weren't receiving new mail meant for someone else, the problem was with the tool that migrated their old existing email from our Exchange system to their new Google email boxes. The 22 students got the contents of other students' -old- mail boxes, not new mail.

    It appears that Google upgraded their IMAP migration tool on the back-end, and there was a problem with the new version. Interesting thing about 'the cloud', all the tools available on it are upgraded without the end user being aware. Had there been a 'migrate user email boxes - updated today to version 1.1!' button instead of 'migrate user email boxes', I might have waited a few days to let Google shake-out the bugs.

  9. Re:3 Days Turnaround by spyrochaete · · Score: 4, Informative

    Is this still the gmail that you don't pay for btw?

    Schools get Google Apps for free (that is to say, they don't pay for the licenses) but it's the full-fledged Google Apps that normally costs $50/user/year. It's effectively the same as the enterprise version.

  10. Re:methinks he doth protest too much by nametaken · · Score: 2, Informative

    I don't know that I'd call that inconvenient. I'd say being locked out of my email for a solid week is unacceptable, and I'd migrate away from that provider immediately.

  11. Re:Someone has high demands. by agwadude · · Score: 3, Informative

    A few mailboxes (20 out of 200) had the wrong mail migrated into them. We don't even know the source of this problem yet, but the university could very well have TOLD Google to put sally.smith's e-mail into sally.jones' new mail box.

    This isn't a google apps security problem. Please RTFA and get off your high horse.

    No, why don't you RTFA and get off your high horse. According to an article linked from TFA, Google acknowledged the problem was on their end, and an earlier comment from a Brown sysadmin indicates that Google upgraded their migration tool right before this happened. It may have "only" been 20 out of 200 accounts, but the problem is squarely Google's fault; stop blaming the Brown sysadmins.