"Going Google" Exposes Students' Email

A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each others' inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"

3 Days Turnaround

[sgbett]

Is that three days after they were notified, or did the affected students keep it quiet for a couple of days for 'research purposes'.

Re:3 Days Turnaround

[BikeHelmet]

It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

Re:3 Days Turnaround

[john83]

It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

That was my thinking too, but TFA says that the students notified their admin on the Friday, who notified Google on the Saturday, who fixed it on the Tuesday. It's not clear - bad writing - but they may have suspended the service on the Monday.

Re:3 Days Turnaround

[sgbett]

Its conveniently devoid of detail regarding the timeline of things. I don't mean to be a google apologist, but the article seems full of conjecture.

11 % of users were affected during a migration. OK it could have been better, but a 3 day turnaround (over a weekend) of an outage during planned maintenance doesn't sound *that* bad to me. Is this still the gmail that you don't pay for btw?

The critical (missing) detail is how quickly did Google turn off access to other people's mail following notification. Yes it may be a contentious decision if it was made without approval, but in areas of privacy it might be a good idea to CYA first ask questions later.

Heated discussions are one thing, being taken to court over Data Protection is quite another.

I'm confused at the reaction from Brown, were they advocating leaving people's data out in the open whilst it was resolved?

Re:3 Days Turnaround

[Idiomatick]

Friday: School got 1 or 2 emails from students
Saturday: Google got email from School. They sent an email to all 200students asking who was affected
Sunday: I only assume they we waiting on replies.
Mon: Ditto.. Prolly working out what it is.
Tuesday: Problem fixed early in the morning. Only 22 accounts were affected. Of those accounts they couldn't see everyone's email, all of some accounts or just a few emails that weren't theirs.

If this weren't a free service I'd definitely raise hell, I don't think I'd sue. Since it is free and happened over the weekend. And on a new service during a data migration... I don't think it is a horrible problem. Also its a uni email not professional or personal. If those schools are anything like mine the only thing you get in them are fliers and profs responding to questions.

Re:3 Days Turnaround

[aetherworld]

It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.

That was my thinking too, but TFA says that the students notified their admin on the Friday, who notified Google on the Saturday, who fixed it on the Tuesday. It's not clear - bad writing - but they may have suspended the service on the Monday.

That was my assumption too. And actually, that's not too bad... If they shut down the accounts on Monday morning, that's as prompt as it gets. To my knowledge, Google email support doesn't work on sundays.

Re:3 Days Turnaround

[Runaway1956]

"11 % of users were affected"

No, ~1% I think. Following the links in the links, you'll find that Brown University transferred 2000 accounts, not the 200 in the above summary. It seemed suspicious that a university was only transferring 200 accounts, to begin with. An individual small college would have that many accounts, or more.

Re:3 Days Turnaround

[sgbett]

Interesting! I must admit I had to do a double take when I was checking the total user-base to figure out a percentage, it did seem low to me for a University but as I'm not familiar with the US system I didn't go any further. Seems, I should have dug deeper - I'll never make a journalist eh.

I suspect this bit of misinformation was another convenient re-phrasing designed to increase the newsworthiness of this non-event.

Re:3 Days Turnaround

[Jurily]

Following the links in the links, you'll find that

Nice summary, isn't it?

Re:3 Days Turnaround

[Uber+Banker]

If this weren't a free service I'd definitely raise hell..

Are these students not paying fees, and (were it to occur in most other countries) taxpayers paying also?

Re:3 Days Turnaround

Well, I'm the guy at Brown who actually does the part of the migration that switches over internal email to Google (though others are involved), and I can tell you that we knew about a few almost immediately, from student reports. Google was involved as soon as we found out, but it took them a little while to determine exactly what happened.

Also, this wasn't as bad as it sounds. Students weren't receiving new mail meant for someone else, the problem was with the tool that migrated their old existing email from our Exchange system to their new Google email boxes. The 22 students got the contents of other students' -old- mail boxes, not new mail.

It appears that Google upgraded their IMAP migration tool on the back-end, and there was a problem with the new version. Interesting thing about 'the cloud', all the tools available on it are upgraded without the end user being aware. Had there been a 'migrate user email boxes - updated today to version 1.1!' button instead of 'migrate user email boxes', I might have waited a few days to let Google shake-out the bugs.

Re:3 Days Turnaround

[sukotto]

Also, have they already arrested/suspended/expelled the students that reported the problem?

Re:3 Days Turnaround

so you're giving them kudos for good customer support because they don't work on Sunday? Hey Google, this is the big leagues. Put on your uniform and show up to work on time.

Re:3 Days Turnaround

[icebraining]

Yes, but if Brown uses a free email system, it's their fault, not Google's.

Re:3 Days Turnaround

[Yizzerin]

Though Google Apps for Education is free, I'm guessing that Brown is paying for SLAs (and supposedly for enhanced privacy haha). Personally, I think this is pretty bad: college email accounts are supposed to be more-secure forms of communication than regular email (in that sensitive communication can go through them). It's a bit unacceptable to have this happen, even during rollout. Many people use their university emails for personal or professional purposes; I would be pretty upset if this happened to me.

Re:3 Days Turnaround

[spyrochaete]

Is this still the gmail that you don't pay for btw?

Schools get Google Apps for free (that is to say, they don't pay for the licenses) but it's the full-fledged Google Apps that normally costs $50/user/year. It's effectively the same as the enterprise version.

Re:3 Days Turnaround

Is this still the gmail that you don't pay for btw?

Actually, having worked for a "university" who outsourced e-mail services to Google, it's not free. Not at all.

Re:3 Days Turnaround

[Bender0x7D1]

No offense, but from a privacy perspective there is nothing "less bad" about seeing "just" the contents of old mailboxes.

If I have nude photos, love letters, an email from porn-porn-porn.com, or just something I don't want someone else to read in my old mailboxes, how is someone else being able to see them not horribly bad even if they are over 90 days, (or whatever), old?

Re:3 Days Turnaround

[belg4mit]

Is this still the gmail that you don't pay for btw?

No, it's the education edition of Google Apps. They've been offering
for a while now to colleges and universities.

Re:3 Days Turnaround

Is this still the gmail that you don't pay for btw?

Regardless of whether or not the universities pay for the google mail service, incidents like this should not happen. What would happen if the same Blackberry organization, say, Rogers wireless, mixes up the accounts of executives from different companies?

If in the terms and conditions it states: we may mix up accounts from time to time, if you want this to NOT happen, please pay $20/month - everyone would pay the $20/month then.

These students may have had information about marks, papers, exams, etc, in their emails and I most certainly would rather have my CC number broadcast then my academic information, because at least I can call the CC company and get it cancelled.

Paid for or not, this shouldn't happen.

Re:3 Days Turnaround

[sgbett]

Depends on the terms of your contract as to what remedies would be made available to you.

One would have to be incredibly naive to expect perfection from any service, let alone one which you are getting for free.

If Blackberry screw up then I could ask for financial recompense wrt the contract I have with them, and/or I could sue for damages.

Brown could sue google for damages (Well the students could sue Brown, who in turn ....), which is when then promptness (or not) of suspending accounts comes into play. If google suspended the instant they knew then they aren't going to be liable - if Brown sat on it before telling Google then they are probably liable.

In any case you would probably have to demonstrate some sort of negligence somewhere along the line along with some sort of actual damages, material or otherwise.

Re:3 Days Turnaround

[FlyingBishop]

TFS implied that they had wiki-like access to each others' mail, so this scenario is indeed "less bad" from a privacy perspective than unfettered access to in-progress communication. What if I'm ordering something and someone else sees the tracking number, sees when it's delivered, and surreptitiously intercepts the shipment? It takes a lot longer to search a back catalog for something good, and someone is a lot less likely to do such a thing on impulse. (Odds are, these were not incredibly tech savvy nor evil people that got the email.)

Re:3 Days Turnaround

Hey, at least you aren't the guy at Brown that isn't telling all of us that are mail inboxes would just be deleted if we selected to use mail forwarding. Imagine if you were stuck being that guy for all those students, like me, who at least were lucky enough to remember that this old "standard policy" existed.

Re:3 Days Turnaround

If this weren't a free service I'd definitely raise hell, I don't think I'd sue. Since it is free and happened over the weekend. And on a new service during a data migration... I don't think it is a horrible problem. Also its a uni email not professional or personal. If those schools are anything like mine the only thing you get in them are fliers and profs responding to questions.

http://www.google.com/apps/intl/en/business/index.html

This isn't free.

Re:3 Days Turnaround

[sulfur]

If I have nude photos, love letters, an email from porn-porn-porn.com, or just something I don't want someone else to read in my old mailboxes, how is someone else being able to see them not horribly bad even if they are over 90 days, (or whatever), old?

That's why you should separate your emails as much as possible. Use your work email for work purposes only; your college email to communicate with professors and fellow students about school-related issues; and personal email for stuff that you don't want the whole world to know.

This way you won't be embarrassed when your friendly BOFH from corporate IT decides to read your inbox. You also wouldn't care much about the situations with college email like this one.

Re:3 Days Turnaround

[TheUser0x58]

For one, being only able to see my old emails, you couldn't complete an email-based password reset from whatever sites I have accounts on. If you could do that, you would be effectively stealing my account on that site until I do another password-reset to steal it back. While bank websites usually have a little more security than this, getting in to e.g. a PayPal, eBay, or Amazon account would be enough to do some damage before the account owner figures out whats going on.

Re:3 Days Turnaround

[dave562]

To my knowledge, Google email support doesn't work on sundays.

For Google's sake I hope that is conjecture on your part and not the reality of the situation. Any organization that is touting their software as "enterprise ready" better have tech support there and ready to take care of problems 24x7x365 for organizations willing to pay for it.

Re:3 Days Turnaround

[TheCarp]

Thats a pretty solid bug right there. At least it highlights a gap in their expectations. Maybe they will refrain from doing that sort of "behind your back" upgrade again? Probably not.

When I worked at a University we had more amusing problem. We used a webmail client that had some cookie hijacking issues. Overall not a real problem, since you need to actually steal someones token before you can use it.... at least... on the surface.

The real problem came in that....well...it took any token that you gave it. So if I said my session ID was 00000001 then, it dutifully checked, saw 00000001 was unused, and let me log in on session 00000001.

Again, not a huge issue.... until someone sent out a setup CD that installed a link on everyones desktop that included a session ID in the URL.... and hilarity ensued.

There were students fighting over tokens. You could see it in the logs. User A logs in, a few mins later, on the same session, user A logs out, user B logs in. Then user B logs out, A logs in...back and forth every few minutes!

It was one of those login fights that I noticed in the logs that tipped me off to where the problem was...and I laughed....

-Steve

Re:3 Days Turnaround

Or worse - credit card statements, logins and passwords, address books, and so on. It's less the privacy exposure and more the identity theft exposure that I find problematic.

Re:3 Days Turnaround

If I have nude photos, love letters, an email from porn-porn-porn.com, or just something I don't want someone else to read in my old mailboxes...

Your ideas intrigue me and I wish to subscribe to your newsletter.

Re:3 Days Turnaround

[TheMysteriousFuture]

Please Elaborate

Re:3 Days Turnaround

gp is correct. for commercial users, there is a special support team available 24/7/365. no idea about student / university accounts though.

Re:3 Days Turnaround

[Idiomatick]

That is the business version not the school one which is free.

Re:3 Days Turnaround

[stephanruby]

Schools get Google Apps for free (that is to say, they don't pay for the licenses) but it's the full-fledged Google Apps that normally costs $50/user/year. It's effectively the same as the enterprise version.

Except for the Service Level Agreement (SLA) of course. Also read the fine print, the Google Apps without the ads would be for enrolled students only.

The staff and alumni on the other hand (assuming the school has a US non-profit tax status, but not the Charity status) get the ads and the lower standard quota (which is not 25 GB, it's more like 6 GB or 9 GB -- I forget which).

Re:3 Days Turnaround

[stephanruby]

Are these students not paying fees, and (were it to occur in most other countries) taxpayers paying also?

Don't worry, the taxpayers are paying. That's the entire point of donating to Universities and Non-profits. They get their (Federal Employee) Tax ID number, then they can off-set those in-kind donations on their taxes against their revenues from Ad-sense. Everybody does this. Google does it. Microsoft does it. Etc.

Re:3 Days Turnaround

...I most certainly would rather have my CC number broadcast then my academic information,...

Do you realize that you just said you'd prefer that your Credit Card information was broadcast first, followed by your academic information? What difference does the specific order that they're revealed in make?

You don't need to worry about people getting hold of your lack of qualifications, considering you don't know the difference between the words than and then you've revealed your lack of education through your comments.

Re:3 Days Turnaround

being ready to take care of problems 4x7x365 = being ready to take care of problems for nearly 7 years.

Re:3 Days Turnaround

Well, sound a little bit funny, but I have actually had another interesting situation, which is still happing, but using just plain gmail.

When I initially registered for gmail via that invitation only phase I used my old work address. After a while I found out that every email I send from my work address, via my work servers (which I was responsible for) to a correspondent using google for mail hosting would pop up in my personal gmail send folder. Funny, huh? It does not work the other way around though.

Breach of privacy

[Yvanhoe]

Sue.

Re:Breach of privacy

You were born in California?

Re:Breach of privacy

Sue.

It's the American way.

Re:Breach of privacy

[Yvanhoe]

I'm French and if my personal or professional email were to be made public, that would be one hell of unsatisfactory service. Privacy is why I accept paying a provider for things that could be free (as in beer). If this expectation goes out, I will ask for damage. You know, the expectation for privacy is written in our constitution.

Re:Breach of privacy

I'm French

Just save us the trouble and surrender this argument now.

Re:Breach of privacy

It's the American dream.

Fixed it for ya.

Re:Breach of privacy

[_merlin]

How is that a troll? I'd be suing if I got that kind of service from an e-mail service provider. They're selling you a service and support. If they don't provide it, you deserve compensation.

Re:Breach of privacy

[agentgonzo]

How is that a troll?

Because it's a one-word answer to an unasked question that parrot's the American Dream (tm): "Get rich without having to do anything".

I'd be suing if I got that kind of service from an e-mail service provider. They're selling you a service and support. If they don't provide it, you deserve compensation.

And that's why the American legal system is FUTA. In most sensible countries, you *can* sue them *if* you have experienced a major problem due to their behaviour - eg, if you can show that you have lost money/posessions/safety etc as a direct result of someone else having access to your emails. You can't just go "I feel slightly aggrieved that someone read my email - give me a bajillion dollars!!!!".

Re:Breach of privacy

[Idiomatick]

They aren't paying anything for it. If someone gives you a car I doubt you'd sue them if the electric windows stopped working.

Re:Breach of privacy

[Elary]

Yeah, blame Susan, that's the spirit...

Re:Breach of privacy

[Runaway1956]

"I'm French and if my personal or professional email were to be made public, that would be one hell of unsatisfactory service."

Well, who do you think would want to read a Frenchman's mail, anyway?

More seriously, what does nationality have to do with privacy issues? You think that maybe a Ugandan needs more privacy than a Russian? Degrees of privacy are scaled from one nationality to another? Had you said something to the effect, "The Iranian government has grown really oppressive, so my mail being made public is a major threat to personal security", then your nationality and/or government might be a factor.

Re:Breach of privacy

[agentgonzo]

Actually, a lot of people probably would. One of the things that really annoys me is that large companies will dispose of their old IT equipment by throwing it in a skip rather than donating it to local schools who would benefit from them. One of the major reasons that they do this (from what I have heard) is because "if we give it away to a school and someone goes wrong, we would be liable and could get sued". I still don't understand why the school can't just agree (via a disclamer or whatever) not to sue, but that's probably because I'm not a lawyer and live in my own little make-believe world where people shouldn't sue just because they can get away with it.

Re:Breach of privacy

[brusk]

I think stating one's nationality implies that the writer is framing his/her comments as representing the expectation in one's country. What level of privacy one should desire from a pure philosophical standpoint, what is legally protected, and what the cultural norm expects can all be different.

Re:Breach of privacy

[Schmorgluck]

This has to do with the GGP stating "It's the American way."

In France, as in most European counties, this affair could even be a case for a criminal proceeding.

Re:Breach of privacy

[brusk]

Not paying anything? Tuition at Brown is $35,584, and some of that goes to IT services; the fact that they've contracted student email service out to Google is irrelevant.

Re:Breach of privacy

[Schmorgluck]

Then again, in most sensible countries, punitive damages don't exist.

Re:Breach of privacy

I was I had Karma points to give.. That's funny.

Re:Breach of privacy

[Dog-Cow]

My understanding is that's it's actually for accounting purposes. The equipment can't be written off the same way if they are donated, or something like that. I'm neither an accountant nor a tax specialist.

Re:Breach of privacy

It's not the school who's going to sue. It's the customer (who's financial information you left on the computer, and which the student has just sold to the newspaper) who is going to sue you.

Re:Breach of privacy

[Svartalf]

Depends on your version of "sensible".

They exist to hammer home wrongs done.

Unfortunately, in the past, they've been given for any willy-nilly thing instead of handing it down for egregious conduct. I know about egregious conduct- I'm experiencing it right now in a matter that I can't discuss for legal reasons.

Fortunately or unfortunately, depending on your viewpoint, there's a cap on just how much punitive damages you can get in most of the states. Texas' is three quarters of a million after computing 2.5 times the economic damages. It's similar in other states.

So, when you say "in most sensible countries, punitive damages don't exist", it implies you know little about how it all actually works. When someone sues someone else, it's mainly for economic or actual and potential (believable potential) harm. Now, since someone can file any stupid civil cause they want to (See SCO v. IBM...) we have at least a few people out there filing all sorts of actions that waste money, court time, etc. to see if they can extort money or score big on dumb blind luck in the courtroom. Except for rare cases, there is no pursuit in punishing barritry (the promulgation of a nonexistent case...) or for penalties being brought against a party that honestly believed they had a case and didn't because they didn't do all their work. In most sensible countries, you should have penalties for bringing a case of this sort to court- but there isn't so you see "sue em" happening all the time for things that shouldn't have ever been brought to court.

Re:Breach of privacy

[Culture20]

What privacy? Those are Google's emails. They were sent by your friends to Google. That they are about you and you are allowed to read them makes no difference to their ownership.
/sarcasm ...?

Re:Breach of privacy

[nycguy]

It's troll because he's saying bad things about teh Google! We only bash Micro$$$$$oft here.

Re:Breach of privacy

[thePowerOfGrayskull]

And that's why the American legal system is FUTA. In most sensible countries, you *can* sue them *if* you have experienced a major problem due to their behaviour - eg, if you can show that you have lost money/posessions/safety etc as a direct result of someone else having access to your emails. You can't just go "I feel slightly aggrieved that someone read my email - give me a bajillion dollars!!!!".

Spoken like someone whose only expose to the American legal system is via television...

Re:Breach of privacy

[thePowerOfGrayskull]

Sigh. *exposure.

Re:Breach of privacy

[Blymie]

That's easy to handle.

Example.

During WWII, for the aeons before the US entered the war, they were 'neutral'. Neutral to all the death and slaughter, and cry for help from their allies.

Uh, sorry.. off track a bit there. :P

Seriously though, it wasn't all bad. For whatever reasons the US remained neutral, they weren't as neutral as could be. One thing they did, was 'accidentally' leave massive quantities of ammunition and weaponry right near the US border. Somehow, the Canadian military would fine out, and would 'steal' this weaponry and ammunition.. which was quickly transported to the UK, and then to the front lines... that is, whatever would make it across the German sub riddled sea.

Point being, there is no reason that this can't be the same way. You write off the equipment, you throw it in a dumpster in the back, and then someone tells someone that there are computers in the garbage.

At that point, they've been trashed. All is well on one side, and the other can act as they wish...

Re:Breach of privacy

[sud_crow]

Most probably, it means there are laws regarding "Unsatisfactory service". D'oh.

Re:Breach of privacy

[Convector]

Reminds me about a story I heard about the math department at a university I attended (yes, I'm deliberately being vague here). They had a large number of computers for which they no longer had a use. However, they were forbidden by their purchasing contract from re-selling them, giving them away, or even disposing of them. So the machines were put into storage. On the loading dock. Outside. The contract didn't forbid the department from having the goods stolen.

Re:Breach of privacy

[rsax]

lol that was brilliant :D

Re:Breach of privacy

[mito]

Just like you guys surrendered in Vietnam after killing 2 million locals for nothing?

Re:Breach of privacy

[shentino]

And I suppose that if a defense contractor leaked classified information then it's ok because you are a private company.

Point: Being a subcontractor doesn't let you off the hook when you're handling confidential information belonging to someone else.

Re:Breach of privacy

My concern has always been the aggravation of making VERY sure there's no data to recover. Completely doable, but requires time and effort when they can just as easily have the HDD removed and toss the rest in the dumpster.

Re:Breach of privacy

While you idea does work, I for one think legal and tax codes which incentivizes throwing-away working equipment rather than donating/selling it to someone that can use it indicates some deeper problems with modern society. It's a wasteful misuse of resources and it's causing unnecessary trash. And no, I don't care if it adds a few more dollars per year to some PC manufactures bottom-line. Economies exist to serve their societies, not the other way around!

Re:Breach of privacy

[kannibal_klown]

More seriously, what does nationality have to do with privacy issues? You think that maybe a Ugandan needs more privacy than a Russian?

From what I've learned from colleges, Europe has very strict privacy laws, especially with electronic information when compared to the US. What are departments allowed to see, store, etc. And failure to comply usually means all heck breaking loose.

Re:Breach of privacy

[LordLimecat]

Have you actually read the EULAs to googles services, or are you content to merely fearmonger and spread FUD about them? I hear this crap every time chrome, or gmail, or blogspot are mentioned-- that there is a google minion reading all your sordid affairs in some cubicle somewhere.

Possibly some day complaints will be based on legitimate issues with their services, rather than blatantly false attempts to rile up concern.

Re:Breach of privacy

[Idiomatick]

Works doubly if they had them insured against theft...

Re:Breach of privacy

[Schmorgluck]

I admit my grasp of how punitive damages actually work may be superficial, but as I understand it, they end up as being an incentive for silly lawsuits.

Coming from a different country, with a different legal system, I find weird the notion that punishment can be discussed in a civil court, instead of a criminal court where it belongs.

Granted, I'm not biased enough to ignore that I'm biased, but that's how I view it:

• Punishment, with fines, imprisonment and stuff like that: criminal courts.
• Compensation, reasonable, can include a pretium doloris: civil courts.

And anyone who tries to abuse the system should face some due consequence, I quite agree with that.

In a civil suit, for example, the costs of the proceedings plus, in severe cases, the defender's attorney fees. It's applied in some countries, just so you know.

Still more secure than most school systems

[muftak]

I bet most of us could read everyone else's email at school...

Re:Still more secure than most school systems

[julesh]

I bet most of us could read everyone else's email at school...

Not convinced. Mine used Solaris's default maildrop security, which is pretty effective, and I think was fairly standard practice until recently.

Re:Still more secure than most school systems

[AvitarX]

Mine encouraged checking your mail with telnet.

Re:Still more secure than most school systems

[PuercoPop]

My school sends the login/password as clear text, so in my experience OP has a point. Also gmail has google docs and view as HTML to quickly check to see the document contents.

Re:Still more secure than most school systems

[betterunixthanunix]

Google docs is another liability, when it comes to security. A while back, Columbia experienced a major data leak -- tens of thousands of social security numbers, names, dates of birth, etc. (everything you need to open a bank account) -- all because someone was using Google docs. Frankly, if you want the same level of document/email integration, there are a lot of free-libre and proprietary packages that will do that; MS Office, or KOffice+Kontact, for example. Being willing to put up with a slightly less convenient, but far more secure (in terms of data) method is all it really takes.

Re:Still more secure than most school systems

[mcgrew]

Gmail must not ve very secure, and their reaction to glitches makes me want to stay away from it. I had a Gmail account, one day it wouldn't let me log on, saying it had been used for "improper purposes", odd since I'd only used it to email friends, never forwarding anything or sending a mail to more than one person at a time. One of the questions it asked was "do you think your accout was compromised"? I probably should have said yes, because they took the account away. No big deal, they're no better or worse than any other free web based email service, but their attitude was really shitty and there seems to be no way to contact a human at Google.

Re:Still more secure than most school systems

[ryen]

my school, UIC, used aix unix with its own mail setup (no Exchange) when i was there. the admins never had problems like this (i know them personally).

Re:Still more secure than most school systems

I didn't expressed my idea adequately apparently. Yeah Koffice + Kontact rocks, but I use that on my PC. My School as a a lot of remote terminals (running linux with xfce now) and in those terminals I can access school email and gmail. (the rest of the internet is blocked)

I am aware that leaving my data to be stored on a remote location is not a good security practice, but what I wanted to do is support the OP statement that most of us could read everyone else's email.

Given that in my school the intranet and email send the password as cleat text one has only to log into the wifi network, launch wireshark and just wait for someone to log into intranet. With such weak security in place, google's ocasional bugs don't look as bad.

Of course I agree with you that for more sensitive data it is unacceptable.

Re:Still more secure than most school systems

I have a few questions re your claim:

Got a reference for the story?
How did the 'major data leak' happen? Weak password? Logged in workstation?
Does everyone experience a 'major data leak' 'all because someone was using Google docs' ?

You really have a very weak argument against the security of Google Docs, IMO. The security issue is really an end user security issue, not a Google Docs specific security issue.

Re:Still more secure than most school systems

[mlts]

This is nothing against Google, but I wish more colleges would "pack their own parachute", and keep a system so critical as to a school's function like E-mail in house.

First that comes to mind is that if their IT staff knows what they are doing, it isn't hard to create an extremely fast, responsive, and secure sitewise E-mail configurations. One could use a high end Solaris or AIX machine that does it all, multiple servers for security and separation of duties (SMTP out go to one box, POP/IMAP/Zimbra another), or Exchange (in whatever configuration [1] works best for the university.)

Second, it allows a university to know how things are backed up. If you have a good drive array and a backup system, a university can not just have solid backups of E-mail, but be able to have a solid archive mechanism so they can pull archived/deleted users out of the system for audit or legal reasons.

Third, if the university loses its internet connection, intranet mail can go through.

Fourth, guarentees like storing all E-mail on encrypted partitions, servers with specific configurations can be implemented.

Fifth, should a university move to a setup using SecurID or smart cards (I think Tulane University moved to Aladdin eTokens for all access which made phishing pretty much a thing of the past), it would be trivial to do, as opposed to a cloud provider that may or may not support the enhanced access.

Call me old fashioned, but some services you can outsource, others such as E-mail, really need to stay as close to home as possible.

[1]: Probably the best setup for a medium size university would be to have a hub/edge server setup, so if the DMZ box got compromised, it wouldn't mean the mailboxes themselves are easily obtained.

Re:Still more secure than most school systems

[bencoder]

there seems to be no way to contact a human at Google.

That's because there are no humans left at Google. It's all automated now.

Re:Still more secure than most school systems

[LordLimecat]

What caused the leak? Did someone share docs with someone outside the company? Why do you suppose this is something google can fix?

Re:Still more secure than most school systems

[LordLimecat]

Google uses SSL-- theyre as secure as most online banks. If someone got into your account, perhaps you should check your computer for keyloggers and make your password more secure

Re:Still more secure than most school systems

[betterunixthanunix]

The leak was caused by an error in the sharing settings for the document. This is not specifically something that Google needs to change; sharing is the nature of Google docs. It is more a question of whether or not sensitive data should be processed on a publicly accessible, sharing oriented system. I would no sooner say Google was at fault than I would say that Microsoft would have been at fault had the document been leaked because someone left it on a publicly accessible Samba share.

Re:Still more secure than most school systems

[jc42]

I bet most of us could read everyone else's email at school...

Probably not most of us here, but when I was a grad student, I had a job for several years that included managing the main campus email system. I've also had similar jobs inside a number of companies, mostly because I was one of the few who had experience with the task. In all of them, after various email emergencies in which I had to dig into the system's innards, I also frequently found myself explaining (preferably in private) that yes, I had to look into some of their emails to fix the problems, and yes, all the people who work to support the email system can do the same. So maybe they should be a bit more careful about the sort of things they send, or remember delete the messages quickly. As part of the explanations, I'd try to make it clear that I had no intention of reporting any "content" to anyone, but others in the support team might not be so supportive. I'd also offer to teach them how to use an available encryption package, if they'd like. Few of them took me up on this, though a some did, and at least one of them got interested enough to become somewhat of an encryption expert.

In some cases, I've been pretty sure that others on the support team were digging around in the email system during their spare time. But I've never tried to verify this, much less report it to anyone.

Google's version of...

[The+Ancients]

...social networking.

Taking it to a new level, no joining or other conscious actions required to share everything about your life.

Re:Google's version of...

[Arancaytar]

"You have sent an email to Emily. 6 people like this. 3 people have left a comment:"

"Frank has sent/received 26/20 emails to/from your friend Tom, 20/23 with your friend Megan, 15/12 with your friend John. Your social graph proximity is therefore 45.1. Click here to add Frank to your friend list and read his emails."

People would love it! :P

Re:Google's version of...

[sunjae]

Haha... So funny. You know what though. You should file a patent on this. At the current rate of people's acceptance of loss of privacy, this might actually come to pass!

Re:Google's version of...

[MikeBabcock]

Considering the appeal of reality TV like Big Brother, I bet a number of people would surrender this privacy in exchange for the possibility of winning money too.

Re:Google's version of...

...that would be the day everyone learns that their life is identical to everyone elses, and that all their emails, problems, values, concerns are shared by everyone on the planet.

Re:Google's version of...

Its called Google Wave and there is already a private beta. I am not joking and while we are on the subject I can hardly wait for it to go public. No. Really. I can hardly wait, so I tried hacking my way into the private beta but failed because it is completely sandboxed...

http://wave.google.com/

I'm feeling lucky

So that's the use of that button!

Google: Lowering standards for the rest of us

[GradiusCVK]

We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.'

Look, I think we can all agree that if there were some major security breach like this for which we were responsible and we sat around for 3 days before doing anything, then unilaterally suspended a bunch of accounts before finally fixing the problem, we'd be fired.

On the other hand, if I were the head of IT at some place and we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence, it'd be really easy to say, "That's just how tech is, it's hard to do right even for Google, get used to it. Oh, and while you're looking for ways to prevent such a 'catastrophe' from ever happening again, consider boosting the IT budget, will ya?"

I'll bet that IT manager is pretty happy right now, student complaints aside.

Re:Google: Lowering standards for the rest of us

[miffo.swe]

Microsoft lowered the standards. Google is just placing themselves a tad above those.

Re:Google: Lowering standards for the rest of us

[JasterBobaMereel]

The current IT guy is laughing .... it is out of his hands and he cannot do anything about it and everyone knows this ...the person who outsourced it to Google however .....!

Re:Google: Lowering standards for the rest of us

[Scutter]

Oh, and while you're looking for ways to prevent such a 'catastrophe' from ever happening again, consider boosting the IT budget, will ya?"

[BigBoss] It only affected students and not my e-mail so it's not a problem. No budget increase for you. NOT YOURS.[/BigBoss]

Re:Google: Lowering standards for the rest of us

if you were a full time professional IT manager for a school (with associated cheap labour) only covering 200 users I'd expect you to run a mail server alongside you other tasks.

Re:Google: Lowering standards for the rest of us

[martinX]

we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence,

Does Google actually have a reputation for excellence? Apart from their search engine and maybe Google Maps, is anything they make "excellent"? Does anything excel; is anything groundbreaking and complete in utility and quality? I remember when a lot of their releases stayed in extended-Beta, which is code for "it's free, it's out there so use it at your own peril". I find a lot of their stuff nifty, and I think they head in interesting new directions, but they seem to be always short of excellence. Personally I think that they have gained years worth of kudos - and, by extension, a reputation for excellence - by creating a great search engine (not to mention the big plus of not being Microsoft) and are spending it.

Re:Google: Lowering standards for the rest of us

Gotta love it when your boss is a graduate of the Gomer Pyle School of Management! Shazaam!

Re:Google: Lowering standards for the rest of us

is anything groundbreaking and complete in utility and quality?

If that's the standard, I'm struggling to think of any company that "excels".

Re:Google: Lowering standards for the rest of us

[drinkypoo]

More and more of this is coming. At my local community college they are actually postponing the meeting in which they were supposed to explain what positions are being cut, and which are being cut back, to almost immediately before the new budget comes in, so that they can avoid static with the union; they're just not going to tell them. Begging for a strike? Probably won't happen anyway in this economy, right? Let's see how far we can push. They have already outsourced router configuration, which is pretty sad since that's one of the jobs way up the chain. No joke, all their WAN equipment is operated by a third party. You think you've seen problems in academic networks now? The fun is only starting. The economy is not on the up-swing...

The IT guy will not have the last laugh; he will eventually be outsourced. By the time they understand the folly of their actions, he and his family will already be on the street. Or, you know, working some other job, experience lost to the school forever...

Re:Google: Lowering standards for the rest of us

[dada21]

He didn't lose his job, he became less efficient than someone or something else at it.

The unions definitely ruin the efficiency of the division of labor in the world. It is the division of labor that makes us wealthier by saving us time and money. PCs, phones, iPods, TVs, even clothes and food have a tendency to get cheaper because new competitors enter a market and do things faster/cheaper/better.

I hope IT continually gets cheaper -- it means cheaper infrastructure and support for the 99% of the world that doesn't work in IT. No problem here for me.

Re:Google: Lowering standards for the rest of us

[smooth123]

Their email on Exchange was not shared with other accounts their email on google was. Don't just blame everything on Micro$oft. In this case Google had lower standards......

Re:Google: Lowering standards for the rest of us

[KnownIssues]

Apart from their search engine and maybe Google Maps, is anything they make "excellent"?

I have to say, I'm really glad to hear someone share this opinion. I've been a long time "fanboy" of Google, seldom questioning any of their choices (while finding all manner of things to be critical of with Microsoft, Apple, and *nix/open-source). On reflexion after reading this, I've come to realize something: Google is what would result from my IQ being doubled and a thousand clones made from me. They find some problem-space, develop something with really cool potential, get bored when it comes to refining the product and making it viable, then find some shiny new problem to work on. It's like they're grad students getting paid by a commercial entity to do research.

Re:Google: Lowering standards for the rest of us

[je+ne+sais+quoi]

(while finding all manner of things to be critical of with Microsoft, Apple, and *nix/open-source)

Don't sweat it, that's just the usual slashdot compartmentalization going on. When it comes to Google, anything they do in relation to MS or Apple is good thing, anything else they do with privacy, it is a bad thing. Nevermind that Google's "rejected" voice app substitutes itself for the native one that comes with the iphone, and thus could almost be considered malware for the iphone and by admitting it to the store, apple might be liable for any security breach that might happen, *just* like this one. Or in this case, just ignore that Google did the right thing by making sure that the damage from the private data breach was minimized as soon as they realized there was a problem.

Re:Google: Lowering standards for the rest of us

the person who outsourced it

I'm sure it wasn't a person-- it was a Committee of deans, provosts, and faculty (most of whom are still trying to figure out how to change the ringtone on their new iPhone) deciding that they could spend all of this year's tuition increase on themselves if they outsourced the school's email. (Of course, the "retreat" they attended at a swank hotel sponsored by the outsourcing company had no bearing on their decision.)

Yeah, I work at a university. Can you tell?

Re:Google: Lowering standards for the rest of us

[artg]

The bar is the expectation of faults arising and time to fix, not faults in specific applications. Compared to Microsoft, a fault affecting 22 students that's fixed in 3 days is well beyond excellence.

Re:Google: Lowering standards for the rest of us

[SOdhner]

Certainly I've disliked some Google stuff, or liked but been unimpressed by it.

I am quite impressed with Gmail, especially when viewed alongside things like Hotmail. You already mentioned the search engine and google maps. Honestly, I'd say those three are enough for the general public, right or wrong, to mark them with the 'excellence' tag.

Reputations are never entirely accurate, they just need some grain of truth to be grounded on and a lot of PR.

Re:Google: Lowering standards for the rest of us

[dave562]

I find it funny that they moved off of Exchange and ran into problems. Now granted the problem was with Google's migration API, and if Microsoft had open documentation for their Exchange code then it would be easier for Google to write compatible migration tools. In the long run the school will probably save money because they won't have to house all of their infrastructure and pay the associated costs. Most students probably won't ever leverage all of the features of Exchange so there isn't really any point for the school to pay for all of the bells and whistles.

Re:Google: Lowering standards for the rest of us

[drinkypoo]

He didn't lose his job, he became less efficient than someone or something else at it.

False. Everything the college has outsourced so far has become a problem. Not having someone onsite will be a bigger one. They are actually settling for less service because they are out of money (in this case, mostly because the administrators get paid very, very well.)

Re:Google: Lowering standards for the rest of us

If that's the standard, I'm struggling to think of any company that "excels".

err...i believe that would be microsoft...

Re:Google: Lowering standards for the rest of us

[smooth123]

I agree with the general argument however in this case it still stands that No Personal email was shared on Exchange. However moving email to google compromised certain mail boxes. 22 or 2200 or 22000 its the same thing, ask the student whose mailbox was compromised. Also why is supporting google Insightful but speaking to the face Score 0. Looks like one sided modding.

Re:Google: Lowering standards for the rest of us

[shirotakaaki]

To be honest, Microsoft lowered the bar for excellence pretty low.

*ducks*

Re:Google: Lowering standards for the rest of us

[LordLimecat]

Postini would probably rank as excellent, i am unaware of anything that even touches it. Ive tried ORF +clamwin, Symantec Mail security, etc, most seem awful. Most mailhosts have abysmal mail filtering. With postini, ive had maybe 2 spam messages get thru and 1 false positive in the last 2-3 years with probably 30-50+ messages a day. I get newsletters that i signed up for, and automated IT alerts, and even shady looking emails from actual clients, but nothing thats actually spam. It also provides a safety net if our Exchange server goes down, at which point it starts spooling messages.

Google Apps provides a poorman's Exchange + BES equivalent running (calendar sync + contact sync + outlook connector) for pennies.

In fact most of what google seems to do is "on par with competitors, for pennies, with 0 maintenance". Kind of hard to argue with that.

Re:Google: Lowering standards for the rest of us

[ibennetch]

Calling it "excellent" might be a stretch but a lot of what they do is generally "better than average" -- take Gmail, since that's mostly what this article is about. Before Google, no free email provider offered POP access, much less IMAP; incoming and outgoing attachments were required to be small, and archiving old messages was limited by severely small data limits. Gmail really raised the bar of expectations.

Not that being this way excuses their behavior, especially in cases like this; but there's certainly more to Google's "reputation for excellence" than just their search engine.

Re:Google: Lowering standards for the rest of us

[Kalriath]

Yes, but they bought it not developed it.

Re:Google: Lowering standards for the rest of us

[Kalriath]

Um, Microsoft DOES have open documentation for the Exchange protocols. Google even has a license to implement them (why you need a license to implement a publicly availably spec I'll never know).

Re:Google: Lowering standards for the rest of us

[martinX]

That's why I posed the question. It wasn't me who said "Google has a reputation for excellence". I think that word is overused and what should have been said was "Google has a reputation for a great search engine and some other stuff..."

Re:Google: Lowering standards for the rest of us

[martinX]

That's what I was hinting at. IMO, they almost get there, but then get distracted by the next thing. In the words of Steve Jobs: "Real artists ship". If it's not in a box being sold in stores and in people's hands being used/abused/supported, then it's just a hobby.

methinks he doth protest too much

[fireball84513]

i could just imagine the awkwardness when you find your best friends gay porn collection due to a software malfunction

Re:methinks he doth protest too much

[Zardus]

Most people don't keep that on their email accounts...

Re:methinks he doth protest too much

[calmofthestorm]

I use gmailfs you insensitive clod!

Re:methinks he doth protest too much

[gbjbaanb]

Most people don't keep that on their email accounts...

Most people don't keep that *what* on their email accounts?

Private stuff?
Passwords?
User ids?
$25,000,000 money-making invitations?
Shakespeare quotes?

I know one fact about email which makes it an incredibly important security risk - the 'I forgot my password' link. Log on to a site you think the user uses, click that 'forgot' link, read his new password a few moments later. erm.. profit.

That said, this is google mail we're talking about, the one that bills itself as "store everything on us" we're safe and you'll never lose an email again thanks to our massive storage, indexing and searching facilities. So, for some people email is downloaded immediately and never stored on the server, for many many others, it stays right on the server.

I'd have cancelled the account, the way it was handled is not acceptable, even a free service has reasonable expectations of security. To let it linger for 3 days... that's simply not good enough.

Re:methinks he doth protest too much

They didn't until GMail came along. They give you 7 gigs right now!

Re:methinks he doth protest too much

As a friend I have to point out that the same glitch enabled me to see your private data...

I think your diapered latino transexual cosplayer fetish will really put a damper on our friendship. :(

Re:methinks he doth protest too much

[Arancaytar]

Well, that's one reason why those passwords aren't sent in clear. Breaking into someone's email account to get access to a forum/blog/website account is relatively easy - preventing them from catching on is hard to impossible.

Another security feature is to force you to leave your account unused for a week, to make sure the account is really not accessible. Few sites actually use it, unfortunately (Gmail does) - it's a substantial convenience trade-off, and people always value convenience above security.

Re:methinks he doth protest too much

[Runaway1956]

Meanwhile, AC has 387 invites from new friends who have discovered his bestiality photos, most of which involve German Shepard males and stud ponies.

Re:methinks he doth protest too much

[Yamata+no+Orochi]

Most people don't keep that on their email accounts...

Most people don't keep that *what* on their email accounts?

Well, according to the post he was responding to, most people don't keep their gay porn collection on their e-mail account.

Now don't you feel silly for responding so seriously to that?

Re:methinks he doth protest too much

[nametaken]

I don't know that I'd call that inconvenient. I'd say being locked out of my email for a solid week is unacceptable, and I'd migrate away from that provider immediately.

Re:methinks he doth protest too much

[smoker2]

They did not have access to NEW emails, only the old stuff imported from existing exchange mailboxes. So you could click that "forgot password" link and not have access to the reply. If the user had kept old passwords in their mailbox that would be different, but still, most people change the passwords immediately anyway, don't they ?

So instead of insightful you should be labelled flamebait.

Someone has high demands.

[miffo.swe]

" Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response."

In my NSHO three days is pretty fast for a free service. You want faster response times, 100% avail and dedicated engineers? For free? Sorry, no can do.

Everytime i see an article like this all i can think is "what Microsoft backed puppet wrote this crap?". Microsoft is working very hard to make out Google as craptastic, greedy and customerhating as them. For me it has the opposite effect, Google becomes the underdog with Microsoft kicking them in the groin. I find myself feel for Google in the search market despite their 90% marketshare.

Way to go Microsoft, no PR in the world coming from Google could accomplish that feat, feeling sorry for a market leader. ;D

Re:Someone has high demands.

[JonJ]

You want faster response times, 100% avail and dedicated engineers? For free?

I don't think they are giving this away for free.

Re:Someone has high demands.

[olderchurch]

Yes they do: https://www.google.com/support/a/bin/answer.py?answer=139019

Re:Someone has high demands.

[miffo.swe]

Google Apps for Edu is free.

24/7 support, ,complete monitoring, 1hr response time and 100% avail is not free.

Re:Someone has high demands.

[Trogre]

I'm sorry, perhaps you missed the part where students could read each others emails.

Microsoft participation is not required in this case.

Re:Someone has high demands.

What the fuck.

This is a really big deal. And if the excuse is that 3 days (admittedly, 2 of them weekend days) turnaround on an absolute security breach is what you get for free, and to expect better you must pay for it, then the proper response is to pay for better and not use this service because it's shit-broken. It is my understanding that Google Apps for Education is not a tiered service -- you're a school, you get it free; there is no paying for better. If there IS paying for better, then we should spread awareness that the free version is bad.

Might I point out that losing privacy on your email and THEN losing access is pretty much the worst possible failure mode? This is an enormous fuck-up. This has nothing to do with Microsoft. Why would you bring up Microsoft? YOU are the one twisting something into what it is not to make some other company look bad. If I were as paranoid as you, I'd suggest that Google or Apple or somesuch was paying you to do this, but in fact, I know that you're capable of being fuckwitted all on your own.

Jesus Christ. Google Apps' security fails utterly, and that's Google kicking Microsoft in the groin to you? Maybe Google can start a puppy-stomping program; I bet that's just like Google ripping Microsoft's arms off.

I'd be a lot more comfortable if Google said "yeah, we fucked up, here's what we're going to do to prevent this from happening again". Instead we get the self-contradictory "it was a small hiccup [...] it's an issue we've taken extremely seriously".

Re:Someone has high demands.

[JonJ]

Wasn't aware of that, thanks. Still a pretty serious bug though.

Re:Someone has high demands.

[eebra82]

Everytime i see an article like this all i can think is "what Microsoft backed puppet wrote this crap?". Microsoft is working very hard to make out Google as craptastic, greedy and customerhating as them.

Why are you diverting a serious matter like this into smearing a company that most likely had nothing to do with it? E-mail accounts can contain very sensitive data, ranging from bank papers to personal issues. And especially if people you know get access to this, it makes the problem more serious than ever.

I won't comment on Google's actions because I don't know enough details, but if I had my mails exposed, I would be pretty pissed. And the fact that it is free doesn't make it more acceptable. It's like saying that someone volunteering for a non-paid job can act whichever way he or she wants just because it's free. No, you still have to follow rules.

Comments like this make me realize why there are so many extremists in this world.

Re:Someone has high demands.

[miffo.swe]

My impression is that this incident is a fuckup at the customer end of things. The problem was getting the emails out of Exchange into the right account in Google Apps.

This is something where i personally have missed a couple of times and its very common since there are always some accounts that are broken in an exchange system.

Re:Someone has high demands.

[st0rmshad0w]

What the FSCK! How lame is your college that it can't run an email system?

When you finally get out you might want to check and see if your diploma is signed.

Re:Someone has high demands.

[miffo.swe]

"Why are you diverting a serious matter like this into smearing a company that most likely had nothing to do with it?"

Because Microsoft is running a big campaign in portraying Google as bad. Google is a really hard hit target right now for FUD. The fact that this was a big Microsoft Exchange customer before makes my radar tingle a bit extra for that reason.

"E-mail accounts can contain very sensitive data, ranging from bank papers to personal issues. And especially if people you know get access to this, it makes the problem more serious than ever. "

Yes, and the problem wasnt Google Apps in itself but getting mails out from exchange and into Google Mail to the right account. It was more a migration error than any security problem. Most times the problem with migrations lies in broken accounts in the source system.

"And the fact that it is free doesn't make it more acceptable. It's like saying that someone volunteering for a non-paid job can act whichever way he or she wants just because it's free. No, you still have to follow rules. "

The fact that its free does make it more acceptable. Where talking free market here, not soviet russia.

"Comments like this make me realize why there are so many extremists in this world."

Different view = extremist? Yay for talibans!

Re:Someone has high demands.

[miffo.swe]

"I'm sorry, perhaps you missed the part where students could read each others emails."

If we are to be true, students could not reach other students inboxes. During migration mails wore put in wrong inboxes. Its a pretty big difference if the source system is on crack or if there is a security breach in the target system. In this case the problem could lie in the software used to migrate the users mails but it did not lie in Google Apps itself.

Re:Someone has high demands.

[YojimboJango]

99% sure that the admins at Brown thought the response was acceptable because the 'small glitch' was actually operator error on the part of said admins. I'd try to downplay the whole situation if it was my fault, and that seems to be what the admins at Brown are doing.

Re:Someone has high demands.

[surgen]

When you move files from a user's hard drive onto a network share are you allowed to blame the user when you don't set the permissions the way they told you to?

A common problem with exchange? In that case the google side of the migration should have been expecting for it to happen and have had a plan to fix it before they went live.

Re:Someone has high demands.

Because Microsoft is running a big campaign in portraying Google as bad. Google is a really hard hit target right now for FUD.

Microsoft wants to smear google. Therefore any criticism of google is a smear attempt written by a microsoft puppet? No matter how hard google dropped the ball on this one?

This is a serious problem caused by google. If microsoft wants to call them out for it, not only are they well within their right to, THEY SHOULD. I am a college student, if my emails got exposed I would be pissed. I also work for the college, if those emails got exposed not only would it be a breach of my privacy, but a breach of the privacy of every single student on campus, it would expose an identity theft goldmine.

Re:Someone has high demands.

[Blymie]

It isn't FREE, people.

Google advertises all over the place. They store your mail for an indeterminate period of time.

They link your gmail account cookie to your google account cookie, which is linked to various advertising streams.

Do you think TV is free? Really? Ever heard of commercials?

TV is a deployment method for commercial advertising. It's at breaks (standard commercials). It's during TV shows, with in show spots for products.. such as actors pumping various products. It's at the bottom of the screen, with dancing advertising logos and such, while you watch the show!

This is not free. This is an arrangement between two entities. You watch our shows, and we try to sell you things. Clearly your time has value, you watching has value, and that is why TV is on the air. It isn't on the air to be 'free'.

That is, unless you think that 'free' means 'no hard currency was exchanged'. If you do, then I suppose you help your friends move for 'free', and the beer and pizza after isn't compensation?

Gmail is not different. It isn't free. Google is making a PROFIT on this -- or if not, it will be. It will make money by examining the relationships between people that use gmail. It will make money by examining those relationships, and what you search for on the web. It will make the same money, by looking at those relationships, your financial data (Google finance), the places you search for on Google Maps, the apps you download with Andoird/Gphone, the people you call in your gphone, and on and on and on.

Google has become the largest depository of human interaction. They span more than email and searches. They know who you are in contact with, who you buy from, and the list goes on and on.

Further, they store this information for an indeterminate period of time.

Whether or not you like this, whether or not you approve, it is what you pay for using their service.

Free? Hell no!

Re:Someone has high demands.

[miffo.swe]

Its a common problem in most mail systems. You often have a couple of accounts on acid, be it by corruption, useless tools or human error. The university side should definately have checked their system before the migration.

Re:Someone has high demands.

[Albanach]

How lame is your college that it can't run an email system?

I don't think anyone, except you, is suggesting the colleges can't run an email service.

Email is time consuming and expensive to provide. 10, 20 or 30 thousand accounts, all demanding storage - and these days you can't give folk 100MB quotas. Accounts that are all attracting spam that requires either constant tweaking of anti-spam rules, or outsourcing spam and virus checking. Add in off-site backups, support, abuse and you are quickly spending tens of thousands on equipment and more on staff.

Then they get a call, or an email saying Google will offer all that for free. For a school facing budget constraints it's a very tempting offer. It says more about their budget than their technical ability.

Re:Someone has high demands.

[afex]

That is, unless you think that 'free' means 'no hard currency was exchanged'.

Yea, that's pretty much what we all think. do you really think someone is reading your post and going
"holy crap, he's right - they DO look at my data! and tv DOES have ads! none of this is FREE!!!!"
Yea, we all know we are giving up time, or letting company X gain something by giving our time, or whatever, but most of the general public (including me!) considers only their pocketbook when thinking about whether or not something is "free". Hell, even if i have to spend 20 minutes doing something (lets say filling out a rebate on something so that the final price is $0), i STILL consider it free!

Re:Someone has high demands.

[jimicus]

What the FSCK! How lame is your college that it can't run an email system?

When you finally get out you might want to check and see if your diploma is signed.

Higher education is all about money these days. It's not so much "can they do it?" as "can they do it for anywhere near the same price?"

A highly available email system for any large organisation like a college pretty much means a SAN and a cluster of some sort, which immediately implies a fair bit of hardware and a hell of a lot of work to get everything tied together. Even using free software everywhere you can, the hardware costs money and so does the engineer time to set up and manage it.

Google, OTOH, will provide the whole lot free. Leaving more money in the budget for that ivory back scratcher.

(FWIW, I've recently looked into this for my employer and reached a similar conclusion. At the price Google charges, the level of reliability they are hypothetically able to offer, spam-filtering that actually works and the extra features that don't have a UI that makes people want to gouge out their own eyes, I can't provide this any cheaper than what Google do. Hell, my co-located secondary MX server costs more per year than Google for every single member of staff)

Re:Someone has high demands.

[jimicus]

Obviously I don't know how they managed the migration, but I'm looking at doing the same thing myself and I can see one glaringly obvious way how this could happen.

One of the migration mechanisms Google provide is you enable IMAP on your mail server and give them a CSV file listing IMAP usernames, the corresponding Google account username and IMAP passwords. Google's system then brings all the email across and puts it in the relevant accounts.

Of course, if the mechanism you use to generate the CSV file is slightly broken.....

Re:Someone has high demands.

[MikeBabcock]

A lot of things (not just higher education) are like this.

I contemplated writing my own or even hosting a pre-written photo gallery application since I have the skills to do so, for my family photos.

I then realized that Flickr, which exists already and has incredibly good tools is only $20/yr for unlimited bandwidth usage and unlimited storage, and its really not worth it for me to put any more than half an hour's work a year into doing it myself at that rate.

Re:Someone has high demands.

[miffo.swe]

Ive encountered that numerous times when doing large imports and exports. Often the problem i have had is that the export from the source system has been incomplete because of missing info on the accounts or just corruption in the DB. cut -fn and pals does not like such things very much.

Re:Someone has high demands.

A few mailboxes (20 out of 200) had the wrong mail migrated into them. We don't even know the source of this problem yet, but the university could very well have TOLD Google to put sally.smith's e-mail into sally.jones' new mail box.

This isn't a google apps security problem. Please RTFA and get off your high horse.

Re:Someone has high demands.

It might not cost actual cash from either the student or the college, but this is Google, they are extracting their pound of flesh in terms of information.

Information they then sell to others, hopefully in an aggregate fashion, though who knows, possibly even wholesale.

Re:Someone has high demands.

[Blymie]

No, I don't think you are correct in stating that you 'all' know. For starters, there are people here indicating that there should be no expectation for quality of service, since it is a 'free' service. You *are* paying for the service, and in exchange, you should demand a certain level of quality.

"Free" would be a download of Ubuntu. While there are certain social expectations that go along with using open source, none of them are ripped from you, whilst you use that product. The closest I can think of, is Firefox defaulting to Google's home page... which you can change at will.

In other words, you are free not to pay those hidden charges.

I've seen people state that they should buy pizza from company $x, because they give you a second pizza 'free'.

Er. There is no free pizza. You're paying for both of them.

Most people don't realise the true cost of things. They have been bedazzled by the constant corporate speak that pervades our lives. Heck, most people don't even consider the real world cost of *anything*.

So, yes.. some people realise it. For the large part, most don't.

As for yourself? You don't realise it, not really. You're supporting those that define 'free' as 'no government sponsored currency changed hands'. You probably use the word incorrectly... in fact, you advocated just that!

Re:Someone has high demands.

[afex]

I agree completely with you, in fact i was going to mention the 'buy 1 get 1 free' type of "free" in my post as well. What i'm saying is that since there is little, if anything, that is truly free nowadays, and the word has sort of shifted meanings to mean "doesnt cost any money".

I suppose we should also complain about people that claim they "saved" $50 on an item that was $100 w/ 50% off? (just joking, i know half of the people will read this and be foaming at the mouth just thinking about something saying that : ) )

Re:Someone has high demands.

[nametaken]

It sounds like we're talking about a couple hundred accounts. I totally agree though.

Re:Someone has high demands.

[agwadude]

My impression is that this incident is a fuckup at the customer end of things

No, according to this article, "The problem was on Google's end. They acknowledged a bug," and according to this comment, Google had upgraded their IMAP migration tool right before this happened.

Sounds like a case of insufficient testing on Google's part before rolling out the new version of their tool.

Re:Someone has high demands.

[agwadude]

A few mailboxes (20 out of 200) had the wrong mail migrated into them. We don't even know the source of this problem yet, but the university could very well have TOLD Google to put sally.smith's e-mail into sally.jones' new mail box.

This isn't a google apps security problem. Please RTFA and get off your high horse.

No, why don't you RTFA and get off your high horse. According to an article linked from TFA, Google acknowledged the problem was on their end, and an earlier comment from a Brown sysadmin indicates that Google upgraded their migration tool right before this happened. It may have "only" been 20 out of 200 accounts, but the problem is squarely Google's fault; stop blaming the Brown sysadmins.

Re:Someone has high demands.

[jim_v2000]

22 / 2000 email accounts isn't a big deal, sorry. And most of those people probably don't check their school email every day (I don't, and most of my friends don't), and most of the people who did happen to check their email didn't even notice that their old emails weren't theirs. This really was a small hiccup.

"Google Apps' security fails utterly"

It wasn't a security issue. It was a data migration error, and there's a huge difference there. One is an application problem, the other is user error.

Re:Someone has high demands.

[jim_v2000]

Comprehension fails. The above AC was pointing out that it's not a security problem with Google Apps, and he's entirely correct. It was a problem with migrating data into Google Apps. There's a distinct, important difference, and you appear to be missing it.

Re:Someone has high demands.

10, 20 or 30 thousand accounts, all demanding storage - and these days you can't give folk 100MB quotas.

You can, and you should set a reasonable quota (256-512 MB). It forces people to back up their Mail after some time. If one wants to transmit files on an order of magnitude that this becomes a problem, there are better ways to do that than E-Mail, and the IT-department should help users with that.
And 30k*0.5G leaves us with ~15TB of data - that can be handled easily.

Re:Someone has high demands.

[Avalain]

While I agree this could have been a really big deal, it also is a one time event. It happened during the migration, not as a result of day-to-day operation. It may have taken 3 days to resolve but as of this moment it HAS been resolved, so I don't feel that the proper response would really be to find another solution and migrate everyone all over again. Now if this was just the first of many batches of email accounts being migrated then they had better be absolutely certain that this isn't going to be a recurring problem, but other than that there really is no risk that the students will randomly obtain access to other accounts.

Personally, if I lost privacy on my email and my account had to be locked while they fixed it, I would be perfectly happy with them locking it. For me, I think the worst possible failure would have been a response of "oh, shoot. Well, what's done is done. There's nothing we can do about it now".

Re:Someone has high demands.

I agree!
I'm no IT guy, but didn't Adobe/Macromedia screw up with Flash?
and for how long?

Isn't that why the Apple iphone doesn't/didn't have the
Flash plug in?
well they do have Flash lite now.

Re:Someone has high demands.

"holy crap, he's right - they DO look at my data! and tv DOES have ads! none of this is FREE!!!!"

Cue Anthony Hopkins manhandling Cuba Gooding Jr. over a pad of paper and a crayon. "What have I taken from you? What have you lost?"

Re:Someone has high demands.

[bill_mcgonigle]

Your analysis is spot-on but your conclusion is wrong. I'm familiar, mostly in passing these days, with an effort at another Ivy College, to displace their home-grown, yet standards-compliant, e-mail system. The current system requires about 3FTE's to provide service for somewhere on the order of 50,000 e-mail accounts. They're discussing moving to Google or Exchange as alternatives. Now, perhaps Google could cut down on that staff load somewhat, but equipment costs can be traded for bandwidth costs, and the costs of interfacing with Google are non-zero. Now, then look at Exchange - by some estimates you need 1:1000 admins:users for Exchange. Even calling that generous, the license costs on top of the hardware costs, on top of the FTE's makes it very expensive. But it's on the table because it's 'normal' and the home-grown system is not. Or, so I've heard.

Minor glitch! I think not

How the fuck the "glitch itself was minor"? I'm not sure if it actually violated any privacy laws given the extensive cover-your-ass EULAs, but still, it was a a serious breach of privacy, and indeed was much more important than "how Google handled the situtation". With respect to the latter, temporarily shutting down all affected e-mails, _immediately_, was completely justified, and in fact, was the only thing to do until Google had the chance of finding out exactly what was going on, who and how is affected, and how to fix it. I'm much more of the opinion that Google, as a free (as in beer) service, ows you no performance SLAs whatsoever (it may even shut down Gmail completely tomorrow, and if you lose e-mails, its too bad for you for not backing them up). But even so, AS LONG as Google provides a mail service, it DOES have some obligations to respect the privacy of its users. So guaranteeing privacy > guaranteeing performance, and Google acted correctly in this case.

Re:Minor glitch! I think not

[ubrgeek]

In most (all?) states, universities that receive federal government funds have an absolute requirement to protect privacy-related information. That's one of the reasons nearly 20 years ago the California State University system switched from using SSNs as student ID numbers to some non-related numbering system. I know, because I was part of the group that challenged the use of SSNs. As IANAL, I don't know if what happened in the article email _might_ constitute the same thing, not do I know if the same would be true (i.e. whether it would constitute such a breach) if the system has a "If you use this system, you consent to monitoring" banner that pops up at login.

Re:Minor glitch! I think not

[jim_v2000]

"I don't know if what happened in the article email _might_ constitute the same thing, not do I know if the same would be true (i.e. whether it would constitute such a breach) if the system has a "If you use this system, you consent to monitoring" banner that pops up at login."

Thanks for letting us know that you don't know.

OMG!?!?!?!

In the ether, thousands of janes are shrieking 'OMG!?!?!?! he really does fancy me!'

Brown

Ah Brown, generally home to spoiled rich kids who's kids buy their way through college (all Ivy's have this, but Brown is the worst) and the least rigorous of any Ivy. Not surprised to see them shill a bit...

Re:Brown

[ubrgeek]

Exactly why is this comment (and an AC one, at that) labeled informative? What does it have to do with the story/topic?

Re:Brown

[tonycheese]

To make people feel better about themselves for not getting into Brown.

This was an anti-terrorism glitch

[NSN+A392-99-964-5927]

You do realise that google has to comply with terror-laws don't you? gmail has been used for years. Inteliigence suggests students are most likely to be the ones who will be recruited for terrorism or do school shootings or become a suicide bomber.

They must be kidding

[trifish]

While the glitch itself was minor and was fixed in a few days

Pardon my ignorance, the glitch was minor?

What?

The fact that emails contain back-mailed passwords to many kinds of online services, including those involving payments (which is stupid practice, but the online service providers do it anyway, they send you the password when you sign up)...

The fact that I can reset your password to any third-party online service account where I know that you use it and that you associated it with this email account...

Still minor glitch? Reading others emails? Really? I or TFA must be missing something.

Re:They must be kidding

[Anarchduke]

Small glitch, as in 22 out of 200 students affected on a data migration to Google's free service.

The glitch itself wasn't fixed for three days, true. However, the glitch occurred on Friday, and the CIS department notified Google of the issue Saturday. Prior to the fix on Tuesday, Google had disabled the accounts. The article also states that during this 24 to 48 hour windows before Google shut down the accounts, the CIS had sent out emails to the students and waited for their replies. I don't know how fast you expect students to reply to an email sent out over the weekend, but I am guessing that those emails didn't get back to the CIS department immediately. Let's give it 12 hours.

So, a free service responds to your problem and disables the accounts within 24 to 36 hours, then fixes the problem 18 - 36 hours later. All the while this same service is responding to similar glitches at ten other institutions, with no word on how large those universities were.

Overall, I'd say that is a pretty fair turnaround, all things considered.


By the way, the author of the article, Sarah Perez, seems like a fairly Microsoft-centric person, considering her personal website. So the guess by miffo doesn't seem that far off.

Consider the article itself

Friday, September 11th, a couple of students notified Brown's Computing and Information Services department (CIS) that they were able to read emails belonging to other students. The CIS department contacted Google on the following dayand sent out an email to the 200 students whose mailboxes were in transition

then she says:

That means that the students had access to each other's email accounts for three solid days (Saturday, Sunday, Monday) as well as parts of Friday and Tuesday before the accounts were suspended by Google

The author includes "parts of Friday" even though she had made it clear Google wasn't notified until Saturday. I mean, my God, Google didn't even bother to go back in time to before they were notified!!!

Re:They must be kidding

I agree with the password thing. Our MSDNAA passwords are stored in plaintext. When you request your password you get your SAME password in PLAINTEXT. While I typically avoid those services like the plague, sometimes you just have to put up with it. I wouldn't be running Windows 7 without MSDNAA.

I hope that any other service you use would at least send a one time password in which case the email thing doesn't matter as much in that regard. While I don't have anything more incriminating than a few Newegg emails I still don't want people seeing what I get emailed.

Re:They must be kidding

[Professor_UNIX]

Who the hell uses their college e-mail account for anything important unless you're part of the staff? When I was in school I just forwarded my university address to my home account.

Re:They must be kidding

why would you link your personal info back to a school's email address?

its 2/4/6 year email address and once your gone, for what ever reason the email addy is gone too, the headache then is bigger then being a fool and linking your acct/login info back to a school email.

Re:They must be kidding

[FloydTheDroid]

Perhaps they meant the fix was easy...

if (password == account.password);
logUserIn(account);

Re:They must be kidding

[StackedCrooked]

It's not their personal mails but their school mails that became public. These mails are less likely to contain sensitive information. Not that this makes it a totally minor glitch, but somewhat less dramatic nonetheless.

Re:They must be kidding

[keckbug]

When the google migrations took place, the address was migrated, but no emails are imported into google's system. There are no back-mailed passwords. There are no private emails. There is an empty inbox, with the wrong name at the top. You could reset passwords if you knew of an online service that the email was tied to, but this is a temporary educational account, that must students recognize as non-permanent and unsuitable for password recovery purposes. You could send nasty emails to other people, which could be fun, but limited in scope. So yes, there is a nice lil screwup here, it's not the doom-and-gloom, all your stuffs are mine now.

Re:They must be kidding

[MikeBabcock]

Please don't use services that actually mail passwords to you.

I've had it happen too, when I've forgotten my password, that a website just sends it to me -- and I immediately E-mail them about how stupid and insecure it is and beg them to implement a mandatory password changing page link instead.

Being able to retrieve the password is completely unnecessary and potentially exposes one of your well-used passwords to others.

Even assuming you reset all of a co-student's website passwords using this glitch, they can probably re-reset them three days later because their signup E-mail hasn't changed.

Re:They must be kidding

[agiduda]

By the way, the author of the article, Sarah Perez, seems like a fairly Microsoft-centric person, considering her personal website.

Understatement, she is a contract worker at Microsoft and has what reads to me as a very defensive disclaimer on her site. Her neutrality is questionable.

Re:They must be kidding

Mod parent up. The entire "news" here is that the University IT department botched a migration with Google for a couple days for 20 people.

The more interesting part is that a Microsoft contractor is trying to use it as a desperate excuse to attack Google.

Re:They must be kidding

[sud_crow]

Small glitch, as in 22 out of 200 students affected on a data migration to Google's free service.

Actually, they were 2000. RTFA.

Re:They must be kidding

[Stuart+Gibson]

I'd like to know the difference between a site emailing you the new password and the site emailing you a link to reset your password (in both cases assuming you have forgotten the original one). In either case if someone intercepts the email they can achieve the same effect. I suppose that a reset link at least gives you a chance that you'll be there before an eavesdropper and the link is one use?

Or are you explicitly talking about the site emailing your existing password, which means they are storing it in either plaintext or reversible hash?

Re:They must be kidding

[kannibal_klown]

Every IMPORTANT service I've used (read: bill pay, bank, credit card, credit reporting, etc) do not send me my password in the email.

The worst case I usually for my important sites is they send me a temporary password that forcefully requires I change it upon logging in the first time.

Other websites like forums, free news sites, download sites, etc might send me my old password or a reset password. But I'd be less concerned about those.

That's not to say this isn't a big security issue in its own right. But the hard-core access is minor.

Face it, schools using your SSN as your ID number on every page of paper is probably a bigger concern.

Re:They must be kidding

[onemorechip]

The "22 out of 200" is directly from TFA. RTFA.

Re:They must be kidding

This says it all (Sarah Perez Disclosure ) :

"In my case, I work for two organizations: ReadWriteWeb.com and Microsoft's Channel 10. ReadWriteWeb is a blog that covers technology news, web apps, startups, and other internet trends. Channel 10 is an evangelist outreach blog focusing on Microsoft news for the tech enthusiast."

Re:They must be kidding

[StuartHankins]

Mod parent and GP up.

Anytime you have someone reporting news and there's an obvious conflict of interest, you need to take it with a large chunk of salt. This reporter stands to financially gain from this article (by the fact that it attempts to harm a competitor of her employer).

Re:They must be kidding

[jim_v2000]

Amen.

My university shuts down email accounts 6 months after you leave...I'd assume other schools do the same thing. Why would anyone use it for anything other than school related email?

Re:They must be kidding

[Chirs]

Actually, my university email account is my main personal email account. I've been using that email address for 15 years. (alumni get to keep using their email account)

It was convenient in that it allowed me to move or change my ISP without impacting my email address. And at the time, gmail and such didn't exist.

Re:They must be kidding

[Fulcrum+of+Evil]

It sounds like the site is mailing the current password, which is all sorts of bad (most people duplicate passwords across sites, so this can compromise other sites that you know someone visits). As for mailing the new password vs. a reset link, you can expire the link in some time frame (an hour, perhaps) and make it single use. This means that the link will show up when the user is expecting it and limits the potential damage. Yes, it means that compromising someone's email is a very bad thing, but lots of sites have that as the only real form of identity anyway, so there's not that much to do, really.

Re:They must be kidding

Small glitch, as in 22 out of 200 students affected

You must be kidding. That's a very bad joke.

What did you expect

Is Google Apps for Edu in beta? :-)

Small breach?

[Dan541]

"While the glitch itself was minor and was fixed in a few days"

That's not exactly what I would call a MINOR breach.

Legal issues?

[Max+Romantschuk]

In Finland reading someone else's mail, of electronic or snail variety, is illegal. What about other legislations? This sounds like something that would be taken rather seriously here.

(Actually, due to how seriously this is taken a recent law has (unfortunately) been put in place, to explicitly allow employers to read employees' work mail. Google "lex Nokia" for more info.)

Re:Legal issues?

[cronostitan]

Actually it is only illegal if there 'are security procedures in place' to prevent it.
'Public' email is totally legal to read.

Not exclusive to cloud migrations

The article makes a great point about communication being a problem when migrating services to the cloud environments. But this issue is not exclusive to cloud-sourcing, it's prevalent in most outsorcing today. How many call centers and admin management have been moved to different country with cheaper resources - countless. And how many times you had to make a third and even a fourth call to something resolved with say your favourite telecommunications provider?

If you've worked in an organisation that outsources services you will have encountered communication problems like this and worse every week. The fact that Google is a high-profile outsourcing vendor means that everyone gets to hear about it.

But I would still choose Google over 99% of other outsources because these guys care about quality, and as a rule they don't make the same mistake twice.

Read your email

"We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"
um....someone else can read your email, and for more than 3 days. You store your email on an external server or send it through other servers unencrypted, and someone else can and probably does read it. Period.

If you want some bit of privacy, use encryption and don't store your email on other people's servers.

When concerning inidivdual citizen liberty and privacy, history has PROVEN. People cannot be trusted. Corporations can be trusted less. Governments can be trusted least of all. For those who are confused, the US founders created a 2nd amendment with the INTENTION of having a government which feared it's citizenry. If there was going to be a rebellion, they WANTED the citizens to win.

i ran out of toilet paper

i wiped my ass with a koran.

fuck all muslims. they're fucking pigs. i shit on allah.

FERPA

[wireloose]

Worse than just a breach of privacy of email, students use their college-provided accounts to communicate with their faculty. If other students are able to see their emails, that constitutes a potential FERPA breach. As a college IT administrator, I would be screaming at Google for not sharing info and reacting immediately. Waiting a day to shut the accounts down temporarily is inexcusable.

Re:FERPA

[surgen]

As a college student, the possibility of having my own personal emails with faculty members exposed concerns me, but nowhere near as much as the confidential student data emailed between me and the staff members I work for.

The IT manager is praising them

[digitalderbs]

probably because his neck is on the line, and he's trying to save face with management. Oops.

Re:The IT manager is praising them

[betterunixthanunix]

The article does not give many details on what their email system was before they sold their soul to Google. It may very well have been (or perceived to have been) worse, and this is an improvement in the eyes of upper management.

Re:The IT manager is praising them

[glyneth]

This will make me unable to moderate, but what the hell?

Brown had a unix based backend for years. A few years back, they got a new IT head, who insisted on off-the-shelf packages for everything. So out went postoffice, and in came Exchange. It's been running Exchange since then, and yes, untold numbers of problems (though nothing like this). We're not even on the most recent version of Exchange, which will make my office's future transition to Snow Leopard problematic since afaik the native Mail interoperability with Exchange that comes in 10.6 won't work with anything but the latest.

AFAIK, the plan is to move everyone to Google eventually, departments too. Once they get all the security figured out. This isn't helping, of course.

Re:The IT manager is praising them

[dave562]

It's been running Exchange since then, and yes, untold numbers of problems (though nothing like this).

What sort of problems were you having with Exchange? Were they real issues with the software, or lack of technical competence on the part of the IT staff?

Re:The IT manager is praising them

[betterunixthanunix]

Sounds like my alma mater. We had been using Cyrus and Squirrelmail when I arrived (I just used Kontact, but other students were using Squirrelmail), and it was working well, with some effort on the part of the IT staff. Then, one day, we hit an upper limit on the number of emails Cyrus could handle at a time -- and things got slow. Sadly, our IT staff had been taken over by some new managers, who preferred to buy proprietary, packaged solutions than to rely on our paid IT staff to solve these problems. $300k/year got us Mirapoint's black box rack mount mail system, which while pricey and proprietary, works very well. One year later, they decided to go for a better deal and just move everything to Google.

Re:The IT manager is praising them

[glyneth]

For one, randomly not allowing Mac users to get/send their mail. They did some upgrade on the Exchange end that broke the SMTP sending, which it shouldn't have, since they don't auth. This lasted a few days, and kept recurring at random intervals. I have no idea whether it was the fault of Exchange or the admins, honestly. I just had angry users (and was one myself). I'm not privy to CIS's inner workings; just a tech geek in a non-teaching department here.

Why is it even necessary for "school email"

Why is it even necessary, in this day and age, for a school to provide their students with email? I can understand, back in the dark ages, when I was at university, and few incoming students had email addresses. But these days, doesn't every one of these incoming students have an email address somewhere? Wouldn't it be better to have the professor email out to the student's personal email account that the student had before they went to university, and will likely have long after they leave the university?

Re:Why is it even necessary for "school email"

[Ash-Fox]

Why is it even necessary, in this day and age, for a school to provide their students with email?

Off the top of my head... Facebook, student deals with software companies like Microsoft who verify you're on a .edu domain, people who are incapable of registering an e-mail address themselves etc. are things that come up to the top of my head.

Re:Why is it even necessary for "school email"

[acoustix]

Why is it even necessary, in this day and age, for a school to provide their students with email?

Off the top of my head... Facebook

Are you suggesting that it's the school's responsibility for the students to use social networking tools?

Re:Why is it even necessary for "school email"

OT, but Facebook is open to everyone at this point. You don't need a .edu email address to register anymore.

Re:Why is it even necessary for "school email"

For several years, Facebook was restricted to students and educators only. You couldn't register unless you had an email address in the .edu TLD. This is no longer the case, but I'm sure it's what Ash-Fox was referring to.

Re:Why is it even necessary for "school email"

[Ash-Fox]

You don't need a .edu email address to register anymore.

You do to join a network, as it always has been.

Re:Why is it even necessary for "school email"

[Kalriath]

No they don't. There's networks for all sorts of things from Corporations to entire countries, and you don't need to use a specific email domain at all to join them.

Re:Why is it even necessary for "school email"

[Ash-Fox]

No they don't. There's networks for all sorts of things from Corporations to entire countries, and you don't need to use a specific email domain at all to join them.Try to join the quickfox network on facebook then.

Still better than the School's IT

[FlyingBishop]

Or lack thereof.

This wasn't IT's fault, but in my university CS department, there was a period of about three months during which we had passwordless logon to our department course Wiki, which provided the option to use Perl in place of Wikicode as the source for a page. Said Perl ran with the webserver's username on the server.

As far as I know, nothing bad came of it. The seniors just enjoyed not needing to bother with passwords. (To be clear, we repeatedly notified the professor responsible for the Wiki, who repeatedly said he'd take care of it. After a couple weeks, it just kind of became normal.)

Delays by Google or Brown Staff

[ragarwal]

Why was this feature^H^H^H^ bug present in the first place? It's not like this is the 1st time Google has had to implement email for 3rd parties.

Did Brown give a list of "superusers" to Google that had the ability to read global mails and someone botched it? O Oh.

"Ah.. CRAP. I think we cut and paste the wrong names on the God list."
"What... Call Google, quick!"
"Hello Google.... can you spin back time... ? ... ? What do you mean NO? .... Oh yeah the whole space-time thing.... . Err.. can we just call it a Google bug? .... ? What do you mean we have to deal with our own PR?" ... click.

I Hate Google So Much

[Philip+K+Dickhead]

That I see their failure as a possible bright spot in the failure of the Global Economy.

Crash, Baby! Crash!

acne

acne information acne treatment acne after 40 acne practise acne cure acne race ooh yeah is this all necessary??

Told you so!

[meyekul]

Somewhere at Google HQ there is a guy saying "I told you we still weren't ready to come out of beta!"

That's why Gmail is still in beta...

3 or 4 years later. Hahaha. Google stinks.

As a Brown student I want to clarify

[modestmelody]

While the issue took three days to resolve, the unilateral shut down of the accounts prevented students from reading other students' emails during that period.

So for review, no one got to read others' email for three days, instead, they got to read no email for that time and email sent to the accounts which were routing wrong was bounced back.

If you really want something to be private...

[a+still+small+voice]

If you really want something to be private you don't put in your emails anyway. This is pretty well known by now isn't it, that privacy on the 'net is a myth? Can we stop with the "omg, I thought it was private" b.s. now? When I communicate on the 'net (or on my mobile phone, now, too) I always treat it like I'm using a p.a. system, no matter how many people the communication is addressed to.

Official school email?

This is an account given to the students by the school, right? I would assume the school is reading my email in that case. Just like the email address given to you by your employer, it is not yours, it is theirs. You are better off just assuming someone is snooping it. Don't use your work or school email for anything but work/school. Do we really need to tell people this still?

Translation

[HockeyPuck]

However, the real issue that concerned the university was the matter of communication between Google and the CIS department. Before fixing the issue on Tuesday, Google suspended the affected accounts, a necessary step that was taken so no more data was improperly shared. What angered the IT director, though, was that the accounts were suspended without first notifying CIS.

Translation: We sent you an email communicating the issue at hand. However, we had to disable your email account so nobody else could accidentally view it.

"I've spoken very forcefully with the account (executive), my boss, senior administrators at Brown -- including the president. (Google needs) to find a better way to communicate with us," said Tom.

Translation: We told them to stop or else we'll say stop again.

Google's way of dealing Privacy:

People who use Google services will be too scared to send privacy info over email. They then stop sending anything personal on personal email ;-)

After sometime, it occurs to people, why they should use an email account to exchange info. that every one can share with everyone.

After that, it becomes, Google Social email or Social conversations if you like it.

Then suddenly, people move away from email to Social Mail/Social Conversation platform. Email is so last century ;-)

periods in user names?

I wonder if this was because they converted usernames that had periods in them and some that didn't, or just in slightly different places.
Gmail had some issues with this when it started off, because it allowed you to sign up as "j.smith" but would treat it the same as "jsmith", regardless of where you put the period. This led to some problems for my ex, who had "first.last@gmail.com" and someone else who just had "firstlast@gmail.com" because they would routinely get mail for the other one. Eventually, she contacted google and got an account name changed. If you had say, "j.smith" and "js.mith" as email accounts you were converting to google apps, it will probably see them the same way, and the inbox thing doesn't entirely shock me.

Greater than 10% is not small

Nor was the 18-36 hour outage that followed.

The only reason that this has been labelled small is because they only transitioned 200 accounts. Supposing they transitioned 20000 accounts (How many people are at Brown anyway?)

 

I think money drives the bus

[nimbius]

in this case. it seems in my experience more and more that most companies do not care how long the outage is or what caused it, or how poorly the service performs so long as the price is rock bottom and they avoid the IT department asking for more cash each year.
this is a self correcting problem as more industries move into a greater reliance on computers. you cant just make IT another blindly outsourced number at the end of the day, and the decision cant come from a group of boardmembers who think gmail is a typo.

Well, duh

[lymond01]

Clouds are translucent.

This is why the cloud will fail

The "cloud" is some trendy IT buzzword now and Google tries to be the frontrunner for it yet cannot keep their services up and secure when it hits the big time.

Why aren't these universities running their own mail servers? There are plenty of people who are tech savvy to run them and do not give away personal info to Google.

Yes, It's sad...

I am a student at St. Ambrose University, a medium sized Midwestern school that's recently 'Gone Google'.
Here was our old microsoft exchange authentication scheme -
username: Student ID (rp7830284)
password: randomly generated string (h38Kbht8)
Now withGoogle Apps -
Google Apps username: email address (LastFirstM@sau.edu)
Google Apps password: Student ID (rp7830284))
That's right, they used our student ID's as passwords! I immediately logged into a couple of my friends email accounts in disbelief. Worst of all, the IT folks just said 'well, they can reset it'. An informal poll revealed that practrically no one had done so, knew how, or even desired too.
Now consider that this is the fourth combination of usernames/passwords that Ambrose has given everyone for various web services.
WTF

Same thing happened to Slashdot

[skeeto]

This same thing happened to Slashdot a few months ago for an afternoon. Every time I, and others, refreshed the page I was logged in under another Slashdot account. Other people had reported this in article comments until it got fixed.

And this...

[TheSpoom]

...is why I still use POP3 or IMAP.

Give a dog a bad name ...

[LQ]

Little glitches like this just reenforce the idea that Google is not a safe pair of hands for confidential data. We just had a memo at work saying that Google docs was not suitable for confidential data and they are cutting off all access to the site. Now, I don't know the rights and wrongs of that decision but I guess Google are losing the battle for the confidence of system administrators.

It's e-mail!

If you're not encrypting your e-mail (and you really have no choice in some cases - such as those back-mailed passwords) - you have no real privacy.

'E-mail security' fits into the same group of word combinations as 'military intelligence' and 'honest politician'.