"Going Google" Exposes Students' Email
A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each other's inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"
Is that three days after they were notified, or did the affected students keep it quiet for a couple of days for 'research purposes'?
Invaders must die
I bet most of us could read everyone else's email at school...
...social networking.
Taking it to a new level, no joining or other conscious actions required to share everything about your life.
The Mothership
So that's the use of that button!
We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.'
Look, I think we can all agree that if there were some major security breach like this for which we were responsible and we sat around for 3 days before doing anything, then unilaterally suspended a bunch of accounts before finally fixing the problem, we'd be fired.
On the other hand, if I were the head of IT at some place and we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence, it'd be really easy to say, "That's just how tech is, it's hard to do right even for Google, get used to it. Oh, and while you're looking for ways to prevent such a 'catastrophe' from ever happening again, consider boosting the IT budget, will ya?"
I'll bet that IT manager is pretty happy right now, student complaints aside.
I could just imagine the awkwardness when you find your best friend's gay porn collection due to a software malfunction
"Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein
I'm French and if my personal or professional email were to be made public, that would be one hell of unsatisfactory service. Privacy is why I accept paying a provider for things that could be free (as in beer). If this expectation goes out, I will ask for damage. You know, the expectation for privacy is written in our constitution.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
I'm French
Just save us the trouble and surrender this argument now.
It's the American dream.
Fixed it for ya.
I don't think they are giving this away for free.
-- Linux user #369862
Yes they do: https://www.google.com/support/a/bin/answer.py?answer=139019
Disclaimer: This opinion was created without the use of any facts
Ah Brown, generally home to spoiled rich kids whose kids buy their way through college (all Ivies have this, but Brown is the worst) and the least rigorous of any Ivy. Not surprised to see them shill a bit...
Google Apps for Edu is free.
24/7 support, complete monitoring, 1hr response time and 100% avail is not free.
HTTP/1.1 400
I'm sorry, perhaps you missed the part where students could read each other's emails.
Microsoft participation is not required in this case.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
You do realise that Google has to comply with terror-laws, don't you? Gmail has been used for years. Intelligence suggests students are most likely to be the ones who will be recruited for terrorism or do school shootings or become a suicide bomber.
All cows eat grass!
While the glitch itself was minor and was fixed in a few days
Pardon my ignorance, the glitch was minor?
What?
The fact that emails contain back-mailed passwords to many kinds of online services, including those involving payments (which is stupid practice, but the online service providers do it anyway, they send you the password when you sign up)...
The fact that I can reset your password to any third-party online service account where I know that you use it and that you associated it with this email account...
Still minor glitch? Reading others' emails? Really? I or TFA must be missing something.
What the fuck.
This is a really big deal. And if the excuse is that 3 days (admittedly, 2 of them weekend days) turnaround on an absolute security breach is what you get for free, and to expect better you must pay for it, then the proper response is to pay for better and not use this service because it's shit-broken. It is my understanding that Google Apps for Education is not a tiered service -- you're a school, you get it free; there is no paying for better. If there IS paying for better, then we should spread awareness that the free version is bad.
Might I point out that losing privacy on your email and THEN losing access is pretty much the worst possible failure mode? This is an enormous fuck-up. This has nothing to do with Microsoft. Why would you bring up Microsoft? YOU are the one twisting something into what it is not to make some other company look bad. If I were as paranoid as you, I'd suggest that Google or Apple or somesuch was paying you to do this, but in fact, I know that you're capable of being fuckwitted all on your own.
Jesus Christ. Google Apps' security fails utterly, and that's Google kicking Microsoft in the groin to you? Maybe Google can start a puppy-stomping program; I bet that's just like Google ripping Microsoft's arms off.
I'd be a lot more comfortable if Google said "yeah, we fucked up, here's what we're going to do to prevent this from happening again". Instead we get the self-contradictory "it was a small hiccup [...] it's an issue we've taken extremely seriously".
Wasn't aware of that, thanks. Still a pretty serious bug though.
-- Linux user #369862
Every time I see an article like this all I can think is "what Microsoft backed puppet wrote this crap?". Microsoft is working very hard to make out Google as craptastic, greedy and customer-hating as them.
Why are you diverting a serious matter like this into smearing a company that most likely had nothing to do with it? E-mail accounts can contain very sensitive data, ranging from bank papers to personal issues. And especially if people you know get access to this, it makes the problem more serious than ever.
I won't comment on Google's actions because I don't know enough details, but if I had my mails exposed, I would be pretty pissed. And the fact that it is free doesn't make it more acceptable. It's like saying that someone volunteering for a non-paid job can act whichever way he or she wants just because it's free. No, you still have to follow rules.
Comments like this make me realize why there are so many extremists in this world.
Full Tilt
"While the glitch itself was minor and was fixed in a few days"
That's not exactly what I would call a MINOR breach.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
My impression is that this incident is a fuckup at the customer end of things. The problem was getting the emails out of Exchange into the right account in Google Apps.
This is something where I personally have missed a couple of times and it's very common since there are always some accounts that are broken in an Exchange system.
HTTP/1.1 400
In Finland reading someone else's mail, of electronic or snail variety, is illegal. What about other legislations? This sounds like something that would be taken rather seriously here.
(Actually, due to how seriously this is taken a recent law has (unfortunately) been put in place, to explicitly allow employers to read employees' work mail. Google "lex Nokia" for more info.)
.: Max Romantschuk
What the FSCK! How lame is your college that it can't run an email system?
When you finally get out you might want to check and see if your diploma is signed.
In most (all?) states, universities that receive federal government funds have an absolute requirement to protect privacy-related information. That's one of the reasons nearly 20 years ago the California State University system switched from using SSNs as student ID numbers to some non-related numbering system. I know, because I was part of the group that challenged the use of SSNs. As IANAL, I don't know if what happened in the article email _might_ constitute the same thing, nor do I know if the same would be true (i.e. whether it would constitute such a breach) if the system has a "If you use this system, you consent to monitoring" banner that pops up at login.
Bark less. Wag more.
"Why are you diverting a serious matter like this into smearing a company that most likely had nothing to do with it?"
Because Microsoft is running a big campaign in portraying Google as bad. Google is a really hard hit target right now for FUD. The fact that this was a big Microsoft Exchange customer before makes my radar tingle a bit extra for that reason.
"E-mail accounts can contain very sensitive data, ranging from bank papers to personal issues. And especially if people you know get access to this, it makes the problem more serious than ever. "
Yes, and the problem wasn't Google Apps in itself but getting mails out from Exchange and into Google Mail to the right account. It was more a migration error than any security problem. Most times the problem with migrations lies in broken accounts in the source system.
"And the fact that it is free doesn't make it more acceptable. It's like saying that someone volunteering for a non-paid job can act whichever way he or she wants just because it's free. No, you still have to follow rules. "
The fact that it's free does make it more acceptable. We're talking free market here, not Soviet Russia.
"Comments like this make me realize why there are so many extremists in this world."
Different view = extremist? Yay for talibans!
HTTP/1.1 400
They aren't paying anything for it. If someone gives you a car I doubt you'd sue them if the electric windows stopped working.
"I'm sorry, perhaps you missed the part where students could read each other's emails."
If we are to be true, students could not reach other students' inboxes. During migration mails were put in wrong inboxes. It's a pretty big difference if the source system is on crack or if there is a security breach in the target system. In this case the problem could lie in the software used to migrate the users' mails but it did not lie in Google Apps itself.
HTTP/1.1 400
Yeah, blame Susan, that's the spirit...
Worse than just a breach of privacy of email, students use their college-provided accounts to communicate with their faculty. If other students are able to see their emails, that constitutes a potential FERPA breach. As a college IT administrator, I would be screaming at Google for not sharing info and reacting immediately. Waiting a day to shut the accounts down temporarily is inexcusable.
Probably because his neck is on the line, and he's trying to save face with management. Oops.
"I'm French and if my personal or professional email were to be made public, that would be one hell of unsatisfactory service."
Well, who do you think would want to read a Frenchman's mail, anyway?
More seriously, what does nationality have to do with privacy issues? You think that maybe a Ugandan needs more privacy than a Russian? Degrees of privacy are scaled from one nationality to another? Had you said something to the effect, "The Iranian government has grown really oppressive, so my mail being made public is a major threat to personal security", then your nationality and/or government might be a factor.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Or lack thereof.
This wasn't IT's fault, but in my university CS department, there was a period of about three months during which we had passwordless logon to our department course Wiki, which provided the option to use Perl in place of Wikicode as the source for a page. Said Perl ran with the webserver's username on the server.
As far as I know, nothing bad came of it. The seniors just enjoyed not needing to bother with passwords. (To be clear, we repeatedly notified the professor responsible for the Wiki, who repeatedly said he'd take care of it. After a couple weeks, it just kind of became normal.)
Actually, a lot of people probably would. One of the things that really annoys me is that large companies will dispose of their old IT equipment by throwing it in a skip rather than donating it to local schools who would benefit from them. One of the major reasons that they do this (from what I have heard) is because "if we give it away to a school and someone goes wrong, we would be liable and could get sued". I still don't understand why the school can't just agree (via a disclaimer or whatever) not to sue, but that's probably because I'm not a lawyer and live in my own little make-believe world where people shouldn't sue just because they can get away with it.
99% sure that the admins at Brown thought the response was acceptable because the 'small glitch' was actually operator error on the part of said admins. I'd try to downplay the whole situation if it was my fault, and that seems to be what the admins at Brown are doing.
I think stating one's nationality implies that the writer is framing his/her comments as representing the expectation in one's country. What level of privacy one should desire from a pure philosophical standpoint, what is legally protected, and what the cultural norm expects can all be different.
.sig withheld by request
This has to do with the GGP stating "It's the American way."
In France, as in most European countries, this affair could even be a case for a criminal proceeding.
There's nothing like $HOME
Not paying anything? Tuition at Brown is $35,584, and some of that goes to IT services; the fact that they've contracted student email service out to Google is irrelevant.
.sig withheld by request
Off the top of my head... Facebook, student deals with software companies like Microsoft who verify you're on a .edu domain, people who are incapable of registering an e-mail address themselves etc. are things that come up to the top of my head.
Change is certain; progress is not obligatory.
Then again, in most sensible countries, punitive damages don't exist.
There's nothing like $HOME
When you move files from a user's hard drive onto a network share are you allowed to blame the user when you don't set the permissions the way they told you to?
A common problem with Exchange? In that case the Google side of the migration should have been expecting it to happen and have had a plan to fix it before they went live.
Why was this feature^H^H^H^ bug present in the first place? It's not like this is the 1st time Google has had to implement email for 3rd parties.
Did Brown give a list of "superusers" to Google that had the ability to read global mails and someone botched it? O Oh.
"Ah.. CRAP. I think we cut and paste the wrong names on the God list." ... ? What do you mean NO? .... Oh yeah the whole space-time thing.... . Err.. can we just call it a Google bug? .... ? What do you mean we have to deal with our own PR?" ... click.
"What... Call Google, quick!"
"Hello Google.... can you spin back time... ?
My understanding is that it's actually for accounting purposes. The equipment can't be written off the same way if they are donated, or something like that. I'm neither an accountant nor a tax specialist.
Depends on your version of "sensible".
They exist to hammer home wrongs done.
Unfortunately, in the past, they've been given for any willy-nilly thing instead of handing it down for egregious conduct. I know about egregious conduct- I'm experiencing it right now in a matter that I can't discuss for legal reasons.
Fortunately or unfortunately, depending on your viewpoint, there's a cap on just how much punitive damages you can get in most of the states. Texas' is three quarters of a million after computing 2.5 times the economic damages. It's similar in other states.
So, when you say "in most sensible countries, punitive damages don't exist", it implies you know little about how it all actually works. When someone sues someone else, it's mainly for economic or actual and potential (believable potential) harm. Now, since someone can file any stupid civil cause they want to (See SCO v. IBM...) we have at least a few people out there filing all sorts of actions that waste money, court time, etc. to see if they can extort money or score big on dumb blind luck in the courtroom. Except for rare cases, there is no pursuit in punishing barratry (the promulgation of a nonexistent case...) or for penalties being brought against a party that honestly believed they had a case and didn't because they didn't do all their work. In most sensible countries, you should have penalties for bringing a case of this sort to court- but there isn't so you see "sue em" happening all the time for things that shouldn't have ever been brought to court.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Somewhere at Google HQ there is a guy saying "I told you we still weren't ready to come out of beta!"
While the issue took three days to resolve, the unilateral shut down of the accounts prevented students from reading other students' emails during that period.
So for review, no one got to read others' email for three days, instead, they got to read no email for that time and email sent to the accounts which were routing wrong was bounced back.
What privacy? Those are Google's emails. They were sent by your friends to Google. That they are about you and you are allowed to read them makes no difference to their ownership.
/sarcasm ...?
It's troll because he's saying bad things about teh Google! We only bash Micro$$$$$oft here.
It isn't FREE, people.
Google advertises all over the place. They store your mail for an indeterminate period of time.
They link your gmail account cookie to your google account cookie, which is linked to various advertising streams.
Do you think TV is free? Really? Ever heard of commercials?
TV is a deployment method for commercial advertising. It's at breaks (standard commercials). It's during TV shows, with in show spots for products.. such as actors pumping various products. It's at the bottom of the screen, with dancing advertising logos and such, while you watch the show!
This is not free. This is an arrangement between two entities. You watch our shows, and we try to sell you things. Clearly your time has value, you watching has value, and that is why TV is on the air. It isn't on the air to be 'free'.
That is, unless you think that 'free' means 'no hard currency was exchanged'. If you do, then I suppose you help your friends move for 'free', and the beer and pizza after isn't compensation?
Gmail is not different. It isn't free. Google is making a PROFIT on this -- or if not, it will be. It will make money by examining the relationships between people that use gmail. It will make money by examining those relationships, and what you search for on the web. It will make the same money, by looking at those relationships, your financial data (Google finance), the places you search for on Google Maps, the apps you download with Android/Gphone, the people you call in your gphone, and on and on and on.
Google has become the largest depository of human interaction. They span more than email and searches. They know who you are in contact with, who you buy from, and the list goes on and on.
Further, they store this information for an indeterminate period of time.
Whether or not you like this, whether or not you approve, it is what you pay for using their service.
Free? Hell no!
If you really want something to be private you don't put in your emails anyway. This is pretty well known by now isn't it, that privacy on the 'net is a myth? Can we stop with the "omg, I thought it was private" b.s. now? When I communicate on the 'net (or on my mobile phone, now, too) I always treat it like I'm using a p.a. system, no matter how many people the communication is addressed to.
And that's why the American legal system is FUTA. In most sensible countries, you *can* sue them *if* you have experienced a major problem due to their behaviour - eg, if you can show that you have lost money/possessions/safety etc as a direct result of someone else having access to your emails. You can't just go "I feel slightly aggrieved that someone read my email - give me a bajillion dollars!!!!".
Spoken like someone whose only expose to the American legal system is via television...
It's a common problem in most mail systems. You often have a couple of accounts on acid, be it by corruption, useless tools or human error. The university side should definitely have checked their system before the migration.
HTTP/1.1 400
Sigh. *exposure.
That's easy to handle.
Example.
During WWII, for the aeons before the US entered the war, they were 'neutral'. Neutral to all the death and slaughter, and cry for help from their allies.
Uh, sorry.. off track a bit there. :P
Seriously though, it wasn't all bad. For whatever reasons the US remained neutral, they weren't as neutral as could be. One thing they did, was 'accidentally' leave massive quantities of ammunition and weaponry right near the US border. Somehow, the Canadian military would find out, and would 'steal' this weaponry and ammunition.. which was quickly transported to the UK, and then to the front lines... that is, whatever would make it across the German sub riddled sea.
Point being, there is no reason that this can't be the same way. You write off the equipment, you throw it in a dumpster in the back, and then someone tells someone that there are computers in the garbage.
At that point, they've been trashed. All is well on one side, and the other can act as they wish...
I don't think anyone, except you, is suggesting the colleges can't run an email service.
Email is time consuming and expensive to provide. 10, 20 or 30 thousand accounts, all demanding storage - and these days you can't give folk 100MB quotas. Accounts that are all attracting spam that requires either constant tweaking of anti-spam rules, or outsourcing spam and virus checking. Add in off-site backups, support, abuse and you are quickly spending tens of thousands on equipment and more on staff.
Then they get a call, or an email saying Google will offer all that for free. For a school facing budget constraints it's a very tempting offer. It says more about their budget than their technical ability.
That is, unless you think that 'free' means 'no hard currency was exchanged'.
Yea, that's pretty much what we all think. Do you really think someone is reading your post and going
"holy crap, he's right - they DO look at my data! and tv DOES have ads! none of this is FREE!!!!"
Yea, we all know we are giving up time, or letting company X gain something by giving our time, or whatever, but most of the general public (including me!) considers only their pocketbook when thinking about whether or not something is "free". Hell, even if I have to spend 20 minutes doing something (let's say filling out a rebate on something so that the final price is $0), I STILL consider it free!
What the FSCK! How lame is your college that it can't run an email system?
When you finally get out you might want to check and see if your diploma is signed.
Higher education is all about money these days. It's not so much "can they do it?" as "can they do it for anywhere near the same price?"
A highly available email system for any large organisation like a college pretty much means a SAN and a cluster of some sort, which immediately implies a fair bit of hardware and a hell of a lot of work to get everything tied together. Even using free software everywhere you can, the hardware costs money and so does the engineer time to set up and manage it.
Google, OTOH, will provide the whole lot free. Leaving more money in the budget for that ivory back scratcher.
(FWIW, I've recently looked into this for my employer and reached a similar conclusion. At the price Google charges, the level of reliability they are hypothetically able to offer, spam-filtering that actually works and the extra features that don't have a UI that makes people want to gouge out their own eyes, I can't provide this any cheaper than what Google do. Hell, my co-located secondary MX server costs more per year than Google for every single member of staff)
Obviously I don't know how they managed the migration, but I'm looking at doing the same thing myself and I can see one glaringly obvious way how this could happen.
One of the migration mechanisms Google provide is you enable IMAP on your mail server and give them a CSV file listing IMAP usernames, the corresponding Google account username and IMAP passwords. Google's system then brings all the email across and puts it in the relevant accounts.
Of course, if the mechanism you use to generate the CSV file is slightly broken.....
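A pre-flight check for the kind of mapping file the comment above describes, as an added example that is not part of the original thread and is not Google's tooling. The three-column layout (source IMAP user, destination account, IMAP password), the name `validate_mapping` and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Assumed column layout (not taken from any vendor documentation):
# source IMAP username, destination account, IMAP password.
EXPECTED_FIELDS = 3

# Constructed sample; names, domain and passwords are placeholders.
SAMPLE = """\
alice,alice@example.edu,placeholder1
sally.smith,sally.jones@example.edu,placeholder2
bob,bob@example.edu
carol,carol@example.edu,placeholder4
dave,carol@example.edu,placeholder5
alice,alice2@example.edu,placeholder6
"""


def local_part(name):
    """Lower-cased part before any '@', so 'Bob' matches 'bob@example.edu'."""
    return name.split("@", 1)[0].strip().lower()


def validate_mapping(csv_text):
    """Return (line_number, code, detail) for every row a human should review."""
    problems = []
    first_source = {}  # source username -> line where it first appeared
    first_target = {}  # destination account -> line where it first appeared
    reader = csv.reader(io.StringIO(csv_text))
    for row in reader:
        line_no = reader.line_num
        if not any(field.strip() for field in row):
            continue  # skip blank lines
        # A short or long row usually means a broken export (missing
        # attribute, stray delimiter), which shifts every later column.
        if len(row) != EXPECTED_FIELDS:
            problems.append((line_no, "FIELD_COUNT",
                             f"{len(row)} fields, expected {EXPECTED_FIELDS}"))
            continue
        src, dst, password = (field.strip() for field in row)
        if not (src and dst and password):
            problems.append((line_no, "EMPTY_FIELD", "one or more blank fields"))
            continue
        src_key, dst_key = src.lower(), dst.lower()
        # The same source mailbox copied to two destinations.
        if src_key in first_source:
            problems.append((line_no, "DUPLICATE_SOURCE",
                             f"{src} already mapped on line {first_source[src_key]}"))
        else:
            first_source[src_key] = line_no
        # Two source mailboxes merged into one destination inbox.
        if dst_key in first_target:
            problems.append((line_no, "DUPLICATE_TARGET",
                             f"{dst} already used on line {first_target[dst_key]}"))
        else:
            first_target[dst_key] = line_no
        # Heuristic only: renames can be legitimate, so this is a review
        # flag rather than a hard error.
        if local_part(src) != local_part(dst):
            problems.append((line_no, "NAME_MISMATCH", f"{src} -> {dst}"))
    return problems


if __name__ == "__main__":
    for line_no, code, detail in validate_mapping(SAMPLE):
        print(f"line {line_no}: {code}: {detail}")
```

Running a check like this before handing the file over turns a silent mis-delivery into a list of rows to review; an empty result does not prove the mapping is right, only that it is internally consistent.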
A lot of things (not just higher education) are like this.
I contemplated writing my own or even hosting a pre-written photo gallery application since I have the skills to do so, for my family photos.
I then realized that Flickr, which exists already and has incredibly good tools is only $20/yr for unlimited bandwidth usage and unlimited storage, and its really not worth it for me to put any more than half an hour's work a year into doing it myself at that rate.
- Michael T. Babcock (Yes, I blog)
However, the real issue that concerned the university was the matter of communication between Google and the CIS department. Before fixing the issue on Tuesday, Google suspended the affected accounts, a necessary step that was taken so no more data was improperly shared. What angered the IT director, though, was that the accounts were suspended without first notifying CIS.
Translation: We sent you an email communicating the issue at hand. However, we had to disable your email account so nobody else could accidentally view it.
"I've spoken very forcefully with the account (executive), my boss, senior administrators at Brown -- including the president. (Google needs) to find a better way to communicate with us," said Tom.
Translation: We told them to stop or else we'll say stop again.
I've encountered that numerous times when doing large imports and exports. Often the problem I have had is that the export from the source system has been incomplete because of missing info on the accounts or just corruption in the DB. cut -fn and pals does not like such things very much.
HTTP/1.1 400
Off the top of my head... Facebook
Are you suggesting that it's the school's responsibility for the students to use social networking tools?
"A plan fiendishly clever in its intricacies"- Homer Simpson
A few mailboxes (20 out of 200) had the wrong mail migrated into them. We don't even know the source of this problem yet, but the university could very well have TOLD Google to put sally.smith's e-mail into sally.jones' new mail box.
This isn't a google apps security problem. Please RTFA and get off your high horse.
Most probably, it means there are laws regarding "Unsatisfactory service". D'oh.
no sig
Reminds me about a story I heard about the math department at a university I attended (yes, I'm deliberately being vague here). They had a large number of computers for which they no longer had a use. However, they were forbidden by their purchasing contract from re-selling them, giving them away, or even disposing of them. So the machines were put into storage. On the loading dock. Outside. The contract didn't forbid the department from having the goods stolen.
No, I don't think you are correct in stating that you 'all' know. For starters, there are people here indicating that there should be no expectation for quality of service, since it is a 'free' service. You *are* paying for the service, and in exchange, you should demand a certain level of quality.
"Free" would be a download of Ubuntu. While there are certain social expectations that go along with using open source, none of them are ripped from you, whilst you use that product. The closest I can think of, is Firefox defaulting to Google's home page... which you can change at will.
In other words, you are free not to pay those hidden charges.
I've seen people state that they should buy pizza from company $x, because they give you a second pizza 'free'.
Er. There is no free pizza. You're paying for both of them.
Most people don't realise the true cost of things. They have been bedazzled by the constant corporate speak that pervades our lives. Heck, most people don't even consider the real world cost of *anything*.
So, yes.. some people realise it. For the large part, most don't.
As for yourself? You don't realise it, not really. You're supporting those that define 'free' as 'no government sponsored currency changed hands'. You probably use the word incorrectly... in fact, you advocated just that!
lol that was brilliant :D
I agree completely with you, in fact I was going to mention the 'buy 1 get 1 free' type of "free" in my post as well. What I'm saying is that since there is little, if anything, that is truly free nowadays, and the word has sort of shifted meanings to mean "doesn't cost any money".
I suppose we should also complain about people that claim they "saved" $50 on an item that was $100 w/ 50% off? (just joking, I know half of the people will read this and be foaming at the mouth just thinking about something saying that : ) )
In this case. It seems in my experience more and more that most companies do not care how long the outage is or what caused it, or how poorly the service performs so long as the price is rock bottom and they avoid the IT department asking for more cash each year.
This is a self correcting problem as more industries move into a greater reliance on computers. You can't just make IT another blindly outsourced number at the end of the day, and the decision can't come from a group of board members who think gmail is a typo.
Good people go to bed earlier.
And I suppose that if a defense contractor leaked classified information then it's ok because you are a private company.
Point: Being a subcontractor doesn't let you off the hook when you're handling confidential information belonging to someone else.
Clouds are translucent.
It sounds like we're talking about a couple hundred accounts. I totally agree though.
While your idea does work, I for one think legal and tax codes which incentivize throwing away working equipment rather than donating/selling it to someone that can use it indicates some deeper problems with modern society. It's a wasteful misuse of resources and it's causing unnecessary trash. And no, I don't care if it adds a few more dollars per year to some PC manufacturer's bottom line. Economies exist to serve their societies, not the other way around!
More seriously, what does nationality have to do with privacy issues? You think that maybe a Ugandan needs more privacy than a Russian?
From what I've learned from colleges, Europe has very strict privacy laws, especially with electronic information when compared to the US. What are departments allowed to see, store, etc. And failure to comply usually means all heck breaking loose.
No, according to this article, "The problem was on Google's end. They acknowledged a bug," and according to this comment, Google had upgraded their IMAP migration tool right before this happened.
Sounds like a case of insufficient testing on Google's part before rolling out the new version of their tool.
No, why don't you RTFA and get off your high horse. According to an article linked from TFA, Google acknowledged the problem was on their end, and an earlier comment from a Brown sysadmin indicates that Google upgraded their migration tool right before this happened. It may have "only" been 20 out of 200 accounts, but the problem is squarely Google's fault; stop blaming the Brown sysadmins.
22 / 2000 email accounts isn't a big deal, sorry. And most of those people probably don't check their school email every day (I don't, and most of my friends don't), and most of the people who did happen to check their email didn't even notice that their old emails weren't theirs. This really was a small hiccup.
"Google Apps' security fails utterly"
It wasn't a security issue. It was a data migration error, and there's a huge difference there. One is an application problem, the other is user error.
Don't take life so seriously. No one makes it out alive.
Comprehension fails. The above AC was pointing out that it's not a security problem with Google Apps, and he's entirely correct. It was a problem with migrating data into Google Apps. There's a distinct, important difference, and you appear to be missing it.
Don't take life so seriously. No one makes it out alive.
"I don't know if what happened in the article email _might_ constitute the same thing, nor do I know if the same would be true (i.e. whether it would constitute such a breach) if the system has a "If you use this system, you consent to monitoring" banner that pops up at login."
Thanks for letting us know that you don't know.
Don't take life so seriously. No one makes it out alive.
This same thing happened to Slashdot a few months ago for an afternoon. Every time I, and others, refreshed the page I was logged in under another Slashdot account. Other people had reported this in article comments until it got fixed.
While I agree this could have been a really big deal, it also is a one time event. It happened during the migration, not as a result of day-to-day operation. It may have taken 3 days to resolve but as of this moment it HAS been resolved, so I don't feel that the proper response would really be to find another solution and migrate everyone all over again. Now if this was just the first of many batches of email accounts being migrated then they had better be absolutely certain that this isn't going to be a recurring problem, but other than that there really is no risk that the students will randomly obtain access to other accounts.
Personally, if I lost privacy on my email and my account had to be locked while they fixed it, I would be perfectly happy with them locking it. For me, I think the worst possible failure would have been a response of "oh, shoot. Well, what's done is done. There's nothing we can do about it now".
You do to join a network, as it always has been.
Change is certain; progress is not obligatory.
...is why I still use POP3 or IMAP.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Have you actually read the EULAs to Google's services, or are you content to merely fearmonger and spread FUD about them? I hear this crap every time Chrome, or Gmail, or Blogspot are mentioned -- that there is a Google minion reading all your sordid affairs in some cubicle somewhere.
Possibly some day complaints will be based on legitimate issues with their services, rather than blatantly false attempts to rile up concern.
Works doubly if they had them insured against theft...
Your analysis is spot-on but your conclusion is wrong. I'm familiar, mostly in passing these days, with an effort at another Ivy College, to displace their home-grown, yet standards-compliant, e-mail system. The current system requires about 3 FTEs to provide service for somewhere on the order of 50,000 e-mail accounts. They're discussing moving to Google or Exchange as alternatives. Now, perhaps Google could cut down on that staff load somewhat, but equipment costs can be traded for bandwidth costs, and the costs of interfacing with Google are non-zero. Now, then look at Exchange - by some estimates you need 1:1000 admins:users for Exchange. Even calling that generous, the license costs on top of the hardware costs, on top of the FTEs, make it very expensive. But it's on the table because it's 'normal' and the home-grown system is not. Or, so I've heard.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
No they don't. There's networks for all sorts of things from Corporations to entire countries, and you don't need to use a specific email domain at all to join them.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
Little glitches like this just reinforce the idea that Google is not a safe pair of hands for confidential data. We just had a memo at work saying that Google Docs was not suitable for confidential data and they are cutting off all access to the site. Now, I don't know the rights and wrongs of that decision but I guess Google are losing the battle for the confidence of system administrators.
Change is certain; progress is not obligatory.
I admit my grasp of how punitive damages actually work may be superficial, but as I understand it, they end up as being an incentive for silly lawsuits.
Coming from a different country, with a different legal system, I find weird the notion that punishment can be discussed in a civil court, instead of a criminal court where it belongs.
Granted, I'm not biased enough to ignore that I'm biased, but that's how I view it:
And anyone who tries to abuse the system should face some due consequence, I quite agree with that.
In a civil suit, for example, the costs of the proceedings plus, in severe cases, the defender's attorney fees. It's applied in some countries, just so you know.
There's nothing like $HOME