web application security lab

Wall Street Journal Article on Google Desktop

I know most of you haven’t seen it (I probably wouldn’t have either unless a few separate people had emailed it to me), but Riva Richmond interviewed me for the Wall Street Journal about the Google Desktop hack and the few issues found in Yahoo over the last few weeks. The article was pretty critical of Google’s take on security, which doesn’t surprise me too much given Google’s troubling past with security and privacy issues (it’s tough being an advertising company). However, one quote from the article really struck me like a ton of bricks (Douglas Merrill is the CIO of Google):

Regarding security-flaw disclosure, Mr. Merrill says Google hasn’t provided much because consumers, its primary users to date, often aren’t tech-savvy enough to understand security bulletins and find them “distracting and confusing.” Also, because fixes Google makes on its servers are invisible to the user, notification hasn’t seemed necessary, he says.

I don’t know about you, but the words “security flaw in Google Desktop” are pretty understandable by anyone I’ve ever met. Sure, they don’t know or even care about the specifics of anything we work on, but I think they have a right to know when they are using an insecure platform. Consumers need to be armed with the information so they can make decisions, not so that Google can make another billion. Google feels otherwise (is that any surprise?). More than that, they feel consumers are incapable of understanding. That may be true regarding the nuances, but if they knew all their email was at risk (even at slight risk) they would feel differently about installing Google products. I dare say that Google employees would have a tough time explaining what anti-anti-anti DNS Pinning is. Does that mean I shouldn’t tell them, since they would find it confusing and distracting? That’s just ridiculous!

I had drinks with a newbie webappsec guy in the area last night and I told him how the Google Desktop exploit works. He’s pretty new to webappsec, so he wasn’t aware of how lots of the exploits out there worked. After ten minutes he was worried enough that he too said he would be uninstalling Google Desktop when he got home. Like it or not, he was a consumer. He was uninformed before I met him and after I met him he made an informed decision (I even warned him about how incredibly rare this type of attack is). When consumers are armed they can make informed decisions, even if that is against Google’s business model. Do no evil, Google. Follow your own mantra, Mr. Merrill!

5 Responses to “Wall Street Journal Article on Google Desktop”

  1. Awesome AnDrEw Says:

    I have to agree at the very least that a majority of internet users aren’t technologically savvy (see AOL Users, Senior Citizens, MySpace Users, Yahoo! Messenger Users, and Online Predators). That being said, a little bit of knowledge often causes these people to believe they know what they are doing when it comes to online security. Case in point: my mother attended a seminar for her corporation where some über leet h4×0r taught everyone the power of “Google hacking”, long after these tools had already been realized by the average interbutt user (which caused me to laugh at her). As much as they deserve to know the basics about the flaws, it’s best to keep them in the dark about the technical jargon.

  2. Jordan Says:

    Didn’t they read the memo when Sony got caught trying to pull the same line regarding the rootkits?

    (my paraphrase):

    “We don’t need to inform our customers because they don’t understand what the real issue is, so it’s ok to leave them in the dark and do whatever we want.”

    It didn’t work with Sony, and I sure hope it doesn’t work for Google.

  3. Spider Says:

    @Awesome AnDrEw

    True enough, but there is a difference in explaining the technical details about something versus warning them of a threat in general terms.

    Think of this in terms of car recalls. I don’t understand the specifics of how my car works, tech savvy as I may be, but the car companies are required by law to inform me and every grandmother out there if there is a known safety defect anywhere in any system of the car. The warning usually doesn’t go into specifics and just says something like “Your car may explode if you listen to certain radio stations”. It would be nice sometimes to know what radio stations could cause it to explode, but at least I know I can mitigate the risk until it gets fixed by not listening to the radio.

    And that’s the least that we should expect from Google.

  4. Technocrat Says:

    Right on the money. What about all the businesses that have Google Desktop installed? Does Google not owe these businesses a warning about a possible security issue? Seriously?

    I don’t really care if the “general public” doesn’t want the details…the truth is, it is Google’s duty to warn the public of security issues. As it should be the duty of all companies that are providing products or services.

    Google isn’t the only kid playing this game however.
    http://blogs.securiteam.com/index.php/archives/744

    I, for one, don’t like it…and hopefully if we keep talking about it, they will all see that this is not the correct course to take.

  5. Hong Says:

    A Google spokesman said that the desktop search software gets automatically updated, so users do not need to take any steps to protect themselves. Ironically, they provide Google Desktop without the Google Updater, and as I said before, Google Desktop won’t update automatically if the system is not running as administrator.

    They must inform users about security issues of their product. I have to agree most of their users aren’t technologically savvy, but it is not an excuse; it is a problem which Google should not shirk, and they must solve it.