I know most of you haven’t seen it (I probably wouldn’t have either unless a few separate people had emailed it to me), but Riva Richmond interviewed me for the Wall Street Journal about the Google Desktop hack and the few issues found in Yahoo over the last few weeks. The article was pretty critical of Google’s take on security, which doesn’t surprise me too much given Google’s troubling past with security and privacy issues (it’s tough being an advertising company). However, one quote from the article really struck me like a ton of bricks (Douglas Merrill is the CIO of Google):
Regarding security-flaw disclosure, Mr. Merrill says Google hasn’t provided much because consumers, its primary users to date, often aren’t tech-savvy enough to understand security bulletins and find them “distracting and confusing.” Also, because fixes Google makes on its servers are invisible to the user, notification hasn’t seemed necessary, he says.
I don’t know about you, but the words “security flaw in Google Desktop” are pretty understandable by anyone I’ve ever met. Sure, they don’t know or even care about the specifics of anything we work on, but I think they have a right to know when they are using an insecure platform. Consumers need to be armed with the information so they can make decisions, not so that Google can make another billion. Google feels otherwise (is that any surprise?). More than that, they feel consumers are incapable of understanding. That may be true regarding the nuances, but if they knew all their email was at risk (even at slight risk) they would feel differently about installing Google products. I dare say that Google employees would have a tough time explaining what anti-anti-anti DNS Pinning is. Does that mean I shouldn’t tell them, since they would find it confusing and distracting? That’s just ridiculous!
I had drinks with a newbie webappsec guy in the area last night and I told him how the Google Desktop exploit works. He’s pretty new to webappsec, so he wasn’t aware of how lots of the exploits out there worked. After ten minutes he was worried enough that he too said he would be uninstalling Google Desktop when he got home. Like it or not, he was a consumer. He was uninformed before I met him and after I met him he made an informed decision (I even warned him about how incredibly rare this type of attack is). When consumers are armed they can make informed decisions, even if that is against Google’s business model. Do no evil, Google. Follow your own mantra, Mr. Merrill!