James Governor's Monkchips

First Google Desktop breach already


While I accept that my recent post on Google Desktop Search (GDS) could be considered somewhat inflammatory, I have also been somewhat surprised to see the opposite view writ so large.

It seems extraordinary to me that the security editor at ZDNet, Larry Seltzer, could categorically state that GDS presents no security risk (or maybe that’s just the headline writers; the article is more nuanced, to be fair). Maybe I just don’t get it, but I tend to defer to Bruce Schneier on matters security related, and he repeatedly makes the case that there are no absolutes in security, only risks to manage.

But Seltzer was confident enough to say:
“Privacy hysterics bring old whine in new bottles to the Internet party. The desktop search beta from this Web search leader doesn’t do anything you can’t do already.”

Like the web is secure right now?

I guess I must be in touch with my female side, because privacy issues do tend to make me feel a little hysterical. (By way of explanation, the word “hysteria” comes from theories that women are more unstable because they have wombs; “hysterectomy” has the same derivation.)

Anyhow – I was not in the least bit surprised to see the first news story looking at Google’s first GDS breach fix.

Jim Ley found the flaw two years ago. Google announced a fix this week. Nice.

One thing I wanted to clarify in my post about Google and Sarbanes-Oxley: I should have made it clear that this is a second-order audit issue. While Sarbanes-Oxley itself is not that granular about IT controls, it does posit a requirement for an operational controls framework; COSO, ISO 17799 and COBIT are all emerging as potential answers in that space, and all offer prescriptive guidance on authorization, authentication and identity issues. Auditors using these frameworks could well refuse to certify an organization without clear policies, strategies and processes in this regard. I would like to point you to Chris Byrne, who first brought the GDS issue to my attention. He has been taking some lumps for doing so – learning new words such as poxy.

So back to passion and unreasoned analysis, then. It seems we are already turning red or blue – we are either Google apologists or attackers. Go figure. It doesn’t take long to create partisan hackship now, does it? Ideally I would like to be in the reality-based community, though.

This red-or-blue binary holds true within RedMonk: my business partner Stephen is inclined to give GOOG the benefit of the doubt, while I believe we should all encourage Google to open up now rather than later.

As we know from Microsoft, worrying about ethics after the fact just doesn’t work. We must use web transparency, à la Dan Gillmor, to persuade Google that it needs to open up on governance and policy. That will benefit everyone – Google included. Indeed, why don’t we make Google the target/poster child for the new transparency movement?

So let’s keep agitating. Let’s keep an eye on Google.

One comment

  1. It’s not that I’m giving them the benefit of the doubt, brother. It’s that I think much of the hue and cry around GDS is

    a.) hyping “vulnerabilities” (search of the IE cache, e.g.) that have been around for a long time

    b.) underhyping the real concerns (local web server in every machine)

    c.) highlighting Google without casting a similar eye towards its competitors (X1, Copernic, etc), nor acknowledging that other applications (Kazaa, etc) pose similar if different threats

    I’m by no means an apologist, and am on record as being concerned with the way that GDS goes about its business. But I do think that the alarm around the application to date has been more hype than substance. IMO, of course. And I think a lot of this is because public sentiment has shifted on Google, from private darling to tech juggernaut.
