Does Google Have Security Problems Like Microsoft?

by Preston Gralla

Microsoft has gotten a fair amount of justified criticism for the myriad Windows and Internet Explorer vulnerabilities. But now the darling of the tech world, Google, is starting to take some heat as well.



The Google Desktop search tool, it was revealed soon after its release, could be used to ferret out secret information about someone who uses a public computer, including reading his private email. That's because it indexes all Web pages visited by Internet Explorer, including secure Web sites. So if you visit a site like Hotmail on a public computer and read your private mail, other people who use Google Desktop on the same PC will be able to read your mail, unless certain settings are tweaked.



That was a relatively minor problem, and easily fixed by a simple setting change. The last few days, though, have seen more serious security problems arise. Rice University researchers found out that a flaw in Google Desktop could be used to let intruders on the Internet secretly read the contents of your hard drive. Google fixed the security hole, and has automatically updated Google Desktop on people's PCs so that it's no longer vulnerable. But even though it was fixed, security experts warn that other similar holes may eventually surface -- and so the research firm Gartner has recommended that businesses not let their users install it.



Now it's been revealed that malware writers are using the Google search site as a way to attack vulnerable Web sites.



Why point the finger at Google? To show that Microsoft's security woes are not all of its own making. I've long said that one reason Microsoft software is targeted is simply because most people use its software. Now the same thing is happening to Google, which is, in terms of popularity, practically the Microsoft of the Web.



So yes, it's true that Microsoft has a way to go in securing Windows and Internet Explorer. (Its recent acquisition of spyware vendor Giant Software, though, shows that it's taking the issue seriously.) But Google's security problems show that, to a certain extent, security holes are part of the price tech companies pay for success.


What do you think about Google's recent security problems?


16 Comments

menglis3
2004-12-22 00:49:35
Did I confuse successful s/w with correctly working s/ware ?
Why point the finger at Google?
To show that speed to market (whether it be software, cars, whatever the product or service) will (all other things being equal) result in less than perfect products.


I've long said that one reason Microsoft software is targeted is simply because most people use its software.
So it's OK for your late model car to be more vulnerable to theft than, say, my Bonneville ? After all, there's a lot more cars than m/cycles about...


But Google's security problems show that to certain extent, security holes are part of the price tech companies pay for success.
I'm sick of this BS - Why is success defined in terms of the number of sales ? Why can't we define success in terms of quality ? I want a product or service that does these n things to a certain standard. And only these n things.

menglis3
2004-12-22 00:50:50
Did I confuse successful s/w with correctly working s/ware ?
Slightly more readable version ...
Why point the finger at Google?
To show that speed to market (whether it be software, cars, whatever the product or service) will (all other things being equal) result in less than perfect products.


I've long said that one reason Microsoft software is targeted is simply because most people use its software.
So it's OK for your late model car to be more vulnerable to theft than, say, my Bonneville ? After all, there's a lot more cars than m/cycles about...


But Google's security problems show that to certain extent, security holes are part of the price tech companies pay for success.
I'm sick of this BS - Why is success defined in terms of the number of sales ? Why can't we define success in terms of quality ? I want a product or service that does these n things to a certain standard. And only these n things.

jwenting
2004-12-22 00:59:45
Did I confuse successful s/w with correctly working s/ware ?
But Google's security problems show that to certain extent, security holes are part of the price tech companies pay for success.
I'm sick of this BS - Why is success defined in terms of the number of sales ? Why can't we define success in terms of quality ? I want a product or service that does these n things to a certain standard. And only these n things.


Guess what, it's about the money kid.
Sales == profit == income == happy shareholders.
Quality may drive sales but it's a tool, not the ultimate goal.
Perfection is unattainable, 95% may be possible but if it costs 1000 times as much as 90% and the customers are content with that then 90% is what you create.


I'm sick of the constant Microsoft bashing. They're doing a good job. They're not perfect but they're doing their thing in closing potential holes often before anyone outside the company even knows of them.
This has certainly been true over the last year when just about every single first report of a flaw in a Microsoft product was first indicated by Microsoft themselves.


If you're willing to pay $100k for an operating system and $250k for your word processor maybe then can you get near perfection.
But you'll be one of the few people using it since the vast majority will be quite happy to get a bit less perfection for their $100 OS and $250 word processor...

dscotson
2004-12-22 02:30:29
Gartner Report
I preferred The Register's take on Gartner's rather confused report:


So, the clear message is: "Don't use Google's desktop search because of security concerns. Instead, use an alternative. But since they don't exist, use Google."

paulwaite
2004-12-22 03:14:24
Popularity and security
Some computer scientists spent 4 years analysing the 7 million or so lines of code in the Linux kernel. They found 985 bugs. And by the time they'd published their results, many of them had been fixed.


You can be popular or unpopular, but if the hackers have fewer bugs to find, then you have fewer security problems.

drobert
2004-12-22 05:03:58
Did I confuse successful s/w with correctly working s/ware ?
I don't have to pay 100K for a good OS, I just have to use Linux and pay 0$. And before someone points to the lack of support, I should point out that the support you get with a paid copy of Windoze is mostly virtual (i.e. it exists only insofar as you don't try to use it).


Sales and share value is only an indicator of the company's success, not the product (you can make money with more than just products, as SCO is attempting to prove...). It's also quite possible to be successful with a horrible product (e.g. FrancoAmerican's SpaghettiOs); financial (on paper) success is not a direct indicator of quality or of long-term viability (e.g. Enron before the fall).


The main problem is that people continue to buy M$'s horrible products, mainly because they have been convinced that there is no alternative.


And BTW: "every single first report of a flaw in a Microsoft product was first indicated by Microsoft themselves": I don't know where you got that, but in the case of the recent JPEG issue, it was reported by a Verizon employee, not a Microsoft employee...


"[Thanks to] Nick DeBaggis [ndebaggis@verizon.net] for reporting the JPEG Vulnerability (CAN-2004-0200)." cf Microsoft Security Bulletin MS04-028


I would suspect that this is the case for most of them...

emilper@gmail.com
2004-12-22 06:34:35
Did I confuse successful s/w with correctly working s/ware ?
This has certainly been true over the last year when just about every single first report of a flaw in a Microsoft product was first indicated by Microsoft themselves.


maybe because they have the nice habit of demonizing security experts that make bugs public?

krames
2004-12-22 07:34:43
Google Desktop
Google Desktop might have some security holes, but come on...it's beta software! You shouldn't really even expect it to work properly.


Kyle

lshyphenfail
2004-12-22 18:05:41
Are you serious?!
BETA i'll say it again... BETA


the world needs to realize what beta software is. sure it's free, but you still have to pay a price. you are evaluating a product. IT WOULDN'T BE BETA IF IT DIDN'T HAVE BUGS.


i'm unsure of what revenue is going back to google for their pre-release, but it's certainly not full value. this is in comparison to microsoft. i ain't putting them down, microsoft is smart. they're getting back full revenue for a "pre-release" product as retail.


so, microsoft gets famous for bugs in their products, but makes a fortune. which doesn't matter anyway because they've got the market covered and will keep it that way.


Does Google Have Security Problems Like Microsoft?
NO. Not yet?

shiflett
2004-12-22 20:53:46
Too Much Misinformation
I'm trying to figure out whether this blog is meant to be taken seriously or whether it is just meant to attract responses. Perhaps I am just being trolled.


1. You're comparing Google beta software with Microsoft's production software, and you're "proving" that both are imperfect. This is like comparing my basketball talent to Michael Jordan's and pointing out that we both miss sometimes. On top of this, you're comparing my performance in a game to Jordan's performance in practice. It is a pointless comparison. Microsoft "misses" much more than any legitimate software company should, even if they were to label all of their software as beta. If anything, you've shown us that Google's labels (beta, etc.) are much more reliable than Microsoft's. I agree.


2. You're trying to suggest that Google is somehow insecure because it does its job so well that people use it to search for software vulnerabilities in other software, namely phpBB. So, not only does phpBB's poor security unfairly give PHP a bad name, you want it to do the same thing to Google. The only people who are influenced by such associations are the ignorant masses. As an O'Reilly blogger, you should not be so easily satisfied with ignorance and do a bit of research.

aristotle
2004-12-23 00:12:06
All software has bugs.
Film at 11.


Please pay attention to the real issue: MSFT has taken half a year to even acknowledge highly critical issues more than once. That is just ludicrous.


In contrast, I've seen it more than once that the Apache and Firefox teams acknowledged a problem, developed a fix, tested it, patched the current stable branch, and posted updated download packages within 24 hours. These projects are only examples off the top of my head; similar stories exist for most of the popular libre software projects. To be fairer, these cases aren't the norm, the average response time is much less impressive and probably around a week. Even that is worlds better than MSFT has ever managed in any case I can think of though.


Now since I don't care about the Desktop Search stuff at all I don't know how quickly Google reacted. But assuming their product is not completely bug riddled (and even MSFT's products are not really bad, if only the response time wasn't so galactically shoddy), their response time is what you need to care about.

menglis3
2004-12-23 19:11:48
Did I confuse successful s/w with correctly working s/ware ? II
My whole argument is about a matter of degree, and I am holding google to a higher standard than I have come to expect from MS - mainly due to the fact I've come to expect a higher standard from google.
Guess what, it's about the money kid.
Sales == profit == income == happy shareholders

ummm no it's NOT about the money. If it was, there would be no OSS movement. Your attitude is probably the root cause of poor quality work, whatever the field. For example, is it ethical for a manufacturer to decide that since the cost of x legitimate "Wrongful Death" lawsuits is cheaper than cost of stopping their product from killing people, then they'll wear the cost of the lawsuits ? After all, it's only about the money, even if it's your family that's killed.


IT WOULDN'T BE BETA IF IT DIDN'T HAVE BUGS.
Does it go GA
a) when we can't find anymore bugs, or
b) when we know there's no more bugs ?


Like a lot of other terms, BETA means different things in the software world compared to the real world... beta is meant to be a test phase, with a moderately large test population, not a full roll out. Google Desktop is generally (limited only by desktop O/S) available software, providing access to data that most users would reasonably believe not to be available.
* Actually, in google's case, the definition of beta to be rather ad hoc - wouldn't they lose access rights to a lot of those news sites they scrape if google news went GA ?


I've seen it more than once that the Apache and Firefox teams acknowledged a problem, developed a fix, tested it, patched the current stable branch, and posted updated download packages within 24 hours.
I acknowledge that compared to many vendors (not just MS), google achieved a speedy turnaround (similar to the OSS examples quoted above). But, relating this back to the it's about the money kid quote, the Apache and FF teams are not driven by the dollar sign.
In other words, as google become more and more answerable to quarterly analysis, rather than a longer term view, I think we will see this sort of error happening more and more in their work.

carlaschroder
2004-12-24 14:23:55
windows is attacked more because it's EASY
Not because it is more popular.


There is absolutely no way to exploit a Linux system the way that Windows systems are exploited with such ease.


Think about it: Windows source code is top-secret. Linux source code is wide-open. Yet thousands of exploits are written for Windows. It is ridiculously easy to write a Windows exploit. But even with wide-open code, Linux exploits are difficult. They require much more knowledge and skill than tossing off a Visual Basic hack in 10 minutes. Windows is designed down to its core to support easy auto-execution of foreign code. Even if you lock users down, applications still have free run of system files and the Registry.


Microsoft blames users and denies responsibility, while simultaneously promising to make "security Job One." Yeah, whatever. Talk is cheap; the record speaks for itself. Windows represents a perfect combination of widespread use + easy exploitability. When Linux has ten times the market share as it does currently, you will not see a ten-times increase in exploits. You'll see a much safer Internet.

carlaschroder
2004-12-24 14:32:17
ps- Google's response
"But Google's security problems show that to certain extent, security holes are part of the price tech companies pay for success. "


Quite true. What makes the difference is how security holes are handled- how quickly are they patched? Does the vendor respond to reports of flaws, or do they stall and deny? Do they continually test for problems, and improve their code? So far, Google seems to be doing just fine. I don't believe any comparison to Microsoft is appropriate.

softDownfxxz
2005-03-06 06:04:52
ps- Google's response
Thank you I am learning of new things all day! And it is good to know of my RSS already work. I think I need add button of


RSS to make this thing clear.
fxxzjavadown
