A Second Google Desktop Vulnerability 80
zakkie writes "According to InfoWorld, Google's Desktop indexing engine is vulnerable to an exploit (the second such flaw to be found) that could allow crackers to read files or execute code. By exploiting a cross-site scripting vulnerability on google.com, an attacker can grab all the data off a Google Desktop. Google is said to be investigating. A security researcher is quoted: 'The users really have very little ability to protect themselves against these attacks. It's very bad. Even the experts are afraid to click on each other's links anymore.'"
Experts? (Score:3, Insightful)
Umm.. Google desktop runs on Windows.. Seriously, how many "security experts" do you know running Windows?
Re:Experts? (Score:4, Insightful)
Since most of the money (and challenges) for security is on Windows, I supose they could hardly be using anything else.
Re:Experts? (Score:3, Insightful)
Certainly.. they run it just like it's supposed to be, as a VMWare image sandboxed inside their *nix/BSD workstation. Again, anyone that's using a web browser running under the same account permissions as any sensitive data on that machine is _not_ a security "expert".
Why Google Desktop is too frustrating to be used (Score:5, Insightful)
More infuriatingly, Google Desktop also doesn't understand that emails that it indexes in my Outlook Inbox won't stay there forever due to restrictions on server mailbox size, and doesn't re-index them when they move to an offline
Google Desktop still doesn't support the use of '-' to join two words, i.e. "foo bar" can be written as foo-bar. And the Google Desktop results within Outlook are still not a proper Outlook result list (as with Outlook Find), so you can't just drag items into a new email as attachments - no, you have to open up the email (if it can find it...), use Outlook to copy it to a temp folder, then drag from that folder into the new email.
Google Desktop is simply too annoying to use any more, even though I've used it from version 1, and is actually a very un-Google-like product. Unlike the core Google.com search, which has been quietly optimised over the years to add stemming, proximity, spelling correction, etc, Google Desktop is actually a rather mediocre and barely usable desktop search tool whose primary benefit is that it integrates well with Google Toolbar.
The root cause and how I avoid it (Score:5, Insightful)
I realise there are many other people who see Web 1.0 as too limited for all the usual reasons, e.g. because they want interactivity features, or Flash movies, or proper CSS support for different display devices, etc, all of which are good reasons for them and do require the use of Javascript / AJAX. I don't need any of that, however, so I disable Javascript. I have yet to find a website with textual information that could not have been written or read by me based on good old HTML. Another reason I prefer websites that avoid relying heavily upon Javascript, even to make simple links between webpages, is that they can be properly indexed by search engines.
Quick fix (Score:5, Insightful)
Re:Google Desktop pre-loaded on Dells (Score:5, Insightful)
Those Dells should have been wiped and had a secure configuration reloaded. Yeeeesh
What hospital are you at, so I can avoid it?
Re:Why Google Desktop is too frustrating to be use (Score:3, Insightful)
It gets worse: GDS actually "forgets" about documents it has previously indexed (so results get *worse* over time, not better). And its index keeps growing (yes, even though its results are getting worse). And as the parent mentions, it doesn't have a "re-index now" option, so you are forced to uninstall and re-install.
The only good thing about GDS is its integration with google.com (who's embracing and extending now?). I am no MS apologist and I put up with GDS for over 1.5 years, but I switched to Windows Desktop Search and never looked back: WDS is head-and-shoulders above GDS (BTW, it can be downloaded into XP and is pretty much the same as the WDS in Vista): better results, better UI, way better integration with Windows, smaller index, ability to re-set the index whenever and faster to index the drive than GDS to begin with. WDS started life as Lookout, a third-party freeware app that was bought by MS, and it was better than GDS back then (oh what 4 years ago?).
If only developers would embrace WDS to fix some obvious shortcomings (no Firefox/Thunderbird indexing, no hotkeys like GDS). I doubt Microsoft has anything to fear from Google competing for the desktop if GDS is any indication...