Google Solves Sharing Bug In Google Docs 69
RichardDeVries writes "Three weeks ago, I contacted Google about a bug in Google Docs that shared documents without permission. The issue has been resolved and affected documents have had their collaborators removed. The documents' owners have been notified: 'To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually.' See my journal entry for details on my contact with Google. Although I think Google handled the issue admirably, this raises questions (again) about cloud computing, as well as Google's eternal beta-status for a lot of their services."
I'll keep my docs offline thanks (Score:5, Insightful)
Prime reason to avoid online office suites and the like. Another good reason is that even these days Internet access is not a given 24x7 every place you want to be.
Google's eternal beta-status (Score:5, Insightful)
Re:I'll keep my docs offline thanks (Score:1, Insightful)
Who did you give a HJ to in order to get a response out of google?
Well (Score:5, Insightful)
It raises more immediate questions about SAAS, which Google docs is, not cloud computing. (Google docs is software as a service, not a cloud computing service like Amazon ec2.) Someone else's custom app can have a bug, and leak your data.
So can your provider's closed-source proprietary cloud computing applications, user provisioning, storage, etc.
If, however, the provider uses an open-source hypervisor (like KVM), and open-source provisioning, management tools, and scripts (so the wrong user isn't given access to your storage), cloud computing should be much more secure than a SAAS platform like Google docs.
But yes, it does raise some question about services like ec2, because they're fairly opaque and using proprietary software, how can you possibly prove that their provisioning system is secure (in that YOUR elastic block store can't accidentally be provisioned onto someone else's ec instance)?
One possibility is to use full-drive encryption on all your volumes, and require interaction with custom software on your side to boot your instances.
Raises questions? Really? (Score:5, Insightful)
Really? I don't use Google Apps but I don't think the act of fixing a bug in any way raises questions about the overall concept any more than Microsoft fixing a bug in Sharepoint would raise questions about closed source Windows services, or fixing a bug in KnowledgeTree would raise questions about similar open source services.
Software application has bug; bug gets fixed. Jesus people, why is this different from any other similar bug being fixed? Oh, it's Google, better get blogging.. Gotta get those ad impressions up.
Re:Raises questions? Really? (Score:4, Insightful)
When there's a bug in my internal doc collab and versioning service, it isn't exposed to the entire world.
I think that's the question raised.
Cloud Computing / Online Service Debate (Score:2, Insightful)
Not trying to jump to Google's side, but just want to consider other aspects...
From TFA's readers comments:
---
"Richard de Vries" (submitter of this Slashdot story) - March 7th, 2009 at 2:04 am PST
It's legit alright. I reported this issue to Google on February 24th. Last Thurday I was notified it had been fixed.
I knew this would cause a few discussions about cloud computing and the beta-status of most of Google's applications. I work for a small company. We use Google Docs a lot and we unintentionally shared some internal documents with a few clients. None of these were ultrasecret and the issue was quickly discovered, but you can imagine what could go wrong.
I can say, however, that I'm very happy with the way Google handled this. The e-mails were polite and helpful, the issue was resolved fairly quickly and they have gone out of their way to correct erroneous shares and they sent e-mails to all affected users. They knew they would get reactions like this article, but they did the right thing.
Regards,
Richard
---
"Alyx Flannery" - March 7th, 2009 at 1:33 am PST:
Please. Let's see how many millions of documents were shared.. oh wait, there weren't. Unlike all the recent Credit Card compromises we have heard about. And those would be from not what we would consider "super-naive" companies. This is FUD plain and simple.
But perspective folks, this isn't the sky falling. A poorly configured server exposed to the Internet will give more info away and is a larger threat due to bots and zombies.
---
"Musashi" - March 7th, 2009 at 3:07 am PST
Cloud Computing Questions:
1. Who owns the data/documents/content?
2. How much access do the data custodians have to your data?
3. How much access SHOULD they have?
4. During an outage, what, if any, recourse do you have to continue doing business with your various collaborators?
5. How secure is your data in the cloud? How patched is the cloud environment? How well monitored is it for violations?
6. Just how interconnected are the various Google sites? Calendar, mail, Docs etc.
I only use Google docs for convenience of sharing a few minor docs. Until I get satisfactory answers to the above questions, nothing business critical or remotely private will be going up.
---
"Musashi" - March 7th, 2009 at 4:21 am PST
Classified business files being shared between business partners over in the cloud can be extremely valuable - especially to a competitor!
Just imagine you're discussing a new product (a new killer app, or product) amongst your colleagues before you've patented the idea and that leaks out (without their knowledge); I'm sure you'll be more worried about that.
Many small businesses are using the cloud (Google or others) to do just that. Their Intellectual Property is extremely valuable to them.
---
"Jean Vincent" - March 7th, 2009 at 9:42 am PST
Sharing information on the web will always have some limitations, but the risk of sharing data without our knowledge can happen with any digital device, including personal computers or companies servers.
Small businesses need to make the choice by assessing their abilities to secure their documents better than Google or other online services.
I think that in that specific case Google could have handled the matter faster and should also have responded to the email from Andy. The final response seems appropriate, they have fixed the problem and notified users.
I also agree that the Beta-forever practice that Google has pioneered is not responsible and undermines users' rights on the web.
Finally there is a lot of confusion in this article and others between the term 'Cloud Computing' and 'Online services'. Cloud Computing is a deployment technology for service developers competing with web hosting, ded
Re:I'll keep my docs offline thanks (Score:4, Insightful)
The big deal is getting a response out of google. It's akin to praying at the Wailing Wall and having God come on down to buy you a Manischewitz.
Man-O-Manischewitz What a Wine!
yeah, like... (Score:3, Insightful)
Yeah, like people never accidentally share [thetechherald.com] secret documents from their desktop machines.
Still better than traditional solutions (Score:3, Insightful)
I'd say the security for SAAS is still probably better than most company/home built installations out there.
I mean, is the HR finances spreadsheet really more secure on the file server for most businesses out there? I doubt it.
At least with Cloud Computing the patches are automatically rolled out to everyone. No "this server hasn't been patched in 2 years because of X, Y, Z" issues.
Re:I'll keep my docs offline thanks (Score:5, Insightful)
Re:Cloud Computing / Online Service Debate (Score:2, Insightful)
Well, I thought some of the comments in TFA were pretty good, so I quoted them here. After posting, I realized I wasn't adding value to the discussion.
I was being entirely redundant. My apologies. I must have been drunk.
Re:What's with the lemming movement in IT... (Score:4, Insightful)
My god, every time someone comes up with a solution in IT, we have this built in expectation that everyone should fall on board. Cloud computing is just the latest. Are we to now upgrade every system to use the "cloud". Are we to do web applications for everything? This isn't an engineering profession, its a fashion one. We're not like Mr. Spock from Star Trek. We're like the guy on America's Next Fashion Designer.
There are a bunch of good reasons web applications have become popular.
First, they're easy to deploy. Put up a web page, point the users to that web page, and you're done. No need for an installer. No need for an updater. No need to convince users to download and run an executable (which is a scary and complex undertaking for many of them).
Second, they're relatively safe for the user. Which puts the user at less risk, navigating to a web site, or downloading and running an executable which may or may not contain malware?
Third, they're cross platform. With a little effort, your web application will run on Windows, OSX, and Linux. This should make Linux users very happy, since it helps even the playing field between Windows and Linux!
Fourth, in many cases, web application providers can offer superior document management. For example, regular users aren't good at keeping backups, and in the old days, just plain said goodbye to their archived email if their hard drive crashed. Or, if they upgraded from a Pentium 3 computer to a Pentium 4 computer, they spent hours trying to configure their new email program, and then more hours trying to move their archived email from their old computer to their new computer. Compare that to web email, which Just Works.
Do web applications involve risks and tradeoffs? Yes, this article demonstrates that. But it's up to individuals to decide what risks and tradeoffs are worthwhile, and many, many people choose web applications because the advantages are worth it to them.
Claiming that web applications are successful only because they're fashionable to developers these days is, well, just plain stupid. The fact is, web applications are the best choice among the alternatives for many users, and plenty of developers recognize that fact and leverage it by building web applications instead of thick client applications.
Re:Well (Score:2, Insightful)
So what's wrong with the wikipedia article:
http://en.wikipedia.org/wiki/Provable_security [wikipedia.org]
Quoting:
Part of the problem stems from the fact that it can be misleading to non-practitioners, since security is not being proved; only a reduction from security to some other unproven assumptions.
According to that, provable security doesn't mean that anything has been proven to be secure.
Re:Google's eternal beta-status (Score:3, Insightful)
Conveniently calling everything "Beta" gives them the leeway you're handing them, you do realize? Some companies actually have to release version 1.0 to keep customers happy.