Top 10 Reasons Google Has Culpability in Gmail Security Breach — Security is Google Achilles Heel Part XII
June 3, 2011
Google’s deep aversion to accountability was in full view in its blog response to the latest gmail security breach, in which Google placed almost all of the blame on users and others while largely trying to absolve itself of responsibility and accountability in the matter, despite being the world’s largest repository of private, sensitive and secret information.
Top 10 Reasons Google Has Culpability & Needs More Accountability:
- No other entity has a mission to “organize the world’s information and make it universally accessible and useful.” This gives Google a unique responsibility to aspire to be the world’s leader in information security.
- No other entity actually collects all the world’s information, making mirror copies of the entire Internet many times daily and handling some 5 exabytes of data every two days, about as much information as was created from the beginning of time to 2003.
- No other entity stores all of its information in one unified “BigTable” database eschewing the normal security protocol of compartmentalizing information to prevent catastrophic universal data breaches.
- No other entity so plainly and corporately prioritizes speed and efficiency of data access over the security, privacy and other internal controls on that data.
- No other Fortune 500 company so officially relies on crowd-sourcing its non-expert users and others as its primary line of security defense, rather than taking corporate responsibility for maximizing the security of the information and people entrusted to Google for safekeeping and protection.
- No other entity ties a single password to access to more products and services (more than 500) than Google, a practice Google-security expert Greg Conti describes as a “single point of failure” problem.
- No other entity that we know of has had its entire password-security code stolen wholesale by hackers as Google has, per John Markoff’s front-page exposé in the New York Times. This is relevant given Google’s representation to the public that “it is important to stress that our internal systems have not been affected — these account hijackings were not the result of a security problem with gmail itself.”
- No other entity has made more personal profiles (35 million Google Profiles) publicly accessible for easy bulk downloading by hackers, effectively aiding and abetting spear phishers, than Google, per a recent study by University of Amsterdam PhD student Matthijs R. Koot. This is relevant to the latest gmail security breach because it was spear-phishing-driven.
- No other entity has been accused by the U.S. Department of Justice, in court documents, of publicly misrepresenting that a suite of Google software related to gmail was FISMA certified. This is relevant here because Google represented that it was compliant with the Federal Information Security Management Act when it was not, which could have led Government employees who used gmail, and who were compromised in the latest gmail breach, to believe they were secure in using gmail when they were not.
- And the most disturbing reason of all: Google is the only entity in the world to decide at the highest executive levels to index Julian Assange’s stolen Wikileaks cables and make them universally accessible and useful to bad actors, terrorists, crooks and hackers like those behind the latest gmail breach of senior U.S. Government officials.
- (This is highly relevant in this case because spear phishing depends on learning intimate, accurate details of groups and their communications about secret information, details that enable a hacker to fraudulently misrepresent themselves and gain officials’ trust, which would not have happened but for the hackers’ knowledge of secret Wikileaks documents made available through Google search.)
In sum, not only is Google not taking responsibility and accountability for its users’ security as one would expect of any top brand and purported good corporate citizen, but Google has made a series of strategic and tactical corporate decisions that have systematically and materially facilitated the success of security breaches like the one that occurred this week with gmail.
- Most troubling of all is Google’s willful disregard for national security secrets, confidential and sensitive government communications, and privacy in deciding at the highest levels to make Julian Assange’s stolen Wikileaks cables universally accessible and useful to hackers like the ones who hacked Google’s gmail, which appears potentially to have aided and abetted our Nation’s enemies in compromising our national security.
- At a minimum, appropriate oversight by inspectors general and Congressional oversight committees should investigate the connection between this latest gmail spear-phishing attack and the stolen government cables released by WikiLeaks and publicly indexed by Google’s search engine.
- The purpose of this oversight would be to bring accountability to the situation and to help prevent future gmail and other data breaches to the greatest extent possible.
***
Previous parts of the “Security is Google’s Achilles Heel” Series:
- Part I: “Why security is Google’s Achilles heel”
- Part II: “Google values security much less than others do”
- Part III: “Google: ‘Security is part of our DNA’ (Do Not Ask)”
- Part IV: “Why Security is Google’s Achilles Heel”
- Part V: “Google Apps Security Chief is a magician/mentalist”
- Part VI: “Google-China: Implications for Cybersecurity”
- Part VII: “Did Google Over-React to China Cybersecurity Breach?”
- Part IX: “Google’s Titanic Security Flaws”
- Part X: “A Google Android Botnet Problem”
- Part XI: “Google’s Deep Aversion to Permission”
For even more information, see the Security section of PrecursorBlog’s sister site: www.GoogleMonitor.com; or read the “Security is Google’s Achilles Heel” chapter of my book, Search & Destroy Why You Can’t Trust Google Inc., at www.SearchAndDestroyBook.com.
I’ve long thought there was a big untold story about Google, essentially a book all about Google, but told from a user’s perspective, rather than the well-worn path of Google books told largely from Google’s own paternal perspective.
(You can buy the book, Search & Destroy Why You Can’t Trust Google Inc. at www.SearchAndDestroyBook.com, Telescope Books, Amazon, Kindle, Kindle Apps, Barnes & Noble, The Nook, and The Nook Apps.)
Given that Google is the most ubiquitous, powerful and disruptive company in the world, it seemed logical to me that users, and people affected by Google, had a lot of important and fundamental questions about Google that no book had ever tried to answer in a straightforward and well-defended manner.
- Questions like:
- Can I trust Google with my information?
- Does Google respect my privacy?
- Does Google respect others’ property?
- Is security a priority for Google?
- Is Google as ethical as it claims to be?
- Is Google dominating what information people access?
- Does Google have a hidden political agenda?
- Where is the Google juggernaut taking us?
- Do we want to go there? And if not,
- What can be done about it?
- Search & Destroy Why You Can’t Trust Google Inc. answers these questions based on the facts.
- I believe anyone who reads the book won’t be able to look at Google Inc. the same way again.
- I also believe the book stands on its own.
- After four years of research, 726 endnotes and over 150 quotes from Google executives, the evidence and the case are overwhelming that most people’s trust in Google Inc. is seriously misplaced.
You can find out more about the book, what people are saying about it, news and interviews about the book, and all the places you can buy it, at www.SearchAndDestroyBook.com.
- My outstanding co-author and publisher is Ira Brodsky of Telescope Books.
Below is a summary of the book from the book jacket to give you a better sense of what the book is all about.
“This is the other side of the Google story—the unauthorized book that Google does not want you to read. In Search & Destroy, Google expert Scott Cleland shows that the world’s most powerful company is not who it pretends to be.
Google pretends to be a harmless lamb, but chose a full-size model of a Tyrannosaurus Rex as its mascot. Beware the T-Rex in sheep’s clothing.
Google has acquired far more information, both public and private, and has invented more ways to use it, than anyone in history. Information is power, and in Google’s case, it’s the power to influence and control virtually everything the Internet touches. Google’s power is largely unchecked, unaccountable—and grossly underestimated. Google is the Internet’s lone superpower—the new master of the digital information universe. And Google’s power depends almost entirely on the blind trust it has gained through masterful duplicity. Google routinely says one thing and does another.
Cleland proves the world’s #1 brand untrustworthy. He exposes the unethical company hiding behind a “don’t be evil” slogan. He uncovers Google’s hidden political agenda. And he reveals how Google’s famed mission to organize the world’s information is destructive and wrong. Cleland is the first to critically examine where Google is leading us, explain why we don’t want to go there, and propose straightforward solutions.
Google’s unprecedented centralization of power over the world’s information is corrupting both Google and the Internet—a natural result of unchecked power. Google is evolving from an information servant to master—from working for users, to making users work for the Internet behemoth.
Search & Destroy conclusively demonstrates that Google’s goal is to change the world by influencing and controlling information access. Ultimately, Google’s immense unchecked power is destructive precisely because Google is so shockingly political, unethical and untrustworthy.”
I look forward to your feedback on my new book, Search & Destroy Why You Can’t Trust Google Inc., and would greatly appreciate you sharing this link with your friends and colleagues. Thank you!
Google’s Deep Aversion to Permission — “Security is Google’s Achilles Heel” — Part XI
March 10, 2011
Google’s deep aversion to securing the permission of others before doing something that affects them is central to Google’s famed “innovation without permission” ethos. Sadly, it is also the wellspring of Google’s infamous privacy and security problems.
Where does Google’s deep aversion to permission come from? From Google’s founders, Larry Page and Sergey Brin, according to their mentor Terry Winograd, in Ken Auletta’s book “Googled.”
- “Winograd describes his former students as impatient: ‘Larry and Sergey believe if you try and get everybody on board, it will prevent things from happening. If you just do it, others will come around to realize they were attached to the old ways that were not as good.’ The attitude, he said ‘is a form of arrogance.’”
This week we witnessed the latest high profile example of Google’s deep aversion to getting the permission of others.
A few days ago, Google announced that it had remotely disabled malware-infected Android applications without the permission of the 260,000 Android users who had bought or downloaded the infected applications from Google’s app store.
- This is significant because Google is the only major company that remotely modifies its software on users’ devices without the affirmative permission of the user or owner of the device.
- Other companies responsibly employ a permission-based protocol on the device as a necessary user security line of defense against malware and bad actors.
This lack of permission in remotely taking back what a user bought at its store would be as if representatives of Best Buy walked into your house unannounced and without permission, rummaged around to find what they were looking for, and then took back some of the products you had bought from Best Buy.
- It appears Google’s definition of “openness” means Google need not respect any closed doors, or normal boundaries of others’ privacy, property or sovereignty.
- This Google assumption that no permission is needed for entry is troublesome, because what is to stop Google from remotely peeping on a person’s device as the Google engineer who stalked and taunted teenagers did?
- Google’s first use of its remote snooping-and-retrieval open window into all Android devices raises the question: what information exactly does Google take and record from Android devices?
- Simply, how “open” are Android devices to Google’s remote intervention without a user’s authorization?
Ironically, Google’s aversion to permission was also a big cause of Google’s security problem this week. Amazingly, Google’s app store still does not review or approve applications before they are offered to the public, as Apple and others responsibly do.
- Google’s aversion to having developers ask Google for permission before offering users apps that may be infected with dangerous and harmful malware would be like an airport that did not believe people should have to ask for permission to board an airplane, because requiring a passport/ID or a physical examination of their bags for bombs or weapons would not be “open.”
- Clearly openness comes before security for Google; and that may be good for Google but not good for Google users.
Interestingly, we learned something else this week from All Things Digital that Google does without asking anyone’s permission and that puts users in greater danger of identity theft or phishing fraud.
Google is now actively engaging in identity aggregation and creating “AuthorRanks” (Google’s euphemism for a user profile/social graph) without permission – in order to better compete with Facebook.
- Remember in September when Google CEO Schmidt creepily warned that if Facebook did not give Google’s search engine crawling access to the private Facebook data it wanted, Google had other, unmentioned means to get that social-graph information on users?
- Well, now Google has told us how it is able to target users based on their social graph as Facebook does.
- Please see Liz Gannes’s excellent piece in All Things Digital on this, in which Google’s representative said:
- “We actually do try to map to one true person… the more we can do to associate content to one person, the better… …we measure everything at Google.”
- The security implications of this are obvious. Google has long been the biggest target for hackers, phishers and fraudsters, and now Google holds the best user profiles in the world for them to steal and use for fraud and other bad acts. (And per a front-page New York Times story, we know that Google’s entire password security system was hacked and stolen in late 2009.)
- Google now has probably the most complete and valuable user profiles on people in the world — and all done without the users’ permission.
There are other high-profile examples of how Google’s aversion to permission has played out and has put users at greater risk of harm.
- Google’s conscious decision to make all the stolen Wikileaks documents available to the world via Google search, without asking any of the owners of that private or secret information for permission, put untold lives at risk around the world.
- Google’s Street View videographing of people’s homes without permission has created privacy and security consternation in almost all the countries Google has videographed.
- Google’s WiSpy recording of everyone’s private WiFi communications without the permission of the people affected may be the most high-profile example of what happens when Google puts others at risk for its own gain without their permission.
In sum, there are obvious privacy and security reasons why societies expect that if one is going to negatively affect or endanger another by one’s actions, one needs to get their permission first, so that the person affected can decide whether they are willing or able to accept the risk involved.
Google’s business assumption and standard practice that they largely do not need the permission of others is reckless and irresponsible, and may make Google the Internet’s worst security menace.
***
Previous parts of the “Security is Google’s Achilles Heel” Series:
- Part I: “Why security is Google’s Achilles heel”
- Part II: “Google values security much less than others do”
- Part III: “Google: ‘Security is part of our DNA’ (Do Not Ask)”
- Part IV: “Why Security is Google’s Achilles Heel”
- Part V: “Google Apps Security Chief is a magician/mentalist”
- Part VI: “Google-China: Implications for Cybersecurity”
- Part VII: “Did Google Over-React to China Cybersecurity Breach?”
- Part IX: “Google’s Titanic Security Flaws”
- Part X: “A Google Android Botnet Problem”
For even more information, see the Security section of PrecursorBlog’s sister site: www.GoogleMonitor.com.
Mobile Content: Google’s Commons vs. Apple’s Market
February 17, 2011
Mobile content producers do not have a truly competitive choice between Google’s 10% fee One Pass service and Apple’s 30% fee subscription service, as much as they have a value system choice between Google’s Internet commons model and Apple’s property-rights-driven market.
- Google’s One Pass offering looks eerily like its Google TV offering, where major video content owners faced the platform choice between “dumb content” and “Content is King.”
- Given that choice, content-is-king-oriented owners broadly rejected Google’s property-hostile, dumb-content system/model.
- As mobile content providers and carriers, threatened with “dumb content” and bandwidth/spectrum commodification by Google’s “free” commons model, assess their real long-term strategic competitive and value-creation options, they will increasingly look toward, and forward to, the nascent Microsoft-Nokia alliance and RIM’s offering as content-is-king allies and true competitive choices.
As much as Google tries to fool Little Red Riding Hood content owners into believing that Grandma always had such big eyes and big teeth, most mobile content providers will spot the Google commons wolf in disguise.
- Content owners are not naive; they are painfully aware of Google’s decade-long, consistent scofflaw pattern of disregarding the property rights of others.
- To review, without permission, Google:
- Has copied 13 million books (Google Book Settlement); hundreds of thousands of videos (Viacom vs. Google); and billions of news articles and headlines via Google News;
- Has sold the trademarked brands of others to their competitors — for profit (Rosetta Stone vs. Google); and
- Has infringed on the patents of Oracle, Apple, Microsoft, the French and others, to offer a free operating system that does not compensate key patent owners a cent (Oracle vs. Google).
- Nokia rejected Google Android, and almost all major video content programmers have rejected Google TV to date, because content owners and others don’t trust that Google is aligned with their interests in protecting and monetizing their property or in being able to differentiate themselves from their competitors.
Let’s contrast the Google commons with the Apple market to see the real “choice” between what Google Acting CEO Schmidt calls the “openness” of Google and the “closedness” of Apple.
First, from a mobile content producer’s perspective:
- Google’s “Open” means a peer2peer share-fest, a pirate/Wikileaks-sympathetic commons, and a Google ad-dominated ecosystem, where Apple’s “closedness” means a protected, guarded, and subscription-fee monetizable marketplace.
- Google’s open means wide-open transparency and little user privacy, whereas Apple seeks to protect users’ privacy.
- Google’s open means users are on their own in the open Wild West, because Google shifts almost all responsibility for safety and security to others, whereas Apple appreciates that users want a sheriff in town to protect their safety and security from malware, scams and harm, and provides security protection as an integral part of the Apple platform.
Second, Google and Apple both are control-freaks, but Google denies and hides that it is, while Apple wears its obsession with control as a badge of honor.
- Google Android chief, Andy Rubin said about Android: “One of the reasons we’ve achieved such adoption is because we have removed all control.”
- Savvy content owners know that Google’s claim is not true.
- Google has tried to eradicate any control by competitors or competitive complement services to commodify them, but Google still keeps iron grip control over the way users find content (search monopoly) and over the metadata of most all Internet interactions, i.e. their monopoly of market inside information of user demand signals, and advertiser and publisher supply signals.
Third, Google’s Acting CEO Schmidt misrepresents Google’s approach in calling Google’s One Pass a “very publisher-friendly approach… we basically don’t make any money on this,” per the FT.
- Given Google’s well-known commons approach to free information, and its admission here that it doesn’t want to make money on One Pass, why should mobile content owners trust that Google wants them to make money long term, when it is clear Google sees little value in content itself and sees all the value creation on the web in brokering who wants what content?
In sum, Google’s modus operandi is to lure content owners into the Google platform in any way they can because Google wants to collect all the business-valuable metadata involved with the content: i.e. user traffic demand and private user-hot-buttons; advertiser/publisher supply of advertising including the exact user demographic they are seeking — so that Google can be the centralized and dominant infomediary on the Internet, where everyone else is dependent on Google to succeed in matching up their content with users on the Internet.
- Little Red Riding Hood mobile content should easily spot the Google commons wolf in Grandma’s clothes here, the huge-toothy smile and drooling are dead giveaways.
5 Questions for the FCC on Net Neutrality
February 15, 2011
Here are five questions that would be helpful to have the FCC answer concerning Net Neutrality.
- If the purpose of current telecom law is “to promote competition and reduce regulation,” why does the FCC’s Open Internet order do the opposite and promote regulation and reduce competition?
- Why did the FCC basically implement in its Open Internet order the full thrust of a former House bill, HR 5353, the “Internet Freedom Preservation Act of 2008,” which was never voted on at any level of the House or Senate?
- Given that the word “open” has 88 definitions per Dictionary.com, why did the FCC never define what it meant by the central term “open” in its order, to make clear which definition of “open” the FCC intended? (It seems a very important term to define, given that an “open market” is widely understood to mean one that is not regulated.)
- Was the FCC fair to the broadband industry in officially classifying its business as a “Broadband Internet Access Service,” which has the pejorative acronym “BIAS”? Does this mean that the FCC has concluded, without any evidence, that the entire broadband industry is BIAS-ed and can’t be neutral? (In other words, will the burden of proof be on broadband providers to prove they are not guilty of bias or non-neutrality, rather than being presumed innocent of illegal bias until proven guilty?)
- If the FCC is claiming to have largely unbounded legal authority to regulate the Internet to protect consumers, why did the FCC only choose to regulate competitive companies without market power that haven’t done anything wrong, while ignoring a monopoly like Google that has a dominant position and market power per the DOJ and FTC; that is under antitrust investigation by the EU for not being neutral, and that is facing several private antitrust cases in the U.S. and Europe for not being a neutral search network?