Quote from: manfredvonrichthofen on March 24, 2012, 03:32:01 PM
I would never use google for anything but a search engine. It just doesn't sound safe enough.
Split from another thread.
Everyone is free to have their own opinion about flavor and texture, but it's time to end the constant FUD about Google (and other cloud services) not being "safe".
Define "safe". Use email? It's being scraped 100 times between "send" and "receive", especially if you're using POP3.
Always log in via HTTPS? Then anyone at the Starbucks who wants to can sniff your passwords in about 30 seconds.
Keep your machine in a locked, climate controlled vault with multiple redundant backups? You're more likely to get your notebook stolen than to have data swiped from a cloud service.
On the Google side, first you have to clarify which product you are discussing - the free accounts? Certainly safe enough for the average Joe, who has nothing to hide, anyway. Their search and ad algorithms are anonymous, but yes, they still have to scrape at the data somewhere. A fair point from the perspective that "you get what you pay for".
However, on the paid apps services, including the free Apps for education (for 501(c)3's), it's a different story. The biggest thing - no ads. None.
How people can tolerate Yahoo, Hotmail, or others adding tag lines to their messages, especially in a professional environment, is beyond me.
The QOS and SLA's are different, offer the same enterprise class support that you get from your tech guy in the basement, and you simply cannot beat the pricing ($50 per user per year, total?, crazy).
Apps for government is FISMA certified, and in use currently by the GSA and NHQ, so it's not like it hasn't been vetted.
Our recent "Excellent" eval used Google services extensively for a number of things, including the main status boards (yes, we had triple redundancy, blah, blah, stone age, etc., etc.), IT received an "Outstanding", BTW, and comments were made that this sort of thing will be propagated elsewhere.
I had an MSA at one of the spin-up practices sit down to update our log, and the first thing she said was "Google? I thought we weren't allowed to use that."
((*sigh*))
That's nice... Still doesn't mean I like the idea of using it. It is really easy for someone to get into your email acct... It has happened to me, and oh yes, I practice OPSEC in overload. But once someone gets into your email they can get it all... Especially if you use yahoo or Facebook or MySpace, those guys are easier than snot to get into.
If you keep all of your important documents on your computer, and don't just leave your computer on the net 24-7 you will be better off. And yes it is possible to get your laptop stolen but you can take precautions for that too. But once you put your documents on the web they will be there forever and you can't get them back off.
Quote from: manfredvonrichthofen on March 24, 2012, 04:23:21 PM
That's nice... Still doesn't mean I like the idea of using it. It is really easy for someone to get into your email acct... It has happened to me, and oh yes, I practice OPSEC in overload. But once someone gets into your email they can get it all... Especially if you use yahoo or Facebook or MySpace, those guys are easier than snot to get into.
If you keep all of your important documents on your computer, and don't just leave your computer on the net 24-7 you will be better off. And yes it is possible to get your laptop stolen but you can take precautions for that too. But once you put your documents on the web they will be there forever and you can't get them back off.
What email account was it? I had my old Yahoo penetrated because it was linked to Facebook (the bane of internet security) and had the same password. That was dumb. That was my fault. It's only easy to get into email accounts when people do stupid things like I did.
If you use Yahoo, Facebook, or MySpace, you are basically turning over your life and deserve what you get. None of them offer a paid service, and their TOS' indicate you're pretty much fair game for "whatever". People who enable Facebook Connect might just as well leave their front doors unlocked at night.
Taking your machine off the net just means whatever malware you might have won't kick in until you turn it back on. It doesn't make your machine any more, or less secure. If you have your home network configured with a firewall, have the firewall activated on your workstation (or don't use Windows, or both), use a good adblocker, stay away from IE, there's not much area to really be exposed.
Spam? I never see it. Literally. I can't imagine how people can use the net via Yahoo - between all the noise on the interface, the ads, and other nonsense, it's barely usable. I have an account from BITD that I still use just for testing - it's got hundreds of messages in the INBOX when I log in, all SPAM.
Try Chrome with AD Block (Beta). It's a transformative web experience. Same with Mozilla. IE on the other hand makes it difficult to block ads at all.
Connected, when possible, using https is a big piece as well.
To each his own, but FUD is not cricket just to make a point.
I have enough bills, and free services work just fine... Also I use Ubuntu, so I don't have the weaknesses of Windows anymore. Plus I just don't want anything that is CAP related that can give member info or anything on the web, it just puts it at that much more risk, and yes, anything that is on the Internet is at risk.
Ubuntu isn't any more secure than Windows. They fall around the same time in competitions.
Quote from: Extremepredjudice on March 24, 2012, 05:21:19 PM
Ubuntu isn't any more secure than Windows. They fall around the same time in competitions.
The reason they fall in the same timeframe is because it is a competition and the people who make Ubuntu programs are in the competition. People who make a program aren't going to attack the program, because then no one would use their program. The safety is in knowing that the program is user made and people don't drop a turd on their own doorstep. That is why Sony gets hacked and Microsoft gets hacked and people who use Microsoft and Sony get hacked, I can't count the number of times I have heard of Microsoft users getting hacked, but I can count the number of times I have heard of Linux users getting hacked and it is zero.
Sorry, but every time I hear someone say they don't like, say, "Google" but can't really articulate why they think it's a problem, IMHO that's useless posturing. We might as well have the "Ford-Chevy-Dodge" thing here. How about a picture of Calvin peeing on an Apple?
I know a young man who swears up and down he codes his web pages in vi. I think he's crazy, but OK. Again: posturing. I'm not a fan of Dreamweaver, but some people can make it sit up and beg biscuits.
Spend a week doing the kind of IT work I'm doing now, and you'll be like "Pffft. Google is 100x more secure than the dipstick firm owner that doesn't want his people to change the password that is the same on everybody's account. Or the guy who refuses to buy a firewall because he's certain his server is 'secure enough'." Google is like Fort Knox compared to 90% of the businesses I work with.
What next? "I won't use Microsoft Word, cuz Microsoft sucks!" OK..
Quote from: manfredvonrichthofen on March 24, 2012, 04:40:41 PM
I have enough bills, and free services work just fine... Also I use Ubuntu, so I don't have the weaknesses of Windows anymore. Plus I just don't want anything that is CAP related that can give member info or anything on the web, it just puts it at that much more risk, and yes, anything that is on the Internet is at risk.
Yes, anything on the Internet is at risk. But then again, so is every single fricken thing in life. Records in filing cabinets at squadrons and headquarters across the United States and overseas are also at risk. Paperwork in snailmail transit between units and NHQ is at risk. The CAP files I have at home are at risk. Risk exists in the world, but you cannot fail to make forward progress because you are paranoid of the "what if".
Civil Air Patrol teaches ORM, right? Applying ORM to both paper and electronic records and databases all will identify risk. The point is that both the physical records and electronic versions all have reasonable risk management efforts in place to mitigate those potential risks. In fact, I'd posit that it takes a lot less effort, time, and certainly less skill for someone to take a pair of bolt-cutters to the standard combo lock required on some CAP filing cabinets than it would be to break into a CAP member's Google Docs account.
You will never secure any information 100% so for an organization that doesn't work with national security information we should not be allowing fear-of-the-misunderstood to prevent us from advancing our technologies, reducing volunteer workload, and improving efficiency.
If you're really that concerned for the safety of your personal information, then you can better mitigate your personal risk by not joining organizations like CAP which by necessity of existing have to collect PII (personally-identifiable information) to operate.
Quote from: Eclipse on March 24, 2012, 03:41:15 PM
Define "safe".
For me, "safe" means a reasonable belief that your data isn't being indexed and used to build a profile about you so that you can be targeted in the future with advertisements for the benefit of Google's bottom line.
I don't have that reasonable belief.
What's that got to do with "safety"?
It's also not a realistic expectation unless you disengage from the entirety of the banking system, internet, mobile phone use, cable / satellite television use, home phone use, all credit cards, insurance, and live in a mountain home using barter for your seed corn.
Quote from: Eclipse on March 24, 2012, 09:59:39 PM
What's that got to do with "safety"?
It's also not a realistic expectation unless you disengage from the entirety of the banking system, internet, mobile phone use, cable / satellite television use, home phone use, all credit cards, insurance, and live in a mountain home using barter for your seed corn.
Sir, you asked for his belief. >:D
Quote from: bflynn on March 24, 2012, 09:46:11 PM
Quote from: Eclipse on March 24, 2012, 03:41:15 PM
Define "safe".
For me, "safe" means a reasonable belief that your data isn't being indexed and used to build a profile about you so that you can be targeted in the future with advertisements for the benefit of Google's bottom line.
I don't have that reasonable belief.
Sir, you realize this conversation is being indexed for better ads?
Google isn't the only one doing this. All ad bureaus are trying to do what Google does. You probably have ad-ware and tracking stuff right on your computer right now.
Here opt out: https://www.google.com/settings/u/0/ads/preferences/?hl=en This page also lets you know what Google thinks of you.
Quote from: Extremepredjudice on March 24, 2012, 10:57:45 PM
Here opt out: https://www.google.com/settings/u/0/ads/preferences/?hl=en This page also lets you know what Google thinks of you.
Google thinks I'm a guy for all three of my accounts. :P
Quote from: bflynn on March 24, 2012, 09:46:11 PM
Quote from: Eclipse on March 24, 2012, 03:41:15 PM
Define "safe".
For me, "safe" means a reasonable belief that your data isn't being indexed and used to build a profile about you so that you can be targeted in the future with advertisements for the benefit of Google's bottom line.
I don't have that reasonable belief.
So...in other words, what is THIS safety for? Certainly not an issue with the safety of your data...
Also, if you are concerned about 3rd parties, go to encrypted.google.com. Or you can download an extension on Chrome or FF that forces encryption.
Quote from: crisptheyounger on March 24, 2012, 11:09:38 PM
Quote from: Extremepredjudice on March 24, 2012, 10:57:45 PM
Here opt out: https://www.google.com/settings/u/0/ads/preferences/?hl=en This page also lets you know what Google thinks of you.
Google thinks I'm a guy for all three of my accounts. :P
lol
Quote from: usafaux2004 on March 25, 2012, 01:14:39 AM
So...in other words, what is THIS safety for? Certainly not an issue with the safety of your data...
With confidentiality of data, yes. While I'm about 95% certain Google would never purposefully release a document, I'm only about 25% certain they won't look at it. They're not doing this because they're nice people, they're doing this because they want to know as much about you as possible so they can make as much money as possible.
I'm not down with that.
The same could be said for pretty much any type of provider. Be it cloud, IT dept. heads, server admins, server daemon software vendor support people. ....
Email server software? I can read your email. Your attachments. Etc.
Do I?
No freakin' way in hell. Not even going to go there.
Is it in Google's best interest to even allow that kind of news to propagate in any form that could be construed as even somewhat serious?
Your data is way way way more vulnerable by your own stupid moves than "them" singling you out.
"I don't use my credit card on the internet. It's not 'safe'".
In just the time I typed that line, who knows how many credit card numbers were processed. Do you use it at a restaurant? A hotel? .. "yes, but those are not online." LOLOLOLOL. Really? How do you think the transaction gets processed? Oh, and when you plunk the card down on the payment tray, and they take it away and bring it back to you -- what's to stop them from giving it to a friend at a table to make an imprint, use a phone camera, or ... simply write down the number?
The unscrupulous clerk at the 'Six, when you hand over your card for the night's charges, they could have an imprinter just around the corner when they take it behind that wall to "swipe" it. I checked into a "corporate" hotel near Dulles Airport one evening, no sooner than I got to my room, according to an alert I got the next day, a Fredericks of Hollywood order was placed. *online*
Several of us found random charges on our debit cards, under $25 ... $24.84, $23.98, etc. What was the common factor? The only thing we could figure out was we'd all bought gas on base in the previous two days. The processing companies won't even bother investigating under $25 - so they run a crapton of cards for piddle amounts.
Great point.
I asked a customer recently for his password so I could login to his machine following a restart while he was away from his desk. He said "I can't give you my password, you might read my email."
I told him "I could read your email now, but why the hell would I?"
Quote from: a2capt on March 25, 2012, 03:48:27 AM
"I don't use my credit card on the internet. It's not 'safe'".
I work in e-commerce.
This is how my phone conversations go:
"Can I just give you my card number (and address, and expiration, and pin on the back!) over the phone? I don't trust using my card online".
First of all, sure, you can give me the card number, to a PERSON, who has to manually input it...into paypal...online.
Along the way I could copy it all down. It STILL ends up going online. AND I get all the extra benefits of seeing it.
People just don't get it. When I receive a PayPal payment, at most I see their billing/shipping address. When they want to be 'safe' they give away ALL of the requisite information to a person, not an automated system.
Just gotta get with the times.
Honestly, I am not that concerned about identity theft, my credit card numbers being used, etc. Unless you are still using your credit card from 1978, that still uses the original card holder agreement, any legitimate card issuer is going to reimburse fraudulent charges, and send a new card.
If some undocumented worker wants to use my social to get a job, so be it. What's going to happen? They add more into my retirement account? Do I care if someone knows my power company login information? Are they going to pay my bill?
Sure, there are some aspects that are a little more troublesome to deal with when they happen, but I think people make a bigger deal out of it than it really is. "Oh no! Someone rang up 7k in charges I'm not liable for!"
To me the risk certainly isn't worth not participating in the world around me and only paying for things in gold bullion...
http://m.networkworld.com/news/2009/071509-theft-twitter-docs.html?mm_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dgoogle%2Bapps%2Bhack%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den%26client%3Dsafari#mobify-bookmark
Even Google has stated that their service is consumer grade and isn't meant to protect information, it is made for easy widespread information sharing.
EDIT: it wasn't Google itself that said that, it was another. But it still stands, security still isn't what Google Apps was created for.
Quote from: manfredvonrichthofen on March 28, 2012, 02:52:22 PM
http://m.networkworld.com/news/2009/071509-theft-twitter-docs.html?mm_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dgoogle%2Bapps%2Bhack%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den%26client%3Dsafari#mobify-bookmark
Even Google has stated that their service is consumer grade and isn't meant to protect information, it is made for easy widespread information sharing.
EDIT: it wasn't Google itself that said that, it was another. But it still stands, security still isn't what Google Apps was created for.
Sorry, more FUD, and not even a current story, and exactly my point here.
In the above: "Insufficient password strength has been pegged as a root cause". If your password is "password" or "abc123", you deserve what you get. I've had clients try to make the same case, while their passwords were written on a post-it stuck to their monitor, or written on their calendar. If the combo lock to Cheyenne Mountain is the same as the commander's luggage, that huge door won't make much difference.
1, 2, 3, 4, 5 (http://www.youtube.com/watch?v=K95SXe3pZoY#)
Further from the article:
But Gartner analyst John Pescatore says customers should remember that "Twitter and most of Google Apps until, say, 18 months ago, were built as consumer-grade services to share information very widely and easily, not to protect information and prevent information from flowing."
Also, which version? The article doesn't say, but there are about 5 major differences between the consumer free version called "Gmail", and the various business-level services. Since this article was written, various versions of the product have been both FISMA and SSAE certified as applicable, among other industry certifications.
And lastly, to compare Twitter and GApps in the same article is silly, they don't provide the same services, and Twitter makes no bones that everything you do is fair game. They are only in the same article because a Twitter guy used a bad password and his stuff was leaked, anyone else surprised that a person inclined to make his location and meal habits public would also have poor judgement in regards to passwords?
Here's current information on Apps for Nonprofits privacy and security.
http://www.google.com/apps/intl/en/edu/privacy.html
I do not disagree, Twitter is about the stupidest thing a person can do, even Facebook when you allow it to update everyone in the world with where you are via Google Maps. And yes, everyone who leaves their password on their computer monitor deserves to get hacked, but when my password is somewhere around ten characters long mixed with uppercase and lowercase letters and numbers with punctuation marks, why is my stuff able to be hacked? No, I don't use Google Apps, I do use Yahoo for the mundane junk, and Facebook as privately as possible with their setting options, why, if my stuff has a password that strong, is it able to be hacked? It has happened to me, and that makes me wary of putting anything like rosters or operations stuff on the Internet. All it takes is a back door Trojan to mess everything up that the current software can't recognize.
Quote from: manfredvonrichthofen on March 28, 2012, 03:48:49 PM
I do not disagree, Twitter is about the stupidest thing a person can do, even Facebook when you allow it to update everyone in the world with where you are via Google Maps. And yes, everyone who leaves their password on their computer monitor deserves to get hacked, but when my password is somewhere around ten characters long mixed with uppercase and lowercase letters and numbers with punctuation marks, why is my stuff able to be hacked? No, I don't use Google Apps, I do use Yahoo for the mundane junk, and Facebook as privately as possible with their setting options, why, if my stuff has a password that strong, is it able to be hacked? It has happened to me, and that makes me wary of putting anything like rosters or operations stuff on the Internet. All it takes is a back door Trojan to mess everything up that the current software can't recognize.
A backdoor trojan is the fault of the user, not the service. You could have a 100-character alpha/numeric/special/case sensitive password, and if there's a key logger on your machine, it'll capture that, just the same as "abc123". You can't blame a server system for lax client security.
You're using Yahoo and Facebook - two services notorious for lax user controls, troublesome privacy policies, and hosting uber-spam. I'm not at all surprised you got hacked.
Transform your universe - switch to gmail, dump Facebook, switch to either Mozilla or Chrome with a good AD Blocker, and make sure you're using a robust, low-footprint antivirus like AVG. Uninstall any and all toolbars on your machine, and run Spybot S&D and Malwarebytes until you get zero hits.
The web will literally be a different, more friendly place to play.
Use Mozilla, AVG and Spybot, but I do still use Yahoo, for the simple and likely stupid fact that I have used it for the past 15 years. And the thought that it is the system that I used 15 years ago, and no not the same account as 15 years ago, probably says something, but really, is it worth the $50 if I would still NEVER put anything sensitive out like that?
Quote from: manfredvonrichthofen on March 28, 2012, 04:24:17 PM
Use Mozilla, AVG and Spybot, but I do still use Yahoo, for the simple and likely stupid fact that I have used it for the past 15 years. And the thought that it is the system that I used 15 years ago, and no not the same account as 15 years ago, probably says something, but really, is it worth the $50 if I would still NEVER put anything sensitive out like that?
The base-level free Gmail is night and day better than Yahoo, regardless, so $50 isn't required, however if the only reason you won't use your machine in a way that might make your universe easier is because you are afraid of it, then the $50 might be well spent.
The reality is that your needs may not require the kinds of Groupware apps that others do, or you're just not interested in them, but either way, you don't have to view your connected universe as somehow "less secure" or "scary" if you take some simple steps.
If you're already using Mozilla, make sure you've got a good ad-blocker extension and dump all the toolbars, etc.