Google Apps Security - time to end the FUD

Started by Eclipse, March 24, 2012, 03:34:05 PM


Eclipse

Quote from: manfredvonrichthofen on March 24, 2012, 03:32:01 PM
I would never use google for anything but a search engine. It just doesn't sound safe enough.

Split from another thread.

"That Others May Zoom"

Eclipse

Everyone is free to have their own opinion about flavor and texture, but it's time to end the constant FUD about Google (and other cloud services) not being "safe".

Define "safe".  Use email?  It's being scraped 100 times between "send" and "receive", especially if you're using POP3.
Always log in via HTTPS?  Then anyone at the Starbucks who wants to can sniff your passwords in about 30 seconds.
Keep your machine in a locked, climate controlled vault with multiple redundant backups?  You're more likely to get your notebook stolen than to have data swiped from a cloud service.

On the Google side, first you have to clarify which product you are discussing - the free accounts?  Certainly safe enough for the average joe, who has nothing to hide, anyway.  Their search and ad algorithms are anonymous, but yes, they still have to scrape at the data somewhere.  A fair point from the perspective that "you get what you pay for".

However, on the paid apps services, including the free Apps for education (for 501(c)3's), it's a different story.  The biggest thing - no ads.  None.
How people can tolerate Yahoo, Hotmail, or others adding tag lines to their messages, especially in a professional environment, is beyond me.

The QOS and SLA's are different, offer the same enterprise class support that you get from your tech guy in the basement, and you simply cannot beat the pricing ($50 per user per year, total?, crazy).

Apps for government is FISMA certified, and in use currently by the GSA and NHQ, so it's not like it hasn't been vetted.

Our recent "Excellent" eval used Google services extensively for a number of things, including the main status boards (yes, we had triple redundancy, blah, blah, stone age, etc., etc.), IT received an "Outstanding", BTW, and comments were made that this sort of thing will be propagated elsewhere.

I had an MSA at one of the spin-up practices sit down to update our log, and the first thing she said was "Google? I thought we weren't allowed to use that."

((*sigh*))

"That Others May Zoom"

manfredvonrichthofen

That's nice... Still doesn't mean I like the idea of using it. It is really easy for someone to get into your email acct... It has happened to me, and oh yes, I practice OPSEC in overload. But once someone gets into your email they can get it all... Especially if you use yahoo or Facebook or MySpace, those guys are easier than snot to get into.

If you keep all of your important documents on your computer, and don't just leave your computer on the net 24-7 you will be better off. And yes it is possible to get your laptop stolen but you can take precautions for that too. But once you put your documents on the web they will be there forever and you can't get them back off.

davidsinn

Quote from: manfredvonrichthofen on March 24, 2012, 04:23:21 PM
That's nice... Still doesn't mean I like the idea of using it. It is really easy for someone to get into your email acct... It has happened to me, and oh yes, I practice OPSEC in overload. But once someone gets into your email they can get it all... Especially if you use yahoo or Facebook or MySpace, those guys are easier than snot to get into.

If you keep all of your important documents on your computer, and don't just leave your computer on the net 24-7 you will be better off. And yes it is possible to get your laptop stolen but you can take precautions for that too. But once you put your documents on the web they will be there forever and you can't get them back off.

What email account was it? I had my old Yahoo penetrated because it was linked to Facebook (the bane of internet security) and had the same password. That was dumb. That was my fault. It's only easy to get into email accounts when people do stupid things like I did.
Former CAP Captain
David Sinn

Eclipse

If you use Yahoo, Facebook, or MySpace, you are basically turning over your life and deserve what you get.  None of them offer a paid service, and their TOS' indicate you're pretty much fair game for "whatever".  People who enable Facebook Connect might just as well leave their front doors unlocked at night.

Taking your machine off the net just means whatever malware you might have won't kick in until you turn it back on.  It doesn't make your machine any more, or less secure.  If you have your home network configured with a firewall, have the firewall activated on your workstation (or don't use Windows, or both), use a good adblocker, stay away from IE, there's not much area to really be exposed.

Spam?  I never see it.  Literally.  I can't imagine how people can use the net via Yahoo - between all the noise on the interface, the ads, and other nonsense, it's barely usable.  I have an account from BITD that I still use just for testing - it's got hundreds of messages in the INBOX when I log in, all SPAM.

Try Chrome with AD Block (Beta).  It's a transformative web experience.  Same with Mozilla.  IE on the other hand makes it difficult to block ads at all.

Connecting, when possible, using https is a big piece as well.

To each his own, but FUD is not cricket just to make a point.

"That Others May Zoom"

manfredvonrichthofen

I have enough bills, and free services work just fine... Also I use Ubuntu, so I don't have the weaknesses of Windows anymore. Plus I just don't want anything that is CAP related that can give member info or anything on the web, it just puts it at that much more risk, and yes, anything that is on the Internet is at risk.

Extremepredjudice

Ubuntu isn't any more secure than windows. They fall around the same time in competitions.
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

manfredvonrichthofen

Quote from: Extremepredjudice on March 24, 2012, 05:21:19 PM
Ubuntu isn't any more secure than windows. They fall around the same time in competitions.
The reason they fall in the same timeframe is because it is a competition and the people who make Ubuntu programs are in the competition. People who make a program aren't going to attack the program, because then no one would use their program. The safety is in knowing that the program is user made and people don't drop a turd on their own doorstep. That is why Sony gets hacked and Microsoft gets hacked and people who use Microsoft and Sony get hacked. I can't count the number of times I have heard of Microsoft users getting hacked, but I can count the number of times I have heard of Linux users getting hacked and it is zero.

NIN

Sorry, but every time I hear someone say they don't like, say, "Google" but can't really articulate why they think it's a problem, IMHO that's useless posturing.  We might as well have the "Ford-Chevy-Dodge" thing here. How about a picture of Calvin peeing on an Apple?

I know a young man who swears up and down he codes his web pages in vi.  I think he's crazy, but OK.  Again: posturing.  I'm not a fan of Dreamweaver, but some people can make it sit up and beg biscuits.

Spend a week doing the kind of IT work I'm doing now, and you'll be like "Pffft. Google is 100x more secure than the dipstick firm owner that doesn't want his people to change the password that is the same on everybody's account.  Or the guy who refuses to buy a firewall because he's certain his server is 'secure enough'."   Google is like Fort Knox compared to 90% of the businesses I work with.

What next? "I won't use Microsoft Word, cuz Microsoft sucks!"  OK..

Darin Ninness, Col, CAP
Wing Dude, National Bubba
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2024 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Pylon

Quote from: manfredvonrichthofen on March 24, 2012, 04:40:41 PM
I have enough bills, and free services work just fine... Also I use Ubuntu, so I don't have the weaknesses of Windows anymore. Plus I just don't want anything that is CAP related that can give member info or anything on the web, it just puts it at that much more risk, and yes, anything that is on the Internet is at risk.


Yes, anything on the Internet is at risk.  But then again, so is every single fricken thing in life.  Records in filing cabinets at squadrons and headquarters across the United States and overseas are also at risk.  Paperwork in snailmail transit between units and NHQ is at risk.  The CAP files I have at home are at risk.   Risk exists in the world, but you cannot fail to make forward progress because you are paranoid of the "what if".


Civil Air Patrol teaches ORM, right?  Applying ORM to both paper and electronic records and databases all will identify risk.  The point is that both the physical records and electronic versions all have reasonable risk management efforts in place to mitigate those potential risks.  In fact, I'd posit that it takes a lot less effort, time, and certainly less skill for someone to take a pair of bolt-cutters to the standard combo lock required on some CAP filing cabinets than it would be to break into a CAP member's Google Docs account.


You will never secure any information 100% so for an organization that doesn't work with national security information we should not be allowing fear-of-the-misunderstood to prevent us from advancing our technologies, reducing volunteer workload, and improving efficiency.


If you're really that concerned for the safety of your personal information, then you can better mitigate your personal risk by not joining organizations like CAP which by necessity of existing have to collect PII (personally-identifiable information) to operate.
Michael F. Kieloch, Maj, CAP

bflynn

Quote from: Eclipse on March 24, 2012, 03:41:15 PM
Define "safe".

For me, "safe" means a reasonable belief that your data isn't being indexed and used to build a profile about you so that you can be targeted in the future with advertisements for the benefit of Google's bottom line.

I don't have that reasonable belief.

Eclipse

What's that got to do with "safety"?

It's also not a realistic expectation unless you disengage from the entirety of the banking system, internet, mobile phone use, cable / satellite television use, home phone use, all credit cards, insurance, and live in a mountain home using barter for your seed corn.

"That Others May Zoom"

Extremepredjudice

Quote from: Eclipse on March 24, 2012, 09:59:39 PM
What's that got to do with "safety"?

It's also not a realistic expectation unless you disengage from the entirety of the banking system, internet, mobile phone use, cable / satellite television use, home phone use, all credit cards, insurance, and live in a mountain home using barter for your seed corn.
Sir, you asked for his belief.  >:D

Quote from: bflynn on March 24, 2012, 09:46:11 PM
Quote from: Eclipse on March 24, 2012, 03:41:15 PM
Define "safe".

For me, "safe" means a reasonable belief that your data isn't being indexed and used to build a profile about you so that you can be targeted in the future with advertisements for the benefit of Google's bottom line.

I don't have that reasonable belief.
Sir, you realize this conversation is being indexed for better ads?

Google isn't the only one doing this. All ad bureaus are trying to do what Google does. You probably have ad-ware and tracking stuff right on your computer right now.


Here opt out: https://www.google.com/settings/u/0/ads/preferences/?hl=en This page also lets you know what Google thinks of you. 
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

crisptheyounger

Quote from: Extremepredjudice on March 24, 2012, 10:57:45 PM
Here opt out: https://www.google.com/settings/u/0/ads/preferences/?hl=en This page also lets you know what Google thinks of you.

Google thinks I'm a guy for all three of my accounts.  :P
Cadet: 2006-2013, Spaatz #1873

Майор Хаткевич

Quote from: bflynn on March 24, 2012, 09:46:11 PM
Quote from: Eclipse on March 24, 2012, 03:41:15 PM
Define "safe".

For me, "safe" means a reasonable belief that your data isn't being indexed and used to build a profile about you so that you can be targeted in the future with advertisements for the benefit of Google's bottom line.

I don't have that reasonable belief.

So...in other words, what is THIS safety for? Certainly not an issue with the safety of your data...

Extremepredjudice

Also, if you are concerned about 3rd parties, go to encrypted.google.com. Or you can download an extension on Chrome or FF that forces encryption.

Quote from: crisptheyounger on March 24, 2012, 11:09:38 PM
Quote from: Extremepredjudice on March 24, 2012, 10:57:45 PM
Here opt out: https://www.google.com/settings/u/0/ads/preferences/?hl=en This page also lets you know what Google thinks of you.

Google thinks I'm a guy for all three of my accounts.  :P
lol
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

bflynn

Quote from: usafaux2004 on March 25, 2012, 01:14:39 AM
So...in other words, what is THIS safety for? Certainly not an issue with the safety of your data...

With confidentiality of data, yes.  While I'm about 95% certain Google would never purposefully release a document, I'm only about 25% certain they won't look at it.  They're not doing this because they're nice people, they're doing this because they want to know as much about you as possible so they can make as much money as possible.

I'm not down with that.

a2capt

The same could be said for pretty much any type of provider. Be it cloud, IT dept. heads, server admins, server daemon software vendor support people. ....

Email server software? I can read your email. Your attachments. Etc.

Do I?

No freakin' way in hell. Not even going to go there.

Is it in Google's best interest to even allow that kind of news to propagate in any form that could be construed as even somewhat serious?

Your data is way way way more vulnerable by your own stupid moves than "them" singling you out.

"I don't use my credit card on the internet. It's not 'safe'".

In just the time I typed that line, who knows how many credit card numbers were processed.  Do you use it at a restaurant? A hotel? .. "yes, but those are not online." LOLOLOLOL. Really? How do you think the transaction gets processed? Oh, and when you plunk the card down on the payment tray, and they take it away and bring it back to you -- what's to stop them from giving it to a friend at a table to make an imprint, use a phone camera, or ... simply write down the number?

The unscrupulous clerk at the 'Six, when you hand over your card for the night's charges, they could have an imprinter just around the corner when they take it behind that wall to "swipe" it. I checked into a "corporate" hotel near Dulles Airport one evening, no sooner than I got to my room, according to an alert I got the next day, a Fredericks of Hollywood order was placed.  *online*

Several of us found random charges on our debit cards, under $25 ... $24.84, $23.98, etc. What was the common factor? The only thing we could figure out was we'd all bought gas on base in the previous two days.  The processing companies won't even bother investigating under $25 - so they run a crapton of cards for piddle amounts.

NIN

Great point.

I asked a customer recently for his password so I could login to his machine following a restart while he was away from his desk.  He said "I can't give you my password, you might read my email."

I told him "I could read your email now, but why the hell would I?"

Darin Ninness, Col, CAP
Wing Dude, National Bubba
I like to have Difficult Adult Conversations™
The contents of this post are Copyright © 2007-2024 by NIN. All rights are reserved. Specific permission is given to quote this post here on CAP-Talk only.

Майор Хаткевич

Quote from: a2capt on March 25, 2012, 03:48:27 AM
"I don't use my credit card on the internet. It's not 'safe'".

I work in e-commerce.

This is how my phone conversations go:

"Can I just give you my card number (and address, and expiration, and pin on the back!) over the phone? I don't trust using my card online".

First of all, sure, you can give me the card number, to a PERSON, who has to manually input it...into PayPal...online.

Along the way I could copy it all down. It STILL ends up going online. AND I get all the extra benefits of seeing it.

People just don't get it. When I receive a PayPal payment, I at most see their billing/shipping address. When they want to be 'safe' they give away ALL of the requisite information to a person, not an automated system.

Just gotta get with the times.