Google Apps Security - time to end the FUD

Started by Eclipse, March 24, 2012, 03:34:05 PM


jimmydeanno

Honestly, I am not that concerned about identity theft, my credit card numbers being used, etc.  Unless you are still using your credit card from 1978, that still uses the original card holder agreement, any legitimate card issuer is going to reimburse fraudulent charges, and send a new card.

If some undocumented worker wants to use my social to get a job, so be it.  What's going to happen?  They add more into my retirement account?  Do I care if someone knows my power company login information?  Are they going to pay my bill?

Sure, there are some aspects that are a little more troublesome to deal with when they happen, but I think people make a bigger deal out of it than it really is.  "Oh no!  Someone rang up 7k in charges I'm not liable for!"

To me the risk certainly isn't worth not participating in the world around me and only paying for things in gold bullion...
If you have ten thousand regulations you destroy all respect for the law. - Winston Churchill

manfredvonrichthofen

#21
http://m.networkworld.com/news/2009/071509-theft-twitter-docs.html?mm_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dgoogle%2Bapps%2Bhack%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den%26client%3Dsafari#mobify-bookmark

Even Google has stated that their service is consumer grade and isn't meant to protect information, it is made for easy widespread information sharing.

EDIT: it wasn't Google itself that said that, it was another. But it still stands, security still isn't what Google Apps was created for.

Eclipse

#22
Quote from: manfredvonrichthofen on March 28, 2012, 02:52:22 PM
http://m.networkworld.com/news/2009/071509-theft-twitter-docs.html?mm_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dgoogle%2Bapps%2Bhack%26ie%3DUTF-8%26oe%3DUTF-8%26hl%3Den%26client%3Dsafari#mobify-bookmark

Even Google has stated that their service is consumer grade and isn't meant to protect information, it is made for easy widespread information sharing.

EDIT: it wasn't Google itself that said that, it was another. But it still stands, security still isn't what Google Apps was created for.

Sorry, more FUD, and not even a current story, and exactly my point here. 

In the above, "Insufficient password strength has been pegged as a root cause": if your password is "password" or "abc123", you deserve what you get. I've had clients try to make the same case, while their passwords were written on a post-it stuck to their monitor, or written on their calendar. If the combo lock to Cheyenne Mountain is the same as the commander's luggage, that huge door won't make much difference.


Further from the article:
But Gartner analyst John Pescatore says customers should remember that "Twitter and most of Google Apps until, say, 18 months ago, were built as consumer-grade services to share information very widely and easily, not to protect information and prevent information from flowing."

Also, which version?  The article doesn't say, but there are about 5 major differences between the consumer free version called "Gmail", and the various business-level services.  Since this article was written, various versions of the product have been both FISMA and SSAE certified as applicable, among other industry certifications.

And lastly, to compare Twitter and GApps in the same article is silly, they don't provide the same services, and Twitter makes no bones that everything you do is fair game.  They are only in the same article because a Twitter guy used a bad password and his stuff was leaked, anyone else surprised that a person inclined to make his location and meal habits public would also have poor judgement in regards to passwords?

Here's current information on Apps for Nonprofits privacy and security.

http://www.google.com/apps/intl/en/edu/privacy.html

"That Others May Zoom"

manfredvonrichthofen

I do not disagree, Twitter is about the stupidest thing a person can do, even Facebook when you allow it to update everyone in the world with where you are via Google Maps. And yes, everyone who leaves their password on their computer monitor deserves to get hacked, but when my password is somewhere around ten characters long mixed with uppercase and lowercase letters and numbers with punctuation marks, why is my stuff able to be hacked? No, I don't use Google Apps, I do use Yahoo for the mundane junk, and Facebook as privately as possible with their setting options, why, if my stuff has a password that strong, is it able to be hacked? It has happened to me, and that makes me wary of putting anything like rosters or operations stuff on the Internet. All it takes is a back door Trojan to mess everything up that the current software can't recognize.

Eclipse

Quote from: manfredvonrichthofen on March 28, 2012, 03:48:49 PM
I do not disagree, Twitter is about the stupidest thing a person can do, even Facebook when you allow it to update everyone in the world with where you are via Google Maps. And yes, everyone who leaves their password on their computer monitor deserves to get hacked, but when my password is somewhere around ten characters long mixed with uppercase and lowercase letters and numbers with punctuation marks, why is my stuff able to be hacked? No, I don't use Google Apps, I do use Yahoo for the mundane junk, and Facebook as privately as possible with their setting options, why, if my stuff has a password that strong, is it able to be hacked? It has happened to me, and that makes me wary of putting anything like rosters or operations stuff on the Internet. All it takes is a back door Trojan to mess everything up that the current software can't recognize.

A backdoor trojan is the fault of the user, not the service.  You could have a 100-character alpha/numeric/special/case sensitive password, and if there's a key logger on your machine, it'll capture that, just the same as "abc123".  You can't blame a server system for lax client security.

You're using Yahoo and Facebook - two services notorious for lax user controls, troublesome privacy policies, and hosting uber-spam.   I'm not at all surprised you got hacked.

Transform your universe - switch to Gmail, dump Facebook, switch to either Mozilla or Chrome with a good ad blocker, and make sure you're using a robust, low-footprint antivirus like AVG.  Uninstall any and all toolbars on your machine, and run Spybot S&D and Malwarebytes until you get zero hits.

The web will literally be a different, more friendly place to play.


"That Others May Zoom"

manfredvonrichthofen

Use Mozilla, AVG and Spybot, but I do still use Yahoo, for the simple and likely stupid fact that I have used it for the past 15 years. And the thought that it is the system that I used 15 years ago, and no, not the same account as 15 years ago, probably says something, but really, is it worth the $50 if I would still NEVER put anything sensitive out like that?

Eclipse

Quote from: manfredvonrichthofen on March 28, 2012, 04:24:17 PM
Use Mozilla, AVG and Spybot, but I do still use Yahoo, for the simple and likely stupid fact that I have used it for the past 15 years. And the thought that it is the system that I used 15 years ago, and no, not the same account as 15 years ago, probably says something, but really, is it worth the $50 if I would still NEVER put anything sensitive out like that?

The base-level free Gmail is night and day better than Yahoo, regardless, so $50 isn't required, however if the only reason you won't use your machine in a way that might make your universe easier is because you are afraid of it, then the $50 might be well spent.

The reality is that your needs may not require the kinds of Groupware apps that others do, or you're just not interested in them, but either way, you don't have to view your connected universe as somehow "less secure" or "scary" if you take some simple steps.

If you're already using Mozilla, make sure you've got a good ad-blocker extension and dump all the toolbars, etc.

"That Others May Zoom"