Comments on: Gmail Scam Signal Of A Much Bigger Security Issue

By: music

music — Sun, 14 Dec 2008 20:20:17 +0000

nothing in this world is free, you pay for it one way or another.

By: Angus Logan's Blog : Please take my credentials. No really - take them!

Angus Logan's Blog : Please take my credentials. No really - take them! — Thu, 03 Apr 2008 23:00:51 +0000

[...] UPDATE: techCrunch weighed in on this [...]

By: Episode #5 - Luminary Thumb - UnNamed Tech Podcast

Episode #5 - Luminary Thumb - UnNamed Tech Podcast — Thu, 27 Mar 2008 20:06:47 +0000

[...] Security. - slashdot Girls and young women most prolific web users – Times Online - TimesOnline Gmail Scam Signal Of A Much Bigger Security Issue - Techcrunch Software: Keypass If IP Is Property, Where Is the Property Tax? - Slashdot [...]

By: היום שבו נכתוב מסמך בלי Word

היום שבו נכתוב מסמך בלי Word — Mon, 24 Mar 2008 05:37:55 +0000

[...] אבל לפני שבועיים אירע מקרה שמעיד שהשלב הזה עדיין לא פה: הונאה שהתרחשה ברשת גרמה לשמות המשתמש והסיסמאות של אלפי בעלי חשבונות [...]

By: Hugues de Saint Salvy

Hugues de Saint Salvy — Sat, 15 Mar 2008 07:40:11 +0000

> Gmail is the entry point into a vast array of Google office
> services – including Google Docs and Google Apps. Those
> services allow users to share documents with others. If
> one user’s email credential become compromised, all of
> those sensitive documents become available to the bad
> guys, too.

Amen to that.
I’ve been lobbying for an additional layer of security in Google Docs for this very reason. See my blog article about this here:
http://lepetitr...ecurity-in.html

By: Java Man

Java Man — Tue, 11 Mar 2008 19:13:35 +0000

Nice exception handling!

By: Hemanth John Jose

Hemanth John Jose — Tue, 11 Mar 2008 06:03:39 +0000

If anybody is interested in seeing the Code:

http://img374.i...archiverij6.jpg

By: Hemanth John Jose

Hemanth John Jose — Tue, 11 Mar 2008 05:28:23 +0000

Damn clever.. I can see the email and password in the code. It is

The developers took it down from their website and this is what they have to say about it:

“What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version.

We sincerely apologize and assure you that this coding mishap was in no way intentional.”

http://www.garc...at-happened.htm

By: Bill

Bill — Tue, 11 Mar 2008 03:14:08 +0000

LMAO – Google sucks.

By: Hendra

Hendra — Tue, 11 Mar 2008 02:09:54 +0000

IMHO, just another anti-Google and pro-Mugro$oft post

By: richcasto

richcasto — Tue, 11 Mar 2008 01:06:20 +0000

It is spelled SecurID not “SecureId” – http://www.rsa....de.aspx?id=1156

By: Kyle

Kyle — Mon, 10 Mar 2008 22:58:27 +0000

Smart and on-point- nice article!

By: magicheader

magicheader — Mon, 10 Mar 2008 21:12:27 +0000

Damn! I had never seen so many people missing the point since G.W.Bush’s re-election!

In short, Google is NO TO BLAME for this incident.
If you would like technical details you should visit http://develope...efts-story.html
It is pretty clear who is to blame.

First the developer then the users.

By: Erik

Erik — Mon, 10 Mar 2008 20:45:37 +0000

Nice piece, Michael. Since I’ve been a bit too harsh in comments before I feel the need to compliment something I like. Anyway, thanks for highlighting an important issue. I’m sure you saw that not coincidentally Google posted a defense of their security this morning:

http://googlebl...nformation.html

Anyway, this is an important issue and thanks for highlighting it. Bill Gates may have been more than just posturing when he said Google doesn’t understand the needs of the business market.

By: Barb Hibino

Barb Hibino — Mon, 10 Mar 2008 20:41:27 +0000

I have the same concerns about google checkout as 46Rod. close call! I’m one of those entrepreneurs that was thinking of using gmail. Is there another system people recommend that is more secure, with similar search and tag functionality?

By: Mohanjith

Mohanjith — Mon, 10 Mar 2008 20:24:46 +0000

ppl, don’t be so naive.

This is not even news. G-Archiver commits that there was a security flaw. See http://www.garc...at-happened.htm.

By: AnJ Inc's Weblog

AnJ Inc's Weblog — Mon, 10 Mar 2008 18:46:31 +0000

The Evils of Some Programers…

Gmail Scam!!
Read article at TechCrunch
……

By: HA!

HA! — Mon, 10 Mar 2008 18:42:39 +0000

The “Google -Riech” will not be happy with you disclosing this sensitive information. NO BAD PRESS about the “STATE” off to work camp for you.

By: Brian T

Brian T — Mon, 10 Mar 2008 18:01:45 +0000

Well FREE is never free, you pay for it somehow and in the long run! When are people going to get this? Soon.

By: Bryan

Bryan — Mon, 10 Mar 2008 17:53:04 +0000

Thinking it through – if I have your gmail address and your password, I have all your mail. But if your company uses Exchange/Lotus/other, I would need your email address, your password, and the address of your VPN server or email web gateway and some inkling of the protocol used (especially if it’s a VPN). So, the comments noting that many businesses uses single sign-on and are just as vulnerable – not quite true. It wouldn’t be hard for a real techie to find out these extra peices of information, but they do represent extra speedbumps. (Please don’t use the old ’security by obscurity’ objection. All authentication-based security works by obscurity, one way or another!) A more advanced admin team might do certificate based auth, adding another speedbump. Or RSA tokens …

The point being that security is a series of speedbumps – some relatively minor, some major. The question is whether the owner of the data has considered its value and emplaced the correct number and type of speedbumps around that data.

Also I was glad to note the several comments which take Michael to task for assigning low levels of sympathy to people who used G-archiver. Very little of the ’security wisdom’ handed out to normal users includes any way to determine how trustable any given app is. In fact few users seem to have ever heard any suggestion that they should consider this question at all.

I was glad to be reminded that if someone subpeonas your data – it’s Google who gets the subpeona, not you. That’s a good thing for IT architects to remember when outsourcing any of their infrastructure.

By: antje wilsch

antje wilsch — Mon, 10 Mar 2008 17:44:51 +0000

Unfortunately a lot of people could fall for that. Recently, we got a weird email from a third party “Security Metrics” saying that our merchant account “First Data” and Citibank required us to use their service to be PCI compliant. There was not a lot of information about what exactly PCI compliance is, who was requiring it (just said all the major ccards needs this) and asked us to go online, submit our DNS information and get tested. We ignored it. What kind of security company would send out out a security notification via email only?? They sent us a “fail” message and said that our online charge capability could be cut off. The email said “Go to the site for instructions” and linked to their generic home page. We ignored them again, but did send an email to FirstData asking if this was legit.

Got another email from Security Metrics saying we had to be compliant and were in danger of losing merchant ability, so went to the to set up an account, asked us for a bunch of data, then we stopped during the procedure because we had to pay a fee (for what? it was totally unclear).

Finally got a call from the merchant account First Data via Citibank that we do need to do this. Security Metrics was completely arrogant and acted as though we were the only company to possibly question why we should just accept an email telling us to go to a site and enter all our merchant data so they could test compliance of our site.

By: Rod

Rod — Mon, 10 Mar 2008 17:24:22 +0000

I’m concerned that Google Checkout seems to be protected by the same password as all the other Google services. Since Google encourages users to stay logged in to receive the benefits of a personalized search page (iGoogle), browser synchronization, etc., not having a separate password to protect Google Checkout seems dangerous to me. Ideally I’d like to see users be able to specify different passwords for each service and possibly use secondary authentication methods such as SecureID.

The obvious workaround requires maintaining 2 Google accounts, one for sensitive information like documents, email, and Checkout’s financial information and the other for other personalized but non-sensitive information.

By: Tara Kelly

Tara Kelly — Mon, 10 Mar 2008 16:13:45 +0000

@SSO
iMacros – which is very comfy for automating FF processes, no doubt – archives its data in the clear (correct me if I’m wrong).

If a program is not encrypted it’s best not to use it for passwords and logins.

Re: Roboform is born as a form filler but it does have a sound security foundation. Of course, as a PassPack founder, I prefer an online solution — but yes, Roboform is valid.

By: damon

damon — Mon, 10 Mar 2008 15:57:23 +0000

“These users should have known better than to type their email credentials into a third party service, so sympathy levels are at a minimum.”

You mean like you do at Mint.com and Wesabe.com?????

By: TheChris

TheChris — Mon, 10 Mar 2008 15:53:45 +0000

Common Arrington, let’s hear a reply about Mint. There’s no doubt in my mind you intentionally left it out of your post.