
Google Solves Sharing Bug In Google Docs

timothy posted more than 5 years ago | from the use-of-journal-achievement dept.

Bug 69

RichardDeVries writes "Three weeks ago, I contacted Google about a bug in Google Docs that shared documents without permission. The issue has been resolved and affected documents have had their collaborators removed. The documents' owners have been notified: 'To help remedy this issue, we have used an automated process to remove collaborators and viewers from the documents that we identified as being affected. Since the impacted documents are now accessible only to you, you will need to re-share the documents manually.' See my journal entry for details on my contact with Google. Although I think Google handled the issue admirably, this raises questions (again) about cloud computing, as well as Google's eternal beta-status for a lot of their services."

69 comments

I'll keep my docs offline thanks (4, Insightful)

syousef (465911) | more than 5 years ago | (#27106301)

Prime reason to avoid online office suites and the like. Another good reason is that even these days Internet access is not a given 24x7 every place you want to be.

Re:I'll keep my docs offline thanks (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27106317)

Who did you give a HJ to in order to get a response out of google?

Re:I'll keep my docs offline thanks (0)

Anonymous Coward | more than 5 years ago | (#27110617)

> Who did you give a HJ to in order to get a response out of google?

QFT.

Re:I'll keep my docs offline thanks (0)

Anonymous Coward | more than 5 years ago | (#27110675)

what's a HJ? you can't even get a two letter abbreviation of an insult right? drunk idiot. it was human resources, if you have to know.

Re:I'll keep my docs offline thanks (0, Funny)

Anonymous Coward | more than 5 years ago | (#27106349)

Boobies

Re:I'll keep my docs offline thanks (2, Interesting)

thetoadwarrior (1268702) | more than 5 years ago | (#27106383)

I don't see what the big deal is. You can download your document and have it online so there is no way you can be without it.

This little bug is nothing compared to all the crap we've had to go through with MS Office security issues.

Of course using google docs requires common sense. Like don't keep a documented list of your credit card details on it but it's not wise to do that on your desktop either.

Re:I'll keep my docs offline thanks (4, Insightful)

Anonymous Coward | more than 5 years ago | (#27106487)

The big deal is getting a response out of google. It's akin to praying at the Wailing Wall and having God come on down to buy you a Manischewitz.

Man-O-Manischewitz What a Wine!

Re:I'll keep my docs offline thanks (0)

Anonymous Coward | more than 5 years ago | (#27107113)

Eh? He reported the bug and they responded by fixing it... What more can you ask? Software has bugs, offline or online. This would be a story about google being bad IF it has been them not fixing it or blowing it off without looking into it.

That being said, google docs may be useful for some and not for others. If you want offline, open office already exists anyways. Google is just providing a service that it thinks may be useful to people. Things like something like for school assignments using some precautions can make it very useful.

It's facebook too (2, Interesting)

rs79 (71822) | more than 5 years ago | (#27107581)

Similar bug is in FB. Grant an app perms; delete some friends, the app still has write perms on you when your deleted friends do something. As a programmer I'm making a wild guess it's grabbing your friends list when you sign up, not when you run it.

I suppose it's more of a "practices" thing than a "bug in facebook". But envision some scenario with, uh, you can figure it out.

Re:It's facebook too (1)

batkiwi (137781) | more than 5 years ago | (#27110397)

Were facebook actually DESIGNED instead of "oh shit, people showed up, what now?" evolved, this would not be a problem.

Instead of apps getting access to your data, they should get event notification ability + write access to your wall.

So you subscribe to the "Friend used this app" event, and facebook notifies that app that someone launched it, and they take action.

Take it a step further, give them an identity key which changes per event, with rescripting.

So your friend (bob) does X. FB notifies the plugin that "ID555 did X and is friends with you." For anything they want to post to the wall they use the key ID555 and FB turns that back into "bob" on their side. "ID555" changes EVERY event, so the plugin cannot build a profile of who you are friends with.
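
A sketch of the per-event identity key design proposed in the comment above, added here as an example and not code from Facebook or the commenter. The class and method names are hypothetical, and making each key single-use and bound to one app is an assumption beyond what the comment states.

```python
import secrets


class EventKeyBroker:
    """Platform-side broker (hypothetical): apps only ever see opaque keys."""

    def __init__(self):
        self._keys = {}   # opaque key -> (app_id, real_user); never leaves the platform
        self.wall = []    # rendered wall posts, visible to users, not returned to apps

    def notify(self, app_id, real_user, action):
        """Tell an app that someone did something, without saying who."""
        # A fresh random key per event, so two events by the same user
        # cannot be linked by the app.
        key = "ID" + secrets.token_urlsafe(16)
        self._keys[key] = (app_id, real_user)
        return {"actor": key, "action": action}

    def post_to_wall(self, app_id, key, template):
        """App asks the platform to post; the platform substitutes the real name."""
        entry = self._keys.get(key)
        # Reject unknown keys and keys issued to a different app (assumption:
        # keys are bound to the app that received the event).
        if entry is None or entry[0] != app_id:
            return False
        # Assumption: single use, so a stored key is worthless later.
        del self._keys[key]
        self.wall.append(template.replace("{actor}", entry[1]))
        return True


def demo():
    """Constructed scenario: 'bob' triggers two events in a made-up app."""
    broker = EventKeyBroker()
    first = broker.notify("quiz-app", "bob", "did X")
    second = broker.notify("quiz-app", "bob", "did Y")
    return {
        "keys_differ": first["actor"] != second["actor"],
        "other_app_rejected": not broker.post_to_wall(
            "other-app", first["actor"], "{actor} did X"),
        "posted": broker.post_to_wall(
            "quiz-app", first["actor"], "{actor} did X"),
        "replay_rejected": not broker.post_to_wall(
            "quiz-app", first["actor"], "{actor} again"),
        "wall": list(broker.wall),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The app can act on each event but holds nothing that identifies the user across events, which is the property the comment is after.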

Re:I'll keep my docs offline thanks (1)

nxtw (866177) | more than 5 years ago | (#27108059)

> This little bug is nothing compared to all the crap we've had to go through with MS Office security issues.

MS Office is not the only offline office suite. No desktop application (including MS Office) I've used has shared my documents with other people on the Internet without my permission.

Re:I'll keep my docs offline thanks (1)

thetoadwarrior (1268702) | more than 5 years ago | (#27108447)

Then simply don't keep it online and download it.

MS will copy Google and do the same thing. Then you'll get the best of both worlds; sharing concerns and security flaws.

Re:I'll keep my docs offline thanks (1)

NateTech (50881) | more than 5 years ago | (#27109949)

That's what we all said about the first small Microsoft bugs too. Word 4 only had a few annoying little bugs. LOL!

Re:I'll keep my docs offline thanks (1)

ILuvRamen (1026668) | more than 5 years ago | (#27106385)

Besides accessibility and glitches, you really shouldn't give anything secretive to a 3rd party to control and store anyway. Anyone who got some private information accidentally shared by this glitch definitely deserves it.

Re:I'll keep my docs offline thanks (5, Insightful)

stesch (12896) | more than 5 years ago | (#27106739)

People don't care. Really. There was a worm a few years ago that sent office documents to random e-mail addresses. I received an Excel price list from a bike shop. A co-worker some Word documents from a doctor. People don't care. They continue to use this kind of software and putting documents on Google's site isn't less secure than what they are doing right now.

Google's eternal beta-status (5, Insightful)

ddrueding80 (1091191) | more than 5 years ago | (#27106303)

It seems Google treats their beta products better than most treat their production stuff. Fitting, considering Google has more users of their beta stuff than other companies have paying users.

Re:Google's eternal beta-status (0)

Anonymous Coward | more than 5 years ago | (#27107561)

> It seems Google treats their beta products better than most treat their production stuff. Fitting, considering Google has more users of their beta stuff than other companies have paying users.

We are all in eternal beta-status - always something needing to be debugged, including my typing.

Anonymous Coward Kim Hannemann
http://novarealestate.wordpress.com

Re:Google's eternal beta-status (0)

Anonymous Coward | more than 5 years ago | (#27109061)

Disregard that, I suck cocks.

Anonymous Coward Kim Hannemann
http://novarealestate.wordpress.com/ [wordpress.com]

Re:Google's eternal beta-status (2, Insightful)

NateTech (50881) | more than 5 years ago | (#27109953)

Conveniently calling everything "Beta" gives them the leeway you're handing them, you do realize? Some companies actually have to release version 1.0 to keep customers happy.

Re:Google's eternal beta-status (1)

Daengbo (523424) | more than 5 years ago | (#27111409)

Insightful? More like troll.

Google is beta for the Standard Version and supported (i.e. 1.0) for the Premium Version [slashdot.org] . Stop FUDding.

Re:Google's eternal beta-status (1)

NateTech (50881) | more than 5 years ago | (#27113407)

No, this is a troll...

"Truth hurts, doesn't it?!"

Re:Google's eternal beta-status (1)

Joren (312641) | more than 5 years ago | (#27110375)

It's the eternal beta of the spotless cloud!

It took them 3 weeks (1, Interesting)

Anonymous Coward | more than 5 years ago | (#27106313)

...to understand what you meant when you reported had a bug in Google Docs.

Well (5, Insightful)

mysidia (191772) | more than 5 years ago | (#27106329)

It raises more immediate questions about SAAS, which Google docs is, not cloud computing. (Google docs is software as a service, not a cloud computing service like Amazon ec2.) Someone else's custom app can have a bug, and leak your data.

So can your provider's closed-source proprietary cloud computing applications, user provisioning, storage, etc.

If, however, the provider uses an open-source hypervisor (like KVM), and open-source provisioning, management tools, and scripts (so the wrong user isn't given access to your storage), cloud computing should be much more secure than a SAAS platform like Google docs.

But yes, it does raise some question about services like ec2, because they're fairly opaque and using proprietary software, how can you possibly prove that their provisioning system is secure (in that YOUR elastic block store can't accidentally be provisioned onto someone else's ec instance)?

One possibility is to use full-drive encryption on all your volumes, and require interaction with custom software on your side to boot your instances.

Re:Well (1)

thethibs (882667) | more than 5 years ago | (#27106617)

> how can you possibly prove that their provisioning system is secure

You can't; nobody can. "Prove" and "secure" in the same sentence is almost guaranteed nonsense. If you'd like, I can recommend some books that can teach you basic security concepts.

Re:Well (1)

poopdeville (841677) | more than 5 years ago | (#27106689)

I suggest you hit those books, because provable security is not only possible, it is expected in many contexts.

Re:Well (0)

Anonymous Coward | more than 5 years ago | (#27106823)

Do tell... show me these books where something like security is provable.

Correctness proofs are only possible for highly constrained computer programs/languages/problems.* I'd say correctness is a prerequisite for provable security. Given that most systems involve lots of programs written in languages that don't support correctness proofs, provable security is not possible.

Of course, a general solution for correctness would also be a solution for the halting problem. If you don't understand the significance of that statement, you should probably go hit the books.

*that's not saying that those languages aren't useful. Cryptographic languages have been developed that allow for correctness proofs, but these languages are constrained to a very specific problem to allow for that.

Re:Well (0)

Anonymous Coward | more than 5 years ago | (#27106987)

Well, I know what theory says about the halting problem, but in practice, almost all practical routines people usually write can be proven to eventually terminate, since they mostly contain only trivial control flow and simple iteration over finite data structures...

Re:Well (1)

mysidia (191772) | more than 5 years ago | (#27107021)

> Do tell... show me these books where something like security is provable.

Algorithms and processes can be rigorously proven to be secure, or at least to be as secure as something that is well-accepted to be secure enough.

Being able to prove that something has a certain level of security under given circumstances is both useful and important. 100% security against every conceivable attack may be hard, but that doesn't make it useless to prove there's no attack except X, where X is very very hard.

In this case, proving that a third party breaking into your data through certain means is equivalent to solving a very hard problem is good enough.

As for other means, like a bug in the software implementation of a virtualization platform (that allows malicious software to gain illicit access to your running instance),

You can't 'prove' that as in a mathematical or logical proof, but the system can be "proven" by the open source community by testing, and hackers' failed attempts to compromise it.

Whereas, proprietary software is really not 'proven' in the sense, that hackers have a harder time, it takes longer to find holes and stage their attacks, but when they _do_, the results are much more devastating, than if the software was proven properly in the OSS community (bugs get patched quickly)

Re:Well (2, Insightful)

maxume (22995) | more than 5 years ago | (#27107563)

So what's wrong with the wikipedia article:

http://en.wikipedia.org/wiki/Provable_security [wikipedia.org]

Quoting:

> Part of the problem stems from the fact that it can be misleading to non-practitioners, since security is not being proved; only a reduction from security to some other unproven assumptions.

According to that, provable security doesn't mean that anything has been proven to be secure.

Re:Well (1)

mysidia (191772) | more than 5 years ago | (#27108507)

The article is accurate; provable security is about proving that algorithms are secure when certain assumptions hold true.

It's not a proof of correctness of computer software.

Validation and testing of software is another matter.

But when software is closed source, it is very difficult to see what algorithms and protocols are used throughout the system, let alone apply other methods (like testing) and more importantly code-auditing, to validate the software.

Provable security is about being able to analyze all the processes and algorithms used to accomplish certain tasks, and validate that the communication protocols are unbreakable, if certain strongly-held assumptions are true.

Re:Well (1)

maxume (22995) | more than 5 years ago | (#27108889)

Sure, I assumed it was moderately reliable, but in the event that the article is correct, my parent poster is some combination of confused, deliberately obfuscatory and bizarrely narrow in his interpretation of the grandparent (who was alluding to the fact that security becomes rather Rumsfeldian, not looking to quibble over jargon).

Re:Well (0)

Anonymous Coward | more than 5 years ago | (#27113321)

A good security consultant will tell you that provable security is bullshit in practice (i.e. real world situations).

A consultant who makes "provable security" his selling point is:
a) a conman
b) incompetent/ignorant

Analogy: even if your accounting software is provably correct (proven to add stuff up correctly), pesky humans can get in the way of correctness.

Despite all that software, systems, policies, all the $$$ auditors can tell you is whether in their opinion the accounts present a true and fair view. They can not prove it, nor is there a way to make it provably 100% correct all the time. Too often someone still manages to pull something off.

Re:Well (1)

thethibs (882667) | more than 5 years ago | (#27113963)

Exactly! That's why one of the important events of the process is when we've made sure the client understands the Residual Risk and is willing to accept it.

Raises questions? Really? (5, Insightful)

ozric99 (162412) | more than 5 years ago | (#27106347)

> Although I think Google handled the issue admirably, this raises questions (again) about cloud computing, as well as Google's eternal beta-status for a lot of their services.

Really? I don't use Google Apps but I don't think the act of fixing a bug in any way raises questions about the overall concept any more than Microsoft fixing a bug in Sharepoint would raise questions about closed source Windows services, or fixing a bug in KnowledgeTree would raise questions about similar open source services.

Software application has bug; bug gets fixed. Jesus people, why is this different from any other similar bug being fixed? Oh, it's Google, better get blogging.. Gotta get those ad impressions up.

Re:Raises questions? Really? (3, Insightful)

nametaken (610866) | more than 5 years ago | (#27106363)

When there's a bug in my internal doc collab and versioning service, it isn't exposed to the entire world.

I think that's the question raised.

Re:Raises questions? Really? (5, Interesting)

Firehed (942385) | more than 5 years ago | (#27106667)

Well let's say that you're using SharePoint internally, and there's a bug in it. It's not exposed to the entire world, but it IS exposed to the entire organization (which can be just as bad, depending on the bug). More importantly, it's on a hundred thousand different sysadmins to patch said bug on their own MOSS installations, rather than a SAAS company patching it once and having the bug fixed for everyone.

Imagine for a moment if IE was somehow SAAS instead of a desktop app. That would mean that IE6 would NO LONGER EXIST, and that everyone would have an up-to-date version of IE7. And as soon as IE8 comes out of beta, IE7 will also die - instantly, worldwide - and then web developers everywhere will rejoice.

Obviously that simply doesn't work for a web browser (well, it could, but not as it's done now - and it's obviously not the most practical approach), but for all of the problems that SAAS can bring, it also solves a tremendous number of other issues. For something where security is priority number one, it's often not the best choice, but you can't beat it for keeping things up to date. And when you're dealing with closed-source software, that's already beyond your control so you might as well reap the benefits of the instant updates.

Re:Raises questions? Really? (0)

Anonymous Coward | more than 5 years ago | (#27107569)

Not true. There are SaaS sites that roll out new versions and keep the existing version running so that users can migrate on their schedule. There are training considerations and some might just plain prefer the existing version (e.g. simpler interface)

Re:Raises questions? Really? (1)

nametaken (610866) | more than 5 years ago | (#27107611)

I get the impression you thought I was grousing about people using SAAS. In fact we use SAAS for some applications at work, as a direct result of my recommendation. Salesforce.com, et al.

I was simply pointing out that there ARE questions to consider when it comes to internally hosted vs. SAAS apps, and there's nothing silly about asking them. Sensitivity of your information and relative exposure are certainly a couple of the questions everyone should answer before choosing.

Re:Raises questions? Really? (1)

nametaken (610866) | more than 5 years ago | (#27107635)

The other major factor that should be considered, is that companies like Google, Salesforce, Intuit, and many of the other companies out there have lots of money and human resources dedicated to keeping your stuff safe.

Hosting internally typically relies on fewer people with smaller skillsets and a smaller budget. Your security is often (in some way) a result of obscurity.

Re:Raises questions? Really? (1)

SnowZero (92219) | more than 5 years ago | (#27109273)

RTFJ, these documents were not shared with the entire world, just people that other selected documents had already been shared with. So, if you selected N documents, and added one user "bob", instead of adding only "bob" to all the docs, it would instead share all N docs with the union of all people the N docs were shared with + "bob".

Yes it's a bug, but it's the kind of bug that could happen in any sharing system (unexpected UI behavior leading to wider sharing than intended / not some exploitable security backdoor).

For example, if you never shared documents beyond your company, this bug would not share documents beyond your company. However, this is exactly the sort of bug that would do embarrassing things like share the performance reports of every employee with everyone rather than just HR + the individual employee for each doc. It could also expose docs you share with a customer with other customers.
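
The bulk-share behaviour described in the comment above, modelled as an added example (not part of the original thread and not Google's code): the described union behaviour beside the intended one, plus a snapshot audit that lists grants nobody requested. Document names, users and function names are constructed for illustration.

```python
from copy import deepcopy

# Constructed sample ACLs: document -> set of users it is shared with.
BEFORE = {
    "review-alice": {"hr", "alice"},
    "review-carol": {"hr", "carol"},
    "pricing-acme": {"sales", "acme-contact"},
    "untouched":    {"hr"},
}
SELECTED = ["review-alice", "review-carol", "pricing-acme"]
NEW_USER = "bob"


def bulk_share_as_described(acls, selected, new_user):
    """Behaviour as described in the comment: every selected document ends up
    shared with the union of all selected documents' users plus the new user."""
    result = deepcopy(acls)
    union = {new_user}
    for doc in selected:
        union |= acls[doc]
    for doc in selected:
        result[doc] = set(union)
    return result


def bulk_share_intended(acls, selected, new_user):
    """Intended behaviour: only the new user is added, per document."""
    result = deepcopy(acls)
    for doc in selected:
        result[doc].add(new_user)
    return result


def unrequested_grants(before, after, selected, new_user):
    """Audit two ACL snapshots around a share request and return every
    (document, user) grant that the request did not ask for."""
    findings = []
    for doc, users_after in after.items():
        added = users_after - before.get(doc, set())
        for user in added:
            requested = doc in selected and user == new_user
            if not requested:
                findings.append((doc, user))
    return sorted(findings)


def affected_documents(findings):
    """Documents whose sharing needs review, the set a cleanup would target."""
    return sorted({doc for doc, _ in findings})


if __name__ == "__main__":
    after = bulk_share_as_described(BEFORE, SELECTED, NEW_USER)
    for doc, user in unrequested_grants(BEFORE, after, SELECTED, NEW_USER):
        print(f"unrequested: {user} can now see {doc}")
```

With the sample data, the audit shows each employee gaining access to the other's review and the customer contact gaining access to both, while the unselected document is unchanged.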

What's with the lemming movement in IT... (3, Funny)

tjstork (137384) | more than 5 years ago | (#27106397)

My god, every time someone comes up with a solution in IT, we have this built in expectation that everyone should fall on board. Cloud computing is just the latest. Are we to now upgrade every system to use the "cloud". Are we to do web applications for everything? This isn't an engineering profession, it's a fashion one. We're not like Mr. Spock from Star Trek. We're like the guy on America's Next Fashion Designer.

Engineers engineer what is requested of them... (1)

mrflash818 (226638) | more than 5 years ago | (#27106587)

...so it could be argued that it is exactly true: If something is engineered as a web application, it is precisely because resources and staff were allocated by management for it to be built?

Re:What's with the lemming movement in IT... (1)

whoop (194) | more than 5 years ago | (#27106655)

This is Slashdot, home of TCBOO, there can be only one. For every one person that says "Hmm, this could be useful for me," cue a hundred others, "Don't trust X, they are evil!! Just set up a Linux box, install A-J packages, configure them, secure them, tweak them, and voila, it's about as good and The Man doesn't have ahold of your nuts."

Re:What's with the lemming movement in IT... (0)

Anonymous Coward | more than 5 years ago | (#27106983)

You must be n...^H^H^H^H^H^H^H^H^H^H^H

The fact is, if you have the time and the will, a linux box with A-J packages properly configured could be better for the most part... Of course there are a lot of implicit IF on that sentence.
If you can use linux on that organization.
If you know what you are doing.
If you have the time to do it.
If you have the will to do it.
If you can keep it running and updated.
If ...

Re:What's with the lemming movement in IT... (1)

monkeythug (875071) | more than 5 years ago | (#27106913)

Don't worry, these things invariably fail to live up to the hype.

Look back at the "write-once-run-anywhere" Java hoohah. About 10 years ago this was the "next big thing", everyone would be doing it this way, blah blah blah. I even remember evangelising it a bit myself at the time - oh how naive I was back then!

Fast forward to the present and what actually happened? Sure, Java's still there if you want to use it and it's taken over a niche or two - but it completely failed to take the world by storm didn't it?

I strongly suspect we'll see much the same outcome for cloud computing.

Java is the most successful failure ever. (1)

tjstork (137384) | more than 5 years ago | (#27107647)

I think the thing with Java is that it had to live up to almost impossible hype. I was disappointed in it when I first tried it out way back in the days of AWT. But, there's a lot of stuff out there written in Java and Java is a very popular language. If I had a language that failed as much as Java has, and just sold the book on it, I'd be pretty damned happy.

Re:What's with the lemming movement in IT... (1)

jwambach (151360) | more than 5 years ago | (#27108315)

If by niche, you mean enterprise software development, then sure, java is a niche language.

Re:What's with the lemming movement in IT... (3, Insightful)

Teckla (630646) | more than 5 years ago | (#27107545)

> My god, every time someone comes up with a solution in IT, we have this built in expectation that everyone should fall on board. Cloud computing is just the latest. Are we to now upgrade every system to use the "cloud". Are we to do web applications for everything? This isn't an engineering profession, it's a fashion one. We're not like Mr. Spock from Star Trek. We're like the guy on America's Next Fashion Designer.

There are a bunch of good reasons web applications have become popular.

First, they're easy to deploy. Put up a web page, point the users to that web page, and you're done. No need for an installer. No need for an updater. No need to convince users to download and run an executable (which is a scary and complex undertaking for many of them).

Second, they're relatively safe for the user. Which puts the user at less risk, navigating to a web site, or downloading and running an executable which may or may not contain malware?

Third, they're cross platform. With a little effort, your web application will run on Windows, OSX, and Linux. This should make Linux users very happy, since it helps even the playing field between Windows and Linux!

Fourth, in many cases, web application providers can offer superior document management. For example, regular users aren't good at keeping backups, and in the old days, just plain said goodbye to their archived email if their hard drive crashed. Or, if they upgraded from a Pentium 3 computer to a Pentium 4 computer, they spent hours trying to configure their new email program, and then more hours trying to move their archived email from their old computer to their new computer. Compare that to web email, which Just Works.

Do web applications involve risks and tradeoffs? Yes, this article demonstrates that. But it's up to individuals to decide what risks and tradeoffs are worthwhile, and many, many people choose web applications because the advantages are worth it to them.

Claiming that web applications are successful only because they're fashionable to developers these days is, well, just plain stupid. The fact is, web applications are the best choice among the alternatives for many users, and plenty of developers recognize that fact and leverage it by building web applications instead of thick client applications.

Re:What's with the lemming movement in IT... (0)

Anonymous Coward | more than 5 years ago | (#27110317)

> Second, they're relatively safe for the user. Which puts the user at less risk, navigating to a web site, or downloading and running an executable which may or may not contain malware?

Because the browser certainly isn't known to be a widely popular vector for attack via things like XSS vulnerabilities and various browser vulnerabilities. We also know phishing attacks are certainly very rare amongst popular websites containing desirable data as well.

> Third, they're cross platform. With a little effort, your web application will run on Windows, OSX, and Linux. This should make Linux users very happy, since it helps even the playing field between Windows and Linux!

Because we all know that every browser adheres to the same modern standards to ensure full capability.

> ...many, many people choose web applications because the advantages are worth it to them. The fact is, web applications are the best choice among the alternatives for many users, and plenty of developers recognize that fact and leverage it by building web applications instead of thick client applications

Last time I checked an Office Suite was not inherently a client-server application as you explicitly stated, and I can pull out random facts out of my ass too. Many, many people have Desktop office suites and don't use web applications for the same thing because amazingly communication is not ubiquitous, communication bandwidth and connections are rarely free and fast, some do not wish for their data to leave a controlled environment, and the web browser is a lot more restricted in terms of interface engineering compared to a dedicated piece of software. Stop trying to shove every damn application in a client-server model and claiming many people would prefer some niche solution with little benefit over solid mainstream solutions.

Cloud Computing / Online Service Debate (2, Insightful)

troll8901 (1397145) | more than 5 years ago | (#27106427)

Not trying to jump to Google's side, but just want to consider other aspects...

From TFA's readers comments:

---
"Richard de Vries" (submitter of this Slashdot story) - March 7th, 2009 at 2:04 am PST

It's legit alright. I reported this issue to Google on February 24th. Last Thursday I was notified it had been fixed.
I knew this would cause a few discussions about cloud computing and the beta-status of most of Google's applications. I work for a small company. We use Google Docs a lot and we unintentionally shared some internal documents with a few clients. None of these were ultrasecret and the issue was quickly discovered, but you can imagine what could go wrong.
I can say, however, that I'm very happy with the way Google handled this. The e-mails were polite and helpful, the issue was resolved fairly quickly and they have gone out of their way to correct erroneous shares and they sent e-mails to all affected users. They knew they would get reactions like this article, but they did the right thing.

Regards,

Richard

---
"Alyx Flannery" - March 7th, 2009 at 1:33 am PST:

Please. Let's see how many millions of documents were shared.. oh wait, there weren't. Unlike all the recent Credit Card compromises we have heard about. And those would be from not what we would consider "super-naive" companies. This is FUD plain and simple.

But perspective folks, this isn't the sky falling. A poorly configured server exposed to the Internet will give more info away and is a larger threat due to bots and zombies.

---
"Musashi" - March 7th, 2009 at 3:07 am PST

Cloud Computing Questions:
1. Who owns the data/documents/content?
2. How much access do the data custodians have to your data?
3. How much access SHOULD they have?
4. During an outage, what, if any, recourse do you have to continue doing business with your various collaborators?
5. How secure is your data in the cloud? How patched is the cloud environment? How well monitored is it for violations?
6. Just how interconnected are the various Google sites? Calendar, mail, Docs etc.

I only use Google docs for convenience of sharing a few minor docs. Until I get satisfactory answers to the above questions, nothing business critical or remotely private will be going up.

---
"Musashi" - March 7th, 2009 at 4:21 am PST

Classified business files being shared between business partners over in the cloud can be extremely valuable - especially to a competitor!
Just imagine you're discussing a new product (a new killer app, or product) amongst your colleagues before you've patented the idea and that leaks out (without their knowledge); I'm sure you'll be more worried about that.

Many small businesses are using the cloud (Google or others) to do just that. Their Intellectual Property is extremely valuable to them.

---
"Jean Vincent" - March 7th, 2009 at 9:42 am PST

Sharing information on the web will always have some limitations, but the risk of sharing data without our knowledge can happen with any digital device, including personal computers or companies servers.

Small businesses need to make the choice by assessing their abilities to secure their documents better than Google or other online services.

I think that in that specific case Google could have handled the matter faster and should also have responded to the email from Andy. The final response seems appropriate, they have fixed the problem and notified users.

I also agree that the Beta-forever practice that Google has pioneered is not responsible and undermines users' rights on the web.

Finally there is a lot of confusion in this article and others between the term 'Cloud Computing' and 'Online services'. Cloud Computing is a deployment technology for service developers competing with web hosting, dedicated servers, collocation, this is NOT an end-user service. Google Docs is an online service, not Cloud Computing.

---

I think I'm jealous. It seems that their signal-to-noise ratio (for this article, at least) is no worse than Slashdot's. We must beat them!

Re:Cloud Computing / Online Service Debate (1)

icebike (68054) | more than 5 years ago | (#27106993)

> I think I'm jealous. It seems that their signal-to-noise ratio (for this article, at least) is no worse than Slashdot's.

Speaking of signal to noise ratio!!

You quote this huge long excerpt for a one-line (contentless) drive-by sniping?

What the hell were you thinking?

Re:Cloud Computing / Online Service Debate (2, Insightful)

troll8901 (1397145) | more than 5 years ago | (#27107237)

Well, I thought some of the comments in TFA were pretty good, so I quoted them here. After posting, I realized I wasn't adding value to the discussion.

I was being entirely redundant. My apologies. I must have been drunk.

Here we go (1, Informative)

whoop (194) | more than 5 years ago | (#27106585)

Here we go, another battle of the I-won't-let-Google-host-my-company's-top-secret-documents people vs the Pay-for-Google-Apps-and-run-it-internally-so-your-top-secret-documents-aren't-exposed people.

yeah, like... (2, Insightful)

speedtux (1307149) | more than 5 years ago | (#27106597)

Yeah, like people never accidentally share [thetechherald.com] secret documents from their desktop machines.

Re:yeah, like... (0)

Anonymous Coward | more than 5 years ago | (#27106683)

I go out of my way to share my secreted documents.

Still better than traditional solutions (2, Insightful)

Synn (6288) | more than 5 years ago | (#27106619)

I'd say the security for SAAS is still probably better than most company/home built installations out there.

I mean, is the HR finances spreadsheet really more secure on the file server for most businesses out there? I doubt it.

At least with Cloud Computing the patches are automatically rolled out to everyone. No "this server hasn't been patched in 2 years because of X, Y, Z" issues.

Re:Still better than traditional solutions (1)

dickens (31040) | more than 5 years ago | (#27107467)

If some C-level person has access to said spreadsheet, and keeps his password on a sticky under the mousepad, it doesn't much matter whether you're using SaaS or not. Hey it's in his *office* which must be sacrosanct.

Beta status (0)

Anonymous Coward | more than 5 years ago | (#27106663)

> this raises questions (again) about ... Google's eternal beta-status for a lot of their services.

Yeah, because a non-beta product which has been released never has problems.

Re:Beta status (1)

Daengbo (523424) | more than 5 years ago | (#27111489)

I realize you didn't make the assertion that Google is in eternal beta, but I'd like to use your post to refute that statement, anyway. Google Apps aren't beta when you pay for them [slashdot.org] (i.e. Premium Edition).

Y2uo F4il It (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27106767)

All 0ver America

Using Google docs == uploading photos to facebook (1)

sulfur (1008327) | more than 5 years ago | (#27106939)

If you upload something to any computer outside of your control, you have to assume the worst. I wouldn't upload any documents to Google Docs that I wouldn't want the general public to see. It is a nice tool to share your resume/schedule/etc. though. In the same way, you shouldn't upload photos to facebook/myspace/insert_social_network_here that you would mind if they "leaked" to the public.

private online project/code collaboration sites (0)

Anonymous Coward | more than 5 years ago | (#27113431)

- contact/financial information
- certain types of websites that need some of your info in some document format
- online tests
- airline reservation
- stock market data
- online financial services for corporates (not only the http web)

Will you stop using the internet for anything that costs money?

just another reason why my spreadsheets (2, Funny)

Anonymous Coward | more than 5 years ago | (#27107033)

are on a laptop I have owned since 1989 (NEC UltraLite), before government wised up to the need for back doors, which I use (with only original software) through a glove-box I built of seven layers of alternating Saran wrap and aluminum foil and which I view through a pinhole. It is run off car batteries, also electromagnetically isolated from the outside world, which I wired in parallel and that I remove and charge (from my actual car) about three times per year. Mostly I just use it to keep track of my charging scheduling though.

From your journal (1)

dbcad7 (771464) | more than 5 years ago | (#27107127)

> safer option for sharing documents is software on our own server, but that won't be bugfree, either.

I think I am having trouble figuring out what you are trying to do. I am guessing that you have documents that you want some people to be able to see but not modify, but also have this group of others that you want to allow to modify the documents? You have your own domain, http://www.deondernemers.nl/ [deondernemers.nl], which I imagine runs 24/7, but you would prefer to do this sharing thing through Google?

My suggestion is this: convert to OpenOffice docs, put the docs on your web server, make all those with editing power carry a copy of oO, and give them access through FTP. Make it standard procedure to convert your docs to PDFs for access by the "non" editing group that you want to be allowed to see. More work I know, but more control if you implement it properly.

Re:From your journal (3, Informative)

Synn (6288) | more than 5 years ago | (#27112043)

> More work I know, but more control if you implement it properly.

I seriously doubt you're going to get your average user to use FTP successfully and I doubt most companies could "implement it properly".

What Google offers instead:

Jane goes to http://docs.mycompany.com, creates the document. Clicks on sharing and shares it with Bob in accounting. Simple and easy.

Is this solution open to bugs in Google Docs? Sure is. But your web/ftp server solution is also open to exploits in both pieces of software AND since it's more complex it's more open to user error.

How does Jane upload it so only Bob and not Bill in accounting can edit it? How does she make it so only Mark, Matt and Jessie in development can view it?

Google Docs makes that trivial to do. Also Bob and Jane can work on the document at the same time and any changes go out instantly to the viewers. Plus the document has versioning built in.

You seem surprised for some reason (1)

duncan (16437) | more than 5 years ago | (#27107847)

> this raises questions (again) about cloud computing, as well as Google's eternal beta-status for a lot of their services.

What do you mean it raises questions again? Did the questions get put down between the last time a flaw was found in 'the cloud' or Google's beta services and this time?

The questions are the same. The answers are the same. If you're not happy with it don't participate in it.

Martin (0)

Anonymous Coward | more than 5 years ago | (#27110087)

Sorry, but I think in many cases it is late. I tried using Docs and Groups many times, and both have important failures. I suggest Gdevelopers improve quality before going to production... please, don't repeat the Redmond style!

Not unusual for Google (1)

jwkckid1 (636776) | more than 5 years ago | (#27110309)

First, thank you Richard for highlighting this bug and the overall problems with Google support for Apps, etc.

Second, some time ago (I don't recall exactly when) one of my engineers that does pro-active security testing of SaaS apps, and many others, found this very problem and reported it to Google accordingly, and got the first response Richard got repeatedly after repeatedly reporting this bug. This seems to be very concerning, as some of you may know that Vivek Kundra is very pro-Google and will be looking towards Google to help the USG's many interactive Apps as a solution, as he has done in the past. So when Google takes 3 weeks to finally address an already previously reported bug, and then finally addresses it, such becomes very worrisome and does not bode well for applying Google-based Apps solutions to USG's needs, even if the price is right.

To me, as a security professional (CTO), this concerns me and other security pros like myself rather significantly.

Regards,

Spokesman for INEGroup LLA. - (Over 284k members/stakeholders strong!)
"Obedience of the law is the greatest freedom" -
      Abraham Lincoln
"YES WE CAN!" Barack ( Berry ) Obama

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]

Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402 E-Mail
jwkckid1@ix.netcom.com
My Phone: 214-244-4827
