Does another odd post to one of Google's official blogs mean Google is losing it in terms of security? It spurred Michael Arrington to fire up a list over at TechCrunch of other security issues, a couple of which I wouldn't agree were breaches. But I can add to the list as well, and there's no doubt these types of things hurt Google at a time when, during its expansion, it needs all the goodwill and trust it can get.
Yesterday, Google Blogoscoped wrote about a strange post on Blogger Buzz, the official blog for Google's Blogger. It turned out to be a case of someone who writes for Blogger Buzz accidentally posting something meant for her personal blog on Blogger to the official one.
I can completely sympathize with this. About two weeks ago, I posted something to the Search Engine Watch Blog that I meant for my personal blog Daggle. Both use Movable Type, on completely different systems. But I had browser windows open to both of them and just picked the wrong one.
Unfortunately, the mistaken post (which is still up on Blogger Buzz for me) comes about a week after the Official Google Blog was hacked with a fake post. Add that to some other things, and people might be getting worried.
That's certainly Michael Arrington's view at TechCrunch. He writes:
The fact that unauthorized document access is a simple password guess or government “request” away already works against them. But the steady stream of minor security incidents we've seen (many very recently) can also hurt Google in the long run. Running applications for businesses is serious stuff, and Google needs to be diligent about security.
Another minor incident came up this evening - a Google employee intended to post on her personal blog and wrote on the official Google blog covering Blogger instead....
Google product teams work in cells, which allows them to quickly launch and iterate products. However, there could be a disadvantage to this as well with regard to security, as there does not seem to be one central policy or security group ensuring strict compliance across the entire company. Every security incident damages Google's credibility and reputation. Microsoft has been dealing with security issues forever - Google may need to start fighting the same war.
The post includes eight examples of security incidents since 2004. Some I don't agree with, but others I do -- and there are more not on the list. I posted about these at TechCrunch, but my comments aren't showing yet (and possibly didn't go through properly). Here's what I wrote:
Goodness knows I'm not going to defend them on a lot of this stuff. The repeated problems with Blogger security are becoming absurd. Three strikes on their own blog? But Mike, some perspective is probably in order.
Accidentally released Platypus? Sounds like Philipp has a contact at Google that leaked it to him. I suppose that's a security issue, but it's not really a user security issue. Lumping it in there doesn't feel fair. And if you're going to do that, then any time someone from any company leaks you something, you should be reporting that as a security breach from that company.
Some of the other items are iffy on the user security side. They left stuff in a Writely doc, similar to how they left stuff in that analyst presentation a few months before. Sloppy, yes. Security breach, no. Worthy of concern? Yes, because sloppy there could mean sloppy elsewhere.
To add others to your list:
- December 2004: Google Now Blocking Santy Worm
"Security is something that we have to have even more renewed focus on," Google said about the case.
- Nov. 2005: Gmail Never Hacked, Google Says
You note this above. To be fair, you'd have had to be so incredibly stupid to make this happen. Really, really stupid.
- Nov. 2005: Major Security Flaw With Google Sitemaps Stats
This was a fun one, allowed me to see stats for the US White House. Many others used it to see stats for other big sites.
- Nov. 2005: Google Mini Security Issue Patched
Security company praises Google for reacting quickly.
- Feb. 2006: Google Account Security Breach with Book Search
Another case where there's a security flaw if you're stupid. It's somewhat similar to saying credit cards have a flaw that if you give someone your number, they might be able to buy things with it. At least in this case, it's more possible someone would send a URL rather than a specific authentication code as with the Nov. 2005 case.
They fixed it quickly.
- June 2006: Google Fixes XSS Security Holes
Overall, I agree with you. These incidents hurt Google's reputation and the trust users may have with them. What I can't tell is how they stack up in trust compared to someone like Microsoft. I suspect they're still well ahead there. But it's not "may need" to fight the war. They're in that war now, and every new app increases their exposure to exploits.