Does another odd post to one of Google’s official blogs mean Google is losing it
in terms of security? It spurred Michael Arrington to fire up a list over at
TechCrunch of other security issues, a couple I wouldn’t agree were breaches.
But I can add to the list as well, and there’s no doubt these types of things
hurt Google when, during its expansion, it needs all the goodwill and trust it
Yesterday, Google Blogoscoped
about a strange post on Blogger Buzz, the
official blog for Google’s Blogger. It
turned out to
be a case of someone who writes for the Blogger Buzz accidentally posting
something meant for her personal blog on Blogger to the official one.
I can completely sympathize with this. About two weeks ago, I posted
something to the Search Engine Watch Blog that I meant for my personal blog
Daggle. Both use Movable Type, on completely
different systems. But I had browser windows open to both of them and just
picked the wrong one.
Unfortunately, the mistaken post (which is still up on Blogger Buzz for me)
comes about a week after the Official Google Blog was hacked with a
Add that to some other things, and people might be getting worried.
That’s certainly Michael Arrington’s view at TechCrunch. He
The fact that unauthorized document access is a simple password guess or
government “request” away already works against them. But the steady stream of
minor security incidents we’ve seen (many very recently) can also hurt Google
in the long run. Running applications for businesses is serious stuff, and
Google needs to be diligent about security.
Another minor incident came up this evening – a Google employee intended to
post on her personal blog and wrote on the official Google blog covering
Google product teams work in cells, which allows them to quickly launch and
iterate products. However, there could be a disadvantage to this as well with
regard to security, as there does not seem to be one central policy or
security group ensuring strict compliance across the entire company. Every
security incident damages Google’s credibility and reputation. Microsoft has
been dealing with security issues forever – Google may need to start fighting
the same war.
The post includes eight examples of security incidents since 2004. Some I
don’t agree with, but others I do — and there are more not on the list. I
posted about these at TechCrunch, but my comments aren’t showing yet (and
possibly didn’t go through properly). Here’s what I wrote:
Goodness knows I’m not going to defend them on a lot of this stuff. The
repeated problems with Blogger security are becoming absurd. Three strikes on
their own blog? But Mike, some perspective is probably in order.
Accidentally released Platypus? Sounds like Philipp has a contact at Google
that leaked it to him. I suppose that’s a security issue, but it’s not really
a user security issue. Lumping it in there doesn’t feel fair. And if you’re
going to do that, then any time someone from any company leaks you something,
you should be reporting that as a security breach from that company.
Some of the other items are iffy on the user security side. They left stuff
in a Writely doc, similar to how they left stuff in that analyst presentation
a few months before. Sloppy, yes. Security breach, no. Worthy of concern? Yes,
because sloppy there could mean sloppy elsewhere.
To add others to your list:
- December 2004:
Blocking Santy Worm
"Security is something that we have to have even more renewed focus on,"
Google said about the case
- Nov. 2005:
Hacked, Google Says
You note this above. To be fair, you’d have had to be so incredibly stupid
to make this happen. Really, really stupid.
- Nov. 2005:
Security Flaw With Google Sitemaps Stats
This was a fun one, allowed me to
for the US White House. Many others used it to see stats for other big
- Nov. 2005:
Security Issue Patched
Security company praises Google for reacting quickly.
- Feb. 2006:
Account Security Breach with Book Search
Another case where there’s a security flaw if you’re stupid. It’s somewhat
similar to saying credit cards have a flaw that if you give someone your
number, they might be able to buy things with it. At least in this case,
it’s more possible someone would send a URL rather than a specific
authentication code as with the Nov. 2005 case.
- March 2006:
They fixed it quickly.
- June 2006:
XSS Security Holes
Overall, I agree with you. These incidents hurt Google’s reputation and the
trust users may have with them. What I can’t tell is how they stack up in
trust compared to someone like Microsoft. I suspect they’re still well ahead
there. But it’s not "may need" to fight the war. They’re in that war now, and
every new app increases their exposure to exploits.