Security


Privacy & Security & Sillycon Valley Biz | 06 Jun 2006 03:04 pm

Today Google launched “Google Spreadsheets,” the latest in a long line of ideas tossed out the door before it was done cooking — I think the term is “half-baked” — and slapped with the “beta” complaint-deflector. Already the uncritical fawning has begun, with predictions of mass self-immolations in Redmond, WA, soon to follow.

According to C|Net’s News.com, it’s Google’s intent to make Microsoft quake in its boots, fearing that an advertising-littered web-based spreadsheet will be more attractive to consumers than Microsoft’s overpriced Office suite. So the theory goes, once Google can win over millions of consumers, enterprises will be forced to adopt it, and then the days of the villainous paperclip will finally be over.

Setting aside for a moment the abysmal history of consumer-oriented web companies who tried to create enterprise versions of their products, I think the deeper question is: Who in their right mind would trust their critical personal and financial data to the data mining machinery of Google? And assuming you could find individual takers, what company would do the same?

Google makes its money by sifting through the world’s data and dotting it with advertisements. Assuming you want to be bombarded with ads while you’re wrestling with some amortization formula (and no doubt thinking to yourself, “wow, a mocking advertisement for lessons in using spreadsheets would be handy right about now!”), all that data will be residing on Google’s servers, where it can be sifted through looking for advertising opportunities.

Even if you assume that Google keeps true to its “don’t be evil” mantra, there’s still the small matter that systems get hacked, employees get greedy and larcenous, and government investigators get overzealous and demand service providers keep data for two years.

Will that data include your “undos”? Think about the time when you entered bogus tax data into a spreadsheet, just to see what your finances would look like if you didn’t report some extra taxable income. Would that be introduced as evidence of intent to defraud?

What if their algorithms, while searching through your spreadsheet to find relevant ads to serve, discover you have indeed been cheating on your taxes? Will they serve up ads for tax attorneys and bail bondsmen before the Feds come after you? Will they know the Feds are coming because they turned over your records to the IRS in one of the government’s regular subpoena “fishing expeditions” and illegal warrantless search and surveillance schemes?

These are not insignificant questions, and Google doesn’t have a track record of inspiring faith in their foresight and thoughtfulness on the tough questions of how data will stay private and secure. These are critical questions that Google will have to answer, not only to the satisfaction of clueless consumers and analysts but also to corporate privacy and security experts, before Google Spreadsheets can be taken as a credible alternative — much less a threat — to Microsoft Excel.

Privacy & Security | 27 Oct 2005 04:13 pm

According to News.com, two researchers at the SANS Institute have discovered a problem with the security architecture of Oracle’s database software, allowing them to easily obtain the passwords of database users.

The technique Oracle uses to store and encrypt user passwords doesn’t provide sufficient security, said Joshua Wright of the SANS Institute and Carlos Cid of Royal Holloway College, University of London. Wright gave a presentation on the matter Wednesday at the SANS Network Security conference in Los Angeles. … Wright and Cid identified several vulnerabilities, including a weak hashing mechanism and a lack of case preservation–all passwords are converted to uppercase characters before calculating the hash.

In its rivalry to be bigger and better than Microsoft, Oracle has cut some of the same kinds of security corners. According to the article, Oracle has been increasingly scrutinized, and criticized, for a lax security architecture and failure to release security patches in a timely manner.