EYE ON SECURITY

The World of Secure Development.

November 2007

So the rumors over Google's online storage ambitions continue to swirl, stirred this time by a report in the Wall Street Journal that cites its sources as "people familiar with the matter." You sort of get the impression that WSJ reporters had to meet their shadowy sources in a darkened Silicon Valley parking garage in order to glean this bit of news.

Questionable sources aside, I don't need much convincing that Google is planning some sort of "GDrive" to compete with the online personal data storage currently offered by Microsoft, AOL, Apple and others. It's a logical move if your ambition is to move the bulk of users' computing experience onto the web. I have no doubt Google could do it well -- probably better than anyone else, actually.

But wow, do you have to have a high level of trust in any organization if you're going to start storing your personal files en masse on someone else's servers, especially when part of the infrastructure of said system includes a file-sharing capability, and when those files are going to be potentially read by an indexing program to make them searchable (one hopes, only to you).

I'm sure Google plans to lock this down as tight as they possibly can. I can also hear a chorus of "online data storage is the future, man -- get used to it" building in the world of tech punditry. But color me reluctant. I've used Google Docs and Spreadsheets almost since the day it was introduced (I was a JotSpot user before Google bought it), but never have I put any information up that could get me in trouble or allow someone access to my personal information. If I were to start using an online service to replace some of the need for my hard drive, I would necessarily start being more indiscriminate about what got stored there. Even if you try to be careful, your sensitive data will begin to migrate online the more you depend on such storage.

Can that data be secured as well as it can on your hard drive? I just don't think it can. It's going to make a tempting target for hackers: all that juicy personal data hanging from Google's tree of knowledge, waiting to be plucked. Whereas my hard drive is pretty hard to get to: It rarely leaves my house, and it's secured on a machine that offers no file sharing services, listens on no ports, and is itself hidden away behind a pretty tight network firewall. Furthermore, my drive is just one person's information. If someone cracks the Google system, they're potentially able to access the data of thousands or millions of people.

At some point we have to ask ourselves just how good our security technology can ever be. At best, we can stay one step ahead of data thieves. We're all just one slip-up away from a break-in. So maybe sometimes the question we should be asking is not "How can we secure this data?" but instead "Do I really need to expose this data to risk?".

Even Google's own internal information doesn't always stay secure. The last paragraph of the WSJ story claims, with no apparent awareness of irony, that:

A document Google inadvertently released on the Web in March 2006 said it was moving toward being able to "store 100% of user data," citing "emails, Web history, pictures, bookmarks" as a few examples.

"Inadvertently"? As in "unintentionally"? The point being that Google is an organization made up of flawed humans who will someday, inevitably, spill the contents of your hard drive onto a public sidewalk.

Posted by Kevin Carlson at 12:04 PM  Permalink |

Given that much of the recent growth in the Firefox user base has come at the expense of Microsoft due to security problems with Internet Explorer, I don't find it surprising at all that Mozilla continues to bet on security enhancements as a big selling point for Firefox. The long-anticipated beta of Firefox 3 is now out, and the Firefox developers have kept the security momentum going.

The list of enhancements to the browser is fairly extensive, but you'll notice that the security enhancements top the list. From the release notes:

• One click site info: Click the site favicon in the location bar to see who owns the site. Identity verification is prominently displayed and easier to understand. In later versions, Extended Validation SSL certificate information will be displayed.

• Malware Protection: malware protection warns users when they arrive at sites which are known to install viruses, spyware, trojans or other malware. You can test it here (note: our blacklist of malware sites is not yet activated).

• New Web Forgery Protection page: the content of pages suspected as web forgeries is no longer shown. You can test it here.

• New SSL error pages: clearer and stricter error pages are used when Firefox encounters an invalid SSL certificate.

• Add-ons and Plugin version check: Firefox now automatically checks add-on and plugin versions and will disable older, insecure versions.

• Secure add-on updates: to improve add-on update security, add-ons that provide updates in an insecure manner will be disabled.

• Anti-virus integration: Firefox will inform anti-virus software when downloading executables.

• Vista Parental Controls: Firefox now respects the Vista system-wide parental control setting for disabling file downloads.
  

What I like about most of these features is that many of them are focused on not just preventing mischief, but on informing the user. Better feedback to the user about security I think works in an application's favor. Of course, "better" should not be equated with "more." Firefox seems to be on the right track here — explicitly warning users when necessary, but otherwise, putting the security information where users can get at it, but not presenting it in a way that forces them to swat away dialog and warning boxes every five minutes.

So, kudos to Mozilla. But there's always a catch. In this case, it's the fact that, by Mozilla's own estimate, this new version of Firefox represents two million new or changed lines of code. That's an awfully big landscape for new bugs to hide in. And some of those bugs are bound to be security related. But hey, that's what beta testing is all about, right?

Posted by Kevin Carlson at 10:52 AM  Permalink |