September 22, 2007. There are two recent articles on Slashdot that I wanted to chat about for a moment. The first discusses MediaDefender's deception. The second discusses GHOle exploits. Both of these articles discuss Gmail, a popular web-based email tool. I myself use Gmail because of its interface. I'd warrant that if there were an open-source equivalent available, I would not use Gmail, as I have my own domain. That point aside, I would like to briefly make a point about security.
What amazed me was that the underlying security flaw in the MediaDefender article was never mentioned by the top commentators. What happened in the MediaDefender article was that an executive of that company had all of his corporate email forwarded to his Gmail account. I have read elsewhere that people recommend this practice. Please think about this: you are willingly sharing your company's intellectual property, and perhaps even trade secrets, with a company whose primary mission is data mining. After all, when you view your Gmail contents, Google offers targeted advertisements. What else are they doing with the proprietary information you are sharing?
The second problem with the MediaDefender article rests with the fact that the victim of the invasion used the same password on multiple sites. If you are going to use the same password on many sites, at least restrict that password to sites whose compromise will cause you no direct harm or invasion. It is more disconcerting that the invasion happened because the victim used the same password on a BitTorrent site. This is disconcerting because it means that the BitTorrent password is stored in the clear, rather than encrypted, in the database. Technically, that is a passcode, not a password. However, this means that all other users of that BitTorrent site (is this a protocol-wide flaw?) are likewise vulnerable to invasion or identity theft.
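As an added illustration (not part of the original post), the two storage designs side by side: a record that holds the password itself, and a salted, iterated hash that a leaked database does not turn into a credential reusable on other sites. The user name and password below are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample credential: a user who reuses one password everywhere.
USERNAME = "example_user"
PASSWORD = "reused-everywhere-2007"


def store_in_clear(password: str) -> dict:
    """The weak design the post describes: the record holds the password itself,
    so anyone who reads the database can try it on every other site the user has."""
    return {"user": USERNAME, "secret": password}


def store_hashed(password: str, iterations: int = 100_000) -> dict:
    """Hardened form: a random per-user salt plus a slow key-derivation digest.
    A leaked record reveals salt and digest, but not the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {
        "user": USERNAME,
        "salt": salt.hex(),
        "iterations": iterations,
        "digest": digest.hex(),
    }


def verify(record: dict, attempt: str) -> bool:
    """Login check against a hashed record, using a constant-time comparison."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def reusable_secret_from_leak(record: dict):
    """What a database leak hands an attacker: the password itself for an
    in-the-clear record, nothing directly reusable for a hashed one."""
    return record.get("secret")


if __name__ == "__main__":
    print("clear-text leak exposes:", reusable_secret_from_leak(store_in_clear(PASSWORD)))
    hashed = store_hashed(PASSWORD)
    print("hashed leak exposes:", reusable_secret_from_leak(hashed))
    print("login with right password:", verify(hashed, PASSWORD))
```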
As for the Gmail security flaws, this is likewise alarming. However, the advantage is that the single sign-on feature offered by Google is centralized. That allows Google to heal its black eye by quickly fixing the flaws. I anticipate a report to come out where Google has resolved this problem. However, as for passcodes and BitTorrent, I am glad I never used one of those peer-to-peer protocols.
Copyright © 1997-2010 Benjamin C. Wilson · All Rights Reserved.