Archive for Google

Australia Finds Google Misled Users Over Data Collection

Posted in Commentary on April 16, 2021 by itnerd

Australia’s federal court found that Google misled users about personal location data collected through Android mobile devices between 2017 and 2018, the country’s competition regulator said Friday. That would qualify as a #Fail:

The Australian Competition and Consumer Commission (ACCC) — which launched legal proceedings against Google in 2019 — said the ruling was an “important victory for consumers” with regard to the protection of online privacy. Google misled Android users into thinking the search giant could collect personal data only if the “location history” setting was on, the ACCC said. The court found that Google could still collect, store and use personally identifiable location data if the setting for “web and application activity” was on — even if “location history” was turned off. “This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers,” ACCC Chair Rod Sims said in a statement.

Google is likely to appeal this. But this is a great decision that I hope that other countries copy. That would send a message that Google and other companies will notice. On top of that, I hope that Australia really lays the smack down on Google.

Google Voice Outage Caused By Expired Certificates…. REALLY?

Posted in Commentary on March 1, 2021 by itnerd

Back in mid-February, Google Voice went down for about four hours. That left users unable to log in and use their Google Voice accounts. That’s a problem if you rely on Google Voice. And a lot of people and companies do, given the times that we live in. Well, Google has released an incident report [Warning: PDF] and it is eyebrow-raising. The outage was caused by expired TLS certificates:

Google Voice uses the Session Initiation Protocol (SIP) to control voice calls over Internet Protocol. During normal operation, Google Voice client devices aim to maintain continuous SIP connection to Google Voice services. When a connection breaks, the client immediately attempts to restore connectivity. All Google Voice SIP traffic is encrypted using Transport Layer Security (TLS). The TLS certificates and certificate configurations used by Google Voice frontend systems are rotated regularly.

Due to an issue with updating certificate configurations, the active certificate in Google Voice frontend systems inadvertently expired at 2021-02-15 23:51:00, triggering the issue. During the impact period, any clients attempting to establish or reestablish an SIP connection were unable to do so. These clients were unable to initiate or receive VoIP calls during the impact period. Client devices with an SIP connection that was established before the incident and not interrupted during the incident were unaffected.

And this is what they are going to do to stop this from happening again:

To guard against the issue recurring and to reduce the impact of similar events, we are taking the following actions:

  • Configure additional proactive alerting for upcoming certificate expiration events.
  • Configure additional reactive alerting for TLS errors in Google Voice frontend systems.
  • Improve automated tooling for certificate rotation and configuration updates.
  • Utilize more flexible infrastructure for rapid deployment of configuration changes.
  • Update resource allocation systems to more efficiently provision emergency resources during incidents.
  • Develop training and practice scenarios for emergency rollouts of Google Voice frontend systems and configurations.

Now I expect a small or medium company to have issues keeping track of when certificates that power their infrastructure expire. But for a company the size of Google to have this issue is mind-blowing.

Chris Hickman, chief security officer at Keyfactor (www.keyfactor.com), a provider of cloud-first PKI as-a-Service and crypto-agility solutions, has this to say:

“An outage happens when expired certificates fail to authenticate or establish secure communication tunnels. A certificate expiration on its own is not necessarily a security response incident but is disruptive and can lead to outages like that experienced by Google Voice customers. Certificate expiration is an important mechanism to make sure certificates are still being issued to a valid system, similarly to why a driver’s license or passport needs to be renewed periodically. It offers a check and balance system, in the form of workflow and approvals, to maintain legitimacy and authorization. Changes implemented last year by the CA/B forum reduced the lifetime of an SSL/TLS certificate to 398 days and therefore has compounded the issue of keeping up with expiring certificates.

Recent research found that 73% of enterprise respondents experienced unplanned downtime and outages due to mismanaged digital certificates. More than half of those organizations said they experienced four or more certificate-related outages in the past two years. Service outages due to expired certificates are fairly common – and avoidable. Whether you’re a large enterprise or a small business, certificates expire. The key is maintaining visibility to every certificate on the network to stay ahead of expirations and renewals or better yet, using automation to ensure certificates are renewed prior to expiration without the need for human intervention.

These steps can help IT teams avoid similar outages and potential disruptions: 

  • Conduct an audit to understand how many digital certificates the organization has.
  • Build an inventory to identify where certificates live and what they’re used for. 
  • Document the hash algorithm they use and their overall health. 
  • Flag certificate expiration dates. 
  • Assign or note who owns every certificate.
  • Map the methods used to protect valuable code-signing certificates. 
  • Ensure a centralized method is used to securely update every certificate.”

Maybe Google should reach out to Keyfactor as clearly this is a weak point for them.
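The inventory steps listed above (record the hash algorithm, flag expiration dates, note an owner) can be sketched as a small audit script. This is an added example, not code from Google or Keyfactor; the inventory entries, the 30-day warning window and all names are constructed assumptions, with the first entry's expiry echoing the timestamp in the incident report (GMT assumed).

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30           # assumed alerting window, not a value from the article
MAX_LIFETIME_DAYS = 398  # certificate lifetime limit cited in the quote above
WEAK_HASHES = {"md5", "sha1"}

# Constructed inventory. The date strings use the format that Python's
# SSLSocket.getpeercert() returns; names, owners and locations are made up.
INVENTORY = [
    {"name": "voip-frontend", "location": "sip-lb-01:5061", "owner": "voice-sre",
     "sig_hash": "sha256",
     "notBefore": "Feb 16 00:00:00 2020 GMT", "notAfter": "Feb 15 23:51:00 2021 GMT"},
    {"name": "legacy-intranet", "location": "intranet-01:443", "owner": "",
     "sig_hash": "sha1",
     "notBefore": "Mar 10 00:00:00 2020 GMT", "notAfter": "Mar 10 00:00:00 2022 GMT"},
    {"name": "api-gateway", "location": "api-01:443", "owner": "platform",
     "sig_hash": "sha256",
     "notBefore": "Jan 10 00:00:00 2021 GMT", "notAfter": "Jan 10 00:00:00 2022 GMT"},
]


def parse_cert_time(value):
    """Convert a getpeercert()-style timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def audit(inventory, now, warn_days=WARN_DAYS):
    """Return {certificate name: [issues]} for every entry that needs attention."""
    findings = {}
    for cert in inventory:
        not_before = parse_cert_time(cert["notBefore"])
        not_after = parse_cert_time(cert["notAfter"])
        issues = []
        if not_after <= now:
            issues.append("EXPIRED")
        elif not_after - now <= timedelta(days=warn_days):
            issues.append("EXPIRING_SOON")
        if (not_after - not_before).days > MAX_LIFETIME_DAYS:
            issues.append("LIFETIME_OVER_LIMIT")
        if cert["sig_hash"].lower() in WEAK_HASHES:
            issues.append("WEAK_HASH")
        if not cert["owner"]:
            issues.append("NO_OWNER")
        if issues:
            findings[cert["name"]] = issues
    return findings


if __name__ == "__main__":
    # Run with the current time; pass a fixed datetime to replay a past date.
    for name, issues in audit(INVENTORY, datetime.now(timezone.utc)).items():
        print(f"{name}: {', '.join(issues)}")
```

Run on a schedule, the `EXPIRING_SOON` finding corresponds to the proactive alerting in Google's remediation list: it fires while there is still time to rotate.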

TELUS & Google Announce Strategic Alliance

Posted in Commentary on February 9, 2021 by itnerd

Google Cloud and TELUS today announced a strategic alliance to co-innovate on new services and solutions that support digital transformation within key industries, including communications technology, healthcare, agriculture, security, and connected home. The 10-year collaboration will also accelerate TELUS’ IT and network modernization initiatives, enabling further operational agility and supporting improved customer experiences. 

As part of the partnership, TELUS and Google will collaborate on the following initiatives:

  • Reimagining the future through co-innovation: Google Cloud and TELUS will generate new industry solutions and go-to-market strategies that will drive growth in adjacent industries, commencing with communications technology, healthcare, agriculture, security and automation. One of the areas of focus will be on redefining the way healthcare and agriculture solutions are delivered, increasing collaboration and efficiency between healthcare providers, providing consumers with fresher and healthier food by improving traceability, and enabling business customers to streamline their IT and network operations. Both companies will also collaborate on the evolution of entertainment and smart home technology, bringing state-of-the-art connectivity, control, and convenience to more families and businesses.
  • Accelerating TELUS’ digital transformation: TELUS will accelerate its public cloud adoption on Google Cloud’s enterprise platform to drive greater operational efficiency of its core IT and network infrastructure. Through this partnership, Google Cloud will also become one of TELUS’ partners in the delivery of 5G services and Multi-Access Edge Computing (MEC), which leverages Google Cloud’s managed application platform, Anthos. TELUS will utilize Google Cloud Contact Center AI to reinvent the customer experience, improving customer interactions and realizing significant savings. To increase growth opportunities, TELUS can expect enhanced agility, scalability, and reliability across its wireless and wireline services and numerous lines of business including security, agriculture and healthcare. 
  • Embracing sustainability and social responsibility: As recognized global leaders in corporate social responsibility, TELUS and Google Cloud will prioritize working together to improve the social, economic, environmental, and health outcomes for Canadians. TELUS and Google Cloud will strengthen their respective commitments to building a more sustainable world through technology by reducing TELUS’ carbon footprint, creating value along the entire supply chain for businesses significantly impacted by COVID-19, and optimizing industry solutions for social impact through data analytics and machine learning.

TELUS and Google will continue to partner with TELUS International, a digital customer experience (CX) innovator that designs, builds and delivers next-generation solutions for global and disruptive brands, to help enterprises achieve their digital transformation goals.

Microsoft Defender ATP is Detecting Yesterday’s Chrome Update As A Backdoor Trojan

Posted in Commentary on February 3, 2021 by itnerd

While there are some that say Google’s software is a backdoor to them gathering as much info on you as possible, this is the first time that I have ever heard of antivirus software actually flagging Google software as a backdoor trojan. Microsoft Defender Advanced Threat Protection (ATP), the commercial version of the ubiquitous Defender antivirus and Microsoft’s top enterprise security solution, is currently having a bad day and labeling yesterday’s Google Chrome browser update as a backdoor trojan:

The detections are for Google Chrome 88.0.4324.146, the latest version of the Chrome browser, which Google released last night. As per the screenshot [embedded in the linked story], but also based on reports shared on Twitter by other dismayed system administrators, Defender ATP is currently detecting multiple files part of the Chrome v88.0.4324.146 update package as containing a generic backdoor trojan named “PHP/Funvalget.A.” The alerts have caused quite a stir in enterprise environments in light of recent multiple software supply chain attacks that have hit companies across the world over the past few months. System administrators are currently awaiting a formal statement from Microsoft to confirm that the detection is a “false positive” and not an actual threat.

The consumer version isn’t behaving the same way. Thus my assumption is that this is a mistake by Microsoft in terms of its detection engine and we should have official confirmation of that at some point. Until then, the safe thing to do is to wait until Microsoft comments publicly on this just in case it is a real threat.

YouTube Has Extended Trump’s Suspension From The Platform….. Twice

Posted in Commentary on January 27, 2021 by itnerd

YouTube on Tuesday said it is extending its suspension of former President Donald Trump, who’s been banned from posting videos to his channel since Jan. 12. Comments on Trump’s videos will also remain disabled indefinitely. Apparently, this is the second time that they have extended his ban:

“In light of concerns about the ongoing potential for violence, the Donald J. Trump channel will remain suspended,” a YouTube spokesperson confirmed to CNET. “Our teams are staying vigilant and closely monitoring for any new developments.” YouTube first extended Trump’s suspension last week, saying it would reevaluate the situation in a week. The company gave no indication on Tuesday of how long the latest extension would last. 

YouTube has a three-strikes policy when it comes to policing its platform. Three infractions within a 90-day period results in being permanently kicked off the platform. The first strike typically comes with a one-week ban that prohibits the posting of new content. A second strike comes with a two-week ban.

To me, this sounds like Google, which owns YouTube, is trying to walk some sort of line. Clearly they think that Trump is a bad actor, but they don’t want to punt him from YouTube. So they extend this ban rather than Thanos snapping him out of existence. A bit of a weak response if you ask me. But I guess someone who makes a lot of money thought that this was the correct course of action.

Google Hasn’t Updated Its iOS Apps In Ages…. Is It Because Google Has Something To Hide?

Posted in Commentary on January 22, 2021 by itnerd

As of December 8, Apple has been requiring developers to provide privacy label information for their apps. The purpose is to outline the data that each app collects from users when it is installed. Many app developers have included the labels, but there’s one notable outlier. And that outlier is Google:

Google has not updated its major apps like Gmail, Google Maps, Chrome, and YouTube since December 7 or before, and most Google apps to date have not been updated with the Privacy Label feature. The Google Translate, Google Authenticator, Motion Stills, Google Play Movies, and Google Classroom apps do include privacy labels even though they have not been updated recently, but Google’s search app, Google Maps, Chrome, Waze, YouTube, Google Drive, Google Photos, Google Home, Gmail, Google Docs, Google Assistant, Google Sheets, Google Calendar, Google Slides, Google One, Google Earth, YouTube Music, Hangouts, Google Tasks, Google Meet, Google Pay, PhotoScan, Google Voice, Google News, Gboard, Google Podcasts, and more do not display the information.

On January 5, Google told TechCrunch that the data would be added to its iOS apps “this week or the next week,” but both this week and the next week have come and gone with no update. It has now been well over a month since Google last updated its apps.

You have to wonder what Google has to hide? Is it perhaps that their data harvesting activities are so invasive that if people knew what Google was actually doing, they’d dump Google apps en masse? This is why I don’t have Google apps on my iPhone 12 Pro. I simply don’t trust Google, and to be frank, neither should you. Especially given that there are alternatives to pretty much anything that Google offers.

BREAKING: Google Punts Parler From The Play Store

Posted in Commentary on January 8, 2021 by itnerd

Google has one-upped Apple. You see, Apple had threatened to remove Parler because of planning for the assault on the Capitol this past Wednesday. Google has now banned Parler for being an “ongoing and urgent public safety threat.”

“In order to protect user safety on Google Play, our longstanding policies require that apps displaying user-generated content have moderation policies and enforcement that removes egregious content like posts that incite violence,” a Google spokesperson told ZDNet today.

“All developers agree to these terms and we have reminded Parler of this clear policy in recent months.

“We’re aware of continued posting in the Parler app that seeks to incite ongoing violence in the US. We recognize that there can be reasonable debate about content policies and that it can be difficult for apps to immediately remove all violative content, but for us to distribute an app through Google Play, we do require that apps implement robust moderation for egregious content.

“In light of this ongoing and urgent public safety threat, we are suspending the app’s listings from the Play Store until it addresses these issues,” the spokesperson said.

I am no fan of Google, but this is the right thing to do and I applaud them for deep-sixing Parler. Now we’ll see if Apple will follow suit.

Google Sued By States for Abuse of Search-Market Dominance

Posted in Commentary on December 17, 2020 by itnerd

A bipartisan coalition of states sued Alphabet’s Google Thursday alleging broad antitrust violations in the online search market, marking the third U.S. case against the search giant in two months:

The lawsuit, led by Colorado, Iowa and other states, marks the latest escalation of the antitrust battle against Google. It comes a day after 10 Republican state attorneys general led by Texas sued the company for anticompetitive practices, and follows an October complaint by the Justice Department. “Combined with the other recent lawsuits filed against Google, never before have so many states and the federal government come together to challenge a company with such power,” Iowa Attorney General Tom Miller said in a statement. “Google has more data on consumers, and more variety of information, than perhaps any entity in history.” The lawsuit, filed by 38 attorneys general, accuses Google of illegally monopolizing internet search and search advertising through a series of anticompetitive contracts and conduct, hurting consumers and advertisers in the process.

Clearly the US Government is on an all out mission to go after big tech and anything that big tech does. That means that this lawsuit won’t be the last one that you will see. And it’s a safe bet that this isn’t going to change under the incoming Biden Administration.

So…. Am I The Only Person Who Finds That It’s Weird That Google Had An Extension To Exclude You From Their Ad Tracking?

Posted in Commentary on December 16, 2020 by itnerd

I tripped over a browser add-on that appears to be from Google that has this function according to them:

To provide website visitors with the ability to prevent their data from being used by Google Analytics, we’ve developed the Google Analytics opt-out browser add-on for websites using the supported version of Google Analytics JavaScript (analytics.js, gtag.js). 

If you want to opt out, download and install the add-on for your web browser. The Google Analytics opt-out add-on is designed to be compatible with Chrome, Internet Explorer 11, Safari, Firefox and Opera. In order to function, the opt-out add-on must be able to load and execute properly on your browser. For Internet Explorer, third-party cookies must be enabled. Learn more about the opt out and how to properly install the browser add-on here.

So, if I am not in favor of Google tracking my every activity, I need to install this add-on that I am somehow supposed to trust. That really doesn’t make sense to me as trusting Google to protect my privacy sounds like an oxymoron to me. And does the existence of this add-on mean that options such as Privacy Badger and uBlock Origin aren’t as effective? That isn’t clear. But the existence of this add-on from Google creates more questions than answers.

BREAKING: Gmail Is Having Some Sort Of Catastrophic Failure

Posted in Commentary on December 15, 2020 by itnerd

If you’re trying to send an email to a Gmail account, you are likely getting this error message:

550-5.1.1 The email account that you tried to reach does not exist.

This is to a valid Gmail address that I have been sending email to for years.

I have seen this since early this evening and Google confirms this on its services dashboard, writing at 1:30 PM Pacific that they’re impacting a “significant” number of users. But they also claim that the issues are resolved. However, I’m not seeing that as I still can’t send emails to Gmail users. So maybe Google is as premature as a virgin by declaring this as fixed. I’ll continue to watch this and update accordingly.

UPDATE: Gmail seems to be working as per this Tweet from Proton Mail: