Archive for Google

Google Left Some G Suite Passwords Unhashed For 15 YEARS…. WTF?

Posted in Commentary with tags on May 22, 2019 by itnerd

Google says a small number of its enterprise customers mistakenly had their passwords stored on its systems in plaintext. The exact number was not disclosed. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey:

The search giant disclosed the exposure Tuesday but declined to say exactly how many enterprise customers were affected. “We recently notified a subset of our enterprise G Suite customers that some passwords were stored in our encrypted internal systems unhashed,” said Google vice president of engineering Suzanne Frey.

Passwords are typically scrambled using a hashing algorithm to prevent them from being read by humans. G Suite administrators are able to manually upload, set and recover new user passwords for company users, which helps in situations where new employees are on-boarded. But Google said it discovered in April that the way it implemented password setting and recovery for its enterprise offering in 2005 was faulty and improperly stored a copy of the password in plaintext.

Google has since removed the feature.

No consumer Gmail accounts were affected by the security lapse, said Frey.

I’m sorry, but Google didn’t make a mistake. What you see here ladies and gentlemen is incompetence. This is a multi-billion dollar company failing at basic security and not finding their mistake for 15 years. Sorry, Google, you don’t get to claim anything but your own incompetence and stupidity when it comes to this security screw up.

#EpicFail

Advertisements

Google Slapped With $1.7 Billion Fine

Posted in Commentary with tags on March 20, 2019 by itnerd

European regulators have slapped Google with a $1.7 billion fine on charges that its advertising practices violated local antitrust laws:

Margrethe Vestager, the European Union’s top competition commissioner, announced the punishment at a news conference, accusing Google of engaging in “illegal practices” in a bid to “cement its dominant market position” in the search and advertising markets. The new penalty adds to Google’s costly headaches in Europe, where Vestager now has fined the tech giant more than $9 billion in total for a series of antitrust violations. Her actions stand in stark contrast to the United States, where regulators — facing a flood of complaints that big tech companies have become too big and powerful — have not brought a single antitrust case against Google or any of its peers in recent years, reflecting a widening transatlantic schism over Silicon Valley and its business practices.

For those keeping score at home, that’s the third time in three years that they’ve been hit by fines by the EU for bad behavior. At this point if you’re Google you have to wonder what you have to do to stop this from happening. If I were running the company, maybe I would start with altering the company’s behavior as it has to be clear to anyone that they are clearly doing something either wrong or something that goes against their meaningless mantra of “do no evil “.

Google Announces Stadia Gaming Service

Posted in Commentary with tags on March 19, 2019 by itnerd

Google today launched its Stadia cloud gaming service at the Game Developers Conference (GDC) in San Francisco.

Stadia is not a dedicated console or set-top box. The platform will be accessible on a variety of platforms: browsers, computers, TVs, and mobile devices. In an onstage demonstration of Stadia, Google showed someone playing a game on a Chromebook, then playing it on a phone, then immediately playing it on PC — a low-end PC, no less –, picking up where the game left off in real time. Stadia will be powered by Google’s worldwide data centers, which live in more than 200 countries and territories, streamed over hundreds of millions of miles of fiber optic cable, Google CEO Sundar Pichai said.

Phil Harrison, previously at PlayStation and Xbox, now at Google, said the company will give developers access to its data centers to bring games to Stadia. Harrison said that players will be able to access and play Stadia games, like Assassin’s Creed Odyssey, within seconds. Harrison showed a YouTube video of Odyssey featuring a “Play” button that would offer near-instant access to the game. Pichai announced the new platform at the Game Developers Conference, saying that Google want to build a gaming platform for everyone, and break down barriers to access for high-end games.

Users will be able to move from YouTube directly into gameplay without any downloads. Google says this can be done in as little as 5 seconds. At launch, Stadia will stream games at 4k resolution, but Google claimed in the future it will be able to stream at a video quality of 8k.

Here’s the catch, will this service be around in the long term given that Google has a habit of abandoning stuff. But I guess we’ll find out as I can’t blame them for wanting to jump into this space.

Do You Have A Nest Secure? There’s A Hidden Mic That Google Never Told You About

Posted in Commentary with tags on February 20, 2019 by itnerd

From the “so much for do no evil” file comes the disclosure by Google of a microphone on their Nest Secure which was meant to be used with Google Assistant:

Apparently this could be enabled or disabled at any time via the Nest mobile app, and via this blog post it further explained that it was an opt-in feature, and that customers will receive email explaining how to activate it.

One slight problem, this wasn’t disclosed for over 18 months. Thus people who bought the Nest Secure without knowing that there was a microphone present. And during those 18 months or so the potential existed for the bad guys, hackers or whomever to hack in and listen in.

Not cool Google. Not cool.

The fact is that if your IoT device secretly contained a microphone, which was previously undocumented, would you be happy when the device maker announced an over-the-air update that can enable the microphone? Of course not. You should be enraged and call for heads to roll. Now Google does admit that they screwed up, but it wasn’t intended to be a secret. But that will do little to calm people who own one of these devices and discovered this added feature.

By the way, you have to wonder how many other IoT devices have similar “features.”

Google Has Access To Apple’s Enterprise Certificates Again

Posted in Commentary with tags , on February 1, 2019 by itnerd

It appears that Google much like Facebook before it has left the “sin bin” as Apple has restored the company’s access to enterprise certificates. The ones that got them into so much trouble when they were caught using them to sideload applications outside the app store. This was confirmed by Tech Crunch and by this tweet:

I would have liked to have been a fly on the wall of that conversation as one has to wonder what was said and what Google had to do to make nice with Apple. In any case, like the tweet says, all is well with the world. Except that it isn’t as I fully expect other companies to be “sin binned” by Apple as it’s a safe bet that Apple is taking a very deep look at their enterprise certificate program to find anyone more companies who are flouting the rules.

Apple Lays The Smack Down On Google For Abusing Enterprise Certificates

Posted in Commentary with tags , on January 31, 2019 by itnerd

That escalated quickly.

Not more than 24 hours ago it came to light that Facebook was not the only one abusing Apple enterprise certificates, but Google was doing that as well and for a much longer amount of time. In the case of the former, Apple revoked their enterprise certificate which is causing chaos within Facebook. Now it appears that Google has had their enterprise certificate revoked by Apple:

Apple has now shut down Google’s ability to distribute its internal iOS apps, following a similar shutdown that was issued to Facebook earlier this week. A person familiar with the situation tells The Verge that early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps have stopped working today, alongside employee-only apps like a Gbus app for transportation and Google’s internal cafe app.

“We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” says a Google spokesperson in a statement to The Verge. Apple also appears to be working more closely with Google to fix this situation. “We are working together with Google to help them reinstate their enterprise certificates very quickly,” says an Apple spokesperson in a statement to BuzzFeed.

From the above statements, it sounds moderately more cordial than the Facebook situation. But if I am a betting man, I am guess that there’s a lot of one way conversations going on with the one way being from Apple to Google. Hopefully they along with other companies get the message that tis behavior isn’t acceptable.

Google Pulls A Facebook By Using Enterprise Certificates To Bypass App Store

Posted in Commentary with tags , on January 31, 2019 by itnerd

Clearly the use of Apple’s enterprise certificates to bypass the App Store so that one can load any piece of software they want onto their iDevice is a bigger problem than Facebook. I say that because Google has been caught doing a version of what Facebook was caught doing. According to TechCrunch, Google has been distributing an app called “Screenwise Meter” using the enterprise certificate installation method since 2012. Google has apparently been privately inviting users aged 18 and up (or 13 for those part of a family group) to download Screenwise Meter, an app that is designed to collect information on internet usage, including details on how long a site is visited to apps that are downloaded. The Screenwise Meter app that Google uses lets users earn gift cards for sharing their traffic and app data. It is part of Google’s Cross Media Panel and Google Opinion Rewards programs that provide rewards to people for installing tracking software on their smartphones, web browsers, routers, and TVs. Or put another way, they were paying people without actually handing out cash the way Facebook was.

So much for Google’s motto of “do no evil.” But to be fair, the ship has sailed on that motto years ago.

And there’s this little detail about the app:

Putting the not-insignificant issues of privacy aside — in short, many people lured by financial rewards may not fully take in what it means to have a company fully monitoring all your screen-based activity — and the implications of what extent tech businesses are willing to go to to amass more data about users to get an edge on competitors, Google Screenwise Meter for iOS appears to violate Apple’s policy.

And to nobody’s surprise, once this became public, this happened:

So now that’s two companies who have been playing fast and loose with Apple’s enterprise certificates. One has to think that more companies are doing exactly the same thing. The question is how many are doing the same thing and how bad is this going to get?