Schneier on Security
A blog covering security and security technology.
« Behavioral Assessment Profiling |
| Universal Surveillance Doesn't Make Us Safer »
November 29, 2004
Desktop Google Finds Holes
Google's desktop search software is so good that it exposes vulnerabilities on your computer that you didn't know about.
Last month, Google released a beta version of its desktop search software: Google Desktop Search. Install it on your Windows machine, and it creates a searchable index of your data files, including word processing files, spreadsheets, presentations, e-mail messages, cached Web pages and chat sessions. It's a great idea. Windows' searching capability has always been mediocre, and Google fixes the problem nicely.
There are some security issues, though. The problem is that GDS indexes and finds documents that you may prefer not be found. For example, GDS searches your browser's cache. This allows it to find old Web pages you've visited, including online banking summaries, personal messages sent from Web e-mail programs and password-protected personal Web pages.
GDS can also retrieve encrypted files. No, it doesn't break the encryption or save a copy of the key. However, it searches the Windows cache, which can bypass some encryption programs entirely. And if you install the program on a computer with multiple users, you can search documents and Web pages for all users.
GDS isn't doing anything wrong; it's indexing and searching documents just as it's supposed to. The vulnerabilities are due to the design of Internet Explorer, Opera, Firefox, PGP and other programs.
First, Web browsers should not store SSL-encrypted pages or pages with personal e-mail. If they do store them, they should at least ask the user first.
Second, an encryption program that leaves copies of decrypted files in the cache is poorly designed. Those files are there whether or not GDS searches for them.
Third, GDS' ability to search files and Web pages of multiple users on a computer received a lot of press when it was first discovered. This is a complete nonissue. You have to be an administrator on the machine to do this, which gives you access to everyone's files anyway.
Some people blame Google for these problems and suggest, wrongly, that Google fix them. What if Google were to bow to public pressure and modify GDS to avoid showing confidential information? The underlying problems would remain: The private Web pages would still be in the browser's cache; the encryption program would still be leaving copies of the plain-text files in the operating system's cache; and the administrator could still eavesdrop on anyone's computer to which he or she has access. The only thing that would have changed is that these vulnerabilities once again would be hidden from the average computer user.
In the end, this can only harm security.
GDS is very good at searching. It's so good that it exposes vulnerabilities on your computer that you didn't know about. And now that you know about them, pressure your software vendors to fix them. Don't shoot the messenger.
This article originally appeared in eWeek.
Posted on November 29, 2004 at 11:15 AM
• 15 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Just to echo Dan's point, the underlying problem is the operating system. When Microsoft started on New Technology, the lead designer wanted to make "A better Unix than Unix".
A nice objective to go for, however MS had too much invested in "MS-DOS" and "16 bit Windows" so the OS had to be able to support 99% of the legacy software without breaking it. Due to the complexity of this and the limited resources of the time NT started to develop an "all in one basket" approach which might originally have had clear interfaces within it but they quickly became blured and out of sight.
Another problem was the "single user" attitude, that the Personal Computer engendered that got carried forward into NT (remember the old joke about NT being C2 secure provided there was no floppy and network connected).
Untill recently MS had no incentive to sort out the mess NT had become, it was full steam ahead with bells and whistles. The result was that security was all but ignored so much so that in versions of NT it was not possible to know that a process was actually running on the machine if the process decided not to broadcast it was there.
Was this MS's fault (partly) but you need to remeber that companies who put the effort into security usually went out of business as their products did not develope at the speed users expected them to. The message was clear to most organisations "security does not pay in the market place" so they activly avoided it.
The result we have an OS that still tries to support 20 year old applications that where designed for an insecure, resource limited, single user, single tasking, 16Bit OS...
Sorting it out is a bit like the old joke about the farmer being asked the way to somewhere, after some carefull thought he replies "If I was you I wouldn't start from here". Unfortunatly MS does not have this option the market place won't let it start from scratch.
It has becom fairly clear that Business is happy with XP and 2000/2003 and has no intention of upgrading any time within the next five years. MS needs a very large pile of cash going through the door just to keep the lights on.
MS have a real problem (and so do we all) put simply,
1. It's OS's have gone as far as it's main
2. It gets a lot of bad publicity about the
OS's and their security,
3. The market says security does not pay,
4. There are several non MS OS's available
for nothing, some of which have a lot less
in the way of security issues,
5. The functionality of non MS application
software (some of it free) has the features
most people want and used only to get from MS,
6. MS's need for cash each year exceeds the GDP
of a hundred or so countries.
This is a significant problem for MS and us as consumers in the market place. I am not sure where MS is going to go but I would expect to see,
A. More FUD
B. More litigation by proxie
C. More direct litigation
D. More preasure on law makers world wide
for new laws for things like patents,
copyright, reverse engineering etc.
E. Other "protective" measures such as the
"Trusted Computing" initiatives.
None of which are good for the market place or inovation.
Mad as it might be to some people we need to support MS to get security into their OS's and we need to convince the market place that security does need to be there and payed for.
In many ways security is like the roads we drive on, if roads are either not there or of poor quality we go nowhere slowly and are horizons are very limited.
We generally pay for roads through the "commons" ie central and regional taxation, unfortunatly there is no mechanisum like this in place for software security.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.