It's the same as everywhere else...

Posted Dec 16, 2010 15:28 UTC (Thu) by khim (guest, #9252)
In reply to: Storm clouds by paulj
Parent article: Storm clouds

It seems like Google has very poor granularity in the systems that control & monitor access to their users' data. That basically all engineering/sysadmin staff get access to all user data.

Citation needed! Seriously.

Most articles about David don't forget to mention that he was "a member of an elite technical group"... but actually he was not. He was a mere "Site Reliability Engineer" - but his work was specifically to keep GMail running.

If you think there is no one at Amazon or Rackspace who has a similar level of access then you are sorely mistaken: it's very hard to troubleshoot a system if you don't have root access on the problematic system. And if you have root access you can add all kinds of monitoring-circumventing tools.


It's the same as everywhere else...

Posted Dec 17, 2010 15:03 UTC (Fri) by paulj (subscriber, #341)

1. You say "citation needed!", presumably on poor access-control, but then note Barksdale was a "mere" SRE. Well, if a general admin has access to all user-data, doesn't that demonstrate the poor access-control?

2. Why mention other companies? I never did. Unless you're trying to offer an "everyone has poor access control" defence, which isn't a very good one. Am I aware certain problems require very wide powers to fix? Well, duh, yes. Does that technically mean that *all* admins, regardless of their function, must have access to these highly-empowered roles? Of course not. More usefully, is it economically worth it to Google to take the cost of building more fine-grained access controls and better auditing into their systems? Well, that depends on whether or not sufficient users are concerned enough about this to avoid entrusting their data to Google if they don't address the apparent AAA problem they have wrt their staff and their users' data.

It's the same as everywhere else...

Posted Dec 17, 2010 17:27 UTC (Fri) by khim (guest, #9252)

You say "citation needed!", presumably on poor access-control, but then note Barksdale was a "mere" SRE.

Yup. Is there a contradiction? Please read the whole sentence again: "He was a mere "Site Reliability Engineer" - but his work was specifically to keep GMail running". The important part is after the dash - and you ignore it completely.

Well, if a general admin has access to all user-data, doesn't that demonstrate the poor access-control?

Agree 100%. If a "general admin" has access to the user data then there is a big problem. But David was not a "general admin". He was a GMail SRE. His work basically was to troubleshoot GMail servers and keep them running. I know of no companies (beyond the military) where the mail server admin cannot read e-mail on said mail server. Few think they have such protection, but none actually do. Audit logs help if you need to prove that someone did the wrong thing (how do you think Google was able to fire David?), but they rarely help to prevent break-in attempts from authorized personnel.

More usefully, is it economically worth it to Google to take the cost of building-in more fine-grained access controls and better auditing in to their systems?

Once again: why do you think Google does not have such a system? To prevent incidents like the one discussed you need to have a system where even "root" does not have access to the whole information on the system - and while it's possible to design and implement such systems (the military does it, after all), it's very expensive and goes far beyond "fine-grained access controls".

It's the same as everywhere else...

Posted Dec 18, 2010 13:46 UTC (Sat) by paulj (subscriber, #341)

Of course email system admins can read email. Barksdale, despite his role, had access to *more* than just GMail data though. He was able to snoop on and reset user-blocks in Google Chat, and access Google Voice logs, according to reports. If I read between the lines of the reports, it seems he also had unfettered access to the user account systems. Note that it is far from clear that Google's auditing systems played much part even in substantiating the claims against him and his dismissal - they didn't help in catching him, it seems.

If your gripe with my original comment is that email admins technically effectively MUST also have access to IM, VoIP and user-ac systems, or even root-level systems access, then I disagree.

No doubt there are efficiency and integration arguments to be made for why GMail admins should have access to lots of non-GMail data. Those arguments must be balanced against the impact on user privacy. Further, Google are extremely secretive about how they operate. So while Google gave assurances that they were continually improving their AAA systems in the wake of the Barksdale affair, we generally do not know what those improvements are or how effective Google's systems for protecting user privacy are.

So to answer your question: Neither I nor any other Google user can know what systems Google have. That's part of the user-privacy problem! We do however know those systems were very weak in the past. Further, the economics mean that it is not in Google's interest to put in strong, internal AAA controls unless users care a lot about this issue (and I think most still don't).

Note that I'm *not* making a qualitative judgement per se. If the vast majority of users (actual and potential) don't care about this issue, then why should Google go to the expense? All I did was give a *factual* counter-example to the original commentator's claim that "Google" did not read users' data (at least some rogue SREs have) and make the *factual* statement that access control granularity has, given the reports, been shown to be "poor" at some point in the past (poor in the sense of a lack of granularity, but I admit the loading on that word perhaps made it a bad choice).
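The two positions in the thread above (khim: audit logs substantiate misuse after the fact but rarely prevent it; paulj: a mail-service admin need not also hold access to chat, voice and account systems) can be shown side by side in a small authorization model. This is an added example written for this page, not code from the thread or from any Google system; the service names, role names, principal `op1`, the wildcard grant syntax and the request sequence are all constructed here. It replays one mail SRE's requests against a coarse policy, where the `mail-sre` role is granted every service, and against a scoped policy, where each operator role is confined to the service it keeps running. Both policies write the same audit trail; only the scoped one returns deny decisions.

```python
"""Role-scoped authorization with an audit trail (constructed example).

Compares a coarse policy, in which the mail SRE role carries access to every
service, with a scoped policy in which each operator role is limited to the
service it keeps running. Both policies record every decision, so the audit
trail shows what happened either way; only the scoped policy's deny decisions
actually stop the cross-service reads.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Dict, List, Set, Tuple

# A policy maps a role to a set of "service:action" grants. "*" wildcards use
# fnmatch semantics, so "*:*" grants everything.
Policy = Dict[str, Set[str]]

# Service, role and principal names are hypothetical, constructed for this
# example; they are not taken from any real deployment.
COARSE_POLICY: Policy = {
    "mail-sre": {"*:*"},  # one grant covers mail, chat, voice and accounts
}

SCOPED_POLICY: Policy = {
    "mail-sre": {"mail:*"},
    "chat-sre": {"chat:*"},
    "voice-sre": {"voice:*"},
    "account-admin": {"accounts:read", "accounts:reset"},
}


@dataclass
class AuditEntry:
    when: str
    principal: str
    role: str
    service: str
    action: str
    target: str
    allowed: bool


@dataclass
class Authorizer:
    policy: Policy
    audit: List[AuditEntry] = field(default_factory=list)

    def check(self, principal: str, role: str, service: str,
              action: str, target: str) -> bool:
        """Decide one request and record it in the audit trail, allowed or not."""
        grants = self.policy.get(role, set())
        request = f"{service}:{action}"
        allowed = any(fnmatchcase(request, g) for g in grants)
        self.audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), principal, role,
            service, action, target, allowed))
        return allowed


# Constructed request sequence from one mail SRE: a legitimate mail debug
# followed by the kinds of cross-service access the thread's posts describe.
REQUESTS = [
    ("op1", "mail-sre", "mail", "debug", "mailbox:alice"),
    ("op1", "mail-sre", "chat", "read", "conversation:alice"),
    ("op1", "mail-sre", "chat", "unblock", "alice->op1"),
    ("op1", "mail-sre", "voice", "read", "calllog:alice"),
    ("op1", "mail-sre", "accounts", "reset", "user:alice"),
]


def replay(policy: Policy) -> Tuple[List[bool], List[AuditEntry]]:
    """Run REQUESTS against a policy; return the decisions and the audit trail."""
    authz = Authorizer(policy)
    decisions = [authz.check(*req) for req in REQUESTS]
    return decisions, authz.audit


def out_of_scope_access(audit: List[AuditEntry],
                        home_service: str) -> List[AuditEntry]:
    """After-the-fact review: allowed accesses outside the operator's own service."""
    return [e for e in audit if e.allowed and e.service != home_service]


if __name__ == "__main__":
    for name, policy in (("coarse", COARSE_POLICY), ("scoped", SCOPED_POLICY)):
        decisions, audit = replay(policy)
        flagged = out_of_scope_access(audit, "mail")
        print(f"{name}: decisions={decisions}, audit entries={len(audit)}, "
              f"out-of-scope accesses allowed={len(flagged)}")
```

Under the coarse policy every request is allowed and the review function finds four out-of-scope accesses only once they have already happened; under the scoped policy the same four requests are denied at decision time, and the audit trail still records the attempts, which is the kind of record that would have supported a dismissal either way.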

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds