Google wants to speed up a key part of the Internet's inner workings called the Domain Name System and is inviting technically savvy folks to try their ideas out.
CNET News Poll
The DNS is a crucial part of the Internet. It converts the text addresses people can remember into the numeric Internet Protocol addresses actually used to locate information on the Internet. For example, CNET.com's IP address is 216.239.122.102.
When you visit a Web page, a DNS server that's part of a vast distributed network often must perform that conversion--called resolving a host--many times. With the Google Public DNS service, Google wants to be that server.
"Our research has shown that speed matters to Internet users, so over the past several months our engineers have been working to make improvements to our public DNS resolver to make users' Web-surfing experiences faster, safer, and more reliable," said product manager Prem Ramaswami in a blog post introducing the Google Public DNS service.
Google's search service already has made it central to the workings of the Internet. If its DNS service becomes popular, Google could become even more significant.
For those who want to give it a whirl, Google posted instructions on using the Google Public DNS service. For those worried about what traces your Web surfing will leave in Google's records, check the Google DNS privacy page.
... Read more
With most computers threatened by attacks coming through Web applications, it's no surprise that security would be a key piece of Chrome OS, Google's browser-based operating system that stores data in the cloud.
In this video, Google security engineer Will Drewry explains how Chrome OS separates user data from root or system data, which makes the system more secure and easier to re-install the operating system.
(Credit: Google)Google showed off its new lightweight operating system designed for Netbooks and cloud computing on Thursday. As anticipated, it will rely on many of the same security features and concepts used by the Chrome browser.
"The browser is the operating system. We've expanded the browser to add operating system functionality," Caesar Sengupta, a group product manager at Google, said in an interview.
Chrome OS uses a combination of operating system-level protections and exploit mitigation techniques to limit the attack surface, or amount of code that can be targeted in an attack, and to reduce the likelihood of an attack being successful. "The biggest security impact is that all applications run within the browser," Sengupta said.
Chrome relies heavily on sandboxing, keeping different processes and applications in separate partitions. This limits the interaction between applications and the OS kernel.
For example, with conventional operating systems, if an application crashes, it can crash or otherwise affect other programs that are running, Sengupta said. "But if everything is sandboxed, that becomes more difficult to do," he added.
Many systems are compromised by deceptive attacks, such as when a user opens an innocent-looking PowerPoint file which unleashes a virus or other malware that can get access to everything on the computer.
With Chrome, "applications can't just download any binary and run it," Sengupta said.
Chrome has a verified boot process that uses cryptography to ensure that the Linux kernel, the nonvolatile system memory, and the partition table are not tampered with when the system starts up, according to a security overview of Chrome. (Google security engineer Will Drewry explains the security concepts of Chrome OS in a video on YouTube.)
"Right now, on your conventional operating system, any kind of process can run, which makes it difficult to predict what any process will do," Sengupta said. "On Chrome, because the whole operating system is essentially signed by Google, there is a lot we can do to make it secure."
If an application manages somehow to break out of the browser sandbox, to get through the kernel hardening and processing infrastructure, and manages to change something on the operating system, the changes will be detected the next time the user boots up the machine. "As soon as it detects something is different and not signed by Google, it will warn the user and try to clean itself again," Sengupta said.
Cleaning up is easier than with a standard operating system, too, because the system data is separated from the user data, which includes user preferences, system settings, and a local cache of data stored on the Google servers in the cloud, he said.
All user data stored by the operating system, browser, and any plug-ins are encrypted and users cannot access each others' data on a shared device, according to the Chrome OS security page.
Meanwhile, Chrome will automatically update to get the most recent software and patches for the operating system, just like the Chrome browser updates in the background while users are online, Sengupta said. Users will not run the risk of having their system get infected or compromised before they can install updates, as happens with Windows and other software.
In addition, the antiphishing technology found in the Chrome browser will protect Chrome OS users from inadvertently visiting malicious Web sites, he said.
Google is publishing detailed design documents on Chrome OS, which will allow security experts to scour the code for weaknesses over the next year before the operating system is released to the public, according to Sengupta.
There are some security and networking technologies that are supported in other operating systems that Google is passing on, at least for now.
Google will keep an eye on biometric authentication technologies, but believes that the cost/reliability trade-off is not where it needs to be just yet, according to the security overview for Chrome OS. Smart cards and USB crypto tokens are "interesting technology, but we don't want our users to have to keep track of a physically distinct item just to use their devices," the overview concludes.
Google is likewise not interested in Bluetooth, a wireless protocol widely used in laptops and handheld devices, for authentication. "Bluetooth adds a whole new software stack to our login/screenlocker code that could potentially be buggy, and the security of the pairing protocol has been criticized in the past," the security overview says.
Updated November 24to clarify that Bluetooth is not being considered for authentication.
Google's biggest threat is no longer Microsoft. It is itself.
As the company harvests copious quantities of personal data, it becomes dramatically better at serving customer needs...
...and at freaking them out over privacy concerns.
In other words, Google gets stronger with every Google Doc created, every Google Voice call dialed, and every Gmail e-mail sent. It becomes stronger because data is the heart of the Web's biggest businesses, as Redmonk analyst Stephen O'Grady implies.
But in so doing Google also becomes more threatening to the very consumers it is trying to serve.
Google Dashboard is meant to change this by putting consumer data back in the hands of consumers. It's a move that follows on Google's earlier pledge to "open data" and its Data Liberation Front.
As CNET reports, Dashboard lets people review the personal data Google has stored for them, delete it, and alter future collection policies. It's a great way for Google to mollify concerned users, putting control back in their hands.
Still, it's almost certainly never going to be used by the vast majority of Google users. Ever.
Why? Because for all our hand-wringing over privacy--and for good reason--the reality is that most of us, most of the time, really don't care. Or, rather, if accessing useful services or getting work done more efficiently requires some privacy concessions, we gladly concede.
It's not that we don't value our privacy. It's just that in many contexts, we value other things as much or more. We weigh the risks versus the benefits, and often the benefits trump the privacy risks.
It's the same thing with file formats. For years we've been agonizing over Microsoft's lock-in of customers through proprietary file formats (.pst, .doc, etc.). Now Microsoft is opening up the specifications for file formats like .pst (Outlook file format), and yet it will almost certainly change little to nothing in what products most people use most of the time.
People don't use Microsoft Office because they're forced to. They do so because it's convenient. (Yes, an argument can be made that it's convenient because Microsoft has forced network effects through lock-in.)
This, incidentally, is exactly the reason that Wednesday night I declared a ban on Microsoft Office in our family in favor of Google Docs--and didn't opt for OpenOffice (which we also use). I got sick of having to recover documents and perform other IT tasks related to a locally installed office suite, open source or proprietary. And I find it easier to let Google handle the back-end IT operations.
I wasn't trying to evade lock-in. I was trying to increase personal happiness.
Am I concerned about Google snooping on the documents we write and store in Google Docs? Let's just say I worry more about my time fixing Office than whether Google gleans any information from my 12-year old's seventh-grade essay.
Dashboard leaves Google in the prime position of being able to honestly say that it doesn't control user data, while still delivering increasingly beneficial services based on that data. It will not change the way that the vast majority of consumers use Google, but it just might change the way they think about Google.
A very smart move by Google, one that all data-driven businesses should emulate.
Follow me on Twitter @mjasay.
As of 2:15 p.m. Tuesday e-mail delivery had started to return to normal for some Postini customers, although problems remained.
(Credit: Screenshot by Tom Krazit/CNET)Some customers of Google's Postini e-mail security product experienced significant problems Tuesday, with reports of hours-long delays in e-mail delivery that are still affecting some customers.
Threads throughout Google's Postini forums spread involving the issue, which seemed to begin overnight on System 7--one of several systems used by the service--and was still affecting some customers as of Tuesday afternoon, although e-mail delivery had resumed for others. Users also reported problems accessing the management consoles used to log into the Postini service, preventing them from understanding exactly what was happening.
Postini, acquired by Google in 2007, offers e-mail security services to businesses. Postini scans all e-mails directed to the networks of its customers for viruses, malware, and spam, passing along the genuine messages to the network once they have been cleared. However, Tuesday it appeared that for a significant portion of the morning, all messages for customers using System 7 were blocked before they reached their destination, and customers could not log into their accounts to see what was going wrong.
A Google representative acknowledged the e-mail delivery delays in a statement. "We're aware of an issue that's causing a delay in mail delivery for some Postini customers in the US, and are working to fix it as quickly as possible. We know how important mail is to our users, so we take issues like this very seriously, and apologize for the inconvenience. We encourage anyone having technical difficulty to visit the Postini support portal at https://www.postini.com/support/support_login.php."
It has not been a good week for the cloud. Hosted applications and services such as Postini were sure to get a second look following the debacle at Microsoft involving the Sidekick and possible data loss.
It's also another example of Google's growing pains with customer support. Google Checkout customers reported significant issues for over a month without any resolution, and angry e-mail administrators on Postini's message boards complained that Google support personnel were very difficult to reach during Tuesday's issues.
Google support technicians promised some Postini customers--who pay between $12 per user per year and $25 per user per year--that their e-mails were not lost, which is at least some good news for customers affected by the problems. But running a business without e-mail in the 21st century is a very difficult thing to do.
Hotmail users aren't the only ones who've been hit by a phishing scheme over the past week. Google told BBC News on Tuesday that Gmail users have also been affected by the hackers who posted passwords online.
The problem is far more widespread than was disclosed on Monday, possibly affecting Yahoo and AOL e-mail accounts as well, according to BBC News.
Google described the issue as an "industrywide phishing scheme." BBC News said it has seen two lists posted online with "more than 30,000 names and passwords" from Gmail, Yahoo, AOL, Microsoft's Windows Live Hotmail, and other service providers.
"We recently became aware of an industrywide phishing scheme through which hackers gained user credentials for Web-based mail accounts including Gmail accounts," a Google representative told me in an e-mail.
The representative said that Google immediately "forced passwords resets on the affected accounts."
In an e-mail to CNET, a Google representative said that the company had to reset the passwords on fewer than 500 Gmail accounts so far. However, that figure could change.
Despite Google's and Microsoft's awareness of the problem, it doesn't seem that users are out of the woods just yet. Google's representative told CNET that it will continue to force password resets on any newly affected user accounts.
Like Microsoft, Google was quick to point out to the BBC that the phishing scheme was a "scam to get users to give away their personal information to hackers" and not an internal security issue. It didn't say how users fell victim to the scheme.
Google's admission that Gmail users were affected by the phishing scheme comes on the heels of Microsoft acknowledging that over 10,000 Live Hotmail accounts were compromised by the scam. The passwords apparently first hit the Internet on October 1.
Updated at 9:10 a.m. PDT to include Google's comments.
Don Reisinger is a technology columnist who has written about everything from HDTVs to computers to Flowbee Haircut Systems. Don is a member of the CNET Blog Network, and posts at The Digital Home. He is not an employee of CNET. Disclosure.
A sensitive e-mail mistakenly sent by a bank to a Gmail address that prompted a court to order Google to deactivate the account was not viewed by the recipient and has been deleted, the bank said on Tuesday.
The e-mail, sent by an employee of Jackson, Wyo.-based Rocky Mountain Bank on August 12, contained names, addresses, Social Security numbers, and loan information of more than 1,300 bank customers.
The bank sent another e-mail asking that the data be destroyed and went to court to get Google to intervene on its behalf. Last week, a judge in U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied. Google and the bank quickly resolved the matter and the court granted their motion to dismiss the case and allowed Google to reactivate the Gmail account.
"Rocky Mountain Bank, working with Google (through court order), confirmed on Thursday of last week that the e-mail containing client information was never opened and has now been permanently destroyed by Google's system," Tina Martinez, general counsel for Rocky Mountain Capital, wrote in an e-mail response to questions.
"As a result, no customer data of any sort has been viewed or used by any inappropriate user during this data lapse," Martinez wrote. "Rocky Mountain Bank acted to protect its customer's confidential information. That objective was accomplished. The matter is now closed and the TRO (temporary restraining order) entered on September 23, 2009 is now vacated."
Asked for comment, a Google spokesman said: "To protect the privacy of our users, we do not comment on their use of Google services."
The case poses some interesting questions. For instance, should the person who registered the e-mail address lose access to the account or have items deleted without his or her permission, particularly through no fault of their own?
And what recourse would the bank have if the data had been sent via regular mail to the wrong address? The U.S. Postal Office certainly doesn't have the ability to see the envelope sitting on the recipient's desk and vaporize it.
Update 4:35 p.m. PDT:The bank did not take any action against the worker who sent the e-mail, the bank's lawyer said.
Mozilla and Microsoft don't always see eye to eye when it comes to browser technology, but they agree broadly on one thing: thumbs down for Google Chrome Frame.
Chrome Frame is a plug-in that puts Google's browser engine under the hood of Microsoft's Internet Explorer, and Google argues that it can modernize IE versions 6, 7, and 8 with faster page loading and JavaScript performance. It kicks in only on Web pages that Web developers have labeled with a specific tag. After Google announced it, Microsoft criticized it as creating a potentially increased risk to browsing security.
Google Wave is one site that suggests IE users install Google Chrome Frame.
(Credit: Google)Mike Shaver, vice president of engineering for Firefox backer Mozilla, published a different concern in a blog post Monday night.
"I certainly share that longing for a Web in which the vast majority of Web users enjoy the performance and capabilities we see in Chrome, Safari, Firefox, and Opera. Unfortunately, I don't think that Chrome Frame gets us closer to that Web," Shaver said.
Specifically, Shaver said Chrome Frame can disable IE features and muddle users' understanding of Web security matters. And users of the reviled IE 6 browser, he added, often won't be able to run Chrome Frame anyway because their computer is locked down to prohibit changes or lacks sufficient power in the first place.
"As a side effect, the user's understanding of the Web's security model and the behavior of their browser is seriously hindered by delegating the choice of software to the developers of individual sites they visit. It is a problem that we have seen repeatedly with other stack plug-ins like Flash, Silverlight and Java, and not one that I think we need to see replayed again under the banner of HTML5," he said.
Shaver's advice is to rely on that ages-old technique: an upgrade suggestion on the Web site.
"It would be better for the Web if developers who want to use the Chrome Frame snippet simply told users that their site worked better in Chrome and instructed them on how to install it," Shaver said. "The user would be educated about the benefits of an alternate browser, would understand better the choice they were making, and the kudos for Chrome's performance would accrue to Google rather than to Microsoft."
A bank that accidentally sent sensitive customer information to a Gmail address and persuaded a judge to order Google to deactivate the account has resolved the issue with Google and the companies have filed a motion to dismiss the case.
Google spokesman Andrew Pederson declined to say exactly how the issue was resolved or to identify the owner of the Gmail account.
The problem began August 12 when a worker at Rocky Mountain Bank inadvertently sent an e-mail containing names, addresses, Social Security numbers, and loan information of more than 1,300 customers to a random Gmail address. When the worker realized the mistake, a subsequent e-mail was sent to the address asking that the recipient contact the bank and destroy the data, but the bank heard no word, according to a MediaPost report.
The bank asked Google for information on the owner of the Gmail address, but Google said the bank had to get a court order to get access to that information. Last week, a judge in the U.S. District Court in San Jose, Calif., ordered Google to deactivate the Gmail account and Google complied, Pederson said.
"After notifying the account owner, we complied with the court's order. However, after working with Rocky Mountain Bank and the court, we resolved the issue around the bank's error, and both sides have agreed to vacate the TRO and dismiss the case," he said.
"While we regret that the user has been locked out of their account through no fault of their own, we're not legally able to reactivate the account until the court approves our motion to dismiss the case and vacate the TRO," Pederson added. "We're hopeful that the court will act quickly, and as soon as the motion is approved, we'll reactivate the account."
Calls to Rocky Mountain Bank and the court clerk were not immediately returned on Monday.
Update, September 29, 9:35 a.m. PDT: Google spokesman Pederson said the court granted the motion to dismiss the case on Monday, allowing the company to re-activate the Gmail account.
As a result of a bug in a Google Apps e-mail migration tool, some students at Brown University found other students' e-mail in their in-box over the weekend as Google was moving their e-mail from Exchange to Gmail, Google confirmed on Friday.
The problem affected a "handful" of organizations that use Google Apps, a spokesman said. He declined to specify how many were affected or how many individual users were affected.
Brown University newspaper the Brown Daily Herald reported that e-mail for 22 students was misdirected starting on Friday, that the university notified Google about it on Saturday, and it was fixed on Tuesday.
However, the Google spokesman said the company found out about the problem on Monday, disabled the affected accounts within hours, and then restored the accounts within a day.
"A very small number of Google Apps domains using the IMAP migration tool last weekend encountered a bug that caused a handful of their users' mail to be migrated to the wrong accounts," the spokesman said in a statement. "We quickly identified and fixed the issue, which affected less than 0.002% of users, and worked with the organizations to restore the affected accounts to their original state. We have extensive safeguards in place to ensure that users' mail is safe, and we're confident this was an isolated incident."
Donald Tom, director of IT support services at the school, complained to the newspaper that the school was not notified before the affected e-mail accounts were suspended. However, he did praise Google for moving swiftly to fix the problem.
Asked to respond to that criticism, the Google spokesman said: "In this case we made the judgment call that the safest and most expedient course of action for the affected users was to suspend affected accounts as soon as possible. In our conversations with our customers, they've appreciated our prompt actions and have been satisfied with the outcome."
Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person's computer.
With one attack on Google's V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox.
Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser.
Google won't release details of the vulnerabilities until "a majority of users are up to date with the fix," Engineering Program Manager Jonathan Conradt said in the blog post.
