"Going Google" Exposes Students' Email
A ReadWriteWeb piece up on the NY Times site explores the recent glitch during the move of a number of colleges onto Google's email service that allowed a number of students to see each other's inboxes for a period of more than three days. Google would not give exact numbers, but the article concludes that about 10 schools were affected. "While the glitch itself was minor and was fixed in a few days, the real concern — at least at Brown — was with how Google handled the situation. Without communicating to the internal IT department, Google shut down the affected accounts, a decision which led to a heated conversation between school officials and the Google account representative. In the end, only 22 out of the 200 students were affected, but the fix was not put into place until Tuesday. ... The students had access to each other's email accounts for three solid days... before the accounts were suspended by Google. Oddly enough, this situation seems to be acceptable [to Brown's IT manager, who] 'praised Google for its prompt response.' (We don't know about you, but if someone else could read our email for three days, we wouldn't exactly call that 'prompt.')"
3 Days Turnaround (Score:5, Interesting)
Is that three days after they were notified, or did the affected students keep it quiet for a couple of days for 'research purposes'?
Brown (Score:1, Interesting)
Re:Still more secure than most school systems (Score:4, Interesting)
I bet most of us could read everyone else's email at school...
Not convinced. Mine used Solaris's default maildrop security, which is pretty effective, and I think was fairly standard practice until recently.
Re:3 Days Turnaround (Score:4, Interesting)
It's a safe bet that that's only a few hours after they found out, and 3 days after the first student did.
Re:methinks he doth protest too much (Score:3, Interesting)
Well, that's one reason why those passwords aren't sent in clear. Breaking into someone's email account to get access to a forum/blog/website account is relatively easy - preventing them from catching on is hard to impossible.
Another security feature is to force you to leave your account unused for a week, to make sure the account is really not accessible. Few sites actually use it, unfortunately (Gmail does) - it's a substantial convenience trade-off, and people always value convenience above security.
Re:Someone has high demands. (Score:5, Interesting)
What the fuck.
This is a really big deal. And if the excuse is that 3 days (admittedly, 2 of them weekend days) turnaround on an absolute security breach is what you get for free, and to expect better you must pay for it, then the proper response is to pay for better and not use this service because it's shit-broken. It is my understanding that Google Apps for Education is not a tiered service -- you're a school, you get it free; there is no paying for better. If there IS paying for better, then we should spread awareness that the free version is bad.
Might I point out that losing privacy on your email and THEN losing access is pretty much the worst possible failure mode? This is an enormous fuck-up. This has nothing to do with Microsoft. Why would you bring up Microsoft? YOU are the one twisting something into what it is not to make some other company look bad. If I were as paranoid as you, I'd suggest that Google or Apple or somesuch was paying you to do this, but in fact, I know that you're capable of being fuckwitted all on your own.
Jesus Christ. Google Apps' security fails utterly, and that's Google kicking Microsoft in the groin to you? Maybe Google can start a puppy-stomping program; I bet that's just like Google ripping Microsoft's arms off.
I'd be a lot more comfortable if Google said "yeah, we fucked up, here's what we're going to do to prevent this from happening again". Instead we get the self-contradictory "it was a small hiccup [...] it's an issue we've taken extremely seriously".
Re:Someone has high demands. (Score:2, Interesting)
My impression is that this incident is a fuckup at the customer end of things. The problem was getting the emails out of Exchange into the right account in Google Apps.
This is something where I personally have missed a couple of times, and it's very common since there are always some accounts that are broken in an Exchange system.
Re:Minor glitch! I think not (Score:3, Interesting)
FERPA (Score:5, Interesting)
Re:Breach of privacy (Score:2, Interesting)
Re:FERPA (Score:2, Interesting)
As a college student, the possibility of having my own personal emails with faculty members exposed concerns me, but nowhere near as much as the confidential student data emailed between me and the staff members I work for.
Comment removed (Score:3, Interesting)
Re:Google: Lowering standards for the rest of us (Score:5, Interesting)
we've decided to migrate everything to some giant, well-liked third party with a reputation for excellence,
Does Google actually have a reputation for excellence? Apart from their search engine and maybe Google Maps, is anything they make "excellent"? Does anything excel; is anything groundbreaking and complete in utility and quality? I remember when a lot of their releases stayed in extended-Beta, which is code for "it's free, it's out there so use it at your own peril". I find a lot of their stuff nifty, and I think they head in interesting new directions, but they seem to be always short of excellence. Personally I think that they have gained years' worth of kudos - and, by extension, a reputation for excellence - by creating a great search engine (not to mention the big plus of not being Microsoft) and are spending it.
Re:3 Days Turnaround (Score:2, Interesting)
Are these students not paying fees, and (were it to occur in most other countries) taxpayers paying also?
Re:Breach of privacy (Score:3, Interesting)
My understanding is that it's actually for accounting purposes. The equipment can't be written off the same way if they are donated, or something like that. I'm neither an accountant nor a tax specialist.
Re:The IT manager is praising them (Score:3, Interesting)
This will make me unable to moderate, but what the hell?
Brown had a unix based backend for years. A few years back, they got a new IT head, who insisted on off-the-shelf packages for everything. So out went postoffice, and in came Exchange. It's been running Exchange since then, and yes, untold numbers of problems (though nothing like this). We're not even on the most recent version of Exchange, which will make my office's future transition to Snow Leopard problematic since afaik the native Mail interoperability with Exchange that comes in 10.6 won't work with anything but the latest.
AFAIK, the plan is to move everyone to Google eventually, departments too. Once they get all the security figured out. This isn't helping, of course.
Re:Breach of privacy (Score:3, Interesting)
And that's why the American legal system is FUTA. In most sensible countries, you *can* sue them *if* you have experienced a major problem due to their behaviour - e.g., if you can show that you have lost money/possessions/safety etc. as a direct result of someone else having access to your emails. You can't just go "I feel slightly aggrieved that someone read my email - give me a bajillion dollars!!!!".
Spoken like someone whose only exposure to the American legal system is via television...
Re:Someone has high demands. (Score:3, Interesting)
I don't think anyone, except you, is suggesting the colleges can't run an email service.
Email is time consuming and expensive to provide. 10, 20 or 30 thousand accounts, all demanding storage - and these days you can't give folk 100MB quotas. Accounts that are all attracting spam that requires either constant tweaking of anti-spam rules, or outsourcing spam and virus checking. Add in off-site backups, support, abuse and you are quickly spending tens of thousands on equipment and more on staff.
Then they get a call, or an email saying Google will offer all that for free. For a school facing budget constraints it's a very tempting offer. It says more about their budget than their technical ability.
Re:Someone has high demands. (Score:3, Interesting)
That is, unless you think that 'free' means 'no hard currency was exchanged'.
Yea, that's pretty much what we all think. Do you really think someone is reading your post and going
"holy crap, he's right - they DO look at my data! and tv DOES have ads! none of this is FREE!!!!"
Yea, we all know we are giving up time, or letting company X gain something by giving our time, or whatever, but most of the general public (including me!) considers only their pocketbook when thinking about whether or not something is "free". Hell, even if I have to spend 20 minutes doing something (let's say filling out a rebate on something so that the final price is $0), I STILL consider it free!
Re:Still more secure than most school systems (Score:3, Interesting)
Gmail must not be very secure, and their reaction to glitches makes me want to stay away from it. I had a Gmail account, one day it wouldn't let me log on, saying it had been used for "improper purposes", odd since I'd only used it to email friends, never forwarding anything or sending a mail to more than one person at a time. One of the questions it asked was "do you think your account was compromised?" I probably should have said yes, because they took the account away. No big deal, they're no better or worse than any other free web based email service, but their attitude was really shitty and there seems to be no way to contact a human at Google.
Re:3 Days Turnaround (Score:1, Interesting)
So you're giving them kudos for good customer support because they don't work on Sunday? Hey Google, this is the big leagues. Put on your uniform and show up to work on time.
Re:Google: Lowering standards for the rest of us (Score:4, Interesting)
Apart from their search engine and maybe Google Maps, is anything they make "excellent"?
I have to say, I'm really glad to hear someone share this opinion. I've been a long time "fanboy" of Google, seldom questioning any of their choices (while finding all manner of things to be critical of with Microsoft, Apple, and *nix/open-source). On reflexion after reading this, I've come to realize something: Google is what would result from my IQ being doubled and a thousand clones made from me. They find some problem-space, develop something with really cool potential, get bored when it comes to refining the product and making it viable, then find some shiny new problem to work on. It's like they're grad students getting paid by a commercial entity to do research.
Re:3 Days Turnaround (Score:4, Interesting)
Is this still the gmail that you don't pay for btw?
Actually, having worked for a "university" who outsourced e-mail services to Google, it's not free. Not at all.