Do Google's search warrant police run IE6?

According to popular perception, Google is the anti-Microsoft: a new-age outfit bent on re-architecting a flawed interwebs using nothing but open source software. The company runs its own flavor of Linux. It funded the rise of Firefox. And it eventually fashioned its own open source browser, Google Chrome. But the reality is …

COMMENTS

This topic is closed for new posts.

Agents on the Inside

I think the thing that makes the most sense in analysing these attacks is that there were malicious employees on the inside who facilitated these attacks.

Obviously, the attackers had to know something about Google's internal systems, they had to have access to a number of different systems, they had to know not just what to look for but where to look.

This would give Google a reason to (at least say) they were leaving China - it gives them an opportunity to get rid of employees who might have been involved.

The particular vector for the attack is less interesting - it was an obscure one, and certainly others like it exist if you know where to look.

1
0
Bronze badge
FAIL

Inside Job

"The attacks cracked a 'system' used to "help Google comply with search warrants by providing data on Google users."

I completely agree - this MUST be an inside job. Only someone on the inside would be able to crack an internal system like this one.

1
0
Silver badge
FAIL

Wow

So Google has a system specifically designed for looting user data, and then they use it in conjunction with the least secure browser available?

1
0
FAIL

API?

Could I have access to the API - I just want to see what they hold on me, honest!

[we need a face-palm icon]

1
0
Black Helicopters

wth

This is drivel; it's a "who what where when huh... is that a goat in drag".

Big deal, Google are using IE.

This article in a poorly constructed sentence: "Oh gasp, Google are using IE6 in non-QA departments". Big deal, at least it's not Safari.

0
5
FAIL

Fail

If you think IE6 is a better bet than Safari, I'm glad you don't handle my IT security. I'd rather someone who was at least slightly competent.

1
0
Anonymous Coward

Safari?

If I had to choose between IE and Safari, I know which one I'd choose.

(Hint. It's not shit and isn't made by Microsoft)

0
0
Alien

ooh.. baiting

A semi-molten lump of Swiss cheese is better than Safari; not fond of much made by the big banana.

No browser is better than any other; the only difference between IE6 issues and bloatfox, harvester in training (Chrome) and a trip to Africa, is that IE6's issues have been laid bare more times due to years of neglect.

0
0
Silver badge
Thumb Down

"Baiting", eh

No browser is better than any other?

Go back to /b/

0
0
Jobs Halo

I have IE6 also

I have IE6 on my desktop also. One customer requires it.

As to ad hoc QA testing, if you are an engineer who isn't curious if his code will work for his customers you aren't very good.

6
3
Heart

Having IE6 on your machine isn't the issue

One can test things out in a browser without being connected up t' interweb. And even if you do need to connect live you don't need to be visiting malware laden pr0n, warez sites.

1
0
Silver badge

If those sites don't resolve

then even IE6 is comparatively safe.

A competent IT department should know how to see to that.

I would expect Google to have a moderately competent IT dept.

0
0
Anonymous Coward

proxycfg -p oh-forget-it.google.com "<local>" ...

...will be a good start at containing IE* - adding virtual machines wrapped around Windows will handle it even better. My guess is someone intelligent but less than competent, e.g. a mangler, would be able to bypass all that and use IE6 on the intartubes, with predictable consequences. Intelligent users can be a royal pain...

0
0
Thumb Down

Really?

"Are we supposed to believe that QA isn't handled by a small, dedicated staff?"

Errr, so you're saying that developers don't test their own code on multiple browsers before handing it off to QA? I know I've spent the best part of this week debugging some code so it works across the board, BEFORE I even contemplate giving it to the QA guys.

On another note, you guys keep going on about this story, but it never seems to evolve, just the same thing over and over again...

3
0
Silver badge
WTF?

Outside access

"Are we supposed to believe that QA isn't handled by a small, dedicated staff?"

Err, are we supposed to believe that the PCs of whoever at Google is using IE6 for whatever purpose, are easily accessed from the outside Internet, including China? Did they buy their firewalls from Colander, inc., and their IDS software from BlindEye Ltd.?

2
0
Headmaster

SEC. 206. ROVING SURVEILLANCE AUTHORITY

Far be it from Google to violate American law.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (Enrolled as Agreed to or Passed by Both House and Senate)[H.R.3162.ENR]

http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3162enr.txt.pdf

1
0
Silver badge

I might have missed sumfin

But as far as the news reports go, the attack was targeting Google "customers" using IE6, with Google being merely used as a vector for end-user targeted exploits. The article you link to does reinforce this understanding. Sure, Google staff do use IE6 for QA purposes but did the attack actually compromise Google internal systems via this IE exploit? Or was it (as journo-tech reports would suggest) an end-user exploit with Google services being mere vectors?

For example, and among others, the Reg article covering this (and linked from here) stated: "The attack that hit Google in mid-December originated in China and was aimed at accessing the Gmail accounts of human rights activists"

So which is it? If the attack only affected end users with Google as a medium -as stated in the reference-, this article is a waste of 3 perfectly good www pages. If not, we need more info!

0
1

RE: I might have missed sumfin

I think that means it was accessing data related to these customers, stored on Google's systems.

1
0

RE: I might have missed sumfin

"I think that means it was accessing data related to these customers, stored on Google's systems."

Like their email messages, for example?

1
0
Silver badge

RE:RE: I might have missed sumfin

"I think that means it was accessing data related to these customers, stored on Google's systems."

Yeah, that's what _this_ article seems to imply. However, from what I had gathered previously, I thought that the attackers, using the spook-system as an entry point, injected code in selected accounts that would root the end-user machines using an IE6 hole (on end-user machines). That was actually much, much scarier. And that would explain why they stop supporting IE6 for their online apps. However I failed to find any definitive statement about what really happened (technically). Which also smelled like some Oompa-Loompas trying to hide the fact that the spook-system was used to penetrate Google servers and plant malicious code on selected accounts.

Never mind, that was probably me being paranoid again.

I still would like a definitive answer though.

0
0
Silver badge

Jesus Christ - will you journos EVER think before you write?

You seem to think that Google only use IE6 for testing. Why do you think that?

It seems more likely (look up Occam's Razor) that they have thousands of office systems spread all over the Googleplex, that run a variety of browsers, some of which are IE6.0, just for, guess what, browsing the net. Not testing, but actually using the browser for what it was built for.

Now, one could argue that Google, as the creators of its own browser, should have, by this time, got all its systems using it, but as with any large company there is an installed base to move over, and this takes time.

One could also argue that Google should have been more careful with a known security hole ridden browser, but hey, the NHS use it, the DoD use it, so they are not alone there.

They have stated they are upgrading, so at least they are doing something about it.

But to try and dig out even more conspiracy theories from this is, shall we say, rather pathetic, and rather typical of recent Register articles about Google.

0
1
Anonymous Coward

Google != NHS

Google, NHS, DoD, Orange UK - one of these is not like the others.

Google is a "tech company". The saviour of t'internet (tm). The future. Etc. Etc.

How are we supposed to believe Google is even remotely competent at its job if they are reliant on seriously flawed, outdated tech? It's like Orange using manual switchboards staffed entirely by women. Or the DoD sending troops out to Afghanistan with muskets. Or the NHS using leeches.

1
0
Silver badge

RE

Google is a huge globo-corp (and by "huge" I mean "freaking bloody _HUGE_, mon"), so it's fair to assume that they might have absorbed smaller outfits with IE6-only policies. Hence there might be some of the beast's tentagoogles that have not fully migrated out of their misled IE6 ways...

0
0

Perhaps Google has little choice?

How about this - Google have to give access to some data to some US authorities.

The authorities are able to directly connect to whatever server provides this data using http. The authorities insist on using IE6. Google use IE6 to access the server as the web-application has been coded specifically for IE6 as that's what the authorities insisted on at the time.

You'd imagine that Google would be able to write code that operates on more than one browser so the conclusion then is that Google are running software that they can't control / didn't write - presumably provided by the previously mentioned authorities.

0
0
Anonymous Coward

Misleading

The info about the hacking of the human rights activist was obviously just there to generate more hot air around the issue (which they indeed did succeed at) and to distract from the fact that also Google's very own internal systems were hacked. These attacks however were obviously completely separate (even if they were originated from the same group of hackers/Chinese agents) and I bet hacking the mailboxes of hras happens on practically a daily basis anyway - still they aren't reported by Google usually. Guess why not?

Also very interesting that it was an IE6 hole the hackers used to phish and penetrate Google's system, where obviously they could have used (and I'm pretty sure in a lot of previous attacks they did actually use) Chrome, Firefox, etc. vulnerabilities too, as the latter obviously contain just as many holes as IE (at least according to public databases, like Secunia's). I'm pretty sure in the past there were other attacks based on other software as well, but to make those public of course wouldn't be that suitable to bash MS/IE, as it was with this one.

0
0
Gold badge
Coat

Hardly surprising.

"China.....still clings heavily to IE6"

Well, you don't get the Win updates if you're running a bent copy.

1
0
Silver badge

re: Hardly surprising.

"Well, you don't get the Win updates if you're running a bent copy."

Joke apart, yes you do. Unless you also installed MS' wicked piracy detector (WGA). But in that case you might not get the updates for a legit copy, either...

0
0

Still on IE6!

Bank I work for is still on IE6, lazy web devs on an 'important' web app, means we didn't change when we went to XP (sp2), and there isn't the technical know-how at the higher levels to understand that you could keep ie6 for those using that app, and give ff or chrome or ie8 to the rest of us.

1
0
xyz
IT Angle

FYI...

1) To install IE8 on XP you need to roll out XP SP3 otherwise IE8 keeps trying to get an update from MS which in a managed environment is *bad.*

2) Using one browser cuts down development costs in an intranet environment...(no sh*t Sherlock) and if that browser is by the OS vendor and integrates fully, then that is what will be used as management is simpler.

3) If you want the "full" internet experience during working hours on a browser that shows others you are technically savvy and cool, set up your own company and see how long that view lasts. It's been said before, you are at work to work, not to pratt on about your best "browser" find.

0
0
Happy

Confused?!

If Google is the anti-Microsoft then Microsoft must be the anti-Google.

But what does that make Apple?

Is Apple the anti-Google, in which case that makes them the anti-anti-Microsoft?

So does anti-anti-Microsoft cancel out into just a Microsoft or is that anti^2-Microsoft?

In which case, what does that make Sun?

So are Sun the anti-Apple or the anti-Google?

But that would make them either the anti-anti-Google and the anti-anti-anti-Microsoft or the anti-anti-Apple and the anti-anti-Microsoft!

But wouldn't that make Sun the anti-anti-Google, canceling into a Google and an anti-Microsoft, or is that two anti-anti's canceling into an Apple and a Microsoft.

So how does Oracle fit into all this?!

As a Sun is now a half PR spin Oracle, then that means an Oracle is a half PR spin Google and a half PR spin anti-Microsoft!

But as an Apple is an anti-anti-Microsoft then that makes them a half PR spin anti-Oracle as well as a half PR spin anti-anti-anti-Microsoft!!

At which point the paradoxical underlying Microsoft anti-anti- status of the Apple triggers a rupture in the space time continuum, made even worse by the fueling effect of the implosion collapse of the half PR spin Sun/Oracle duality, resulting in a shower of anti-Googles that destroys our planet?!

My head hurts. It must be a Friday. :)

p.s. I'm now struggling to think how Intel, NVidia and AMD/ATI fit into all this?!

0
0
Dead Vulture

Beancounters

A company the size of Google must have hundreds of beancounters, lawyers, personnel dept., etc. type of people who unless prevented will quite happily browse the interwebs with IE6.

That Google uses Linux on its servers and has released an open source browser is completely irrelevant.

1
0
Silver badge

It is extremely relevant...

"That Google uses Linux on its servers and has released an open source browser is completely irrelevant."

Google, as a company, went to the time and effort to create a browser. Ever tried that? A basic HTML 2 browser is perhaps a weekend project. Today's expectations are somewhat higher.

Google is a tech company. And as a tech company, you would expect them to have some sort of clue about basic security. Like, uh, NOT using IE6 (or, pref., any version of IE). Like NOT using Outlook. Like NOT running Adobe Reader with the JavaScript enabled...

It isn't as if those are your ONLY choices, and any system manager with half a brain ought to be able to rig it so people that click on the IE icon get <insert favourite browser> instead. Hell, I did that for my mother and she doesn't use her computer for much other than the weather forecast...

Major FAIL for Google's IT guys for letting IE6 talk to the world. If it is that necessary, sandbox it, or run it behind a firewall that lets it talk to anywhere inside the building and to specified sites outside (for testing stuff).

But there is more. A hack applied to IE6 was able to access customer information? What, was this information sitting on those computers, or otherwise easily available? I can only assume it was, given it was a Windows machine broken into, and not the (non-Windows) server most likely to actually hold the personal information. No log-in/access control for this information? We're dangerously close to an Epic Fail here...

1
0
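Added example, not part of any comment in this thread: the dead-proxy-plus-`<local>` idea from the `proxycfg` comment and the "anywhere inside the building and specified sites outside" rule from the comment above, written as a proxy auto-config (PAC) file. Every host name, the DNS suffix and both proxy addresses are constructed placeholders.

```javascript
// Added example: proxy auto-config (PAC) policy for a legacy test browser.
// Every host name, suffix and proxy address here is a constructed placeholder.
// Written in ES3 style (var, no endsWith) so an old JScript engine can parse it.
var INTERNAL_SUFFIX = ".corp.example";              // assumed intranet DNS suffix
var ALLOWED_EXTERNAL = [                            // assumed external test targets
  "qa-target.example.com",                          // exact host only
  ".staging.example.net"                            // leading dot: domain + subdomains
];
var EGRESS_PROXY = "PROXY proxy.corp.example:3128"; // assumed filtering proxy
var BLACKHOLE = "PROXY 127.0.0.1:9";                // assumes nothing listens on port 9

function endsWith(s, suffix) {
  return s.length >= suffix.length &&
         s.substring(s.length - suffix.length) === suffix;
}

// Exact match, or suffix match on a label boundary when the rule starts with ".".
function hostMatches(host, rule) {
  if (rule.charAt(0) === ".") {
    return host === rule.substring(1) || endsWith(host, rule);
  }
  return host === rule;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, "");     // normalise case, trailing dot
  // Single-label names: the same set "<local>" bypasses in a static proxy setting.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";
  if (endsWith(host, INTERNAL_SUFFIX)) return "DIRECT";
  for (var i = 0; i < ALLOWED_EXTERNAL.length; i++) {
    if (hostMatches(host, ALLOWED_EXTERNAL[i])) return EGRESS_PROXY;
  }
  return BLACKHOLE;                                 // default deny: request goes nowhere
}
```

A PAC file only steers traffic the browser chooses to send through it, so the egress firewall still has to drop direct outbound connections from the same machines.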
Gold badge

Other browsers.

"Google also says: "We have been upgrading employees to the latest version of Internet Explorer for some time, wherever possible. As you'd expect, a large number of employees use other browsers and browser versions."

Parsing this bit of Googlespeak isn't easy. "Other browsers"? Does that mean other than IE8? Or other than IE6? Does that "large number of employees" extend beyond QA engineers?"

------------

Parsing this is really easy, don't be dense. "Other browsers" means other browsers, IE is not even a good browser. This is Google we're talking about, they have their own Linux distro for internal use, so "a large number of employees" aren't even running Windows, so yes of COURSE it means other than IE8 or IE6. They aren't going to tell a software engineer "Here's your box with XP, Office, and IE6. That's locked down, you can't add more software". Given the geekiness level likely at Google, "other browsers" probably means almost all of them -- Opera, Firefox, mozilla, konqueror, lynx, and many other strange browsers. Maybe someone even has Mosaic stashed away. And obviously this extends beyond QA. If I were a Google spokesman I would not call back about this question either.

Secondly it's good Google's ditching IE6. What an awful browser. Seriously, it was not that good (compared to the competition) even when it was brand new. It's so far out of standards compliance (even compared to IE7) that people virtually have to make a separate page just for IE6.

1
0
Silver badge

What he said

Section intentionally left blank.

0
0
Gold badge
Thumb Down

Let's ask an obvious question

You are a *very* large internet services company.

Your core apps are built on Linux

You have some test machines running Windows/IE6 for QA purposes.

Why do you connect *them* to the internet? Not a mini nets, not a simulator, the real thing.

BTW Remember that "Patriotism is the last bastion of scoundrels." I'd check the small print on that act *very* carefully. I believe the average merkin will be quite surprised at what they have signed away.

0
0
Silver badge

Why doesn't Google publish a "proof of concept" code...

That just destroys IE6. I mean just wipes as much of it off the face of the earth. Then when people search for a solution, it says "upgrade".

Of course it would be a proof of concept and wouldn't be released to the wild. No, never!! And Google would never do it (they wouldn't need to!).

As for Google being "the anti Microsoft", making Microsoft "the anti Google", what does that make Apple? It is answered in the old phrase:

"The enemy of my enemy is my friend" (historical reference: WW2!).

0
0