Google has released a video showing at least some of the security and data protection techniques used in its worldwide network of data centers. The video plays like a souped-up advertisement for the search giant and its Google Apps suite of online business applications – there are more than a few visual allusions to the Tom …
All that security ?
Any tom dick or harry can now find out your location thanks to Google not securing your wifi MAC address and location details
and link to the map / tool
Why do they bother with the physical security ? They have failed at data security at least twice (Chinese hackers, and Buzz fiasco) that i know of.
If they were in the UK i would have sent them a data protection act disclosure request, anyone else tried this ?
Exactly my thoughts
IMHO this is pure marketing drivel, designed to stop the great unwashed asking questions about their privacy. Methinks they doth marketh too much, if I may paraphrase (probably badly).
You know something stinks when a company takes out seriously expensive marketing campaigns to get you to use Chrome, which is free. Any organisation needs a Return On Investment, which logically means you are providing that somehow. Ergo "free" isn't.
In short: I don't buy it (pardon the pun).
Can we have an "evil Google" icon?
"Any tom dick or harry can now find out your location thanks to Google not securing your wifi MAC address and location details"
This is hysterical nonsense. Security flaws in your browser/OS not withstanding, I cannot know your router's MAC address, unless I first go to your location. The MAC address is not sent by you over the internet.
It's no more transmitted over the internet than the house number on your front door. In fact your door number displayed on the front of your house is a pretty good analogy. Google noted this number as their Streeview car drove by, and I have the ability to note it as I go by. Google is simply providing latitude and longitude co-ordinates to the passer-by, which is useful if the passer by has his GPS switched off.
If your MAC address was systematically transmitted by you to the Internet, then you would have a problem; but it's not. If you find that it is being sent, then you've been hacked. So, can everyone stop being so hysterical about this "issue" and get a grip please.
Did you read the article?
"I cannot know your router's MAC address, unless I first go to your location. The MAC address is not sent by you over the internet."
But every Android smartphone that goes by your house does grab the MAC address and sends it to Google. So Google does have your router's MAC address and aren't keeping that information secure.
Which... is not so much different than every tenth passerby looking at the number on your front door and tapping that into Google Maps to try to figure out their location for non-GPS-enabled phones...
Again, a MAC is pretty much only useful if you're actually there, or if you've already compromised security enough to allow it to be read and broadcast. But in the normal run of things, MACs are machine to machine only. Not like IP addresses.
Change your MAC
Who cares about your MAC addy anyway. It's only good for someone in wireless range of your router. Also, You're the one broadcasting a signal for anyone to grab. There have been wardriving maps around for years. Google is just doing it wholesale now.
Anyway if you have a wifi router that supports DD-WRT you can reflash your modems MAC to whatever you want.
Mines the one with DE:AD:BE:EF in it.
Yes, I read the article, and I understand every aspect of what is going on. The article itself is low-grade tabloid journalism, which is nothing but flame bait.
The point is, your router's MAC cannot be used to track you on the internet. There is no privacy issue. Google know that a certain MAC address is at a specific latitude and longitude. As does your neighbour and any "tom dick or harry" that passes your house. As long as you're using WPA2, they don't know the public IP of your access point or anything about you.
The passer-by with an Android phone sends your MAC to Google using *his* IP address. So, what have Google learned about you at this point? Nothing; they simply know that the Android phone owner saw a very anonymous MAC. Google cannot gain from knowing your MAC, other than using it for geo-location services. That's the bargain that Google is making. Android owners are going to improve google's geo-location service in exchange for having a better service.
It think people panicking about this issue have confused MAC addresses and IP addresses. If I could geo-locate you by IP address, that would be a serious issue. I can know your public IP address if you go to my web site, but I cannot know your MAC address, and neither can Google.
The article makes one interesting, but ultimately moot point. They point out that an Android phone owner spends more time at home or work, and will give inevitably submit their own MAC using their own Internet connection, thus enabling Google to geo-locate their IP address. Remember, this is an opt-in feature, so the Android owner has volunteered to do this.
It's a moot point anyway, because Google already know where Android and iPhone and Blackberry owners spend time because they've probably used location based services in the past anyway. Any time you use Google maps or Navigation on a smartphone, Google know where you are. If that doesn't freak you out, but google knowing your MAC does, you've got your priorities all wrong.
This piston through drive BS should impress no one with tech credentials. If as they say the filesystem is encrypted anyway why do they bother with so much show?
What really seems to matters for a system like Google is security at the network level, what happens to packets as soon as they come out of the NICs of those machines. What do they do to ensure no one can sniff or tamper with them? Is that even mentioned in this video? No.
Google has said in the past that SSL connections are expensive for them. They even have to do a complex dance around the servers to provide their SSL service. So I wonder how encrypted their internal network really is.
Google Apps customers will have to depend in the entire network being safe, from the NIC port in Google's server up to their users' browser. That's completely different from securing the internal network of a company.
Can Google guarantee this end-to-end security? Not really, and this movie changes nothing regarding that.
<insert witty title here>
>> If as they say the filesystem is encrypted anyway why do they bother with so much show?
Because it looks good?
>>What do they do to ensure no one can sniff or tamper with them?
They have their own DCs right.. they don't share with people that might sniff traffic as it goes around the DC.
>>Google has said in the past that SSL connections are expensive for them.
They have also recently changed their mind on that.. I think the figure was something like 1% extra CPU utilisation and an extra 48k of ram per user or something. The weird thing about time as while is elapses things change and things happen.
>> So I wonder how encrypted their internal network really is.
Why does their internal network need to be encrypted? Do you mean inside a single DC or between DCs? I'm pretty sure if it encryption is needed somewhere.. i.e. over public links they would be doing encryption. I would think that the big interconnect links google will be using will be multiplex in such a way that it isn't that easy to steal data from others sharing the channel...
>> NIC port in Google's server up to their users' browser.
Why does the internal network matter so much to you?
>> internal network of a company.
So in your company you have everything encrypted even though you know that there really isn't any need?
>>Can Google guarantee this end-to-end security?
The data between your browser is secured with SSL until it gets inside googles network. The only people that should have any access to packets floating around their network should be working for google,.. so they would have access to the machines on the network anyhow.
My point is that while they put on all this show about physical security and futuristic personnel access control, I suspect they then have some of the actual data travelling around their internal network (both within and between DCs) unencrypted for anyone and anything in the middle to see.
It's not that hard to then imagine that some rogue employee at Google could be collecting it and selling user secrets to the highest bidder if companies start picking this up.
Maybe they've got all that covered, but that's not something that they made clear and worries me more than if encrypted disks are being crushed (which is also highly polluting btw, far better to recycle as a whole when components can still be separated)
Crushing the disks
"If as they say the filesystem is encrypted anyway why do they bother with so much show?"
Possibly because it's easy, cheap and definitive.
The disk is going to be destroyed anyway during recycling. If you crush it before it leaves the premises, which takes moments and costs peanuts, you don't need to worry about someone sneaking disks out of the recycling chain and trying to extract data.
It's just theoretically possible for someone to extract fragments of data from an encrypted, erased drive Once it's crushed, that becomes ludicrously uneconomic - so why *not* do it when it's so easy? Belt and braces - even if something goes wrong (which on the scale Google operates at is pretty well certain to happen sometimes) the data is still safe.
"It's not that hard to then imagine that some rogue employee at Google could be collecting it and selling user secrets to the highest bidder if companies start picking this up."
Isn't that just a standard part of the advertising analytics?
By 2020, Google = GLaDOS
You mark my words...
We do what we must, because we can
Just don't trust their attempts to get into the slimming dessert market...
google has robust physical security? Biometric scanners? Oh that reminds me, I need to drop off a book on Larry's desk this weekend.
Daily Mail mentality
By any standards these are impressive datacenters. The access controls and multiple layers of data security make sense to anyone who understands this environment - those saying the crushing is for show are talking rubbish.
Any concerns around Google's business practices, including collection of wifi locations, are not related to their datacenter operations. Lumping everything together and saying Google = evil black/white highlights a real lack of clue about any of this (just think of the money Google could save if they did away with all their ops and listened to commenters on The Register!)
In otherwords, try the Daily Mail website where you will find your simplistic, expert opinions can be offloaded all day to the thumbs-up approval of like-minded chimps.
When a "cloud" service has all your data ...
... and loses it, how do your prove it ever even existed?
You need a Doris
What that calls for is a data-psychic to contact the ether(net) loking for echoes of bytes still wandering the blogosphere.
I know this works 'cos I checked with the iChing by tossing memorysticks in the air and noting their positions when they landed.
> if an unauthorized person did gain access to a hard drive, the data could not be read by the human eye.
my eyesight's not too bad, but I really, really struggle trying to read the data on any of my unencrypted hard drives, never mind the encrypted ones - and I have the same problem with CDs. DVDs, USB sticks, floppies - in fact, I've not be able to read data directly off storage since I stopped using punched cards and paper tape...
Of course they take *their* data security seriously
Have spent so much time and effort "collecting" the data from their *users* they don't just want any potential *customer* to be able to send someone in and snaffle a copy of it, or rather the final product they derive from it.
I've seen this phenomenon before. Sometimes the business with the fairly low value transaction takes *much* better care of its IT infrastructure than one for whom IT is *supposedly* their core activity.
They actually said very little about data security
Such as how the data are encrypted and keys managed and how is access via the 'Net controlled.
Looks very sunny and plenty of trees around, although the guy in the jeep, rushing off to inspect some disturbance, looked a little too sweaty for my liking!
Anyone else see the yellow avo with "GOOGLE" scribbled on the end, just in case someone from another company stops by to borrow that guys tool's! I doubt he's allowed to take anything electrical out of the building so what's the point in writing "GOOGLE" on it in big, black felt tip?!
Do they realy use tape backup? How quaint (About 4:05 in)