G Suite admins need to RTFM – thousands expose internal emails

If you're sysadmin of an organisation using Google Groups and G Suite, you need to revisit your configuration to make sure you aren't leaking internal information. That advice comes from Kenna Security, which on June 1 said it found 31 per cent of a sample of 9,600 organisations leaking sensitive e-mail information. The …

Silver badge
Alert

When enough people make a mistake, it stops being a user issue, and it becomes a UI issue. Maybe putting a big warning sign on the option would be enough to solve most of the issue.

27
0
Anonymous Coward

There are many good reasons why Amazon has books for migrating from Google Craps to O365 but not vice versa!

0
1
Orv
Silver badge

Oddly enough I've been with two places that migrated from O365 to Google, after running both in parallel for years. Reasons seem to be reliability and interoperability problems with O365. (I get the impression Google plays better with existing non-MS infrastructure, and these were large organizations with complex authentication needs -- LDAP, Shibboleth, etc.) O365 developed a reputation for repeatedly botching service updates and being picky about browsers.

1
0

Why is it even an option to expose your private stuff online?

1
0

Because not everything people send is private. There are good reasons for a company setting up a public group, such as a discussion list with franchisees, suppliers or customers.

3
0
Silver badge
Coat

> Why is it even an option to expose your private stuff online?

You mean you don't?

Mine's the dirty old one -->

3
0
Silver badge
Coat

Why is it even an option?

Why is it even an option to expose your private stuff online?

You're not the only person to find himself asking that. It is a question many people, including the guy himself, asked after Anthony Weiner sent dick pics to a minor.

0
0
Silver badge

I'm guessing that the manual was outsourced instead of being done in house. Either to interns who are clueless as to manuals or some place that's cheap.

1
0
Facepalm

If you feel it's been outsourced, try dealing with some of their "experts".

I have come across new 1st liners with better problem solving than them.

Hint:

Hi, you (Google) have allocated the wrong type of account against our customer login.

OK sorted that for you, you now need to set up a new one

It says I can't because I already have an account.

OK you need to delete the old one.

I can't because I can no longer login.

That's because it's no longer associated with your account, you need to create a new one.

It says I can't because I already have an account.

OK you need to delete the old one.

I can't because I can no longer login.

That's because it's no longer associated with your account, you need to create a new one.

It says I can't because I already have an account.

OK you need to delete the old one.

I can't because I can no longer login.

That's because it's no longer associated with your account, you need to create a new one.

It says I can't because I already have an account.

OK you need to delete the old one.

I can't because I can no longer login.

That's because it's no longer associated with your account, you need to create a new one.

I seriously think I was talking to an early Bot.

7
2
Silver badge

How confusing can it be?

"Public on the Internet" vs. "private"... Hmmm... What might that mean?

To quote the problem description, ...the misconfiguration happens when Groups Visibility is configured to “Public on the Internet”.

I am sorry, but I don't find this confusing at all. Nor is it “complex terminology”, IMHO. All it is is PEBCAK.

4
1
Silver badge

Re: All it is is PEBCAK.

If your user interface design doesn't take users into account then it's not the user's chair and keyboard that delimit the issue, it's yours.

9
0
Silver badge

Re: All it is is PEBCAK.

If your user interface design doesn't take users into account...

I wish I could upvote you more than once.

1
0
Orv
Silver badge

Re: How confusing can it be?

The problem is Google's admin tools don't show you the status of groups in the group list. The only clue you get is a group type of 'Custom', which can mean anything. If you click it, you get another page, which also doesn't tell you the group's permissions. You have to click "Role and permissions" in order to see the settings. This means if you have more than a few groups, it's a very tedious and error-prone process to audit the permissions on them.

The group owner(s) can change the permissions at any time, so all it takes is one click where someone hits "Anyone on the Internet" instead of "Anyone in the organization" directly below it, or misunderstands the difference between who can post and who can view.

1
0
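The audit described in the comment above can be scripted once each group's settings have been exported. This is an added example, not part of the thread and not Google's code: the field names and values follow the Groups Settings API resource, the sample records are constructed, fetching them is not shown, and the severity policy is this example's own assumption.

```python
# Offline audit of exported group settings for internet exposure.
# Field names/values follow the Groups Settings API resource; the records
# below are constructed sample data, and the severity policy is an assumption.
SAMPLE_GROUPS = [
    {"email": "hr@example.com", "whoCanViewGroup": "ANYONE_CAN_VIEW",
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
     "whoCanJoin": "INVITED_CAN_JOIN", "allowExternalMembers": "false"},
    {"email": "support@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanPostMessage": "ANYONE_CAN_POST",
     "whoCanJoin": "INVITED_CAN_JOIN", "allowExternalMembers": "false"},
    {"email": "eng@example.com", "whoCanViewGroup": "ALL_IN_DOMAIN_CAN_VIEW",
     "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
     "whoCanJoin": "ANYONE_CAN_JOIN", "allowExternalMembers": "true"},
    {"email": "ops@example.com", "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
     "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
     "whoCanJoin": "INVITED_CAN_JOIN", "allowExternalMembers": "false"},
]

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}

def audit_group(settings):
    """Return (severity, finding) tuples for one group's settings."""
    findings = []
    view = settings.get("whoCanViewGroup", "UNKNOWN")
    if view == "ANYONE_CAN_VIEW":
        findings.append(("HIGH", "archive readable by anyone on the internet"))
    elif view == "UNKNOWN":
        findings.append(("MEDIUM", "view setting missing, check manually"))
    # Self-service joining by outsiders widens who counts as a "member".
    if (settings.get("whoCanJoin") == "ANYONE_CAN_JOIN"
            and settings.get("allowExternalMembers") == "true"):
        findings.append(("MEDIUM", "external users can self-join, "
                                   "review what members can read"))
    # Posting and viewing are separate: accepting outside mail is not a leak.
    if settings.get("whoCanPostMessage") == "ANYONE_CAN_POST" \
            and view != "ANYONE_CAN_VIEW":
        findings.append(("INFO", "accepts external mail, archive not public"))
    return findings

def audit_all(groups):
    """Flatten findings for all groups, most severe first."""
    rows = [(g.get("email", "?"), sev, msg)
            for g in groups for sev, msg in audit_group(g)]
    return sorted(rows, key=lambda r: (SEVERITY_ORDER[r[1]], r[0]))

if __name__ == "__main__":
    for email, sev, msg in audit_all(SAMPLE_GROUPS):
        print(f"{sev:6} {email:22} {msg}")
```

Because group owners can change these settings at any time, a check like this is only useful when re-run on a schedule against a fresh export.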

You have to create or set permissions for your group as Team which is the default, and tick the box that says "Also allow anyone on the internet to post messages". Not really sure what extra training needs to be done to highlight that you are exposing your group to public internet?

2
0
Anonymous Coward

Because you can (could, haven't done it for some time) get a bizarre situation where people external to the company get a bounce back if they try to email a group address, unless it was public.

1
1

Is there a glossary? If so, how does it have "Public" defined?

Public: "The seven BILLION people on Planet Earth! No username or password required for anyone."

0
0
Orv
Silver badge

Now try auditing several dozen groups to see if anyone ticked that box. It takes two clicks per group just to see what the permissions are. Hope you didn't have plans for the day.

1
0
Silver badge

It is confusing

When we moved to Google Apps for email, I'd expected to be managing a mail system like I was familiar with: users, with aliases that apply to a particular user or a set of users. But instead of a "group alias" Google has this weird "groups" setting, which seems to try to merge the concepts behind a newsgroup or public mailing list and a simple group alias address.

Personally I find it annoying and yes, confusing the first time we set it up. If Google simply offered a normal group email address like you might find in, for example, exim, sendmail or any of the other systems their customers would be migrating from, this wouldn't have been an issue.

Oh and for all the clever-clogs saying RTFM - that might have flown when Google Apps launched, but it is showing all the signs you'd expect after all these years: scope creep, poor mergers of acquisitions with different concepts, abandoned approaches etc. in the documentation. You are in a twisty maze of hyperlinks, all alike.

10
0

Re: It is confusing

To be fair they used to have exactly this functionality and it worked great.

Sadly when they introduced the much more marginal case of Google Groups for domains they decided that since they both had the word "group" in they must be the same thing, and decided that you can't have both on a domain.

0
0

It wasn't broken.

Why did anyone think it needed fixing?

0
0
Bronze badge

Defense in Depth

I've always been very wary of things that allow exposures by a single setting. I generally won't use such products unless forced to.

0
0
