Friday, October 15, 2004 6:29 AM PT Posted by Tom Spring
Google Desktop Search might just be too good. Using the new software, I was able to bypass user names and passwords that secure Web-based e-mail programs and view personal messages sent and received on public PCs.
Using Google's new software on a shared computer at the Google booth at the Digital Life trade show floor I was able to easily search for, find, and read private Yahoo e-mail sent on the computer by previous users earlier in the day.
Marissa Mayer, Google's director of consumer Web products, told me she wasn't surprised. "This is not a bug, rather a feature," she says. Google always intended people to be able to index and search Web-based e-mail viewed and composed on PC, she says. Google Desktop Search is not intended to be used on computers that are shared with more than one person, she says.
Whether or not Google intended this, I take great pause at knowing any e-mail I write or read on a PC with Google Desktop Search could be called up and read by a complete stranger.
To find old e-mail on the PC, I searched for "compose" and "inbox" using Google Desktop Search. This allowed me to view pages that Google Desktop Search had indexed. I was not able to access the query results directly, but Google Desktop Search stores cached versions of search results found on your desktop, just like it does for its Web searches. The cached versions of the pages could be viewed.
By accessing Google Desktop Search cached pages I could then easily access multiple Web-based e-mail accounts and view some of the messages that had been opened previously in the browser. Searching for "compose" yielded the most startling results. I was able to read private missives sent on the PC very easily.
On one computer alone I was able to access no less than 10 personal e-mails that had been sent using password-protected Web-based e-mail accounts.
Mayer dismissed my concern that this is a security issue. She points out that you can configure Google Desktop Search not to index Web pages or specific domains. That would prevent Google Desktop Search from indexing and caching the URL "mail.yahoo.com".
Google has had to face security questions in the past over its GMail Web-based e-mail service.
Google may not be surprised but I am. It's definitely made my opinion of the new Google Desktop Search do a complete 180. Yesterday I was thinking about just how handy it is, now I'm considering just how invaded I'll feel when someone else that uses my computer can routinely pull up my email and chat logs.
anyone who uses your computer can access these files anyway, this is not a google security issue.
Yes, it might not be a feature everyone wants. Agreed. But, you can VERY easily disable those features where it caches the secure site and logs IM chats. You also don't have to have it log email. During install you simply check what features you want. It isn't rocket science.
This will be a great tool for IT departments wanting to view the web pages and webmail that employees have been accessing. Before we had to go manually through the internet cache, now we can do it via google.
On the other side of the rule, if you don't want this to happen to you delete your cache by following one of the many directions to do so available on the net. (Note: using delete files in IE does not remove all cache)
Very little surprises me anymore, but I'll bet Tom Ridge is ecstatic! Now 'Homeland Security' will be even easier to crush under the jackbooted feet of this 'War on Terror' that makes all good citizens suspects & calls the massive invasion by Illegals from all over the world (coming through Mexico) merely 'guest workers'. Go figure. Then visit Peroutka2004.com and learn how a 3rd party vote will help rid us of 'wars' on US. Does Tom Ridge own stock in Google? My website: PropertyRightsResearch.org
Seems like complete transparency is not far off. No one should ever consider e-mail 'private' anymore. How long before this technology gets used to search remote PCs via the internet? My ex-wife will love that!
Regardless of the reasons, I hope the columnist who wrote this is aware that by simply accessing this data he has broken data protection & computer misuse laws.
Besides - anyone who sends/stores sensitive information/information they care about in their email obviously has no clue about security and will, inevitably, have their details read.
It's very easy to set google desktop to not store secure web pages. That's what I did. No problems here.
I agree with Scott's comments. You can handle it the way you want according to your security rules.
Your problem is that you are using Internet Explorer to access your webmail. Use a browser Google doesn't support, like Opera, and you are fine.
I agree that Google desktop search should have an access password though!
What Spring has found here is the common lack of security in email applications. Security of email is an illusion if the method of access contains no security provisions.
The 'Find Files' feature of every Windows desktop has a feature that allows you to find any file containing specific keywords; this can equally be used to "compromise the [non-existent] security" of email, and it is built-in!
Spring, as a member of the PC World staff, certainly knows this; his omission of this fact in his blog entry shows a desire to sensationalize a non-story.
This is hard to defeat. Delete the temporary Internet files and google suddenly can't find them. Wow. That was tough.
Encrypt your entire hard drive so that only the person with the password can decrypt the HD to boot it up and be done with it!
As already said, you do not need Google to find this information... but of course, this will be used to raise issues. f.x. property rights - what a joke!
Google Desktop Search is not a security threat. Did you try searching for "compose" using the rather simple search feature that comes with windows xp? Sure, it doesn't cache, but you should stop kidding yourself that just because webmail is behind a password that it is at all safe. Your communications are only as safe as the OS you use, and, well, Windows doesn't exactly have a great track record for security...
Absolutely correct Robert Martin. Can you trust PC World to be a reliable source of IT information???
whatever, this is knee-jerk journalism at its worst.
Google isn't breaking into your PC or your webmail accounts - they are simply scanning the INTERNET EXPLORER CACHE that already exists on your computer. likewise for the AOL CHAT LOGS that AOL Instant Messenger AUTOMATICALLY saves to your computer.
it's the fault of Microsoft that they leave every file you download from the web in the Temporary Internet Files folder. Mozilla/Firefox, Safari, and other browsers put the cache into a single, encrypted file.
it's the fault of AOL that newer versions of their Instant Messenger software leave a log of each chat session in an undisclosed location on your PC.
additionally, it's YOUR fault for not learning the ins and outs of the software you use - clearing IE's cache after each browser session, and enabling the setting in AOL Instant Messenger that disables chat logs, will get rid of these issues.
This article is an overreaction.
Maybe this will be a wake-up call to people who don't understand how computers work. If it's easier to bust somebody for being a slacker then they deserve it. We are just extending that old axiom "Ignorance is not a defence" to a new level.
Yes it's a bit of a shock but Google has done non technical users a favour. Guess what, you leave a trail with every keystroke, so be careful what you type you never know when Tom Ridge might drop by for a cup of strong Java.
Would google collect the information I have in my computer? They will know me better than I know myself. I will be the perfect target for advertisement. Now every time I see an ad it will be for something that I wasn't looking for but that I probably need. Need some wood anyone
Maybe Tom should stick to the wonderful Windows' search
Will said: "Regardless of the reasons, I hope the columnist who wrote this is aware that by simply accessing this data he has broken data protection & computer misuse laws."
Not quite. As he stated, this was a public computer at a tech show. In addition, the cache google searches through is not encrypted. There was no computer misuse either, as he didn't try to break into anything. This is equivalent to leaving letters mailed to opened on top of a table at a restaurant. It's "private," but it's at a public place with free access to it.
I would be much more nervous to leave my real email address on this site waiting for it to be harvested by a spammer...
What an awesome quote - "this is not a bug, but a feature". I'ma need to start using that at work.
"OMG, I can find ALL of the stuff on my computer, Oh the humanity."
On another note, the sky is falling.
I think Google has just opened up a big question on the lack of security on either our web system or the windows system in the overall design of things.
anyone tried it on unix,linux, etc...
1. OPEN GOOGLE DESKTOP
2. CLICK ON 'desktop preferences'
3. UNCHECK THE EMAIL, IM AND WEBHISTORY BOXES.
4. AND DON'T FORGET NOT TO WORRY
People who use public machines for private mail must know how to protect themselves. If they don't, it's their own fault.
Do we blame companies that provide desks for their employees and these employees leave their files on the table?
I have just installed it and I love it already.
Hmmmm... If you are worried about Users on your PC being able to read your e-mails that's one thing. Yahoo!, Google, AOL, and the multitude of other Free email services can get into your e-mail any day of the week they want, Are you going to know? Absolutely not! You don't own the server space that your e-mail resides on and you don't know the people who work there.
These sites can be hacked easily. Who has that strong of a password that they can't get into your account? We all know your user name right off the bat, so the password if they know you, shouldn't be that hard to get. Besides, who would send anything via email that would be so sensitive that they would be concerned if people read it or not? If that is the case, you shouldn't use these free services. Use the phone, or are you scared it might be bugged???
Here's my opinion. Anyone out there who is shocked by this article is tech-illiterate. Everyone who knows anything understands that you don't access anything personal on a public computer. Secure your own system in a way that you feel comfortable with based on your security requirement.
This desktop search is a convenient tool for me because my system is locked down in a way that will make it extremely difficult for anyone, other than myself, to use it.
If someone can defeat my security, they don't need google desktop search to find what they are looking for.
Use a typewriter and burn the ribbon
you know, if you really want to keep something secret don't write it down,
not in email, not in telex, not in fax, not in code, don't even write it in lemon juice!
if you write it, in any form it can be recalled & read, by anyone.
Even if you delete your temporary internet files, Google Desktop search has archived a copy in its own cache. Deleting the files doesn't delete them out of the Google Search, and you can pull the e-mail up postmortem. You have to manually remove them from Google by clicking the "remove checked results" button (as described in the help file) after finding them via search.
Why are we yelling at Google having the problem. The problem is web mail applications that cache personal information.
As another commenter noted: the problem isn't Google desktop, it's people using their insecure webmail applications on public machines.
Blame the webmail app.
This is NOT a problem of any sort.
This is NOT a problem of Google.
As far as IT is concerned any mildly competent shop can store any access to any data through a corporate network to the internet.
This is NOT something that even requires access to the computer that did the viewing.
All Google did was EXPOSE what was already there for others who didn't know better or otherwise to become alarmed at.
This is quite simply tantamount to having a private diary and then handing to a stranger so that they can use some of the unused pages.
The computer had to have the information in order for it to be displayed.
The computer, and access to it is what needs to be secured.
This is simply the same as all things have been through-out history.
Sharing can be bad, so it needs to be approached with caution.
Needles, wives, toothbrushes, and now computers.
I would be surprised if Google didn't have an option to disable some of the filtering/caching/etc that it does for security purposes to limit direct access of collection of this information.
Here's another flash for those that are concerned about this!
For those that travel around and find WiFi hotspots, do understand that ANYTHING that is accessed or entered VIA a hotspot to/from the Internet can be collected.
There is NO indication on your end what is being collected, what is being saved, it all depends on how the hotspot was set up.
YES, there are those with malicious intents that have set up hotspots in cities looking for passwords, and credit card numbers.
Those that use WiFi hotspots for anything other than simple browsing are potentially opening themselves up for a lot of harm.
Yes, "HTTPS" helps but it isn't fool proof when you go through someone else's network where they can capture ALL packets in an Internet conversation.
OK guys, web based email is no more insecure with the Google tool than without. It is merely indexing what people already have access to. There is no breach of security. Let's not throw the baby out with the bathwater because some people (like this journalist) don't have the common sense to delete their cache!
Chris said : If someone can defeat my security, they don't need google desktop search to find what they are looking for.
Got that right! It is almost as easy to find all those files on your PC without the search tool. I monitor employees internet access as part of my job... If someone wants to find out something about your computer habits they can. period. Unless of course, you know how to modify the system registry as well as erase your tracks from internet logs etc. Let's face it, if you don't want someone to find out... don't do it!
on the same note... don't communicate with an unencrypted email system if you are worried about someone reading your mail.
But hey, unless you have enemies or you make the news, most people are NOT interested anyway.
( And as far as the sub-topic goes... vote Bush! Kerry's promises are unrealistic, ran the numbers myself... )
People who don't know how to use computers properly shouldn't use them at all. Any technology can be dangerous in the wrong hands. Especially to the hands wielding the technology!
Let's go back to using catapults to protect our castles. I got mine here- www.CatapultKits.com
Simple, don't compose private email on a public computer.
Any organization (and most homes) that requires sharing of computers should set up separate accounts on each machine. For a given user, Google Desktop Search would only index the user's designated drive partition. This is easily done on Windows and MacOS machines.
Did this Rainbow Brite just move over from Details magazine or People Magazine where he was covering fall fashion? Maybe he's short-selling Google stock. What an idiot!
Next thing he's going to tell me is that there's a thing on his computer that allows him to read all these articles WITHOUT buying the actual newspaper. It's something he calls a browser! Watch out! It's the end of the world! YOUR BASE BELONG TO US!
i love the catapult watch
LMAO!!!!!
I hate to break this to the author, but email is probably the least secure means of communication in the world. Sending out an email to someone is the same as shouting across a crowded room. ANYONE can hear you if they choose to listen. Most ISPs and email providers regularly make backups of stuff to ensure that they can recover from a crisis. Your secret email could be saved by someone you don't know for decades. If you are going to be sending email to someone that you don't want others to read, you had better encrypt it. enough said
Great tool... I love it. I agree that a password option might be a good idea, but I don't really want my web based email or IM chats to be stored, so I just turned those functions off. It's great being able to search my outlook emails, my files, etc within seconds. LOVE IT!
Hey! My computer has a pop-out cup holder. Neat!
Folks... Grow up.
You should assume that anything you type into any computer is there forever for anyone to read. If you can't deal with it at this point, that's your issue. Google kicks butt.
google is actually run out of the NSA headquarters. they are caching all electronic-intelligence throughout the world. if you are on-line, you are part of the google system. all W or Ashcroft has to do is type into their computer "bomb" and they will scan your computer for your plan to take over the world. That's what http://toolbar.google.com/dc/offerdc.html is all about. and i'm making all of this up. the only threat to security is stupidity. and that's why everyone is voting for Kerry and Bush, two morons. Vote Badnarick http://badnarik.org/
That is the most ridiculous "security threat". I can just walk in and view that stuff anyway. In reality, you take a risk when you send private information at a public terminal. The public terminal should be completely wiping the system between users anyway. Using a public terminal for private information is like using an unsecured wireless network. The only thing in between the victim and the perpetrator is the data.
I might add, how many public terminals give users the admin rights needed to install software?
hmmmm.
The only way you can view the cache is if you have access to the google desktop search, which is only accessible by the person who installed it on the machine. If they have access to the machine with your password, you have bigger issues than what's left on the cache, they have rights to anything you have on the network and local machine as well.
Turning off the indexing of secure web pages prevents it from being indexed, along with keeping it out of your IE cache as well, which is the way that someone who's concerned about security would have it set up already.
All said and done, Desktop Search tool is only useful on a single-person -used machine for life.
So, useful only for HomePCs of bachelors who screen-lock/logout the PC whenever out of home.
WHY ASK FOR PRIVACY? Google should not have implemented such an asinine disrespect for personal security to begin with. Now I have a simple Google application I can keep with me on a thumb drive any time I want to read other people's email.
I blogged about my personal experience with Google Desktop here:
http://www.lenfocenter.net/lenblog
Just like the other people have said - security threat?
Here's why it is not (or cannot be defined as)
#1. you can disable searching EMAILs and IM from 'Preferences'
#2. you can and you are taught to empty your IE cache every time you use a public computer (I for one do not even use IE.)
#3. switch to Firefox that has encrypted caches - GDS cannot touch it.
#4. use Thunderbird for EMAIL - GDS cannot read your emails.
#5. Use Windows' "Find" feature and then search within files just to see that the same info can be gotten like that.
People, emails and web email logins were never private because:
1. your computer can have a keylogger installed (Soft or hard)
2. your browser passes on in CLEAR TEXT the passwords you send out for your accounts, throughout the entire INTERNET. Try to see HTTP headers to see if I am kidding you.
3. everyone knows that IE stores sensitive info in its Temporary folders.
4. Your computer could have an undetected trojan that is phoning home.
5. Your computer could have a virus that emailed your emails to all other people (thanks to MS email clients).
6. M$ is already tracking the info you enter and phones it home (just observe that Windows always submits information at startup. It has been shown on other forums that the info is of a keylogger-type.)
7. do you really believe that you know your computer inside-out? How many breaches allow other to remotely monitor your XP?
C'mon people, Google is making your life easier, and it is only reminding you that your computer ain't safe.
From: HeadHancho of GDS user chat,
Hey, ought visit their gripes on private PC list of failures. Now, this makes any PC in public taboo, just in case some jerk put Googling there so everybody can ogle.
What startles us is same value as makes download worth our time is that NO mention as SAFE even tips to get behind firewalls, novices are stranded as hacker bait, indexed tips to ourselves so password intensive, often with account names, misspelled or not, just more to the lure. Surely dozens of ideas if not working versions are about to impact enough identity thefts for notice. But a 'squirrel' fellow takes quite a name calling exception to reporting by you. You'd be free, too, to visit for a chance to better set ole squirrel straight than I...
GDS can't index files in .zip format. So a lot of data is still intact !! That's nice and also if its a single user system, then I need to do a complete overhaul of my .zip files to leverage GDS so that it can find all that funky stuff which I zipped away.. it sucks in one way ..but in another way.. if my GDS ever wants to call into the mothership, my contents is not mustered .. you hear me ??? :)-
All of this begs the real question -- will this new Google search program "play friendly" with Windows? Are we just asking for major incompatibility issues down the road if we put this on our computers?
Would be nice, and was hoping that Google Search would be able to find JPEG photographs embedded comments, to allow add and edit, and the option of displaying those 'comments' as footings when one views photographs.
JPEG is probably the most popular photographic file formats, with some of us having many, many such files on our computers.
It would be nice Google would specifically manage that attribute of a JPEG, and only those that we choose to put comments to, which are the minority of the pictures actually in a computer. Something like exif.exe does. But exif.exe, unfortunately does not have search capability.
The nice thing about using comments on JPEG's is that they are independent of the graphic contents.
-mbl-
I think the author may have meant well, but the concerns/comments about security need to be contextualized (as other posters have done) or else it's a reactionary piece. The Google tool is probably a tool for a personal computer (meaning, 1 private person) not an open terminal. If you use ANY open terminal - kinko's, a university, a cafe - you probably don't even think of wondering, "hm, I wonder if there is monitoring software on this computer." They could have installed the most sophisticated spyware that extracts credit card numbers and your spouse's birthday. Not only would you be UNAWARE, you'd never even wonder. So to think that Google's desktop is something insidious is just a weak angle for writing an article. In truth, it's a pretty slick application that in one day of use has pretty much converted me from the various things I've tried before (not that it was hard). It's remarkably fast, efficient, and I wouldn't even care if there were adwords. It's great software and I'd probably buy it if it weren't free. PC World editors should have caught this.
Google is bad!! They just want tons of marketing information like everyone else! They are slowly creeping into everyone's lives.
The Google Desktop is unquestionably an outstanding example of cutting edge programming; how anyone can complain about it is totally beyond me.
This is not Google's problem. It's a Microsoft problem. If the file system was more secure, then you wouldn't have access to Google's index. No one has any right calling Google's software "spyware" cause it's not. If you click on start --> Search --> for file or folders ... and enter appropriate criteria, you would be able to access the same content that google's software is accessing. If their software has access to it, it wasn't protected in the first place.. Granted Google's software might make it seem a little easier to access this information cause you might not know how to use the search options built into windows. But really .. it isn't that hard to figure out .. This is not a security threat in my opinion.
What you people don't seem to understand is that Google Desktop Search will allow you to look at documents that you wouldn't otherwise be able to look at. A multi-user Windows system will not allow you to look at the contents of other people's "Documents and Settings" folder, so using the Windows "search" function or browsing the hard drive's contents will NOT allow you to look at other users' files.
The problem is that Google Desktop Search makes copies of users' personal files in a place where they can, in fact, be viewed by others. That is the problem the author is describing.
Before you attack somebody for their apparent stupidity please make sure you understand what it is you are criticising. You act like you're such experts, but your comments betray you.
Ok, Google Desktop Search does NOT access files that the user did not originally have permission to. All it does is index them and make them easier to find. There is NO breach of security - merely it makes pre-existing security problems more apparent and easily exploitable.
If the author of this article had half a wit he would not have had all those emails stored on his hard drive and publicly accessible. What a twit.
^ werd
I don't think many posters understand the nature of this security issue. Anyone with GUEST (or non-admin) access to a workstation running Google Desktop Search can view cached "copies" of documents and webpages of content stored in the protected ADMIN directories. Normally these files are inaccessible during a real-time Windows Search if you don't have the privileges. Desktop Search is different. It indexes all the content and creates a copy of it for anyone searching (regardless of access privileges) to view in the results.
(I'm not posting my email address because this blog does nothing to protect it from being harvested by spammers. You can contact me by visiting Landolinks.com)
"Ok, Google Desktop Search does NOT access files that the user did not originally have permission to."
No. What it does is make copies of some of your files while you're logged into your account. Once you log out those files will be available to other users through Google Desktop Search. These files would not be available to other users if Google Desktop Search didn't make copies of them whenever you're logged in (and therefore when it DOES have permission to do so).
Oh my god what a stupid "article" this was.
"Some software can find my cache-files"
"OH MY GOD!!! IT'S LIKE, TOTALLY BIG BROTHER!!"
Dude - George Orwell called, he wanted his paranoia back.
Complete fluff-piece. So you can pull up email info from a public terminal. Guess what: Given physical access to a machine, any and all security is out the window. If the attacker can physically reach out and touch your PC, you've already lost.
This is not a problem, not for Google and not for Microsoft (as has been suggested in comments).
The guy is using a public PC in a demo booth. He is probably running as the same user whose "private" email he "found". How is the Google Desktop or the Windows OS to know that the person at the keyboard is somebody else when they don't log out or in? Solution: don't use public terminals for private messages.
The article doesn't say that the Google Desktop caches files and makes them available to other users. The reporter is using the computer as the same user who sent the mails.
This article is just sensationalism. This is a total non-issue. The guy is basically saying: "I use a public PC, with a public user account, to send private messages. OMG... The next guy who comes along, with the same public user account, can see my web-cache!!!" Of course he can, to the system it's the same person.
The world is too lax on security.
The internet is wildly insecure for the average user. Even if you have a thoroughly locked down system, as things are, some flaw will emerge to allow access. It is a constant battle to keep your desktop functionality and remain secure.
Google have highlighted an issue but are also negligent in their duty. The default options should not allow searching of private items. I know this is the purpose of the new tool, the user needs to be the authorising party and have sensible defaults.
This is also another way to infiltrate your PC. I have no doubt security flaws allowing unauthorised access to your google cache will emerge.
At the moment there is way too little security preventing access from your PC to the internet.
How easy is it for a user to find what program is consuming your bandwidth or is even accessing the internet? A desktop Firewall should be able to give you this information if configured, but a hardware firewall is hard pressed to know anything about the processes running on your PC.
You need to know far too much and be able to keep up with far too much. Even then you are still prone to unknown exploits as are found all the time.
This doesn't even take into account what information is accessible on a shared computer!
I don't wish to be the prophet of doom, just a realist. This is the reality.
Julie and her "jack-booted thugs" of homeland security shows us what a small, simple mind she has. How pathetic to hear such parroting out of the mouths of the ignorant. I have not seen one single jack-boot or thug trying to harm anyone since the instigation of homeland security. However, one can only hope that julie and her easily duped cronies will be first on the list if we ever do decide to get rid of the simple-minded.
The cache is in the Application Data folder of the User, so it's just as well protected (or unprotected) as a whole boat load of sensitive caches (IE's cache, for example).
There is no escalation of privileges to be found here.
Google Search can only be run by one user on a machine. It attempts to protect its web service by making what looks like some sort of key for the URL to work.
Other users are not presented with the Google Desktop interface, unless they somehow come up with that key used to access the local web interface. There is the only security hole I see (tho I have no idea how you could come up with the key unless you had access to both accounts.)
Hate to break the news to you guys, but if someone wants to find out info on your computer, there are much better apps to do it than the Google Desktop Search. The Govt. uses EnCase, made by Guidance and it will find EVERYTHING. The Desktop Search is an extremely lite tool compared to what will be used if someone really wants to find out info.
This isn't a Google issue, it's a Microsoft issue with the way the OS allows access to the system from applications. The MS systems weren't designed for security, so if you're using a multi-user windows machine and you're worried about security, don't do anything you wouldn't want publicly exposed...because it can and will be, unless the right precautions have been made.
This article is FUD, pure and simple. The writer probably received a bonus from Redmond for this piece.
I fail to see any real issues here. If I have a PC, I can run what I want on it. If I don't want anyone to search for stuff, then I won't install Google Desktop.
The author of this article is a complete spastic. Honestly, what next. "Flaw" in OpenOffice allows person to stand behind shoulder of computer user and "steal" personal letters using a camera. Jesus.
I agree with the author to some extent. One use case:
I am a customer/worker/owner in a cybercafe. I somehow managed to install Google Desktop on one of the workstations there. I configure it to cache everything it can.
I check the cached stuff later; someday I might get some stuff... which is useful to me...
Ohh, this Google thingie seems to be the mother of all spyware. It's their first step to building the infrastructure to index the whole damn world.
Unless you are ok with someone finding out all about your personal stuff either now or in the future, avoid this google desktop like the plague..
Stupid people should not be allowed to use computers.
Learn how computers work before you pretend to know what a security hole is.
Google does not forcefully cache these items. They are already on your hard drive. Google is only caching what is already available.
YOU PEOPLE ARE ALL IDIOTS!
At least the people who think that this is newsworthy.
Google isn't doing anything that can't already be done. They are just doing it in a new way. And this is NOT SPYWARE! Spyware sends its findings back to another computer; Google does nothing of the sort.
Go back to the National Enquirer, Tom Spring, where your sensationalistic and misleading stories belong.
It seems to come down to: lock your doors when you leave.
But the question is: how long will it take for general users to realise it?
This was a very informative article for someone who is a casual user of computers.
Based on the petulant and self-absorbed tone of most of the sophisticates above, I'll continue to try to remain as detached a user as possible.
Thanks for the information, Tom Spring, and continue to write for an audience that includes people at my level.
I don't get the fuss, set the options correctly and only use it for apps that you feel are safe. I think it's great for a home user, not so sure about business use, yet.. but there are many other programs co's use to 'spy' on employees' internet usage that go WAY beyond this.
I don't see an option for installing it across a network. I have a home network and am not able to search what my kids are doing on their computers from my computer, it would have to be installed on each system. So unless there is a feature for network installation, I don't see how this is harmful, and if you share a computer use the separate identity feature for each user, on XP anyway, and there shouldn't be a problem.
Now, since I am very new here, besides this silly issue, will someone PLEASE tell me how to stop Windows Messenger from logging me on without my even seeing that it is on? I have been trying to correct this for months now, it stops for a while, then suddenly someone is IM'ing me when I am not aware that I am logged onto Windows Messenger, NOT MSN Messenger, the Windows Messenger, it is very annoying and THAT to me is more of a privacy concern than this indexing..
Oh, and if anyone knows if there is a way, after searching all that Google indexes and finding files and stuff you don't WANT to be there or traceable any longer, is there a way to delete them right from the search page? I don't see that option but THAT would be great. Instead of finding its location and then going back and deleting it. I really found many things I don't really WANT on my computer, hard to believe what sticks.. is there a way to get rid of it completely short of wiping out the hard drive and starting over? Cool feature in that regard to know how much is stored that you thought was gone, a little scary, but if there is a way to really clean it out it's worth the Google feature just to find a quick way to know what is there that you need to get rid of, but how?
The messenger thing is what's really bugging me, I am annoyed at not being able to 'fix' it to STOP opening at will, sometimes the buddy list doesn't even show up in Outlook contacts so it's not Outlook, unchecked allow to run in background, no little green guy icon on the toolbar, yet there's a buddy, in the middle of a quick let me check my email.. knowing I'm online and that is just not cool.. anyone???
Thanks !
You can view any user's personal info with Windows set up the way the author describes. Who cares if Google indexes things a hacker would need no index for?
When I first installed it, I felt overwhelmed and excited. There is one tool by which you can search not only documents but also mails and presentations. No more messy Outlook search or horrible Windows XP search; just plain type the keyword and hey, you got your document.
It didn't take me long to realize the potential security risk. Anybody can come across to my computer, make a simple "password x-service" search and access all my documents that may contain a password!!!
Not only that, on a shared machine people can just log on with their name and can read documents as well as emails of another person without any problem!
The other issue is Google shall show context-sensitive advertisements (like on google.com). The implication: my machine's content is transferred over the web to get a contextual advertisement for me.
The major issue shall come with some unknown Windows flaw. A new virus can be designed to search all emails/passwords from the local hard disk if the Google desktop bar is installed and send them to a spammer/cracker.
I think this product has great features, however security concerns are definitely too high. CTOs and CIOs should see this as a potential risk to the security of the system.
Hey, what's this? Google.com can search insecure websites for user names and passwords?
......2 years later.....
Hey, what's this? Google Desktop can search this insecure computer for user names and passwords? - This is the same revolution Google put forth for the internet, except now on the desktop. It makes EVERYTHING easier.
Anyone ever hear of pgp or gnupg? They are easy to use and are considered very secure. Just do a little bit of reading to get it down (not much really, you can get the basics in 30 minutes.)
For windows:
http://www.pgpi.org/products/pgp/versions/freeware/
For windows or *nix:
http://www.gnupg.org/
Sounds cool to me... just that I have rr's EZ antivirus and I was not able to download it.
Hey, if you are not doing anything illegal who cares, and who has time to even read their own stuff, much less others', ..whew!! too much info as it is
just clear your temp files, encrypt the rest, duh!!
and as Bubba Johnson sayz "eat mo' fish"
senorpescado.com rules......
As far as I can tell, most people seem to miss the point that only ONE user account on a computer can install and run GDS. If you are stupid enough to allow other people to use YOUR account, they will be able to find all this info anyway. GDS just makes it easier. Solution: Give everyone who uses your computer their own account (even if this means creating a "guest" account with restrictions for those "one time friends"). Then install GDS in your own account, keep your account password private and all is fine. Other users can't look at your files or your GDS cache (or even use GDS at all) - assuming you've set up accounts with appropriate access rights.
As for shared computers, that's already been covered. Don't use them for private transactions or expect them to be accessible by anyone.
There is no security issue with GDS here. There is, however, a security issue with computer configurations and people's use habits. Which brings us back to the point: if you don't know what you're doing with a computer, you either shouldn't be using it for sensitive purposes, get someone who knows something to set it up properly, or don't complain about things like this. It is YOUR fault.
cool!
This is great technology.... Think about how convenient this is. This allows you to quickly and easily find your data from a long time ago... It will also get small and personal sites on Google. This will push Google ahead of competitors. Why does everyone want to be so secure anyways... what do you have to hide? If you think you do, you are either paranoid, or involved in some illegal activities. There are many ways for one to look at this technology. But look on the bright side, more information is better. Besides, email is incredibly insecure anyways... get off of it.
It's beta software which, judging by the fact that Google have a request form for it, is not feature complete.
All they have to do is add an optional password feature to use the tool and it's fixed. Even better, they could still allow minimal searching and only allow full searching when the password is entered.
For those complaining about security, it's not like Google is forcing this down your throats, it's your choice to use it or not. If you do not like its "features", then why download and install it in the first place?
I am going to Barnes and Nobles to find a book with the name of "Pandora's Box".
Ok, this must be a great technology since it was made by google....
...but, when I tried to install it it said that it was not compatible with other programs in my system. Those programs are my antivirus program. Doesn't that throw up a red flag to anyone? I guess this is something from google that I am going have to live without.
LOL all you people that are all paranoid "OMG OMG GOOGLE IS HACKING ME OMG OMG" wow you got options, disable what you don’t want Google to scan or don’t use it, stop complaining about your damn security. There are way bigger problems on the net and you guys have time to complain about Google? Google is a major part of the net right now. How many problems have we had with them? Or was it just you paranoid "computer users"?
i do tech support. anyone who has modest intelligence and concern can secure a computer. that's a very small % of users. for MOST people, MOST of the time, this feature is a gaping security hole.
so? that's their problem. do they leave their car running and go into a store? some of those folks get cars stolen. whose fault is it? the idea that 'user friendly' means 'idiot proof' is a fallacy. learn, or NOT.. your choice.
and as regards kerry/bush.. what we do NOT need is another trifecta of republican control. it's not kerry.. it's 'checks and balances' that we lack. as kerry is the only one NOT-Bush, (who is an ignorant figurehead at best) we should vote in kerry. not for his virtues, not for the hope he'll be better.. but because he's one tiny shred LESS BAD than 4 more years of 'business as usual'.
i weep that america has forgotten truth, accepted spin, and thinks the position of privilege we are wasting will endure.
it won't. but that's uncomfortable to contemplate....
Hey...
I care.. I'm concerned at how easy it is for anybody to find old e-mail. And if this IS a "feature and not a bug" how come Mr. Spring had to view CACHED pages and not the normal search links? It seems to me that if GDS wanted to give you the ability to view old Web e-mail then you wouldn't have to view CACHED pages.
I think this is a major f*#$@ up on Google's part.
bob
OMFG!! Internet Explorer is insecure... it stores password-protected pages on your hard drive!!
I better go write an article.
PS: Google can't index Firefox's cache because it's encrypted.
It's about time someone teaches Microsoft how to develop good, bugless software. God bless Google. Security is a state of mind. Each lock's got a key.
Sounds like an overreaction at best for a simple soul whose only PC is in his bedroom (next to the cabinet where I keep my valuables, such as the Orphan Annie Decoder Ring and Mugs).
I'm adding "fuzzy thinking" to this e-mail to see if it gets indexed by Google as well.
creepy stuff, uninstalled it before it could complete the indexing ...
This could still be a great tool for parents to "monitor" what their kids are doing, or a cheating wife having an online affair!
This tool could be the savior to the declining American family!
I nominate Google for next year's Nobel Peace Prize.
By reading the replies to this article one can easily find out the truth "How one can get blinded in love?" especially with Google.
The author of this article is right. He has just found out one security issue out of many with Google Desktop Search.
As a Security Analyst I can see many holes in Google Desktop Search. Since it is running as a web server you can expect new viruses in the near future. What I feel is that “By Default” Google should have disabled all options and made the user enable these options. This will make the user aware of his privacy.
hello
Anyone have a packet sniffer running, then install Google Desktop Search!!! I think you will be surprised at what you find!
Kedar said "What I feel that “By Default” Google should have disabled all options and make user to enable these options. This will make user to aware of his privacy."
True. This approach is good for any application that logs what you have done.
I would also like to address the problem that Windows doesn't respect your privacy and doesn't have a stealth mode.
Local security can often be the weakest link.
Physical access and User accounts are already covered.
Maximum usability---------Privacy/Security
Here are some tips that improve your Windows (XP) privacy; some of them are for the paranoid only, but this is just to show how much information Windows stores when you use it.
-Use a file shredder program to delete sensitive files. (If you didn't know, files can be easily recovered if they are not securely deleted.)
-Destroy software's MRU registry entries and IE temps with MRU.Blaster
http://www.javacoolsoftware.com/mrublaster.html
-Do not save encrypted pages to disk
-Disable history (registry hack)
-Disable cookies folder (registry hack)
-Don't use Recycle Bin
-Disable Indexing Service
-Disable Hibernation
-Disable RecentDocsHistory (registry hack)
-Disable Instrumentation (registry hack)
-Disable thumbnail cache
-(Disable System Restore or set space to minimum)?
-Clear swap file at shutdown (registry hack)
-Disable prefetcher (registry hack)
-Disable NTFS last accessed timestamp (registry hack)
-Disable Search Assistant auto complete
-Use Classical folder view
-Disable History lists from programs like Media Player.
-Use AR RAM Disk and assign temp folders to the RAM drive; if you have lots of RAM (1 GB) you can also assign the Windows swap file to physical memory.
-Make sure that there are no keyloggers etc. present.
I would recommend Firefox for browsing. If needed it is easy to configure Firefox so that it doesn't write anything to disk during your surfing sessions. (Remember that Windows uses the swap file as memory if needed; this can be a privacy risk with any program.)
Sometimes you wish there were fewer stupid people, who hotmail credit card numbers, check their email on a computer in a trade show, reading other people's email in a trade show... etc. Then again a waitress gave me 10% extra change so maybe not.
Kedar K
Some security analyst you've just proved yourself to be. A simple netstat -an shows that GDS runs only on 127.0.0.1, is not lan accessible and runs only when the user is logged in. Maybe a virus could install itself, access the service and send results to some hacker, but it could do the same with searching local disks anyway.
So stop reading security texts and start working with the real world tools.
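The `netstat -an` check described in the comment above, as an added example that is not part of the original thread: a small parser that classifies each listening socket as loopback-only or reachable from the network. The sample output, the port 8765 and the function names are constructed for illustration; the page does not give the port GDS uses.

```python
"""Classify listening sockets from Windows `netstat -an` output by exposure."""
import ipaddress
from typing import NamedTuple

# Constructed sample output (not captured from a real machine). Port 8765 is a
# placeholder for "the local search service"; it is not taken from the page.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8765         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1045         127.0.0.1:8765         ESTABLISHED
  TCP    [::1]:8765             [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
"""


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    scope: str  # "loopback", "all-interfaces" or "specific-interface"


def _split_endpoint(endpoint):
    """Split '127.0.0.1:80' or '[::1]:80' into (address, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def _scope(address):
    """Say which interfaces a bind address covers."""
    ip = ipaddress.ip_address(address.split("%")[0])  # drop any IPv6 zone id
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:  # 0.0.0.0 or :: binds every interface
        return "all-interfaces"
    return "specific-interface"


def parse_listeners(netstat_text):
    """Return a Listener for every listening TCP row and every bound UDP row."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows count only in LISTENING state; UDP rows have no state column.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        try:
            address, port = _split_endpoint(local)
            scope = _scope(address)
        except ValueError:
            continue  # row we cannot interpret; skip rather than guess
        listeners.append(Listener(proto, address, port, scope))
    return listeners


def exposure_of(port, listeners, proto="TCP"):
    """Summarise how far a given port is exposed."""
    scopes = {item.scope for item in listeners
              if item.port == port and item.proto == proto}
    if not scopes:
        return "not-listening"
    if scopes == {"loopback"}:
        return "loopback-only"
    return "network-reachable"


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for item in found:
        print(f"{item.proto:4} {item.address:>15}:{item.port:<6} {item.scope}")
    print("port 8765:", exposure_of(8765, found))
```

A `loopback-only` result rules out connections from the LAN, not from other processes on the same machine, which is the case the comment itself concedes.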
Google Desktop Search is not insecure, as many stated before.
It's just that Microsoft Windows is not really a multi-user system,
because it does not really know the users; it does not check who owns which files and what your permissions are.
So how could Google Desktop Search know which file belongs to whom?!?!?
So do not complain to Google, but complain to Microsoft! Or look for a more secure operating system. I'm using Linux now and I do not run a virus-detector program just because there are no viruses. I heard Microsoft is going to sell its own antivirus program; that would be really crazy, because they should patch the system and not bring out new software and make money because they made a bad OS!!!!?!
People, open your eyes and see the truth: Micro$oft's bad OS is the problem here.
RTFM Kids...
Read the Google Privacy. Google isn't saving anything.
I'm surprised PC world let Spring mislead.
And I want to know what this gal is smoking and where can you get it?
Posted by Julie Smithson on Friday, October 15, 2004, 08:02 AM (PST)
Very little surprises me anymore, but I'll bet Tom Ridge is ecstatic! Now 'Homeland Security' will be even easier to crush under the jackbooted feet of this 'War on Terror' that makes all good citizens suspects & calls the massive invasion by Illegals from all over the world (coming through Mexico) merely 'guest workers'. Go figure. Then visit Peroutka2004.com and learn how a 3rd party vote will help rid us of 'wars' on US. Does Tom Ridge own stock in Google? My website: PropertyRightsResearch.org
By the way, she's got a Google Search on her web site.
Amazing, I can't believe you all think this is no big deal! Yes email is unsecure, yes all of this can be had locally & over the net in other ways. But does that mean we should make it easier for those unscrupulous hackers/spyware writers. Wow, how easy do you want to make it for them to get all your history, document info, emails, chats, etc. in one place! Google is certainly my search engine of choice but this is unbelievable, don't use it!
How secure is your WINDOWS PC, do think people can't get to this index!?
Security writeup draft on Google desktop search (GDS) on Windows 2000 professional.
1. Google desktop search is a user mode (not a service) application.
2. Google desktop search is started from HKCU\Software\Microsoft\Windows\CurrentVersion\Run. This means it is started only for the user who installed it, runs under this user account and has the credentials of this user account (not SYSTEM or Administrator). Another user logged into this computer just will not be able to see the presence of Google desktop search, unless they navigate to "c:\program files\google" (but see N3).
Running under user credentials, Google desktop search will not be able to index files not accessible to the user.
3. GDS stores in the HKLM tree the user name and SID of the user who installed it. It doesn't allow itself to be installed by another user under one more user account. It doesn't allow itself to be started by another user.
4. The index files by default are stored in the user profile and have the access security of the user profile (Administrator, SYSTEM, owner). This means that even these raw files cannot be accessed by another user.
Conclusion - Google desktop search will not decrease the security of a shared multiuser OS with properly secured file separation.
GDS however can defeat security through obscurity on an already insecure shared single-user OS, for example on a kiosk public terminal without separate user profiles.
Alexander Tarasul, CISSP, GCWN, MCSD, MCSE
Although there are many settings that you can easily change or disable - most users are already overwhelmed by what they have to do to manage their computers and will not investigate security issues presented by Google Desktop Search.
The industry needs to be more proactive in protecting unaware consumers from potential threats inherent in their software. All software should begin with the highest level security defaults (password-protected, caching disabled, etc.). During setup there can be CLEAR explanations of what it would mean to change these settings.
Of course, software developers create their programs mainly in order to generate profits. This means targeted marketing and if they make anything too secure they won't get the information they need.
Basically: beware of anything that's free. It's never really free.
One thought after reading this and people's comments...
If Google's Marissa Mayer told PC World it never intended its search software to be used on shared or common computers, then how come Google installed Google Desktop Search on computers at its booth?
This is another privacy screw-up by Google and it's trying to save face by saying otherwise.
Google creates its own cache and doesn't tap into Internet Explorer's cache.
If Google wanted people to be able to view old Yahoo email, why do you have to access the cached version of Yahoo email?
PC World should have asked some harder questions of Google.
As it stands Google is becoming a pushy company that is following Microsoft's lead and not apologizing for its screw ups.
I love it "it's a feature not a bug" - ya we've heard that before..
Google is playing with fire... and the public is going to get burned.
Well now, I haven't got Google Desktop Search or a PC so this article doesn't really apply to me, but I must say that reading all these comments was truly entertaining. I'm waiting for a download to finish and I was a bit bored.. ^_^
OMFG
Look people, if an administrator or whoever decides to log everyone on as Local Administrators this is bound to happen....
This is the whole point of M$ separating user profiles into their own folder... this ain't the days of Win 98, people... all your cache, history, emails, everything is stored under Documents and Settings under your own profile... people with "User" or "Power User" can't see each other's profile and hence cannot access any of the information in there....
This whole "Security Issue" is not Google's fault; it's because most computer administrators are lazy and in order to alleviate some of the hassle on them they make everyone who logs into a PC a "Local Administrator".
Thousands of security issues are caused by this one fact....
If you make a PC open to everyone, guess what, everyone can find anything they want.. all the Google Desktop Search application does is do it very efficiently... and that's what it's supposed to do
Get with the Program some of you!!
If I make a document in Word and save it on the computer with a password, is it then possible to read it anyway via Google?
Guys -
GDS does invade your privacy big time.
Test it - Install GDS, run it, reboot your system, DO NOT run GDS again or your web browser, configure your firewall so that it asks you each and every time any application requests to connect to the Internet. Within a few minutes the installed GDS application will try to connect to Google! Don't jump yet, GDS tries to connect to Google even if you have disabled EVERYTHING in preferences.
GDS users who believe Google is not up to something bad, please explain why would GDS want to phone home? Is Google keeping track of my usage without informing me or stealing my data? (I know it is crazy to say if they are stealing the data :), but, they are doing something!).
And, please this is not the matter of innocent or not so innocent information on one's PC, Google is lying and misleading.
"I think Google has just opened up a big question on the lack of security on either our web system or the windows system in the overall design of things."
More like Google has exposed how ignorant people are of computers. The only security issue in this case is the idiot at the keyboard...
I was very excited to see the product finally released. Like a lot of users, I have a lot of emails and docs (attachments) in Outlook and this seemed like a great way to be able to search them. I was shocked to find that all my Outlook emails were cached and any user on the machine could access them by a simple search - No need to provide the Outlook password!!
This is a great tool but Google needs to address these privacy issues. For now, it is off of my machine. I have been using LookOut for Outlook and document searches and will likely stick to it.
hmm
I used this from my office comp... turns out every mail has been cached... I'm glad I caught this before too many people came to know of it.
I deleted all the caches, cleaned the reg. and stocked up on cache killers.
i suppose everyone needs a wakeup shake every now and then.
using firefox from 3...2...1....
Nobody should be getting mad at Google over this. They should be getting mad at the companies who provide them with insecure IM clients and insecure email.
The data has always been there. Google desktop is merely an easier way to access it.
OK, I can't seem to confirm what AFar says about GDS connecting to Google for some reason or another.. that is a bit suspect if true though BUT
I still can't see everybody's problem with it.. yes it caches all your data for faster searches but so does the indexing service built into XP... yes it does store its cache within your own profile folder (i.e. C:\Documents and Settings\%username%) but people, if your PC is set up securely then this information is secured by NT with your password when you log on to your PC.. if it isn't then it's not Google's fault and is probably yourself or whoever administers that PC
If someone can make it then someone can break it BUT the point is to make it hard to break into
It searches its results only in IE, doesn't fit my need, try another great product, Turbo Searcher at http://www.knownsoft.com.
Like I said earlier, a lot of you have missed the point with respect to caching. If someone can view your GDS cache, then it follows that they must also be logged into your account (unless you've really screwed up your computer