Posted on 12/21/2004 7:05:23 AM PST by Max Combined
Company says security glitch in search tool is fixed
A security flaw that could have caused big trouble for Google and its new Desktop Search tool has been fixed, thanks to a Rice University professor and two of his graduate students.
Left unchanged, the glitch could have made accessible via the Internet private data stored on personal computers.
Dan Wallach, an assistant computer science professor at Rice University, and students Seth Nielson and Seth Fogarty, were doing a project for a computer security class designed to see if Google's Desktop Search tool was safe for users.
They discovered that an attack Web site could be set up to trick the Google program, which integrates desktop and Internet searches, into believing it was communicating with the Google software. Instead, it would retrieve private data from personal computers.
"Had somebody been able to exploit this attack, they would not be able to read complete files on your machine," said Wallach, "but they could make searches against your machine."
In other words, the searches could have exposed small but important snippets of text from the files. "So, if you, for example, had a file of credit card numbers or Web passwords, I might be able to read that," Wallach said.
Nathan Tyler, a Google spokesman, said: "We were very thankful to Mr. Wallach and his team for working on it."
Google made the security problem public over the weekend. When Google unveiled a test version of Desktop Search in October, it said it was built to respect user privacy. The tool, which can be downloaded for free on the Google Web site, allows users to search documents, Web history, e-mails and even archived instant messaging chats on a PC's hard drive.
The glitch was found in a feature of the software where search results can be blended so they scour PCs and the Internet simultaneously.
Prior to the fix, for a user of the software to be exposed to attack, they would have to visit a Web site that was specifically targeting someone using the Google Desktop feature, Wallach said.
Google said there was no evidence any attacks have occurred.
Google earlier this month replaced the vulnerable version with one that Wallach said he and his students retested and confirmed safe.
Google said in a statement that the problem has been fixed "so that all current and future users are secure." Anyone who downloaded the software after Dec. 10 doesn't need to be updated, Wallach said.
Wallach said Google's Desktop Search is the only local search engine that was vulnerable to this type of attack. Last week, Microsoft launched its test version of a desktop search engine as part of its MSN Toolbar Suite. Microsoft's version does not attempt to seamlessly integrate PC searches with those of the Internet.
Wallach is no stranger to taking on computer security for the sake of privacy concerns.
When Wallach was a graduate student at Princeton University, he said he was part of a team that found serious flaws in the security of small Java computer programs known as applets, where an attacker could use the Web browser to access the contents of a user's PC.
Earlier this year, Wallach co-authored a study that made national headlines on significant flaws he said were in high-tech voting machines, enabling one person to vote multiple times.
Google is great. But as with any computer program or system, there will be holes that some enterprising, crafty person with too many smarts for their own good will find some way to exploit. It's the technology age version of the old adage that every rule can be broken.
Might want to check out Copernic desktop search. It seems to have more features.
http://www.copernic.com/
Not true -- 100% secure software is possible, just much more difficult to develop -- code written the right way can be mathematically proven to be secure.
Though if it is running on top of an operating system or a BIOS that has a flaw, there will still be a security problem; the most you can do is guarantee that a piece of software doesn't create any new security holes. To get a totally secure software system you need to build the operating system and the BIOS from scratch. For extremely critical applications, this has been done. (Even then the system is vulnerable to hardware sabotage, so you need to combine this with strong physical security measures.)
Where there is a will, there is a way to subvert it.
You may consider looking at www.blinkx.com for a great (blinkx) desktop searcher that is free. From my experience 2nd only to dtSearch (approx. $179).
I had looked at blinkx and downloaded it, but haven't installed it yet. I liked the TV part, but wonder whether it is part of the desktop or only the webpage.
Its peer2peer sounds interesting now that Torrents are disappearing. I'll have to check it out.
For ordinary software, there is a vulnerability to a hacker with more imagination than the programmers; for software verified with proof-theoretical techniques, only an explicit and clearly detectable error can lead to a security hole; so the process of testing and verification is much simpler and more reliable (though the development of the software is much more difficult).