Google gears Gmail for PC hack attack

Over the past year, dozens of web-based services have adopted new features that allow them to be used even when an internet connection isn't available. The technologies making this possible may offer plenty of convenience, but they also make end users susceptible to powerful new attacks, a security researcher warns. So-called …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Flame

    Why?

    Why do we need gmail to allow reading and editing of email when we're not on-line?

    It can already be used via POP/SMTP which happily allow you to read or edit mail when you're not on-line...

  2. Colin Millar
    Stop

    Cool applications?

    Har-de-har - what a winker.

    What's the difference between (a) a client side application which you allow to interface as appropriate with the intertubes and (b) a cloudy piece of cool crap that you allow to access your PC?

    Answer - under (a) you have some degree of control over what is happening - under (b) you entrust people with a track record of trading security for cool with your info.

    No matter how the web 'community' tries to spin it - nothing, absolutely nothing remotely connected with a computer can ever be cool - kewl /= cool

    I can't wait for the day when the 'kewl' crowd fuck off and leave technology to those who can be arsed to do it properly.

  3. Rasczak
    Joke

    @AC 09:33 18th Feb

    What are you saying? Don't you realise that the entire internet is that blue E on the desktop, there is no other way to do it.

  4. Mike

    yup..........

    I thought just the same thing. The only thing I can think of is that you can use the GMail web interface while offline.

  5. David Hicks
    Linux

    This and the facebook thing

    Have just reinforced my traditionalist leanings.

    Why trust your private communications, photographs etc to a bunch of advertising companies? Why would I use flickr to host my pictures when I can do it myself? Why allow google mail and allow big G to profile it for advertising and potentially expose/lose everything? Why store your entire personal life on a "social networking" site that offers little more than early 90s style email and a homepage, when they can turn around and give themselves the right to do what they want with it?

    Yes, I'm the kind of geek that has a mail/web server under his bed, and I realise that's not for everyone, but this blind trust of your data to third parties, the increasing security risks around it and the increasing volume/value of stuff people put up...

    Yes, I know, this makes me a curmudgeonly old sod that's too concerned about contracts, EULAs, small print and security to be cool enough to join in with all this, but that's ok.

  6. Caoilte

    I like gmail offline

    So will noscript protect me from XSS attacks?

  7. adnim

    @David Hicks

    You are not alone. The Internet is a place where one gets information, information of varying accuracy and quality. It is not a place to which one should post personal, private or sensitive information regardless of how the "changeable without notice" T&C's may seem to protect your data.

    As far as I am concerned, the moment my data, any of my data, is in the hands of a 3rd party I do trust them, I trust them to do whatever they want with it in order to spin a dollar. But I am not exactly new to the Internet, I have been online for over 12 years. In those 12 years I have never provided accurate and truthful information (name, address, postcode, sex, age etc.) to any website that demanded such info in order to access its content. I don't do social networking sites because people in general are vacuous, self-important, look at me types with all the depth of a puddle. Finding pearls, and I accept they do exist, amongst such dross is tedium in itself.

    Younger generations especially those who have grown up with the Internet seem to trust it and the corporations behind it blindly.

    Cloud computing and applications as a service are going to be a security nightmare. Not only am I concerned about unauthorised persons accessing my data via breaches, I am also concerned that my data will be mined for profiling and marketing purposes and sold on by those who hold it. Then there is the possibility of rogue admins/contractors stealing the data for profit. I myself have had administrative access to servers belonging to some big name companies, this includes access to trade secrets, financial records and customer details. Not once did I undergo a background check. If I was a dishonest man I could be very rich, or doing time.

    Most T&C's expressly permit the site owner to share any information one posts with "partners" of the site owner. Now who determines who those partners should be? The site owner does, and there appear to be no regulations in place to determine who these partners are or should be. A partner could be anyone from the EFF to Phorm.

    Do I fully trust anyone outside my immediate circle of friends? No.

    Do I trust individual people? Sometimes.

    Do I trust businesses and multinationals? Never, or at least I only trust them to do what is in their own best interests.

    Is this paranoia or common sense?

    To paraphrase a popular saying: A fool and his data are easily parted

  8. W

    @ David Hicks

    "Why [...etc]?"

    I know what you're saying, but consider this:

    Most people buy bread from a supermarket that has bought it from a baker, who bought flour from a wholesaler, who made flour from the grain they bought from a farmer?

    Ok, so *some* people buy bread direct from a local baker, or might even bake their own bread, but do they grow their own wheat? You pays yer provider and you takes your choice.

    But the crux of the matter is price & convenience. And it's increasingly difficult for most people to justify even the modest costs and effort involved in self-hosting and coding when there are a bunch of folk queueing up to offer their fairly sophisticated wares for the price of a few Google ads.

    I'm surprised no-one has come up with a fully ad-supported supermarket yet.

    Imagine you're in an Iceland supermarket (who already sell tat at rock-bottom prices). And they'll give you a pile of free "food" if you're prepared to run a gauntlet of credit card hawkers (like at the airport), chuggers (high street charity muggers), Sky TV salesmen (as per any shopping centre of your choice), animated screen adverts that you're forced to watch for 5 mins (newer busses) and for copious quantities of junk mail to be hidden in amongst their products (a la any magazine or newspaper), and fill in a form full of your personal details etc etc etc. Sadly, loadsa folk would accept the free food in exchange for the advertising harassment.

    ...Although thinking about it, these days, that scenario is eerily reminiscent of what it's like to be in any UK town centre on a Saturday. So where's my free "food"?! :-)

  9. Rob
    IT Angle

    Lost

    Why have we suddenly started re-inventing things in the IT world?

    Cloud Computing - Mainframe computing

    Web 2.0 - The internet (looks pretty much the same as the Web 1.0 and offers nothing new that couldn't already be done)

    Offline web apps - cheap/free software you install on your PC

    I re-invent things too, done a car and a washing machine so far, took me a number of minutes to realise these devices were already in existence and usually because I'd drunk/smoked/injected/snorted too much [delete as appropriate, depending on which tech company you work for]

    (I know what the IT angle is, so call this the confused IT industry icon for this post)

  10. Alfazed
    Happy

    What is the web coming to ?

    Talk about nicking your stuff.

    A musician friend with a MAC connected t't Tinternet, recently imported into iTunes a couple of music tracks that he'd written/composed on a synth and multi track recording device.

    In this case the interwebs music database was queried by his iTunes application. Then iTunes renamed the related ownership fields for each of his tracks with the details of a complete stranger!

    Who needs Gmail or any of these deathtr apps ?

    ALF

  11. Michael Sutton

    Practical Example of csSQLi Using (Google) Gears Via XSS

    For those interested, a blog posting detailing the attack outlined in the article is available at:

    http://research.zscaler.com/2009/02/practical-example-of-cssqli-using.html

    --

    Michael Sutton

    VP, Security Research

    Zscaler

  12. Roger Heathcote
    Stop

    So let me get this straight...

    We get computers with floppy disks

    People write malware and all hell breaks loose

    It takes us 10 years to secure our systems to a tolerable degree

    We get computers with internet connections

    People write malware and all hell breaks loose

    It takes us 10 years to secure our systems to a tolerable degree

    Someone decides all software should run in your browser with data kept in your browser

    ...?

    ...?

    Javascript schmavascript, bollocks to Web2.0 and life in the cloud! Big business may like it but any self respecting nerd would rather have a computer than a corporate terminal. How are you supposed to use Compiz cube, play Warcraft or watch 1080p HiDef pr0n in a chrome tab eh?

    It seems we are now expected to just entrust a lifetime of personal data to companies who still have 3 hour outages, are funded by context related advertising, go bust at the drop of a hat, routinely give terabytes of data to any authorities who ask for it and to access it all via a well filtered, well profiled pipe that can be shut off whenever there's civil unrest, the wrong type of snow, they fuck up your billing or a company on the other side of the world claims you have done 3 naughty things... fuck off.

    I'm off to my bunker with NOSCRIPT, TRUECRYPT, IMAP, SSL and a big fat spindle of DVDR.
