back to article Do Google's search warrant police run IE6?

According to popular perception, Google is the anti-Microsoft: a new-age outfit bent on re-architecting a flawed interwebs using nothing but open source software. The company runs its own flavor of Linux. It funded the rise of Firefox. And it eventually fashioned its own open source browser, Google Chrome. But the reality is …


This topic is closed for new posts.
  1. Mike S

    Agents on the Inside

    I think the thing that makes the most sense in analysing these attacks is that there were malicious employees on the inside who facilitated these attacks.

    Obviously, the attackers had to know something about Google's internal systems, they had to have access to a number of different systems, they had to know not just what to look for but where to look.

    This would give Google a reason to (at least say) they were leaving China - it gives them an opportunity to get rid of employees who might have been involved.

    The particular vector for the attack is less interesting - it was an obscure one, and certainly others like it exist if you know where to look.

    1. BillG

      Inside Job

      "The attacks cracked a 'system' used to "help Google comply with search warrants by providing data on Google users."

      I completely agree - this MUST be an inside job. Only someone on the inside would be able to crack an internal system like this one.

  2. Pablo


    So Google has a system specifically designed for looting user data, and then they use it conjunction with the least secure browser available?

  3. MadonnaC


    Could I have access to the API - I just want to see what they hold on me, honest!

    [we need a face-plam icon]

  4. Turnip Boy
    Black Helicopters


    this is drivel it's a "who what where when huh... is that a goat in drag"

    Big deal google are using IE

    this article in a poorly constructed sentence "Oh gasp google are using IE6 in non QA departments" big deal at least it's not safari

    1. Bilgepipe


      If you think IE6 is a better bet than Safari, I'm glad you don't handle my IT security. I'd rather someone who was at least slightly competent.

      1. Turnip Boy

        ooh.. baiting

        A semi molten lump f swiss cheese is better than safari not fond of much made by the big banana

        No browser is better than any other the only difference between IE6 issues and bloatfox, harvester in training (chrome) and a trip to africa, is that IE6's issues have been laid bare more times due to years of neglect.

        1. Destroy All Monsters Silver badge
          Thumb Down

          "Baiting", eh

          No browser is better than any other?

          Go back to /b/

    2. Anonymous Coward
      Anonymous Coward


      If I had to chose between IE and Safari, I know which one I'd choose.

      (Hint. It's not shit and isn't made by Microsoft)

  5. Anonymous Coward
    Jobs Halo

    I have IE6 also

    I have ie6 on my desktop also. Once customer requires it.

    As to ad hoc QA testing, if you are an engineer who isnt curious if his code will work for his customers you arent very good.

    1. John Lilburne

      Having IE6 on your machine isn't the issue

      One can test things out in a browser without being connected up t' interweb. And even if you do need to connect live you don't need to be visiting malware laden pr0n, warez sites.

      1. Stoneshop Silver badge

        If those sites don't resolve

        then even IE6 is comparatively safe.

        A competent IT department should know how to see to that.

        I would expect Google to have a moderately competent IT dept.

        1. Anonymous Coward
          Anonymous Coward

          proxycfg -p "<local>" ...

          ...will be a good start at containing IE* - adding virtual machines wrapped around Windows will handle it even better. My guess is someone intelligent but less than competent, e.g. a mangler, would be able to bypass all that and use IE6 on the intartubes, with predictable consequences. Intelligent users can be a royal pain...

  6. Benny
    Thumb Down


    "Are we supposed to believe that QA isn't handled by a small, dedicated staff?"

    Errr, so you're saying that developers don't test their own code on multiple browsers before handing it off to QA? I know I've spent the best part of this week debugging some code so it works across the board, BEFORE I even contemplate giving it to the QA guys.

    On another note, you guys keep going on about this story, but it never seems to evolve, just the same thing over and over again...

    1. Stoneshop Silver badge

      Outside access

      "Are we supposed to believe that QA isn't handled by a small, dedicated staff?"

      Err, are we supposed to believe that the PCs of whoever at Google is using IE6 for whatever purpose, are easily accessed from the outside Internet, including China? Did they buy their firewalls from Colander, inc., and their IDS software from BlindEye Ltd.?

  7. Anonymous Coward


    Far be it from google to violate American law.

    Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001 (Enrolled as Agreed to or Passed by Both House and Senate)[H.R.3162.ENR]

  8. ElReg!comments!Pierre

    I might have missed sumfin

    But as far as the newsreports go, the attack was targeting Google "customers" using IE6, with Google being merely used as a vector fo end-user targeted exploits. The article you link to does reinforce this understanding. Sure, Google staff do use IE6 for QA purposes but did the attack actually compromise Google internal systems via this IE exploit? or was it (as journo-tech reports would suggest) an end-user exploit with Google services being mere vectors?

    For example, and among others, the Reg article covering this (and linked from here) stated: "The attack that hit Google in mid-December originated in China and was aimed at accessing the Gmail accounts of human rights activists"

    So which is it? If the attack only affected end users with Google as a medium -as stated in the reference-, this article is a waste of 3 perfectly good www pages. If not, we need more info!

    1. Adam White

      RE: I might have missed sumfin

      I think that means it was accessing data related to these customers, stored on Google's systems.

      1. Rod MacLean

        RE: I might have missed sumfin

        "I think that means it was accessing data related to these customers, stored on Google's systems."

        Like their email messages, for example?

      2. ElReg!comments!Pierre

        RE:RE: I might have missed sumfin

        "I think that means it was accessing data related to these customers, stored on Google's systems."

        Yeah, that's what _this_ article seems to imply. However, from what I had gathered previously, I thought that the attackers, using the spook-system as an entry point, injected code in selected accounts that would root the end-user machines using an IE6 hole (on end-user machines). That was actually much, much scarier. And that would explain why they stop supporting IE6 for their online apps. However I failed to find any definitive statement about what really happened (technically). Which also smelled like some Oompa-Loompas trying to hide the fact that the spook-system was used to penetrate Google servers and plant malicious code on selected accounts.

        Never mind that was probably me being paranoid again.

        I still would like a definitive answer though.

  9. James Hughes 1

    Jesus Christ - will you journos EVER think before you write?

    You seem to think that Google only use IE6 for testing. Why do you think that?

    It seem more likely (Look up Occams Razor) that they have thousands of office systems spread all over the Googleplex, that run a variety of browsers, some of which are IE6.0, just for, guess what, browsing the net. Not testing, but actually using the browser for what it was built for.

    Now, one could argue that Google, as the creators of its own browser, should have, by this time, got all its systems using it, but as with any large company there is an installed base to move over, and this takes time.

    One could also argue that Google should have been more careful with a known security hole ridden browser, but hey, the NHS use it, the DoD use it, so they are not alone there.

    They have stated they are upgrading, so at least they are doing something about it.

    But to try and dig out even more conspiracy theories from this is, shall we say, rather pathetic, and rather typical of recent Register articles about Google.

    1. Anonymous Coward
      Anonymous Coward

      Google != NHS

      Google, NHS, DoD, Orange UK - one of these is not like the others.

      Google is a "tech company". The saviour of t'internet (tm). The future. Etc. Etc.

      How are we supposed to believe Google is even remotely competent at its job if they are reliant on seriously flawed, outdated tech? It's like Orange using manual switchboards staffed entirely by women. Or the DoD sending troops out to Afghanistan with muskets. Or the NHS using leeches.

      1. ElReg!comments!Pierre


        Google is a huge globo-corp (and by "huge" I mean "freaking bloody _HUGE_, mon"), so it's fair to assume that they might have absorbed smaller outfits with IE6-only policies. Hence there might be some of the beast's tentagoogles that have not fully migrated out of their misled IE6 ways...

      2. John Watts

        Perhaps Google has little choice?

        How about thus - Google have to give access to some data to some US authorities.

        The authorities are able to directly connect to whatever server provides this data using http. The authorities insist on using IE6. Google use IE6 to access the server as the web-application has been coded specifically for IE6 as that's what the authorities insisted on at the time.

        You'd imagine that Google would be able write code that operates on more than one browser so the conclusion then is that Google are running software that they can't control / didn't write - presumably provided by the previously mentioned authorities.

  10. Anonymous Coward
    Anonymous Coward


    The info about the hacking of the human rights activist was obviously just there to generate more hot air around the issue (which they indeed did succeeded at) and to distract from the fact that also Google's very own internal systems were hacked. These attacks however were obviously completely separate (even if they were originated from the same group of hackers/chinese agents) and I bet hacking the mailboxes of hras happens at practically a daily basis anyway - still they aren't reported by Google usually. Guess why not?

    Also very interesting that it was an IE6 hole the hackers used to phish and penetrate Google's system, where obviously they could have used (and I'm pretty sure in a ot of previous attacks they did actually use) Chrome, Firefox, etc. vulnerabilities too, as the latter obviously contain just as many holes as IE (at least according to public databases, like Secunia's). I'm pretty sure in the past there were other attacks based on other softwares as well, but to make those public of course wouldn't be that suitable to bash MS/IE, as it was with this one.

  11. TeeCee Gold badge

    Hardly surprising.

    "China.....still clings heavily to IE6"

    Well, you don't get the Win updates if you're running a bent copy.

    1. ElReg!comments!Pierre

      re: Hardly surprising.

      "Well, you don't get the Win updates if you're running a bent copy."

      Joke appart, yes you do. Unless you also installed MS' wicked piracy detector (WGA). But in that case you might not get the updates for a legit copy, either...

  12. Chris Beach

    Still on IE6!

    Bank I work for is still on IE6, lazy web devs on a 'important' web app, means we didn't change when we went to XP (sp2), and there isn't the technical know-how at the higher levels to understand that you could keep ie6 for those using that app, and give ff or chrome or ie8 to the rest of us.

    1. xyz Silver badge
      IT Angle


      1) To install IE8 on XP you need to roll out XP SP3 otherwise IE8 keeps trying to get an update from MS which in a managed environment is *bad.*

      2) Using one browser cuts down development costs in an intranet environment...(no sh*t Sherlock) and if that browser is by the OS vendor and integrates fully, then that is what will be used as management is simpler.

      3) If you want the "full" internet experience during working hours on a browser that shows others you are technically savvy and cool, set up your own company and see how long that view lasts. It's been said before, you are at work to work, not to pratt on about your best "browser" find.

  13. MinionZero


    If Google is the anti-Microsoft then Microsoft must be the anti-Google.

    But what does that make Apple?

    Is Apple the anti-Google, in which case that makes them the anti-anti-Microsoft?

    So does anti-anti-Microsoft cancel out into just a Microsoft or is that anti^2-Microsoft?

    In which case, what does that make Sun?

    So are Sun the anti-Apple or the anti-Google?

    But that would make them either the anti-anti-Google and the anti-anti-anti-Microsoft or the anti-anti-Apple and the anti-anti-Microsoft!

    But wouldn't that make Sun the anti-anti-Google, canceling into a Google and an anti-Microsoft, or is that two anti-anti's canceling into an Apple and a Microsoft.

    So how does Oracle fit into all this?!

    As a Sun is now a half PR spin Oracle, then that means an Oracle is a half PR spin Google and a half PR spin anti-Microsoft!

    But as an Apple is an anti-anti-Microsoft then that makes them a half PR spin anti-Oracle as well as a half PR spin anti-anti-anti-Microsoft!!

    At which point the paradoxical underlying Microsoft anti-anti- status of the Apple triggers a rupture in the space time continuum, made even worse by the fueling effect of the implosion collapse of the half PR spin Sun/Oracle duality, resulting in a shower of anti-Google's that destroys our planet?!

    My head hurts. It must be a Friday. :)

    p.s. I'm now struggling to think how Intel, NVidia and AMD/ATI fit into all this?!

  14. Pheet
    Dead Vulture


    A company the size of google must hundreds of beancounters, lawyers, personel dept., etc. type of people who unless prevented will quite happily browse the interwebs with IE6.

    That Google uses linux on it's servers and has released an open source browser is completely irrelevant.

    1. heyrick Silver badge

      It is extremely relevant...

      "That Google uses linux on it's servers and has released an open source browser is completely irrelevant."

      Google, as a company, went to the time and effort to create a browser. Ever tried that? A basic HTML 2 browser is perhaps a weekend project. Today's expectations are somewhat higher.

      Google is a tech company. And as a tech company, you would expect them to have some sort of clue about basic security. Like, uh, NOT using IE6 (or, pref., any version of IE). Like NOT using Outlook. Like NOT running Adobe Reader with the JavaScript enabled...

      It isn't as if those are your ONLY choices, and any system manager with half a brain ought to be able to rig it so people that click on the IE icon get <insert favourite browser> instead. Hell, I did that for my mother and she doesn't use her computer for much other than the weather forecast...

      Major FAIL for Google's IT guys for letting IE6 talk to the world. If it is that necessary, sandbox it, or run it behind a firewall that lets it talk to anywhere inside the building and to specified sites outside (for testing stuff).

      But there is more. A hack applied to IE6 was able to access customer information? What, was this information sitting on those computers, or otherwise easily available? I can only assume it was, given it was a Windows machine broken into, and not the (non-Windows) server most likely to actually hold the personal information. No log-in/access control for this information? We're dangerously close to an Epic Fail here...

  15. Henry Wertz 1 Gold badge

    Other browsers.

    "Google also says: "We have been upgrading employees to the latest version of Internet Explorer for some time, wherever possible. As you'd expect, a large number of employees use other browsers and browser versions."

    Parsing this bit of Googlespeak isn't easy. "Other browsers"? Does that mean other than IE8? Or other than IE6? Does that "large number of employees" extend beyond QA engineers?"


    Parsing this is really easy, don't be dense. "Other browsers" means other browsers, IE is not even a good browser. This is Google we're talking about, they have their own Linux distro for internal use, so "a large number of employees" aren't even running Windows, so yes of COURSE it means other than IE8 or IE6. They aren't going to tell a software engineer "Here's your box with XP, Office, and IE6. That's locked down, you can't add more software". Given the geekiness level likely at Google, "other browsers" probably means almost all of them -- Opera, Firefox, mozilla, konqueror, lynx, and many other strange browsers. Maybe someone even has Mosaic stashed away. And obvoiusly this extends beyond QA. If I were a Google spokesman I would not call back about this question either.

    Secondly it's good Google's ditching IE6. What an awful browser. Seriously, it was not that good (compared to the competition) even when it was brand new. It's so far out of standards compliance (even compared to IE7) that people virtually have to make a seperate page just for IE6.

    1. ElReg!comments!Pierre

      What he said

      Section intentionally left blank.

  16. John Smith 19 Gold badge
    Thumb Down

    Let's ask an obvious question

    You are a *very* large internet services company.

    Your core apps are built on Linux

    You have some test machines running Windows/IE6 for QA purposes.

    Why do you connect *them* to the internet? Not a mini nets, not a simulator, the real thing.

    BTW Remember that "Patriotism is the last bastion of scoundrels." I'd check the small print on that act *very* carefully. I believe the average merkin will be quite surprised at what they have signed away.

  17. Herby

    Why doesn't Google publish a "proof of concept" code...

    That just destroys IE6. I mean just wipes as much of it off the face of the earth. Then when people search for a solution, it says "upgrade".

    Of course if would be a proof of concept and wouldn't be released to the wild. No, never!! And Google would never do it (they wouldn't need to!).

    As for Google being "the anti Microsoft", making Microsoft "the anti Google", what does that make Apple? It is answered in the old phrase:

    "The enemy of my enemy is my friend" (historical reference: WW2!).

This topic is closed for new posts.

Other stories you might like