[unisog] Google Desktop (cNET inquiry)

Russell Fulton r.fulton at auckland.ac.nz
Tue Feb 14 00:35:01 GMT 2006



Gary Flynn wrote:

> 
> I'll play devil's advocate 

and I have a few no, buts...  :)

for a minute and say that this
> doesn't seem to be too different than GoToMyPC.
> Does anyone monitor or block them?

No, but GoToMyPC is no where nearly as widely deployed as GD.
> 
> Do you ban P2P on faculty/staff desktops? Monitor for
> proper configuration so they're not sharing sensitive
> information?

No, but we do monitor p2p network traffic and pick up anyone who is
using it.  We then check if the use is legit or not...
> 
> What about third party email servers? Is everyone forced
> to use your organization's email server rather than possibly
> send, store, or forward confidential information through
> HotMail?
> 
> IM?

No, but these require conscious intent to export material.  The thing
that worries me about GD is that it sits invisibly in the back ground
and as soon as that draft exam paper hits an academic's HD it it being
copied off site.
> 
> Do you allow people to expose Windows Remote Desktop
> to the Internet?

Yes, but again it is a conscious decision that requires the involvement
of Faculty support staff to achieve.  There are only a few desktops
running RDP.
> 
> Would I run it? Not on your life. But I wouldn't run a
> lot of other commonly installed programs either. :)
>

Me neither :) and no I'm not panicking either.

What we have done so far is warn users of he dangers of 'search across
computers' while we take stock and work out what the best approach is in
 the long term.  We are looking at the possibility of using GPO to make
sure the option is turned off (not sure if we can do this or not) and
I'll be deploying Michael's Snort rules to detect network activity the
same as we do with P2P applications.

I think the things that concerns me most are that I suspect that most of
our users would be more easily tricked into revealing their Google
credential than their university access credentials and the fact that
although we make considerable efforts to make sure our users use strong
credentials on their university accounts but we have no control over
what they use with google. Thus the data is considerably more vulnerable
when on Google than it is on one of our servers or a laptop HD.

I believe that this is the nub of the matter.  The legal issues raised
by the EFF are minor compared with the lack of control over access and
the strength of credentials used on sites such as GD.

Russell


More information about the unisog mailing list