Educause Security Discussion mailing list archives

Re: Google Docs abuse


From: Dan Han <s2dhan () VCU EDU>
Date: Sat, 21 Jul 2012 02:49:05 -0400

I agree that Google should notify Google Apps administrators and perhaps
even delegate certain management rights, such as disabling a form hosted
within the institution, to the local Google Apps admin, but do we know
whether Google actually notifies Apps administrators of affected
institutions, or whether the local Google Apps admins have these
management capabilities? We are fairly new to Google Apps here. Any Google
Apps veterans care to chime in? Thanks.

-Dan

Dan Han
Information Security Officer
Virginia Commonwealth University

On Sat, Jul 21, 2012 at 1:10 AM, Jeffrey Schiller <jis () mit edu> wrote:

On Fri, Jul 20, 2012 at 5:03 PM, Bob Bayn <bob.bayn () usu edu> wrote:

 ...

It also seems like Google should have the tools and capacity to intervene
automatically when someone makes a form that looks like a password
collector.  Or they could send us the entries for our domain when they
decide to respond to an abuse complaint.


Having Google automatically intervene when something "looks" like a
password collector would be a horrible precedent. They should investigate
forms when an abuse complaint is made. If the complaint is for an "apps"
domain they should notify the administrator, who should respond in some
reasonable period of time.

If Google has multiple complaints about a particular Apps domain, and that
domain's administrator(s) fail to respond, then they should take action.
That action should be spelled out in the contract for the Apps domain.

We should not expect someone (or worse, someTHING) at Google to act as
prosecutor, judge, jury and executioner. Just as we don't give the police
that power in the non-cyber world.

Yes, this means that some phishing sites will be up for longer than we
might like, but that ultimately is the cost of due process.

Because this is a security list, we should remember that one of the
important security goals is "availability". Google should not make your
services unavailable without careful consideration.

-Jeff

--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room E17-110A
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis () mit edu
http://jis.qyv.name
_______________________________________________________________________



