Gmail blog

[Ference Robert]

At the suggestion (admonition) of several members of this discussion group, I looked for, found, clicked on, and read the Gmail blog (couldn't find any App. Dashboard link on Gmail screen).

The blog more or less addresses my objections related to the lost email situation.

However, reading through the blog, substantiates my main objection:  there is no evidence of a give and take between product users and developers.

Example.  The two step verification.  Complexity does NOT ensure secure authentication.  Better, would be an intelligent use of encryption--on ALL Google stored data that belongs to us--contact lists, doc, spreadsheets, email (only email that is retained in Google storage), etc.

Setting aside the merits of two step authentication v. encryption, my point is Google did NOT solicit any user discussion on security.  Google just told us "here is THE  solution to your problem."  Take it or leave it.  Period.  The end. 

One additional point:  

Encryption is NEVER a considered solution by Google, because it thwarts their business model--Google wouldn't be able to mine our data and, subsequently, sell the results.

[Zack (Doc)]

I clicked, GMail Help, and the Blog was RIGHT THERE on the left hand side, and the App Dashboard was right inside the blog.

I would be slightly interested in how you would propose a better "give and take" model for the 100,000,000 users of GMail from a handful of developers.  The shear volume of feedback would be monumental.  I, however, fail to see this totalitarian system you seem to believe exists.  I'll use your example.

Two step verification.  I'll first say that it's not a requirement of account usage, so it's not forced on you, but presented as an option.  Given to you, but you don't have to take.

Secondly, the model Google is using here *IS* the currently accepted standard for secure authentication.  It's what's used by all the US' top security organizations, and I'd strongly suspect most of the world's governments.  "Something you know", and "Something you have".

Encryption of data, and authentication of users, are two completely different things.  Bringing them in the same discussion is like comparing apples and atomic bombs.  But aside from that, I have never seen proof, or even allegations that Google does not encrypt our data when stored.  And they DO encrypt the data when sent from their servers to my machine, I use HTTPS.  And as a Network and Security guy, I can tell you, your data is in far more danger between the server and your machine, than it ever is on their storage, or your screen.

I hesitate to respond to your paranoid trolling comment at the end, except to say, you have no clue about their business model, or how unsuccessful companies have proven to be when they DO have the exact model you refer to.  And further... If they were going to mine our data, encryption, BY THEM, would not be a deterrent.

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.
To post to this group, send email to gmail...@googlegroups.com.
To unsubscribe from this group, send email to gmail-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/gmail-users?hl=en.

[JohnW]

And just to back this up, see

[Sarah]

If you're accessing gmail as the full web interface, you can find the apps dashboard by clicking "Help" link at top of your gmail page, and on the help page there is a link on the left hand side - "service status" which is the "apps dashboard", and delivers info as to status of various services. Many people assume that it's not relevant to basic free gmail users, but it is (if you bother to read the spec); & it's one of the first places to check if you suspect your account is down due to a failure in google's service. While it's occasionally not bang up to the minute, it's pretty reliable, & most service issues, even if affecting a tiny proportion of users are listed.

On 9 Mar 2011 19:58, "JohnW" <john.w...@gmail.com> wrote:
> And just to back this up, see
>

> <https://lh4.googleusercontent.com/_8hUTpCnTO84/TXfS9wSRlGI/AAAAAAAAChM/RBUZgnWMygg/Help.png>

[Ference Robert]

There is no "GMail Help" on my Gmail screen & "the blog" was in tiny print (pt. 6) under my inbox display.

If you like, I'll send a screen image. 

On Mar 9, 2011, at 11:53 AM, Zack (Doc) wrote:

I clicked, GMail Help, and the Blog was RIGHT THERE on the left hand side, and the App Dashboard was right inside the blog.

I would be slightly interested in how you would propose a better "give and take" model for the 100,000,000 users of GMail from a handful of developers.  The shear volume of feedback would be monumental.  I, however, fail to see this totalitarian (my point is Google appears to be arrogant.  Their chief op guy refers to himself as Czar.  To solicit ideas & discussion, Google forms a sponsored COI with rules. It also establishes a trouble ticket resource or an "ask Google" moderated BB) system you seem to believe exists.  I'll use your example.

Two step verification.  I'll first say that it's not a requirement of account usage, so it's not forced on you, but presented as an option.  Given to you, but you don't have to take.  Apparently, its not now going to be offered as an option.

  

Secondly, the model Google is using here *IS* the currently accepted standard for secure authentication.  It's what's used by all the US' top security organizations, and I'd strongly suspect most of the world's governments.  "Something you know", and "Something you have".   NO argument,  except for your words "all" and "most."  and don't forget the "something you are" leg of the stool.

Encryption of data, and authentication of users, are two completely different things.  Bringing them in the same discussion is like comparing apples and atomic bombs.  But aside from that, I have never seen proof, or even allegations that Google does not encrypt our data when stored.  And they DO encrypt the data when sent from their servers to my machine, I use HTTPS.  And as a Network and Security guy, I can tell you, your data is in far more danger between the server and your machine, than it ever is on their storage, or your screen.

It is laudable that Google chooses to encrypt data in transport.  My data is completely in the clear when stored on Google servers.  Why the half-measure?  and I disagree w/your assertion that data in transit is more at risk than data stored on a 3rd party server.  We can debate this, but not here and now.  As to "how do I know."  I asked Eric Schmidt .

I hesitate to respond to your paranoid trolling (I take this remark by you as personal.  I am not trolling or paranoid.  I thought no ranting on this discussion group was the rule. Why are you exempt?) comment at the end, except to say, you have  no clue about their business model, or how unsuccessful com   panies have proven to be when they DO have the exact model you refer to.  (wow.  so much for constructive conversation) And further... If they were going to mine our data, encryption, BY THEM, would not be a deterrent.  What?   Are you saying that if Google controls the encryption mechanism, I control  the key that would not be a deterrent? I agree, but it would also compromise my password and any other security artifact Google offers to me.  You sort of make my point.

[Ference Robert]

I'm using IMAP via Safari 5.x running Mac OS 10.6.6 to "see"Gmail.

There is no "Help" link at the "top of your gmail page."

Unless you mean the ❋ symbol at top right of Gmail window.

[Michel Tribet]

Hi all,

Near your name, xxx...@gmail.com, on the top right corner of the gmail web site, there is the representation of the labs followed by "Settings : Help : Sign Out"

Between Settings and Sign Out, what do you read ? HELP !

It is on this link that you have to click !

Cheers, 

Michel

[Andy]

> Near your name, xxx...@gmail.com, on the top right corner of the gmail web
> site, there is the representation of the labs followed by "Settings : Help :
> Sign Out"

For many of us, including Ference Robert, that line has been condensed
into a drop-down menu with a starburst-like symbol in the upper right
corner. The link for "Help" is not visible until you open that
drop-down menu.

For those new to Gmail, it's not obvious to go there. There was a
discussion here a few weeks ago about this. I don't especially like
it either.

Andy

[Ference Robert]

My top right corner is different.

Here's a screen shot (hopefully)

[Jeff Grossman]

That is the new interface that many users are not a big fan of.  If you click on the gear symbol a drop down menu will appear.  There is a Help link in there.

Jeff

On Wed, Mar 9, 2011 at 7:14 PM, Ference Robert <robert....@acm.org> wrote:

My top right corner is different.

Here's a screen shot (hopefully)

--
You received this message because you are subscribed to the Google Groups "Gmail-Users" group.
To post to this group, send email to gmail...@googlegroups.com.
To unsubscribe from this group, send email to gmail-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/gmail-users?hl=en.

[Marko Vukovic]

On Wed, Mar 9, 2011 at 6:49 PM, Ference Robert <robert....@acm.org> wrote:

--8<--

Example.  The two step verification.  Complexity does NOT ensure secure authentication.  Better, would be an intelligent use of encryption--on ALL Google stored data that belongs to us--contact lists, doc, spreadsheets, email (only email that is retained in Google storage), etc.

Hi Robert

I don't see your point here. The two step verification is to ensure that only you can access your account even if your password is compromised. What does encrypted storage at Google have to do with this?

 

Setting aside the merits of two step authentication v. encryption, my point is Google did NOT solicit any user discussion on security.  Google just told us "here is THE  solution to your problem."  Take it or leave it.  Period.  The end. 

One would hope that they would have sufficient in-house security expertise to not need advice on that from users. 

 

One additional point:  

Encryption is NEVER a considered solution by Google, because it thwarts their business model--Google wouldn't be able to mine our data and, subsequently, sell the results.

I'm not following you. The connection between your browser and Google is encrypted if you are using SSL. If you use an IMAP client, the connection between that and Gmail servers is encrypted.

Google is not 'mining and selling' your data, you are simply pushed targeted ads. You are free to encrypt your email contents using a certificate, PGP or whatever, nobody is stopping you from doing that 

Regards
--
Marko

[Marko Vukovic]

On Thu, Mar 10, 2011 at 12:39 AM, Ference Robert <robert....@acm.org> wrote:

I'm using IMAP via Safari 5.x running Mac OS 10.6.6 to "see"Gmail.

How are you using IMAP via Safari? 

--
Marko

[Ference Robert]

Marko, my point is that strong authentication and strong encryption are complementary, not an either or proposition.

As you know, 2-step goes to ensuring you are who you say you are; encryption goes to ensuring the confidentiality and integrity of stored and transported data.

You say "You are free to encrypt your email contents using a certificate, PGP or whatever, nobody is stopping you from doing that."  I'm not sure I follow, unless you mean using something outside of Gmail, like a TextEditor, to compose an email, then encrypt it using any good available cryption program, and finally paste it into a Gmail compose window and proceed to send.  Awkward, but workable.  But to my broader pt.:  why not encrypt stored data?  I know with some factual certainty (not 100%) that Google at one time did data mine, with the intent to sell to marketing and advertising companies.  I can't factually alleged this a current, ongoing practice.  However, I'm sure you would agree that the Google disk farm is a priceless asset.  If I'm offending you or anybody in this forum, I apologize.  I am an encryption advocate.  I believe encryption should be more widely used by data custodians in all industries, not just Google.  However, the question remains.  Why not encrypt stored data?  Marko, thanks for your comments.

[Marko Vukovic]

I would be slightly interested in how you would propose a better "give and take" model for the 100,000,000 users of GMail from a handful of developers.  The shear volume of feedback would be monumental.  I, however, fail to see this totalitarian (my point is Google appears to be arrogant.  Their chief op guy refers to himself as Czar.  To solicit ideas & discussion, Google forms a sponsored COI with rules. It also establishes a trouble ticket resource or an "ask Google" moderated BB) system you seem to believe exists.  I'll use your example.

Robert

Please don't put your replies within others. It makes for very difficult reading and replying.

Who calls himself Czar? Sources please.

 

Two step verification.  I'll first say that it's not a requirement of account usage, so it's not forced on you, but presented as an option.  Given to you, but you don't have to take.  Apparently, its not now going to be offered as an option.

Source?

 

Encryption of data, and authentication of users, are two completely different things.  Bringing them in the same discussion is like comparing apples and atomic bombs.  But aside from that, I have never seen proof, or even allegations that Google does not encrypt our data when stored.  And they DO encrypt the data when sent from their servers to my machine, I use HTTPS.  And as a Network and Security guy, I can tell you, your data is in far more danger between the server and your machine, than it ever is on their storage, or your screen.

It is laudable that Google chooses to encrypt data in transport.  My data is completely in the clear when stored on Google servers.  Why the half-measure?  and I disagree w/your assertion that data in transit is more at risk than data stored on a 3rd party server.  We can debate this, but not here and now.  As to "how do I know."  I asked Eric Schmidt .

Ok, so let me get this straight. In a previous email you say that some of us seem to have inside information but now you are saying we must believe everything you say because 'you asked Eric Schmidt'. Really now...

Cheers

--
Marko

[Ference Robert]

No.

Misspoke.

Usually, IMAP via Apple Mail for Gmail

Occasionally, Gmail via Safari browser.

Sorry for any confusion.

[Zack (Doc)]

I know with some factual certainty (not 100%) that Google at one time did data mine, with the intent to sell to marketing and advertising companies.

Source?  This seems like an incredibly odd option since in one sense Google IS an advertising company (adsense).  Why would they send this type of incredibly useful information to another company.

[Ference Robert]

Here are my sources.

Czar.  

http://gmailblog.blogspot.com/2011/02/gmail-back-soon-for-everyone.html

2-step.

I can't find the exact citation now, but 

it was in or around: http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

Schmidt.

Believe or not.

I had occasion to meet w/Schmidt professionally.

I took the opp. to ask him questions.

It was part of my job.

[Marko Vukovic]

You say "You are free to encrypt your email contents using a certificate, PGP or whatever, nobody is stopping you from doing that."  I'm not sure I follow, unless you mean using something outside of Gmail, like a TextEditor, to compose an email, then encrypt it using any good available cryption program, and finally paste it into a Gmail compose window and proceed to send.  Awkward, but workable.  

There was a PGP plugin for Firefox but I see now that's been discontinued. There is also an S/MIME plugin.

Apple Mail and most other modern mail clients support S/MIME out the box. There is the GPGMail plugin for PGP encryption.

Regards

--
Marko

[Robert Ference]

I would venture the guess: economics.  For all I know, they may have discontinued the practice, or found it more profitable to retain in-house, or some combo of sell & retain.  Today, I can no longer speak with factual certainty.

Source.

I worked for an international audit/accounting firm some years back.  We were engaged by Google for a information security assessment.  I was part of the project team.  Among other things, I interviewed Google personnel, including some of the c-level execs.  Thats about all I'm prepared to disclose in this public forum.