[Full-disclosure] blocking Google Desktop
nick at virus-l.demon.co.uk
Sat Feb 11 22:55:57 GMT 2006
> As a computer user, I certainly do have this choice. I'm certainly not
> going to install Google Desktop. In fact, I generally don't run Windows,
> so I don't even have the OPTION of running Google Desktop.
> This new "feature" still worries me though, and I want to find out how to
> block it. Why? Because of my JOB. I'm in a small group of people in
> charge of security for a company with hundreds of employees that are local
> admins to their desktops and laptops (for various reasons that I'm not
> going into here).
Well, in reality, you have to address that nonsense before you can hope
to usefully secure anything in your organization, but I assume _you_
understand that and the problem is some less clueful non-IT/non-
security folk elsewhere who insist that "we must use this crappy
> I'm not worried about MY documents ending on Google's servers. I'm
> worried about the documents belonging to a percentage of the company that
> either doesn't understand the security ramifications of using this
> feature, or just doesn't care.
I'll tell you how to _make them care_ AND _educate_ them at the same
Go to HR, explain that the new security policy about not running Google
Desktop is make-or-break and explain why. To achieve this you may need
higher-level management buy-in, so hopefully you can threaten exposure
under HIPAA, Sarbanes-Oxley or some such _IF_ the policy is ever
breached. Make it a matter of "if our IDS sees traffic from your
machine to desktop.google.com (or whatever) it's an automatic HR
warning", and then let your standard (two, three, whatever strikes and
you're out) HR policy deal with enforcement.
> User education only works to a degree. A way to PREVENT accidental
> information disclosure is needed.
Despite claims to the contrary -- usually from places where the very
notion of banning something like Google Desktop cannot even be
contemplated -- user education does not work well _for this kind of
issue_. The way to make it work is to make the cost of not following
the policy very high and personally significant for the policy
breachers. Fire a few staff because they installed Google Desktop AND
make it widely known throughout the company that this is not only the
policy, but this is a policy that will be ruthlessly enforced.
If that doesn't work, you have a much bigger problem...
Full-Disclosure is hosted and sponsored by Secunia.