# Be careful with Google's desktop search tool for now !



## mimo2005 (Oct 2, 2004)

Gartner: *Google desktop search not enterprise-ready*

December 14, 2004, 1:40 PM PST
By Dan Ilett and Andrew Donoghue 



Research company Gartner has issued a statement warning businesses to steer clear of Google's desktop search tool until a more robust, enterprise-ready version is released. 

While the tool is potentially extremely attractive to employees, Gartner states in a recent research note, IT managers should discourage users from adopting it and instead opt for a more business-ready, secure search engine. 

"We have no problem with it being used for personal use," said Gartner research director Maurene Grey. "Our concern is (that) when it is used in a corporation, we have some security and privacy issues. Google says it will collect only nonpersonal data, but in a corporation how can you monitor what's being collected?" 

Gartner claims that the relative immaturity of the Google product leaves businesses without a solid background of sensitivity to security and support. In particular, Gartner says, Google's "Consent to Collect Nonpersonal Information" is a one-sided contract in that the user must trust Google will make the right decisions as to what information it will collect. 

Grey said that while Gartner is not suggesting that Google is doing anything malicious, there are issues around the sensitivity of data.

"We're just saying it's not good practice for business organizations to do this," she said. "If the desktop tool was owned by the company, that would be fine. But (data) is going out of the office, and there's no way of knowing what that data is."

Responding to Gartner's comments, Dave Girouard, Google's general manager of enterprise products, said that the tool was never intended to be an enterprise-ready application in its current incarnation and that the company is working on a more robust version for large-scale deployments.

"Google Desktop Search is a beta product and isn't at this point intended for broad corporate distribution," he said. "Among other efforts, we are working on a version of GDS that is intended for corporate use. In the meanwhile, we encourage corporations to try the GDS beta in pilot settings in order to assess its usefulness and provide feedback to Google." 

*Desktop search tools have also faced other criticisms this week from leading security experts who claim they could be used by virus writers to create more targeted malware.*

Google went live with its desktop beta in October, but other search providers are chasing its lead hard. Yahoo and Ask Jeeves are planning similar releases, while Microsoft on Monday announced the availability of an MSN brand desktop search tool. The company introduced a beta version of its MSN Toolbar Suite, which lets people search the contents of their hard drives, including Microsoft Outlook e-mail, calendar items and contacts, as well as Office documents.

Gartner claims that personal search will be a volatile market through 2006, with the competition between Google and Microsoft being particularly vociferous. The company says that by launching desktop search, Google has got a jump on Microsoft in gaining consumer mind share. "Microsoft will undoubtedly use aggressive tactics to combat Google as it seeks to integrate desktop search as part of its desktop user interface," the research company said in a statement.

*Google: We've fixed desktop search tool flaw*


December 20, 2004, 7:52 AM PST
By Dan Ilett and Graeme Wearden 



According to a statement issued Monday by the Web search company, it has rolled out a fix for the vulnerability. The flaw in the tool was discovered in late November by a Rice University computer scientist and two of his students. 


A Google representative said, "We were made aware of this vulnerability with the Google Desktop Search software and have since fixed the problem so that all current and future users are secure." 

*Dan Wallach, an assistant professor of computer science at Rice University, discovered the vulnerability while working with graduate students Seth Fogarty and Seth Nielson. Wallach describes it as a composition flaw--where a security weakness is caused by the interaction of several separate components. 

According to The New York Times, which first reported the discovery of the flaw, Wallach, Fogarty and Nielson found that the Google desktop tool looks for traffic that appears to be going to Google.com and then inserts results from a user's hard disk for a particular search. 

They managed to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them. This would only work after a user had visited an attacker's Web site, upon which a Java program (as created by the Rice group) would be able to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site. * 
The disclosure of this flaw comes just days after research company Gartner warned businesses to steer clear of Google's desktop search tool until a more robust, enterprise-ready version is released. 

Security experts have also warned that virus writers could use desktop search tools to make their malware more efficient.


----------

