
Et Tu Google? Then Fail, Net Safety

105 responses, on January 31st, 2009, in Blogging Essays

I trust Google. I use GMail as my primary email address and store stuff in my mailbox that is of crucial importance to my existence as a citizen of this modern world. Over the past couple of months, Google’s Orkut has dealt a deadly blow to that trust that is making me rethink my allegiance towards anything Google.

I am the owner of a mildly popular community on Orkut with about 25k users. Since I was given the privilege of being a beta tester on Orkut, I had created a community called Calcutta many years ago and that community has since taken on a life of its own. It is run by moderators who report to me and I log in every so often to perform maintenance and help the moderators out. My existence is not only a mystery to the members of the community, it is also the source of much speculation and conspiracy theories, which was fine and dandy.

The Orkut application itself is full of holes and though Google seems to respond to major public reports of vulnerabilities, they keep coming back. Support for Orkut from Google is almost non-existent with what appears to be zero accountability. If one plows through the Google help sections to try and solicit help, they are either faced with a page not found or convoluted help screens that barely ever actually lead to a form to request support. Pleas for help are more often answered by the “Orkut hackers” than by actual Google employees. The Orkut application is so dangerous that people do not click on any links that are not Orkut generated and even then accounts and communities are compromised all the time. Hacking scripts and techniques are easily found via a simple Google search.

Now I am just as selfish of an individual as everyone else. I barely cared about any of these issues until something bad happened to me that I needed help for. I was the target of a phishing attack on Orkut and I fell for it hook, line and sinker. My Google login is associated with my Orkut login. As soon as I realized that I had just sent my username and password to a phisher (within a few seconds of me hitting enter), I changed my Google account password. But alas, the damage had already been done.

This is where things get really weird. Apparently, a group of “hackers” had taken over my Orkut profile and were making drastic changes to the Calcutta community. Emails, IMs and phone calls started to roll in and I was in full panic. I was immediately concerned that my Google account was still compromised and all my personal stuff in my email would be in jeopardy. I went into damage control mode. I changed all my authentication credentials for everything Google. My Gmail account seemed to be untouched but my Orkut account, which uses the same login credentials (I know that was my own fault), seemed to still be under rogue control.

In spite of changing my passwords multiple times, changing login names, changing email addresses and trying all authentication tricks to fix Orkut, the miscreants still regained control of my profile. Instead of falling for the FUD about viruses and worms on my computer (many well wishers who reported the problem to me suggested that I format my computer because I had a key logger that was sending my password to the hackers, completely untrue), I decided to do some research on the problem. The more I learned, the less confidence I had in Orkut and Google’s intention and/or ability to fix the problems.

Now the only reason I disclose this issue is because I have not only reported it to Orkut (and received no answer), it appears to be the same age-old vulnerability and one of many similar issues that were purportedly fixed. You can recreate this at home if you please.

The Orkut application stores cookies in such a way that if your cookie is ever recreated by someone else or transmitted to someone else, they can use that cookie to log in to Orkut as you, forever. No matter how you change your credentials, you have no recourse of regaining control. So if you ever get caught in a phishing scam that sends your password to someone else and they recreate your orkut_state cookie, they can log in as you forever. I will not go into the technical details but the link above discusses it. If you log into your Orkut account using Firefox, using a cookie editing plugin, look for a cookie called orkut_state and copy the contents. Then log out of Orkut. After logging out, re-add the orkut_state cookie to Firefox with the cookie editing plugin and then visit www.orkut.com. You will find yourself logged back in. Now I have tried changing my password, using a different browser, using a different machine from another location and other tricks with the same cookie and I have been granted access in all cases. From my research, it appears that Orkut expires the state cookie after 1 day (other reports talk about a 14 day expiration) but that problem is easily circumvented.

So essentially, I am completely at the mercy of the people that have re-created my orkut_state cookie using my old password that I disclosed on the phishing site. I have tried to contact Orkut help, posted messages in the help groups, emailed and complained to Google, emailed and complained via the Orkut complaint forms and even tried sending messages to places that are not meant to be Orkut related. It has been over two weeks and I have yet to receive a single acknowledgment. Nothing, nada, zip.

I don’t mind telling you that it is despicable for a company like Google to run an extremely popular application with a complete lack of care for its netizens. While I acknowledge that Orkut is not the most important product that Google offers, I think Google should still stand by their product. I also acknowledge that the fact that I am in this mess is my own fault, but shouldn’t there be some recourse? Would Facebook or MySpace do the same thing? Are we all under the false hope that someone in these big companies actually cares about the people that use their products? Is the online world doomed to failure in circumstances or are we willing to make a stand only when it affects us?

Who can I contact at Google that can even pretend to help? I am NOT “negotiating” with the hackers who have control over my profile, which has also been suggested and immediately turned down by me. Or is my community a complete loss because I made a mistake and fell for a phishing attack?

I am not sure how I feel about trusting my life’s contents to Google if this is how Google treats compromises in security.
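
The cookie replay described in the post, modelled in Python as an added example (not part of the original post and not Orkut's code; the page does not say how orkut_state is built). `WeakSessions` is an assumed design in which the cookie validates itself and the server keeps no record of it; `HardenedSessions` shows the server-side record, logout revocation, password-change invalidation and expiry that make a copied cookie useless. All class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # constructed signing key for this demo


class WeakSessions:
    """Assumed flawed design: the cookie validates itself, no server-side state."""

    def _sign(self, user: str) -> str:
        return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

    def login(self, user: str) -> str:
        return f"{user}.{self._sign(user)}"

    def logout(self, cookie: str) -> None:
        pass  # only the browser's copy is cleared; the value itself stays valid

    def change_password(self, user: str) -> None:
        pass  # the cookie never depended on the password, so nothing is revoked

    def authenticate(self, cookie: str) -> Optional[str]:
        user, _, sig = cookie.rpartition(".")
        ok = hmac.compare_digest(sig.encode(), self._sign(user).encode())
        return user if user and ok else None


class HardenedSessions:
    """Random token, looked up in a server-side table that can be revoked."""

    def __init__(self, ttl_seconds: float = 86400,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock
        # sha256(token) -> (user, credential generation at login, expiry time)
        self._sessions: Dict[str, Tuple[str, int, float]] = {}
        # user -> counter bumped on every credential change
        self._generation: Dict[str, int] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked session table does not leak live tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        record = (user, self._generation.get(user, 0), self._clock() + self._ttl)
        self._sessions[self._digest(token)] = record
        return token

    def logout(self, token: str) -> None:
        # Revoke on the server, not just in the browser.
        self._sessions.pop(self._digest(token), None)

    def change_password(self, user: str) -> None:
        # Every session issued under the old credentials becomes stale.
        self._generation[user] = self._generation.get(user, 0) + 1

    def authenticate(self, token: str) -> Optional[str]:
        key = self._digest(token)
        record = self._sessions.get(key)
        if record is None:
            return None
        user, generation, expires_at = record
        stale = generation != self._generation.get(user, 0)
        if stale or self._clock() >= expires_at:
            del self._sessions[key]
            return None
        return user


def replay_survives(store, event: str) -> bool:
    """Victim logs in, a copy of the cookie is kept, then `event` happens.

    Returns True if the kept copy still authenticates as the victim.
    """
    cookie = store.login("victim")
    kept_copy = cookie
    if event == "logout":
        store.logout(cookie)
    elif event == "password_change":
        store.change_password("victim")
    return store.authenticate(kept_copy) == "victim"


if __name__ == "__main__":
    for name, factory in (("weak", WeakSessions), ("hardened", HardenedSessions)):
        for event in ("logout", "password_change"):
            print(f"{name:9s} {event:16s} replay works: "
                  f"{replay_survives(factory(), event)}")
```
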


Comments

  1. Ajay says:

    Mark, Google’s total lack of support isn’t only with Orkut, but with almost every service it owns.

    I faced a terrible problem with Gmail recently when it locked me out. Writing to Google sent me into a vicious loop.

    Now, I’m trying to move my feedburner account and it has been throwing up errors of already existing feeds. And well, Google groups is the only support I get and it is non-existent.

    So, like you said, “it is despicable for a company like Google to run an extremely popular application with a complete lack of care for its netizens”

    • MrGroove says:

      If you think about it, just imagine how many users there are for google products. Just imagine how many support calls they would receive if they started opening up call centers to take those calls. Honestly, I can’t say I actually blame them in any way for not supporting any of their users. After all, they are all free and available to people to use, or not….

      Personally, I think there are a lot of problems with google as mentioned here: http://www.groovypost.com/howt.....literally/

      I think it’s good that people are starting to hold Google accountable and questioning the Google (it’s Free) model.

      After all, I think people are starting to get what they pay for…. Nothing 😉

      • Greg says:

        I couldn’t agree more. This whole sense of entitlement by the open source community is mystifying and even a little disturbing. It seems that complaining about getting something for nothing and then complaining when that something has no one behind it when you have a problem is just silly. It’s even immature thinking. The whole world – and especially companies like Google – are not your parents giving you whatever you want whenever you want it. You want customer service and support? Well, that takes people and people deserve to be paid for their time, talents, expertise, and service. That pay comes mostly from one place – the fair exchange of compensation (mostly in currency) for products and services. If you’re going to put your personal life in the hands of the open source community, then don’t complain when you can’t get help…..you chose not to pay for that support. Good luck!

        • Mark Ghosh says:

          Where is this question of entitlement coming from? My use of a product, while free for me to use, generates revenue for someone else. Why should I not expect a level of quality and care for my safety?

          When you receive Over The Air content from TV stations, you do not have to pay for the TV shows and news. Same goes for FM radio. However, I believe it is your right to complain if they deliver improper or questionable content to you or are somehow responsible for harming your family through misinformation. They make their money from advertisements and distribution rights deals and not from you but that does not make them impervious to scrutiny or give them the right to compromise your safety.

          • Greg says:

            I agree that you have a “right to complain,” Mark. I just don’t agree that anyone using free software should expect a high level of reliability or customer service. I think that’s true whether that free software comes from a for-profit company like Google or the open source community. That’s why I used the term entitlement – expecting to get something for nothing.

            You got something for nothing. To be sure, I feel for you and it would make good business sense for Google to worry about marketplace goodwill, but it’s not an obligation. Not when you get the app for nothing.

            I admit that I never have read Google’s use license, but I’d assume that it’s full of caveat emptor language – let the buyer beware. Had you paid something for the apps, then I’d be right there with you.

            Cheers!

          • Mark Ghosh says:

            See, that’s where we have to agree to disagree. I am paying for the application(s), maybe not in direct monetary exchange, but via services I use that then make Google money (e.g. Google checkout, AdSense, ads on my email etc.). “Paying” for a service does not necessarily mean shelling out cash. We pay taxes and expect that our roads will be repaired, even though we did not directly pay the contractor that repairs the roads. We pay taxes so public television can be produced even though we did not pay the local station (although, some of us support NPR).

          • MrGroove says:

            Mark, I really appreciate your article but…. I’m afraid I don’t fully agree with this comment. I love a good debate and it’s always nice to have a “Devil’s Advocate” so here I go. 😉

            1) RE: My use of a product, while free for me to use, generates revenue for someone else. Why should I not expect a level of quality and care for my safety?

            MrGroove’s Answer – Unless the Terms of Service for the service specifically state an SLA of service, the Service provided to you is provided at the will / pleasure of the Service provider. Even if they are making money from you providing content, the Terms of Service clearly states (Google’s TOS) that by uploading it to GOOGLE, you give them a Royalty Free license for them to do with it as they wish. So no, you don’t deserve anything.

            The only exception to this rule is if you provide the Provider Personal Identifiable Information or PII (Privacy Data) and they store it. In that case, Google must ensure your PII data is secured and remains secure as required by the legislation of your Country or State of Citizenship.

            2) RE: When you receive Over The Air content from TV stations, you do not have to pay for the TV shows and news. Same goes for FM radio. However, I believe it is your right to complain if they deliver improper or questionable content to you or are somehow responsible for harming your family through misinformation.

            MrGroove’s Answer – Broadcasters using Public Airwaves are governed by the FCC and are not allowed to broadcast what is classified by the FCC as Obscene, Indecent or Profane as this is not protected by the First Amendment. http://www.fcc.gov/cgb/consumerfacts/obscene.html

            Since Cable providers do not use Public Airwaves, they are not held to these rules by the FCC. If you want to use their services, you pay for it. If you don’t like what they provide, you cancel it. It’s that easy.

            With this in mind, until the Government decides to turn the Internet into a Public Space and begin governing it to a higher degree similar to Public Airwaves (rather than just laying down rules about PII), I see Internet Service providers like Google to be more like Cable providers. If you don’t like the service, cancel it and quit paying for it. If it’s free…. don’t use it. If they take your content and sell it (and those terms are not in the Terms of Service) sue them. Unfortunately per section 11 of the Google TOS, you give them all rights to everything for almost ALL the Google Services (Google Search, GMAIL, Docs, Picasa etc…).

            3) RE: but that does not make them impervious to scrutiny or give them the right to compromise your safety.

            MrGroove’s Answer – Now, this might be where you can get Google however you will probably need to hire an attorney. Unless it’s specified in the Google Terms of Service that they are not responsible for their services damaging your computer, they “COULD” be liable if the use of their services destroys your private property or allows your Identity to be Stolen (or results in the loss of your PII). This is probably a REALLY sticky one and you would need to have a good Attorney to argue Negligence.. of some sort but, I’m going to guess they have Legal Indemnification in their TOS somewhere…

            Lesson – You can expect what you pay for, nothing is free, read the fine print and be careful who you trust. After all, once in the cloud, always in the cloud….

          • Mark Ghosh says:

            Good arguments.

            the Terms of Service clearly states (Google’s TOS) that by uploading it to GOOGLE, you give them a Royalty Free license for them to do with it as they wish. So no, you don’t deserve anything.

            Correct. But if their service is causing me grievance due to their technical fault, I do have the right to request they fix their problem. Royalty free license has nothing to do with technical glitches.

            With this in mind, until the Government decides to turn the Internet into a Public Space and begin governing it to a higher degree similar to Public Airwaves

            You are again correct. The statements you made are all factually correct. However, the laws were born out of the necessity to protect citizens. CPNI is one such set of guidelines that are directed towards protecting telecommunications customers. Forcing an all encompassing TOS on free loaders and making the TOS so absolute that consumers do not stand any chance of protecting themselves, is not something Google intends. It would be against their “do no evil” policy and would really hurt their credibility. I concede that OTA TV free and Google free are not legally the same thing. However, if Google uses their TOS to ignore and exploit consumers, which is what you are insinuating (and I do not agree with that claim), regulators will have a field day with them.

            I completely agree with your lesson. That is exactly what I was trying to get across. Google services are not free.

          • mrgroove says:

            I agree with you 100%. Given unlimited time and resources, Google would/will fix all Production Support issues including security exploits.

            At my Corp. job (not my groovyPost.com hobby…. Of course) I see this every day. It goes something like this:

            Dev
            “Boss, we have security issues with the site we need to fix.”

            Boss
            “Will this work delay the features / revenue generating work we promised Management?”

            Dev
            “Yes, this work will take 40 hours thus we will delay our committed work”

            Boss
            “Is there any Government Laws (Privacy) or Vendor Regs. (PCI) requiring we do this work ASAP?”

            Dev.
            “Um, I don’t think so. It’s just the right thing to do.”

            Boss
            “Ok, thank you for your high integrity and commitment to the customer. Let’s push that out until next quarter.”

            In order for Senior Management to prioritize Non-Revenue Generating support work over Revenue Generating work, they will need to be prioritized by either the Market, the Customer or the Gov.

            They are after all a Company in the business to make money. Although they may live by the “Do no evil” charter, the greater power at the end of the day is the all powerful Stock Holder.

            Now, is Google any worse than any other company out there? No. I personally LOVE Google services and 99.% of the time I have no beef with them. I use all their services for various reasons and they work well for me. I am after all, a GEEK! 🙂 I love technology and google has some of the best. I just feel it’s important to be an educated GEEK.

            So thank you Mark for your great Blog and great post. I really appreciate the discussion!

          • Shade says:

            hey mark i posted a comment some days ago, but it doesn’t appear? why?

            regards

      • billy says:

        …”just imagine how many users there are for google products. Just imagine how many support calls they would receive if they started opening up call centers to take those calls.”

        this is not a valid excuse for flaky customer service. if they are making money from each and every one of those customers, they have an obligation to support each and every one of those customers. it is not the customers’ fault that google didn’t plan out their infrastructure to support their userbase, however large that may be.

      • But could you imagine how much manpower would be required to provide support for hundreds of millions (maybe even a billion) people today or someday? Support for something like that isn’t really scalable, aside from maybe a forum type environment. I don’t blame them.

  2. matteo says:

    Google doesn’t care at all for their netizens – this is true.

    Some great Google employees like Matt Cutts, on a more personal side, have helped us netizens understand better and sometimes solve specific (SEO) problems – but for example, I know people which have had great problems like yours with some Google services, and got insufficient or no support.

  3. That is one lame loophole!!! Especially since it’s so old and well known (and doesn’t seem that difficult to fix).

    Good luck getting that fixed, keep us updated…

  4. John says:

    I empathize with you. Not long ago, a secondary Gmail address of mine was hacked and I was unable to recover it; Google support opted not to help me. I am *seriously* examining my use of Google products, which is fairly deep at this point. This dependence is a topic we ALL need to consider deeply, and as a community.

  5. Don’t trust Google. I had my Gmail account hacked two years and they did nothing to help me. My antivirus and firewall were up to date as were my other security measures.

    I am convinced the hacker got into my account via their system not mine as a group of other accounts were hacked at exactly the same time.

    I still use the account as my primary email but copy everything of REAL importance.

    I still don’t understand why google can’t offer a backup download? Sure I could use a local client but do I need to use another application to save other documents? No, of course not.

    Can you imagine MS saying that to save any Word files you need another application to copy them? (Ok, it’s not an exact analogy but you get the idea).

    Don’t get me wrong I love Google and almost everything they do but I really feel they haven’t thought of the users enough with this.

    /RANT OVER
    Apologies!

    • Nadiah Alwi says:

      I still use the account as my primary email but copy everything of REAL importance.

      —————————————–

      I agree with you on that one. A backup is necessary. So, even if we have to get rid of one account, at least we have its content somewhere else.

  6. Jeremy says:

    Dang. Thanks for posting this, Mark, as I have now realised I have the exact same logic flaw in one of the web applications I wrote.

    If you log in (either by password or e-mail confirmation), you are assigned a “token”, which is stored in the DB, and lasts, say, 7 days. When you log out, the token expires, and you are required to log in again.

    Well, if somebody manages to steal your token cookie, they are able to log in as you and impersonate you.

    Two fundamental flaws I have in my system:

    If the user changes their password, all existing tokens should expire.
    Each token should be tied to the user’s IP address. (This is where IPv6 would make it even more secure.)

    Fortunately, the site is quite small, so it has never had an XSS attack.

  7. madalin says:

    Indeed this is a lame loop. I think that google’s support (on request) is very small, if not even 0. I had the same problem one year ago, when one of my accounts also got hacked (probably server-side as I always keep my antivirus/firewall activated and I NEVER respond to emails asking for user/password) and I didn’t regain access to it. My opinion is that Google’s NOT-SO-BRAINIAC employees should start helping out. Or probably start a community that can be involved in dealing with this type of situation. Maybe provide some tools for the ordinary people to fix this type of situation. How about a FULL reset option on ALL applications? That would be lovely.

  8. Jason says:

    Ouch … it seems that Google has forgotten that “Do no evil” creed they once touted so proudly. Ignoring a customer is certainly in the “evil” category.

    Email has always been super important for me, so I use a web app on my own web server rather than GMail or any of the other “free” services. This gives me quite a bit of flexibility and a better sense of security. But you’re right that so many people could have their entire lives stolen from under them.

  9. Aleta says:

    wow! I’m glad I’m not popular enough to want to be hacked! 🙂

    • Ajay says:

      You don’t need to be popular to be hacked. A phishing site targets anyone and everyone!

  10. Al says:

    Huh, another scary G-story. Let’s face it: Google is for selling ads plus data to whoever pays for it.

    • Phil Coffee says:

      You said it. All of their “free” products do one of two things (if not both): Collect data and sell advertising space.

      Google is an advertising company with a search engine.

      The more Google products you use, the more data they have on you, the greater risk you are to losing your privacy should something be compromised.

      Don’t be fooled by the pretty colors of their logo. They are a data collection machine – and in today’s world that data is very valuable.

      The old adage is true yet again: Don’t put all of your eggs in one basket.

  11. james says:

    can you pass the community on to someone else and remove yourself from said community. will that eliminate the ability for someone logged in to mod it??

  12. ret says:

    Getting support with Adsense is also terrible. Anybody could just copy your adsense code and click bomb it. The result would be you getting banned. There’s no protection and Google just doesn’t care about the little guys.

  13. Just curious on a couple of points – 1) what was the phishing attempt and 2) are you using a Google paid service? Thanks!!

    Best-

    Rich Chuckrey

    • Mark Ghosh says:

      The phishing attempt was in the form of a “friend add” request in Orkut. I visited the Orkut link that redirected me to another site with the Orkut look and feel and asked me to log in.

      I am not using a Google paid service. However, all Google services are ad supported and I am an AdSense customer.

      • Unfortunate luck! But I’d say two things went against you: 1) taking part in a phishing attack – even though you didn’t mean to & 2) not being a ‘paid’ customer of Google’s.

        Google should start offering a pay-per-incident program!….

        • Vaibhav says:

          Actually, I was thinking the same thing. The reason there is such lack of support is because these services are free. I am sure if I looked in their TOS, it would say that there is no guarantee of support being provided when it’s needed.

          That is the one thing people don’t realize with free services. If you are in trouble, you are on your own.

          • shashank says:

            I understand that support is not guaranteed with Free services, but I also completely believe that a company like Google needs to stand behind what it is offering. I have been a beta tester for almost all Google and MS Live applications. I had to decide to move my account to Live Mail when I realized that MAPI was a far better Protocol with Outlook.
            Google has a habit of buying companies and then letting them die when it realizes that it has no use for them. It is a great company with wonderful products, but it seems more like Richie Rich, who has all the money to make or buy anything in the world, and then leave it on its own once you get bored.

          • Vaibhav says:

            Shashank, you are right of course on what Google should do. However, what they choose to do would be what makes them most money (and one of these things is that they shouldn’t lose money on non-paying customers).

            Everyone makes Google out to be some kind of Internet humanitarian, but at the end of the day they are a business. It is downsizing just like normal businesses do, in case of an economic crisis: http://www.onlineobservations......-to-earth/

            Which other company do you know which offer completely free services and at the same time provide premium support?

          • Mark Ghosh says:

            Google displays ads on all their “free” search pages and services including GMail from which they make tons of money. We, the people that avail of the “free” services, click on those ads and make money for Google.

            None of Google services are truly free. They are ad-supported. If Google search or YouTube could be corrupted via an XSS, would we be having this conversation?

          • Vaibhav says:

            Mark, once again. I am not defending Google (I have my very own long list of grievances against them). And I feel your pain. All I am saying is that it is naive of us to expect Google to be providing support for something that they are offering free (ad-supported or otherwise)…

          • Shawn says:

            You’ve hit it on the head right there: it’s ad supported. While YOU may not be paying for the service, the sponsors, those whose sites and products are being promoted on it, ARE effectively paying for it. Visit your Orkut site and start contacting those advertisers, asking them to go to bat on your behalf. If they threaten to pull their ad dollars from a service that allows this type of thing to happen, Google will sit up and take notice.

          • shashank says:

            I would want to say Microsoft! I know you would have your doubts but in the past, I have been closely watching the services of almost all SW companies, and I realize that MS does stand behind what it has offered. It is not one of the quickest, or the best, but trust me, I have had a perfect experience with Windows Live set of tools. The products are good, they provide support and most of all, they know what they are talking.
            MS doesn’t hide its errors behind a perpetual beta!

  14. P'tit Loup says:

    I’m not surprised at all. It’s become a widespread tendency nowadays that :
    1 – Webmasters or large site owners DON’T want to be contacted about troubleshooting issues. “Frankly, who’s got time for client support?”
    2 – Debugging is actually done by site users screaming a thousand times about what’s wrong instead of Webmasters testing, testing and retesting their new version before putting it online.

  15. David says:

    The only time google is quick to something is when it costs them money such as misclicks for adsense it took them 10 minutes after it happened to suspend my account and finally terminate it. So unless it turns into them losing money they really won’t care too much. I’ve had a lot of issues with big companies and they really don’t care much about the little people.

  16. arshad says:

    Oh my god !! This is terrifying. Why is google not caring about Orkut ? I have never come across such a case. I will try to be more careful.

  17. Morgan says:

    That’s absolutely despicable. I’d be ashamed to work for google after hearing something like that. A company that provides an active, community-based web application should have support solutions in a maximum of 24 hours.

  18. Sorry to hear about your troubles, Mark. I’m sad to say though that these scandals pop up every few months somewhere in the webmastering world. And you get a slew of comments to say “Oh, that’s terrible. Google are evil and we should all boycott them.”

    And within about 60 seconds of posting their comment, the same people are off checking their Google mail/analytics/adsense/reader account yet again.

    Myself included.

  19. Mike says:

    With these types of issues it seems like there is no source to go to for customer support. Fortunately we’re all out here to help each other out.

  20. OldLady says:

    You young fellas and your trust “in all things Google” has amazed me over the years. Google offers its services for free and has no obligation to support them. We do get what we *pay* for.

    • Joost says:

      The support an average Google user needs is I assume minimal, so when someone actually needs help Google should try to help them out. Especially hacks, bugs and exploits should be fixed very fast. Google webmaster central is even talking about exploits so why don’t they fix their own problems?

      • Rajesh says:

        Exactly…just because you are offering a service free, it does not mean that you are absolved of your social responsibilities. Particularly when you are big and have a good reputation. google know this very well and they would not want to damage themselves due to one rogue service.

        Unfortunately, Google is consolidating all logins to one user id and password in the name of single sign on. Now, if only these hackers can log into google adsense account or gmail account, they can cause considerable damage.

      • Vaibhav says:

        What Google “should” do is a completely different thing from what it “has” to do. It doesn’t “have” to provide priority support on free services, and it “chooses” not to do so. It won’t make financial sense to have such a support anyway given the large amount of users Google has.

        • Rajesh says:

          What you say doesn’t make any sense….

          It need not provide support for individual users but it has to support its own product. Try to understand the difference. When you have gained reputation, you can’t leave your product with weaknesses, even if it is free. People use your product, because they trust the brand Google. Brand image does make a huge financial difference and you can’t allow it to get tarnished. If you cannot support your product, then take it away from public domain. Don’t let innocent users fall prey to hackers by allowing them to use your free product.

          you are wrong on all counts buddy…

          • Greg says:

            With all due respect, I think you’re the one who is mistaken, Rajesh. Your case about brand value is sensible at a theoretical level but not a practical one. The horse is out of the barn. Google’s brand is already strong enough to endure such occasional shortcomings because it is only a relatively small community of people who use it so extensively and then expect something for nothing.

            If people are willing to risk their real and online lives by placing absolute and blind trust into any company, including Google, that’s their choice. No one is forcing them to use free services. I just don’t think you get to complain when the free service fails or is hacked and there’s no one at Google to support you. You’re just expecting more than is realistic.

            You get what you pay for in this world, and you pay nothing for Google. And let’s not dredge up the tired arguments about ad revenues. That’s a red herring. What users of free service want is their cake and to eat it, too. There’s no such thing as free.

            Cheers!

  21. Torrent says:

    Wow, what a horrible experience. I have had similar experiences with Google with other services they run – so I think this may be endemic with Google as a whole and not so much just an Orkut thing. However, I am shocked with the fact that they haven’t patched these old holes. This seems very un-Googlelike 🙂

  22. This reminds me of the time when I lost a 6 year yahoo email account with stuff from sign up to hundreds of sites, emails, contacts, lifestyle, memories everything organised. Bang one day gone forever! Didn’t bother even contacting them. Opened a new gmail and been OK ever since. Stopped using all yahoo stuff. Once it was everything yahoo before google.

  23. Ed says:

    Sorry to hear about your ordeal Mark, perhaps Matt Cutts could jump in and offer some assistance?

  24. I had some issues with orkut, way back when it was a lil’ start-up. I was playing with my google account settings and did a del of my orkut account and my entire google a/c was lost. I still dunno anyway of getting it back; neither do I find the pwd recovery assistance of google to be of any help at all.

    Incidents like this definitely put google in a reverse gear. Of course the usual rant – ‘Hope some one does something about it!’

  25. Mark, with all due respect, I tried to contact this very site on a couple of occasions about correcting a WordPress theme that you folks here incorrectly attributed to me. I don’t recall ever getting a response from you or anyone else. I’m sure this was just an oversight but have to admit that I find it interesting and ironic that you write such a post.

    • Mark Ghosh says:

      We sincerely try to answer all messages that come our way but not only is there a difference in circumstances, there is also a very large difference in context. I hope our resources at this blog do not represent the responsibility or the resources that Google has at their disposal.

      • Greg says:

        Things that make you go, “hmmmm…” If the positions of this posting are to be held up as some sort of standard then regardless of size and context, shouldn’t Mike have a level of expectation for service if it’s ok to chastise Google for not supporting their services?

        So at what point would it be ok for Google not to support or respond? Put another way, at what point should a WordPress user expect a level of service and support?

        What’s good for the goose…..

  26. Alex says:

    Here is the thing. When a company is that big, it’s hard to get every case done right. While it is the cause of the company for these problems, sometimes they cannot be avoided and one must remember that they are just one of the million plus users of Google’s GMail, Blogger, Orkut and Docs.

  27. Suhail Abbas says:

    That’s very sad, but, no matter what kind of support Google gives, the first blame still falls on you, every time we enter our passwords the link/site needs to be checked for validity.

    I prefer to keep a (bcc) of every email I sent or receive to a back up email. Obviously that only saves your emails, but your complete account and all other services will be lost.

    btw, remember Google still is a commercial company, it still needs money to run, and provide good free services, and thus require a reason for its clients to use its paid services, where I hope the support will be much better.

  28. Brian Turner says:

    Ouch – sorry to hear about the issue, and that’s a pretty big security issue raised.

    It’s pretty unfortunate that Google have been aggressively chasing different services over the past couple of years, but don’t really publish accountability and support into these – because they are free.

    A serious problem I have as a forum admin is the number of scammers and spammers who use Gmail to register accounts – but despite the fact that Gmail accounts can be used to launch scripts and hacks, I can find *no* report abuse contact to warn Google that Gmail is being abused for cybercrime.

  29. malkie says:

    Google are untrustworthy, many of the Google services I have used over the last few years no longer work. One of my Gmail accounts seems to be shared between me and someone with a similar name. Why is Gmail still in beta after so long!

    It seems impossible to resolve issues with Google when problems happen.

    This is just not Google ‘free services’, as service suppliers to Google we always seem to have problems resolving issues which are Google’s fault.

    • malkie says:

      Further to my post above.

      I have now got an email intended for another person sent to my Gmail account, again they have a similar name to myself.

      Google FAQs state this cannot happen.

      • malkie says:

        I am now getting emails misdirected to my Gmail which are from a trade union who seem to have a paid for Gmail service. Some are of a sensitive nature concerning trade union activity.

        It looks as if I will have to dump my Gmail account.

        Points raised above regarding the common password for all Google services have got me worried, I think it is time to move on from some Google services as the problems seem to be getting worse.

  30. Dean says:

    Sorry to hear your troubles. I, too, had a problem with Google. I don’t know if I was phished, but I’m pretty sure a hacker somehow got into my Google account. My WordPress account was hacked at the same time (They had identical logins [Yeah, I know, dumb, what can I say?]).

    This is where the story gets interesting. I contacted WordPress support and had my account back within hours.

    I contacted Google support and the only thing they told me was that they couldn’t get back a deleted account. The feed for my Blogger blog is still giving me my posts. Got me.

    You can read a longer version here.

  31. Brajesh says:

    Hi Mark, sorry to hear about that. It’s really pathetic to see no support on Google’s side. Maybe we should consider going back to the basics. I will seriously consider my Google hosted mail to be moved to my own domain.

  32. pnaw10 says:

    Wow, this is shocking. I can’t believe such a “leading” company like Google would allow hackers to be able to get into accounts by using just one cookie… a cookie which works in any browser, and never expires even if you change your password. That’s just plain stupid.

    I also have to agree though; it’s horrible that Google provides little to no tech support. When they changed the look of iGoogle, I got to be one of the lucky, randomly-chosen beta testers. Even though I and several others posted complaints about the new look on their forums, there were very few responses from Google, and those that did appear were very generic. Very little changed before the new iGoogle design went public. I was especially frustrated that there was no way to reject the changes and continue to use the old version.

    Similarly, check out the support forums for Google Chrome. For many of the problems that are reported there, Google says they simply have no fix or solution for the problem. No timeframe for when a bug will be corrected or when certain basic-but-missing features (like Print Preview) will be added.

    Sure, I can understand a company like Google would get absolutely FLOODED with tech support queries, if they made it as simple as sending an e-mail or filling out a form. They probably don’t want to deal with thousands of stupid/simple questions that could be answered by FAQs. But I think the idea of a support form where “people help people” is absurd. You never know who’s providing answers — but you can guess who usually isn’t — Google’s staff.

  33. alhefner says:

    Google, Yahoo, MSN, are pretty much all anti-support unless they are losing money. I know that much of what they all provide is in the “free service” category but all those free services are designed as platforms for advertisement placement and THAT does make them money.

    It won’t be long before someone or a group comes up with better services with better oversight and attention to security. Then, and only then, the major players will start to renew a commitment to the public they say they want to serve.

  34. sly says:

    Shouldn’t have fallen for the phishing site. Their easy to spot, so its mostly your fault not google’s.

  35. Mike Fook says:

    Google is disgusting on support – 95% of the time nobody will need support – but, the 5% when you do – be prepared to throw shi* against the walls and curse for a couple hours because you’ll get not a damn good thing from non-existent support. STUPID, ridiculous, fricockulous system of message boards that nobody answers – and that are free to be answered in any way by any jackA88 that wants to. I’ve had the most horrible time with problems. Give me 1 decent alternative and I’m there just to get away from these clowns.

  36. Mike Fook says:

    PS: Shut up Sly you putz. It’s “they’re” not “their” – easy to spot, what a spankmonkey you are…

  37. Keith says:

    Just as my Google story; I was using my gmail account one day, woke up the next and couldn’t log in. To cut a long story short, the account had been ‘deleted’ and any requests for help through the support robot were met with a ‘we couldn’t find that account’ error. Because of the way everything’s linked, that meant I also lost my blogger and checkout accounts. To date, I still can’t figure a way to speak to a non-robot to discuss the issue. Thanks for nothing Google. You don’t know what you’ve got until…

  38. Peter says:

    What’s Google? 🙂

  39. Whew!

    So much for software as a service (or SaaS for those familiar with the concept)…

    In my humble opinion, Google is trying its best but obviously, Orkut has grown into a huge community. Perhaps they’re overwhelmed but you’re right about the fact that there should be a more convincing support team, especially for issues of such importance as yours.

  40. Rajib Miah says:

    I am astonished by this. I have always trusted Google and use their products for most of my online needs. I’ll need to rethink that strategy now.

  41. Marcus says:

    I’ve just had a lengthy problem with Google Checkouts and a UK computer dealership that owed me £197 and swore that they had returned the money via Google. Refund agreed January 6th, refund actually received (after repeated expensive phone calls to the computer dealership’s premium line) Jan 26th, first response from Google other than “we have forwarded your request to the dealer” Jan 28th.

  42. Owen Johnson says:

    An employee of mine recently attended a large national conference to which Google and Microsoft both sent teams to discuss their approach to developing a new (and large) market segment with another large company (apologies but I cannot go into details). My employee briefed me on the proceedings but it all boiled down to a text she sent when both presentations were complete. Microsoft talked about their technology, how it applied to the problem, and how they would implement it, all in well thought-out detail.

    Google talked about how cool they are.

    That was it.

    Bottom Line: Deal with Google at your peril.

    • Greg says:

      Thanks, Owen, for summing it up so well. Google is cool – and that’s all they are.

      Therein lies the basic truth of it: Free means being cool; commercial means there’s actually a plan created by people with something more to accomplish than “coolness” and for that there’s a requirement that we pay something to compensate those people for their time and effort.

      This is, in my humble opinion, the classic example. People gripe about having to lay down 100 bucks for Outlook. We complain that the product stinks and that Mozilla Thunderbird or some other freeware with lots of add-ons developed by who-knows-who are better. So we keep our 100 bucks, thumb our nose at “the man” and use free cool stuff like GMail and Calendar and anything else Google has to offer that’s free and cool.

      And what happens when it fails? We complain that there’s no way to get things fixed. Our “friends” at Google who were so benevolent in the development and distribution of all these free apps are suddenly not our friends anymore! We feel violated and betrayed! We vent our anger and frustrations on blogs and commiserate with one another in our grief.

      Hey, I use GMail for one of my email accounts and a calendar to share with a few selected individuals. I’ve used Google Docs in the past, and I have a blog site there, too. Costs me nothing and I expect nothing. If the sites and all my email disappeared tomorrow, c’est la vie. I have no right to expect something that’s free to last forever, and I have no illusions about someone being there to help me when I didn’t pay anything.

      I don’t begrudge anyone their desires and abilities to fulfill their philanthropic, economic, or more likely, egomaniacal ambitions to develop and offer free solutions – including Google. If they offer me free apps and my use of them helps them to sell advertising, well I’m not pretending that that’s not the deal. No one should be so naive to believe otherwise.

      27 years in the technology business has taught me one immutable law – “free” should not be confused with “valuable.” If you want value, then you must shell out a few bucks to a commercial company so they can pay people to develop, deliver, and support a product. Otherwise, the old adage needs to be remembered – you get what you pay for.

      • zes says:

        Very nicely put! Google is cool coz its free. So for all of us let this incident be a valuable lesson. Thanks to Mark for sharing. Everyone here will benefit.

  43. M. Marshall says:

    Lets just say, “You get what you pay for”.

  44. ray says:

    Your first mistake was to trust Google. It has been said they have no accountability, this isn’t true, the trouble is accountability to whom? Don’t think for a second they won’t sell YOUR soul for the almighty dollar.

  45. I’ve been using several Google services and it is because free but I am still hoping that it will be reliable. That’s what the point of Greg (I think), how can you ask G to do something for you if you’re not paying anything for it. It is your choice to use their services. If you think their services is not good for anything, then you should leave it. I think G is trying the things that they should do to satisfy their patrons and we (or maybe I) should be thankful about it.

  46. Google probably spends more money on IT security than any other nongovernment organization. That’s a pretty amazing benefits he uses all their free services, however as in all IT security, the term itself is often not more than just a fuzzy feeling.

  47. WeNDoR says:

    This post begins like “The Godfather” 😆

  48. Shade says:

    I’m sometimes annoyed about the bad support of Google, but what can we expect?! As said above, there are so many users for Google products. And I also agree with Greg – anyone using free software shouldn’t expect a high level of reliability or customer service. But I wish that there will be a better support in future. We’ll see!

  49. el ToRO says:

    There are a lot of problems Google has to deal with.
    But as long as they produce 2BIL+ yearly profit all of those who know its wrong doings will be in the “mist”
    Great article.
    greeting from Toronto
    El TORO



Trackbacks/Pingbacks

  1. […] stumbled across a post by a Mark Ghosh, an unhappy orkut user which covers a very basic and age old security flaw within Orkut, a social networking site similar […]

  2. […] Et Tu Google? Then Fail Net Safety […]

  3. […] Et Tu Google? Then Fail, Net Safety | Weblog Tools Collection (tags: Technology via:mento.info) […]

  4. […] more than 20,000 users. You can read his article “Et Tu Google? Then Fail, Net Safety” here. (I quite like the Shakespearian lilt to the title too.)  With social systems and social search […]

  5. […] Are you at the mercy of the poorly coded application, at the company or what? Check out this Blog Posting on what happens in that exact […]

  6. […] Google troubles? February 2, 2009 — thoughtfulconservative MArk Gousch shares a short essay at Weblog Tools Collection about his experience with Orkut, a social media-like app from Google. I trust Google. I use GMail […]

  7. […] is a nice and real story by Mark Gosh. Must read for all Orkut users: How Google Fails for Net Safety. I have verified and this trick […]

  8. […] Mark Ghosh of weblogtooscollection.com unfortunately had a similar experience. Take a look to see what he had to go through. […]

  9. […] warning for those who like to spend hours and hours on end on orkut. I just read this link, in which the guy tells how he basically lost his orkut account to hackers using […]

  10. […] a post by a blogger who has experienced a nasty experience with trying to reverse damage done by a phishing attack on his Orkut (and other Google) […]

  11. […] Poor Mark Ghosh. As someone who uses a ton of different email accounts, online community profiles and social networking tools, I really feel for this guy. Having any account compromised just plain sucks (I’ve had it happen to me, and I totally understand Mark’s reference to ‘panic mode’). […]

  12. […] I the only one who thinks that a company that cannot plug a simple security hole in their social networking site should not be trusted to automatically grab data from your […]

  13. […] Read this  sad story “Et Tu Google? Then Fail, Net Safety | Weblog Tools Collection“. […]

  14. […] Google products like Gmail or Google Docs – which are all free I must add. A case worth noting is Mark Ghoush’s recent problems with his Orkut/Google account getting hacked. In the case of Orkut, it is probable Google doesn’t consider it as high priority anymore. […]

  15. […] Ghosh of Weblog Tools Collection reported recently on Google safety and security after suffering from a phishing attack on Orkut, a Google service. Many bloggers rely upon Google […]

  16. […] they need to get a lot better about their support organization and how they handle account issues. Check out this story by Mark Ghosh for an example of what happens when things go wrong. What if you woke up tomorrow and your Gmail, Orkut, Docs, Reader, Google Checkout account was […]

  17. […] Malik points to this essay on the gaping security flaws underlying Google’s social network Orkut, with the caution: “Don’t trust Google [with] your digital life just […]

  18. […] companies offer proprietary services but unless they profit from these they do not feel they have a duty to maintain them or offer technical support. Such as Google’s Orkut. Their only duty appears to be to the almighty buck. So do we hire […]

  19. […] who says to be accountable for an Orkut community counting up to 25,000 users, tells the horrible story about the seizure of his account after the attack, the useless attempts to ask Google for help and […]

  20. […] Et Tu Google? Then Fail, Net Safety | Weblog Tools Collection (tags: social socialmedia media technology google email SECURITY gmail phishing orkut) […]

  21. […] had this problem with Orkut which was experienced and voiced by Mark Ghosh on Weblog Tools. It of course hurts when someone […]
