Google, Microsoft and scores of other companies are pushing us all into the “cloud”—where all of our information is stored online and is instantly accessible from any internet-connected device. This instant, universal access is a phenomenal benefit for most people. And since many of these cloud-based services are “free” (in the sense that they are subsidized by advertising), reliable and mostly maintenance-free (automatic software upgrades), virtually all of us are inexorably living more of our online lives in the cloud.
This also means we’re increasingly trusting the companies that provide these services to keep our data and personal information secure. Based on my personal experiences reporting on many companies that offer cloud services and talking with them about security measures, this trust is generally well-founded.
But what happens if something goes wrong? For example, imagine an extreme case—what if your Gmail account was hacked, and even worse, if the hacker succeeded in deleting all of your email?
This horrific scenario happened recently to Deb Fallows, wife of The Atlantic national correspondent James Fallows. I had the pleasure of spending a few days with both Deb and Jim at a search conference in China several years ago, and can attest that both are technically savvy and not likely to be careless with their online “security hygiene.” So when I came across Jim’s story about Deb’s Gmail account being hacked, I read it—very, very carefully.
People who read Jim know that he’s written about technology for ages, and is one of the sharpest analysts of all things tech (I mean that both in the sense that he has a keen understanding and is also never shy about skewering inferior or faulty products or services). What some people don’t realize, however, is that Jim is also very knowledgeable about search, and Google in particular—for years he’s been a moderator and interviewer at Google’s exclusive Zeitgeist events. To help his wife recover her Gmail account and learn more about how such a catastrophic event could occur in the first place, he went to Google and spoke with people ranging from senior officials who set security policy to the engineers in the trenches who constantly monitor Google for threats and wrangle the systems to thwart the bad guys.
What he learned is eye-opening, but also reassuring. In my mind, his article Hacked is a must-read for anyone who uses Gmail, or any other cloud-based service. It’s a balanced look at the tradeoffs we all must make between enjoying the convenience of working in the cloud vs. the security risks we take—despite the serious and comprehensive measures companies like Google take to keep our data secure. A few interesting passages from the article:
“My wife’s password was judged as ‘strong’ when she first chose it for use with Gmail. But it was a combination of two short English words followed by numbers, so if it didn’t leak from some other site, it might just have been guessed in a brute-force attack. For reasons too complex to explain here, even some systems, like Gmail’s, that don’t allow intruders to make millions of random guesses at a password can still be vulnerable to brute-force attacks.”
“At Google I asked Bryant Gehring, of Gmail’s consumer-operations team, how often attacks occur. ‘Probably in the low thousands,’ he said. ‘Per month?,’ I asked. ‘No, per day,’ followed by the reassurance that most were short-lived ‘hijackings,’ used to send spam and phishing messages, and caused little or no damage, unlike our full-out attack.”
“Against this assault, the Google security team, like its counterparts at other companies, is constantly monitoring activity across its systems, toward the end of detecting break-ins and hijacks before damage has been done, and even before the owners know that something has gone wrong.”
To its credit, Google was able to retrieve and restore Deb Fallows’ deleted emails. This wasn’t necessarily preferential treatment because of Jim’s contacts within Google—Google has an official “Undeletion Project” to assist people who’ve had their accounts hacked. Last month, Google also began offering a live help line for email recovery.
Fallows ends his article with some practical tips on protecting your cloud-based data. He followed up yesterday with a Q&A-style blog post offering specific recommendations for making your Gmail account more secure. As I said, both of these should be must-reads for anyone using Gmail or other cloud-based services:
Both Jim and Deb are prolific bloggers, and well worth following for the wide-ranging and interesting stories they write: