18 August 2018

Lying About "Security" Is Evil

… and that's totally inappropriate for a company with an alleged directive to its employees to "not be evil," Googleminions. Especially when the purported "security advice" is sent in a multi-level insecure form. In no particular order:

  • When you send me an e-mail imploring me to improve my security practices, do not send it as an HTML-formatted e-mail with both embedded graphics and a bunch of links, some of which do not match the display because there are session cookies embedded in the code. Including a direct link to log in to the account… which is exactly how phishing schemes work.
  • Do not generically classify a POP e-mail reader — that enables me to read e-mail as plain text (so that the code differences are startlingly visible, as in the free Thunderbird e-mail client) — as a "less-secure app." It may well be a "less-remunerative app because POP users don't see all of our ads or get all of our tracking cookies," but that is not the same thing as — or even closely related to — "less secure." (And the less said about the number of phishing schemes, malware-infested/pointing messages, and just plain spam that my client filters out that your own system doesn't, the better.)
  • As a bonus, using POP means one does not stay logged in to the central server constantly, so no penetration of the central server will necessarily enable access to anything of mine. Unjustifiably arrogant about your own security practices much? (Hint: I've hacked your system testing my own security.)
  • While we're on the subject of "inherently less secure," I've turned off every location-tracker on my phone, including half a dozen that aren't documented. I'm increasingly pissed off at your imprecations that I enable what you misleadingly and incorrectly call two-factor authentication for my Google accounts that would decrease security both by disclosing an unlisted number to you (the phone's Android activation is via a throw-away account accessed only fleetingly via a VPN) and requiring me to turn that location-tracking back on, because your purported two-factor authentication doesn't work if location-tracking is disabled.
  • When I wipe cookies off my system during an OS reinstall, or use a VPN on a public network when away from home (spoofing the IP address to look like one of your business partners!), don't block access to my more-secure-than-your-system-presumes POP reader (see the second and third bullet points above) on the ground that my device is "unrecognized" (even though retrieving the MAC address is trivial, and don't pretend otherwise)… especially when I've routed the VPN connection through, say, Dallas to hide my actual location as an additional security measure. Needless to say, I'm at least 1000km from Dallas at all relevant times.
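The first bullet's complaint about links whose visible text does not match their target, and about session tokens riding along in the query string, is exactly the check a mail filter or a cautious reader can automate. The following is an added example (not code from this post or from Google) that walks the anchors of an HTML message with Python's standard-library parser and flags both conditions; the sample message, the token-parameter names and the "looks like a URL" heuristic are all assumptions constructed for the illustration.

```python
"""Flag anchors in an HTML e-mail whose displayed text points at a different
host than the href, and links that carry session-like tokens in the query.
Added example with constructed heuristics and a constructed sample message."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query-parameter names that commonly carry a session or login token.
# Assumed heuristic list, not an exhaustive or authoritative one.
TOKEN_PARAMS = {"sid", "session", "token", "auth", "login", "ticket"}

# Visible text that a reader would take to be a URL or domain (assumed pattern).
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_text):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def audit_links(html):
    """Return a list of (kind, visible_text, href) findings.

    kind is 'display-mismatch' when the visible text reads as a URL whose
    host differs from the href's host, or 'embedded-token' when the href
    carries a session-like parameter in its query string.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        href_host = _host(href)
        if URLISH.match(text) and _host(text) != href_host:
            findings.append(("display-mismatch", text, href))
        params = {k.lower() for k in parse_qs(urlparse(href).query)}
        if params & TOKEN_PARAMS:
            findings.append(("embedded-token", text, href))
    return findings


# Constructed sample: one anchor with a session id in the query, one tracking
# redirect whose displayed text names a different host, one benign link.
SAMPLE_EMAIL = """
<p>Improve your account security.</p>
<a href="https://accounts.example.com/signin?sid=abc123def">accounts.example.com/signin</a>
<a href="https://trk.example-ads.test/c?u=42">https://mail.example.com/</a>
<a href="https://support.example.com/security">Learn more</a>
"""

if __name__ == "__main__":
    for kind, text, href in audit_links(SAMPLE_EMAIL):
        print(f"{kind:17} {text!r} -> {href}")
```

Reading mail as plain text, as the second bullet recommends, makes the same mismatch visible by eye; this check just does the comparison mechanically, and a hit on either finding is a reason not to click through from the message at all.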

Googleminions, your credibility on "security" is just about as good as the TSA's. Stop pretending that the "security advice" you're offering is anything other than "improved data collection validation." And the less said about any other aspect of your "security" systems — such as not enabling comments on websites through Google account verification if location data is turned off, and your continued unwillingness to mention the terms "EEFI" and "traffic analysis" (PDF) anywhere because their provenance as intelligence-gathering and covert-surveillance tools just might tip people off to what's really going on — the better. I'm less worried about the "surveillance state" than the "surveillance industry"… and, sadly, Google is actually a relatively good citizen in that industry. Or at least somewhat less evil than the default.

The irony of posting this screed through a Google-controlled system is purely intentional.