
Major University Dumps Gmail Over Security Concerns - transburgh
http://mashable.com/2010/05/05/uc-davis-gmail/
======
va_coder
Your email may be less secure in the hands of a local sysadmin than with a
company like Google, which has a valuable reputation to defend and
sophisticated systems in place to guard your data.

A legitimate reason to not use Google is their history of less than perfect
customer service; they excel in technology, not in customer service.

~~~
zerokyuu
I completely agree. My university required you to change your password every
90 days. Not such a bad idea; however, they compare your new password against
all previous passwords to make sure they are significantly different (e.g. you
can't change your password from abcdefg to abcdeff). I'm assuming this means
they save your passwords in clear text somewhere. Not exactly the type of
people I'd trust with sensitive information.

EDIT: meastham makes a good point and he/she could definitely be right about
generating hashes of all slight variations of each password. In response to
what fname said, I'm wondering if there are any security concerns about being
able to find similarities in hashes for similar passwords.

~~~
nopassrecover
Why are you assuming that? You can compare hashes ("does the encrypted version
of what they entered as a new password equal any of the encrypted previous
passwords").

~~~
lftl
If by hash you mean a one-way hashing system, then he did say _significantly
different_ and not just different. You couldn't do that with any common
one-way hash.

~~~
nopassrecover
You're correct, I didn't understand what he meant by significantly different
until you pointed it out because I have never encountered a system that didn't
allow me to have a "similar password". However, I have encountered ones where
my new password could not contain previous passwords, so unless they are
hashing each component of my password and comparing, this probably does
indicate clear-text storage.
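
The variant-hashing approach raised in this sub-thread, as an added example that is not part of any comment here: the server stores only salted hashes, and at change time it hashes every string within one edit of the new password against each stored salt. The one-edit threshold, PBKDF2 parameters, function names and sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import string

ITERATIONS = 1_000  # assumption: kept low so the demo runs fast; real deployments use far more
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def hash_password(password, salt=None):
    """Return (salt, digest); only this pair is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(candidate, record):
    salt, digest = record
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)

def near_variants(password):
    """Every string within one edit (insert, substitute, delete) of password."""
    out = {password}
    for i in range(len(password) + 1):
        for c in ALPHABET:
            out.add(password[:i] + c + password[i:])          # insertion
            if i < len(password):
                out.add(password[:i] + c + password[i + 1:])  # substitution
        if i < len(password):
            out.add(password[:i] + password[i + 1:])          # deletion
    return out

def too_similar(new_password, history):
    """True if new_password is within one edit of any previously used password."""
    variants = near_variants(new_password)
    return any(verify(v, record) for record in history for v in variants)

# Constructed sample history: the server holds salted hashes only.
HISTORY = [hash_password(p) for p in ("abcdefg", "hunter2")]

if __name__ == "__main__":
    for attempt in ("abcdeff", "hunter22", "zq9!Lmw"):
        print(attempt, "rejected" if too_similar(attempt, HISTORY) else "accepted")
```

Each check costs one slow hash per variant per history entry (over a thousand for a seven-character password), so the similarity radius is bounded by how much hashing time the server can spend on a password change.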

------
m0nty
That article is fairly info-lite, even after visiting the source article
(linked from OP). So "members of the faculty were concerned that it wouldn’t
keep their correspondence private enough" but they don't say _why_ they feel
that way or suggest there's any actual _evidence_ of lax security. The Google
Buzz thing is a red herring since UCD weren't using that anyway, and as an
apps administrator you can say which services your users are allowed to use.

I do have an interest in this: I'm about to move a campus to Gmail. I have no
evidence it's less secure than the Exchange/Postfix systems it will be
replacing, and I suspect in many ways it is more secure. I would welcome
evidence to the contrary but the OP doesn't have any. This sounds like a bunch
of people who don't understand "hacking" making loud about how the cloud just
_has_ to be less secure than their in-house systems.

~~~
bmj
Part of it may be the association of Google with web search--people may think
that if Google is processing email, it can become part of search results.

My employer uses a hosted Exchange service, and I've not heard anyone raise a
peep about privacy concerns. I suspect, however, that if we decided to move to
Google Mail, people would raise the same sort of concerns.

~~~
m0nty
Well, my current strategy is to migrate users when we give them new PCs this
summer, then only tell them about the change later. Much later. Initially
they'll be using Outlook to access email; they can use the web interface later
if they want to. Why would they be interested in which email backend we're
using? The trouble with asking them, or informing them in a way which suggests
I want their opinion, is that it very quickly just becomes a beauty contest,
where I have sound technical and financial reasons to make the move.

------
Adaptive
There are privacy issues, certainly, but as with the recent Yale rejection of
Google Apps, I'd suggest we're not getting the full picture in this article.

Keep in mind that, as with any IT department in a large organization, there
are vested interests to protect and outsourcing infrastructure can often be
seen as a threat.

Holding up privacy as the showstopper is a bit of a straw man. I could easily
list a bunch of reasons why keeping mail service local has major downsides and
security concerns.

I'm not assuming that the IT dept in question had covert motives in this, just
noting that we certainly aren't getting all the information in this situation.

------
scscsc
Actually the problem is too much privacy. University staff have access to your
email without any problem if you store it on their system. However, on
Google's system, they can't access it at all. They probably don't like this
very much.

------
mambodog
After having to endure my university's switch to Live@Edu (Outlook Webaccess
in cloud) I can only envy those that would be so lucky to have Gmail for their
uni email service.

~~~
SandB0x
Yes! My university uses Live, or whatever it's called this year and it sucks
in a majestic fashion. Different versions open in different browsers, the
mobile site just doesn't work at all, there's an enormous redirection song and
dance when logging in. Loads of _basic usability flaws_. Want to archive an
email and create a new folder at the same time? Not possible. Oh and it's down
far too often.

The only reason I don't pump it through my Gmail account is the level of crap
that gets sent on mailing lists.

------
yesimahuman
I have this thought in my mind that google is looking at and using my email
for its own purposes. I have a google apps account for my business (free).

While I understand they do use my information for advertising purposes, is
that the extent of it? Am I just misguided? I don't really think there is
anything to worry about, but I don't _trust_ them. Should I?

~~~
rue
Personally, I do not. The data will be there for when (not if) someone -
Google or other - decides to use it for worse purposes.

There are several options, so there is no need to subject yourself to those
concerns.

