Google defends Google Apps security

Google Inc. this week came swinging at critics who have called on the city of Los Angeles to re-think its plan to implement the Google Apps hosted e-mail and office applications due to privacy and security concerns.

In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data, and better maintain its privacy.

"From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors.

Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementation sin the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the City Council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

The controversy centers on a plan by the City of Los Angelesto replace its Novell GroupWise e-mail and Microsoft Office applications with Google Apps. Under the $7.25 million plan, the city will transition about 30,000 users to Google's e-mail and office productivity products by the end of December 2009.

City officials have said that they expect the move will save Los Angeles more than $13 million in software license and manpower costs over the next five years. The plan is expected to be approved by city council members as early as next week and the implementation process is scheduled to begin soon thereafter. If approved, L.A. will become the second major city after L.A. to migrate its applications to Google's cloud infrastructure.

The migration would make Google, which hosts the servers running the applications, responsible for retaining and protecting sensitive health care and litigation data along with criminal and drug investigation records. Since the plan was proposed critics from various organizations, including the Los Angeles Police Department, the City Attorney's office and public interest groups have raised questions about the privacy and security implications of storing sensitive data in the cloud for access via the public Internet. The concerns received a fresh airing following the recent Twitter Inc. security breach caused by an attacker gaining access to a worker's e-mail on the Gmail system hosted by Google. Glotzbach yesterday contended that the concerns have been raised as part of an effort by some rivals and others to spread fear, uncertainty and doubt over the company's cloud computing service.

"There seems to be this sentiment that this was some secret, backroom kind of process," Glotzbach said. Instead, Google won the contract over 15 rival bidders largely because of the security and privacy controls in Google Apps, he added. In fact, as city officials reviewed the contract over the past eight months, Google engineers have been working with the city's technology team and police department representatives to understand and address security and privacy concerns, he said. Glotzbach claimed that Google Apps will offer better data protection than is current available for the city's applications for a number of reasons. For instance, having Google host and manage the applications means the city won't have to worry about installing new security patches, or expend the resources needed to implement them. Similarly, it's harder for hackers to launch attacks on hosted software because they won't know which server or data center is hosting the data, he said.

Botnets infect fewer computers in China

The number of botnets and of computers controlled by them in China has fallen in recent years, though the country remains a top host for the networks of compromised computers, according to the government and independent researchers.

Over 1.2 million computers in China were newly infected with software that enabled their control by a botnet last year, about one-third the figure for the previous year, according to a report published late last month by China's National Computer Network Emergency Response Technical Team (CNCERT).

That followed an equally steep fall from 2006, when the team estimated there were 10 million new infections in China.

The number of Chinese PCs in botnets has fluctuated in recent quarters but generally fallen, said Prabhat Singh, McAfee's senior director of Avert operations in the Asia Pacific. New infections remained steady between the first and second quarters at around 1.6 million, he said.

Botnets, or groups of computers controlled by an attacker, are often used to send mass spam e-mail messages and malware. They can also be used to launch distributed denial of service (DDoS) attacks, in which the PCs are all ordered to connect to a target server at once, overwhelming it with information requests and effectively shutting it down.

New bot infections have dropped in China partly because free anti-virus tools have appeared online, expanding their use by cost-sensitive Chinese PC users, said Zhao Wei, CEO of KnownSec, a Beijing security company.Protection for other PCs has come from Chinese companies offering anti-virus support for users of pirated Windows systems, Zhao said. A large portion of Chinese consumers and businesses run pirated copies of Windows XP, which can be easily bought at electronics markets across China.

Some Chinese companies are sending those users Microsoft's updates without including the Windows Genuine Advantage program, which blocks access to certain updates if a user's operating system does not validate, Zhao said.

China may still have more botnets than statistics show. The growing number of botnets controlled through Web servers, rather than through IRC (Internet Relay Chat) servers, may not be fully included in some counts, said Zhao.

Zhao's company last year found one Chinese server controlling a botnet of 4 million PCs, which could have included machines both in China and abroad, Zhao said. The botnet disappeared when Zhao's staff started tracking it, he said.

Botnets are usually much smaller, said Vu Nguyen, a McAfee Avert Labs researcher. Attackers usually keep them below 2,500 machines to avoid drawing attention by directing massive traffic, he said.

Chinese attackers sometimes rent their botnets out to customers, Nguyen said. Others advertise botnet setup services online for as little as 250 yuan (US$37), said McAfee's Singh.

CNCERT also found a drop in the number of servers controlling botnets in China. The number was 1,825 last year, sharply down from 6,660 the year before, according to the CNCERT report.

China ranks among the world's top spam generators and is home to some companies offering "bulletproof" hosting, in which domains are not closed down for activities like sending spam.