Yikes. A release in November introduced an API bug that was active for about 6 days, impacting 52.5 million users.
* With respect to this API, apps that requested permission to view profile information that a user had added to their Google+ profile—like their name, email address, occupation, age (full list here)—were granted permission to view profile information about that user even when set to not-public.
* In addition, apps with access to a user's Google+ profile data also had access to the profile data that had been shared with the consenting user by another Google+ user but that was not shared publicly.
> We discovered this bug as part of our standard and ongoing testing procedures and fixed it within a week of it being introduced. No third party compromised our systems, and we have no evidence that the app developers that inadvertently had this access for six days were aware of it or misused it in any way.
Again, this is poor reporting. It's newsworthy that Google+ found and disclosed a vulnerability in its own code, but there is no norm for reporting internally-discovered vulnerabilities and few companies reliably do it, especially in SAAS platforms where there's no end-user patching activity that needs to be motivated.
There's a colorable argument that you don't even want this to be a norm, because of the incentive problems it creates:
Regardless: bear in mind that you haven't even heard about a fraction of the horrible vulnerabilities internal teams at tech companies have discovered over the years.
As someone in the heart of trying to help people get off G+, what's particularly newsworthy is that after two full months (and two days) of radio silence on the Google+ sunset, the first substantive comment from Google is ... that the sunset has been advanced by four months.
We'd be recommending people be starting their migrations by Feb - May, and now they've got to complete them by April. That's something of a PITA.
There are 7.9 million Google+ Communities. Sure, 3.9 million of those are 1 (or fewer) users, but that leaves tens of thousands of 1,000 or more members. Even at only a few percent of those as active, that's a lot of communities and people involved. And Google+ has no effective community migration process.
There's a lot of great content on Google+. Is anyone working on a script to archive some of it before it all goes away? Perhaps the fine folks at the Internet Archive (Wayback Machine)?
Specifically, I'm wondering if someone's working on a script that does the following:
- Ideally for each post URL given, it would preserve the post, and the comments (including the first few ones, not just the last few ones that are shown by default). It would be nice if it also preserves the +1s (including who +1d them), but that's optional.
- And given a user, it would do the above for each (public) post of the user, or (optionally) use your account to save (just for yourself) the posts that you can see.
There were a lot of people posting great stuff on G+ and resulting in wonderful thoughtful conversations (especially a couple of years ago), it would be a shame to lose all that permanently.
They didn't "mess up" in either instance. Both times, they did exactly what you'd want a professional software team to do: they caught their own bugs, internally, and immediately fixed them.
There was drama in the first instance because they didn't immediately disclose the bug. But disclosure of internally-discovered vulnerabilities in SAAS products isn't a norm. You see disclosure of bugs in consumer products, like the ones Apple issues, because they have to be disclosed to motivate end-user patching. That's not the case for serverside bugs, and you haven't heard about virtually any of the horrible vulnerabilities internal teams at tech companies have caught.
I think you are falling for Google's marketing efforts with a statement like this. Project Zero, where all the positive association around Google's security comes from, has little to do with their product security. Their product security hasn't been so stellar, just look at Android. And don't forget the entire company was breached for a while without them knowing. Just trying to put things into perspective.
My opinion is that, given the infrastructure and practices we have, anything that is in digital form will be eventually hacked in one way or another. It is just a matter of time. Unfortunately the best security team can't do anything about it.
What makes you think that Google has the best security team? Anecdotally some of their competitors appear to have a much better track record.
There is also a difference between "having a team of the best security people" and "having an organization that is best at security". I suspect Google is much more the prior and very little of the latter.
Does anyone know how or if this will affect OAuth2 logins? Several of the sites I run rely on Google OAuth2 and get the user's avatar using Google APIs. It's a simple thing that does not require Google+ but it's unclear to me how it will be affected.
What is this, the 3rd or 4th social network Google has failed at?
It won't be affected. Google spent the last few years decoupling every useful G+ feature into standalone services, the account feature to me looks completely separate nowadays. Besides, without the OAuth provider, tons of integrations (that Google actively want on their products) would break.
G+ was such a silly play, when you consider that Google already had the key to centralized identity all along: the ubiquitous GMail account. They will continue to push that for sure.
This is why I gave up on OAuth. In theory it's nice to have somebody else manage your user accounts, but even Facebook, which is not in imminent risk of a shutdown, changes its API response periodically.
It amazes me that a company with all the resources that Google has repeatedly coming up with ideas and doing absolutely nothing effective with them. They've had some winners, like Chrome, and their acquisition of Youtube eventually paid off, but something as simple as a social media site and the best they can come up with from scratch is Google+.
As I understand it, Google is not well optimized for putting out new mass market customer-facing services and keeping them going. Their entire organizational hierarchy actually runs counter to this very idea, and you know, people at Google are just like people everywhere else. That is to say, they are just people.
The fact that every now and then they have a success speaks better of the specific team driving it than it does of Google as a whole organization. That is usually the case with any corporation though.
So basically, you can have all the resources in the world, but if you’re not organized well, then you will not accomplish your goals more efficiently than your smaller competitors. The fact that your competitors are comparatively resource starved probably helps them optimize better than you can, because what is just a side project to you is their entire existence to them.
I don't know what you mean? The G+ UI is pretty good, certainly a lot better than Facebook was at the time when G+ launched. For a while, a lot of people were happy there, particularly in certain niches like photography.
It's a shame the implementation was so complex (apparently) that now it can't be easily maintained. This does seem to happen to Google a lot. It probably has more to do with too many resources, rather than not enough.
But maybe it's not simple to compete with Facebook. Maybe this has little to do with technology.
I've never worked at Google, but some of the commentary I've seen from people who have worked there suggests that performance reviews and promotions (at the senior levels) are heavily gated on your roles in releasing new products to users, with maintenance of existing products factoring in very little, if at all.
G+ wasn't that bad, technically speaking. They just failed at managing the political aspects of it, focusing too brutally on their own requirements, to the detriment of users' own: "we want your real names, so we can be the authority of record for everything! And we won't let you hack anything of importance on top of the platform, because we want our content clean!"... Compare with the free-for-all hacking bonanza that early twitter was, or the spam machine that Facebook is - social networks are powered by oversharing, an activity that G+ actively resisted in many different ways.
But technically speaking, they had the best support for high-quality photos, good features for private groups, and a few other wins on features like Hangouts.
Ironically, this is exactly the attitude that led Google to fail in social media! Why do you think it's simple? Because you think it's technologically simple?
According to my taste and requirements Google+ is (or was before they started adding unnecessary complexity to its model) by far the best social network I've ever seen. In fact "It amazes me that a company with all the resources that Google has repeatedly…" behaved like "the president of Madagascar" shutting down everything...[1]
They could have done so much more with Google+ ... The hype was real up until launch. Really wish they had done things a little differently. Oh well... With all these leaks, I'm actually really glad they weren't successful with this.
I admit I actually rather liked Google+, for certain communities it was really active and well suited. However now that Google is decoupled and free from G+ shackles, it has really room to take off and grow in new areas, which is exciting to see. eg G+ logins will now be returned to G or Gmail branding, probably dramatically increases consumer confidence and mindshare, and other stuff. Developer teams can be fully redeployed to other products etc. Building of "micro" communities within Maps, YouTube, etc will accelerate, and that's really where it should be, rather than forced to accede to G+ product area.
What are some good alternatives to Google+? I mean microblogs with subscribers/followers instead of friends, without a strict message length limit, with first-class comments, letting you edit your posts and comments after you submit them and limit access to a particular post to a specific group of people?
Does anyone know of a good way to archive a Google+ group? There is a bunch of good info about hacking the Kankun smart plug that I would like to preserve.
I really don't care what they do with the consumer version (who uses it?), but I'd like to see mapping and wayfinding features added to the paid GSuite version.
It's like most of us live behind this wall of our behavior online, like it isn't shared unless there is a hack.
But it's sold, shared and traded without us knowing it, and used to display a reality tailored to us with the unintended consequence of us living in a bubble and not seeing much outside the edge of the bubble.
[+] [-] jdp23|7 years ago|reply
[+] [-] morley|7 years ago|reply
[+] [-] tamrix|7 years ago|reply
[+] [-] tptacek|7 years ago|reply
http://flaked.sockpuppet.org/2018/10/09/internal-disclosure-...
[+] [-] dredmorbius|7 years ago|reply
https://social.antefriguserat.de/index.php/Exodus_Planning_a...
Source on communities: I counted them myself, well, via sampling: https://old.reddit.com/r/plexodus/comments/9zx67d/google_com...
[+] [-] fotbr|7 years ago|reply
Does the shutdown of Google+ mean that Google Search users will get the + operator back?
[+] [-] pas|7 years ago|reply
[+] [-] pmarreck|7 years ago|reply
[+] [-] svat|7 years ago|reply
(If someone doubts this: see e.g. (if you're interested in mathematics) the posts by https://plus.google.com/+TerenceTao27 https://plus.google.com/+TimothyGowers0 https://plus.google.com/+johncbaez999 etc, or https://plus.google.com/+DanPiponi for more CS-y stuff, or for more "general" stuff https://plus.google.com/+YonatanZunger etc -- and for all these people, especially in 2015-2016 or so.)
Edit: You can download your own content using Google Takeout https://takeout.google.com. Just learnt of these other places where this question has been asked / is being asked: this G+ community (https://plus.google.com/communities/112164273001338979772) and this wiki (https://social.antefriguserat.de/index.php/Main_Page) -- if you have any answers those may be good places to post too :-)
[+] [-] jacquesm|7 years ago|reply
If this is the company with the best security team in the world does that mean we should simply abandon all hope?
[+] [-] tptacek|7 years ago|reply
[+] [-] kerng|7 years ago|reply
[+] [-] coliveira|7 years ago|reply
[+] [-] Arelius|7 years ago|reply
[+] [-] cosmotron|7 years ago|reply
[+] [-] jcoffland|7 years ago|reply
[+] [-] toyg|7 years ago|reply
[+] [-] humanbeinc|7 years ago|reply
[+] [-] MiddleEndian|7 years ago|reply
[+] [-] Cheyana|7 years ago|reply
[+] [-] SllX|7 years ago|reply
[+] [-] skybrian|7 years ago|reply
[+] [-] keerthiko|7 years ago|reply
um "simple"? walks off cackling maniacally into the sunset
[+] [-] jcranmer|7 years ago|reply
[+] [-] toyg|7 years ago|reply
[+] [-] chubot|7 years ago|reply
[+] [-] wmeredith|7 years ago|reply
[+] [-] reaperducer|7 years ago|reply
[+] [-] qwerty456127|7 years ago|reply
[1] https://knowyourmeme.com/memes/shut-down-everything
[+] [-] nullsmack|7 years ago|reply
[+] [-] hdpq|7 years ago|reply
[+] [-] garysahota93|7 years ago|reply
[+] [-] toyg|7 years ago|reply
[+] [-] shemnon42|7 years ago|reply
[+] [-] afniljl|7 years ago|reply
[+] [-] qwerty456127|7 years ago|reply
[+] [-] mikewhy|7 years ago|reply
[+] [-] qwerty456127|7 years ago|reply
[+] [-] ccnafr|7 years ago|reply
[+] [-] harbie|7 years ago|reply
[+] [-] pmarreck|7 years ago|reply
[+] [-] newman314|7 years ago|reply
[+] [-] dredmorbius|7 years ago|reply
There are some tools.
https://social.antefriguserat.de/index.php/Data_Migration_Pr...
[+] [-] mc32|7 years ago|reply
[+] [-] DSingularity|7 years ago|reply
[+] [-] dana321|7 years ago|reply
This site is a great example of bubble breaking.