Gmail: Security Issue, Not a Big Issue
March 12, 2009
I recall a professor in college describing how one can win a debate by defining terms to leave the opponent without a leg upon which to stand. Try this tactic when you talk about search and today’s trophy and entitlement crowd usually responds with “Knock it off” or “You are wrong.” That’s my experience. Yours may differ because you are exposed to a more enlightened crowd than I. I thought of this “redefining terms” tactic when I read Dancho Danchev’s “Google Downplays Severity of Gmail CSRF Flaw” here. As a former high school and college debate team member, I am appreciative of the utility of defining terms “my way”. Mr. Danchev’s article includes a snippet of Google’s response to yet another Gmail security glitch. Google’s response, if it is accurately presented, explains the security issue in part this way:
We’ve been aware of this report for some time, and we do not consider this case to be a significant vulnerability … Despite the very low chance of guessing a password in this way, we will explore ways to further mitigate the issue. We always encourage users to choose strong passwords, and we have an indicator to help them do this.
The key to this is the definition of “significant vulnerability”. Without defining terms, who can say whether the security issue is a big deal or a little deal? In my opinion, wordsmithing may address perception, but it does not answer the questions this article raised in my mind.
Stephen Arnold, March 12, 2009