G Suite admins need to RTFM – thousands expose internal emails

If you're sysadmin of an organisation using Google Groups and G Suite, you need to revisit your configuration to make sure you aren't leaking internal information. That advice comes from Kenna Security, which on June 1 said it found 31 per cent of a sample of 9,600 organisations leaking sensitive e-mail information. The …

  1. ratfox
    Alert

    When enough people make a mistake, it stops being a user issue, and it becomes a UI issue. Maybe putting a big warning sign on the option would be enough to solve most of the issue.

    1. Anonymous Coward
      Anonymous Coward

      There are many good reasons why Amazon has books for migrating from Google Craps to O365 but not vice versa!

      1. Orv Silver badge

        Oddly enough I've been with two places that migrated from O365 to Google, after running both in parallel for years. Reasons seem to be reliability and interoperability problems with O365. (I get the impression Google plays better with existing non-MS infrastructure, and these were large organizations with complex authentication needs -- LDAP, Shibboleth, etc.) O365 developed a reputation for repeatedly botching service updates and being picky about browsers.

  2. Blockchain commentard

    Why is it even an option to expose your private stuff online?

    1. davenewman

      Because not everything people send is private. There are good reasons for a company setting up a public group, such as a discussion list with franchisees, suppliers or customers.

    2. Korev Silver badge
      Coat

      > Why is it even an option to expose your private stuff online?

      You mean you don't?

      Mine's the dirty old one -->

    3. handleoclast
      Coat

      Why is it even an option?

      > Why is it even an option to expose your private stuff online?

      You're not the only person to find himself asking that. It is a question many people, including the guy himself, asked after Anthony Weiner sent dick pics to a minor.

  3. Mark 85

    I'm guessing that the manual was outsourced instead of being done in house. Either to interns who are clueless as to manuals or some place that's cheap.

    1. Anonymous Coward
      Facepalm

      If you feel it's been outsourced, try dealing with some of their "experts".

      I have come across new 1st liners with better problem solving than them.

      Hint:

      Hi, you (Google) have allocated the wrong type of account against our customer login.

      OK sorted that for you, you now need to set up a new one

      It says I can't because I already have an account.

      OK you need to delete the old one.

      I can't because I can no longer login.

      That's because it's no longer associated with your account, you need to create a new one.

      It says I can't because I already have an account.

      OK you need to delete the old one.

      I can't because I can no longer login.

      That's because it's no longer associated with your account, you need to create a new one.

      It says I can't because I already have an account.

      OK you need to delete the old one.

      I can't because I can no longer login.

      That's because it's no longer associated with your account, you need to create a new one.

      It says I can't because I already have an account.

      OK you need to delete the old one.

      I can't because I can no longer login.

      That's because it's no longer associated with your account, you need to create a new one.

      I seriously think I was talking to an early Bot.

  4. T. F. M. Reader

    How confusing can it be?

    "Public on the Internet" vs. "private"... Hmmm... What might that mean?

    To quote the problem description, ...the misconfiguration happens when Groups Visibility is configured to “Public on the Internet”.

    I am sorry, but I don't find this confusing at all. Nor is it “complex terminology”, IMHO. All it is is PEBCAK.

    1. sabroni Silver badge

      Re: All it is is PEBCAK.

      If your user interface design doesn't take users into account then it's not the user's chair and keyboard that delimit the issue, it's yours.

      1. handleoclast

        Re: All it is is PEBCAK.

        > If your user interface design doesn't take users into account...

        I wish I could upvote you more than once.

    2. Orv Silver badge

      Re: How confusing can it be?

      The problem is Google's admin tools don't show you the status of groups in the group list. The only clue you get is a group type of 'Custom', which can mean anything. If you click it, you get another page, which also doesn't tell you the group's permissions. You have to click "Role and permissions" in order to see the settings. This means if you have more than a few groups, it's a very tedious and error-prone process to audit the permissions on them.

      The group owner(s) can change the permissions at any time, so all it takes is one click where someone hits "Anyone on the Internet" instead of "Anyone in the organization" directly below it, or misunderstands the difference between who can post and who can view.

  5. Oneman2Many

    You have to create or set permissions for your group as Team, which is the default, and tick the box that says "Also allow anyone on the internet to post messages". Not really sure what extra training needs to be done to highlight that you are exposing your group to the public internet?

    1. Anonymous Coward
      Anonymous Coward

      Because you can (could, haven't done it for some time) get a bizarre situation where people external to the company get a bounce back if they try to email a group address, unless it was public.

    2. Amos1

      Is there a glossary? If so, how does it have "Public" defined?

      Public: "The seven BILLION people on Planet Earth! No username or password required for anyone."

    3. Orv Silver badge

      Now try auditing several dozen groups to see if anyone ticked that box. It takes two clicks per group just to see what the permissions are. Hope you didn't have plans for the day.
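The two Orv comments above describe the real pain: the admin console shows nothing useful in the group list, so checking dozens of groups by hand is slow and error-prone. Below is an added example (not code from the thread, from Kenna, or from Google) of how a defender would do that audit in bulk. It assumes the per-group settings dicts carry the field names and enum values of the Google Groups Settings API (`whoCanViewGroup`, `whoCanPostMessage`, `whoCanJoin`, `whoCanDiscoverGroup`), that `ANYONE_CAN_VIEW` is what the console's "Public on the Internet" choice maps to, and it runs on constructed sample data rather than fetching anything; in practice you would obtain one dict per group from that API and pass them to `audit()`.

```python
"""Bulk audit of Google Groups sharing settings for Internet exposure.

Added example, not the thread's or Google's code. Field names and enum values
follow the Groups Settings API (assumption); sample data below is constructed.
"""
from dataclasses import dataclass

# Field -> (value meaning "anyone on the Internet", severity, why it matters).
PUBLIC_SETTINGS = {
    "whoCanViewGroup": ("ANYONE_CAN_VIEW", "HIGH",
                        "message archive readable without logging in"),
    "whoCanJoin": ("ANYONE_CAN_JOIN", "HIGH",
                   "outsiders can subscribe themselves and then read as members"),
    "whoCanDiscoverGroup": ("ANYONE_CAN_DISCOVER", "MEDIUM",
                            "group is listed and searchable outside the domain"),
    "whoCanPostMessage": ("ANYONE_CAN_POST", "LOW",
                          "external senders can post; often intended for contact aliases"),
}


@dataclass(frozen=True)
class Finding:
    group: str
    field: str
    value: str
    severity: str
    reason: str


def classify_group(email: str, settings: dict) -> list:
    """Return one Finding per setting that opens this group to the Internet."""
    findings = []
    for field, (public_value, severity, reason) in PUBLIC_SETTINGS.items():
        if settings.get(field) == public_value:
            findings.append(Finding(email, field, public_value, severity, reason))
    return findings


def audit(groups: dict) -> list:
    """groups maps group email -> settings dict. Returns findings, worst first."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = []
    for email, settings in groups.items():
        findings.extend(classify_group(email, settings))
    return sorted(findings, key=lambda f: (order[f.severity], f.group, f.field))


def leaking_groups(groups: dict) -> list:
    """Groups whose archive is readable by anyone: the exposure in the article."""
    return sorted({f.group for f in audit(groups) if f.field == "whoCanViewGroup"})


# Constructed sample: the shape a per-group settings lookup would return.
SAMPLE_GROUPS = {
    "all-staff@example.com": {   # internal list, correctly locked down
        "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
        "whoCanPostMessage": "ALL_IN_DOMAIN_CAN_POST",
        "whoCanJoin": "INVITED_CAN_JOIN",
        "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
    },
    "support@example.com": {     # contact alias: external posting is intended
        "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
        "whoCanPostMessage": "ANYONE_CAN_POST",
        "whoCanJoin": "INVITED_CAN_JOIN",
        "whoCanDiscoverGroup": "ALL_MEMBERS_CAN_DISCOVER",
    },
    "finance@example.com": {     # someone picked "Public on the Internet"
        "whoCanViewGroup": "ANYONE_CAN_VIEW",
        "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
        "whoCanJoin": "INVITED_CAN_JOIN",
        "whoCanDiscoverGroup": "ANYONE_CAN_DISCOVER",
    },
    "devs@example.com": {        # open to self-subscription from outside
        "whoCanViewGroup": "ALL_MEMBERS_CAN_VIEW",
        "whoCanPostMessage": "ALL_MEMBERS_CAN_POST",
        "whoCanJoin": "ANYONE_CAN_JOIN",
        "whoCanDiscoverGroup": "ALL_IN_DOMAIN_CAN_DISCOVER",
    },
}

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"{f.severity:6} {f.group:24} {f.field}={f.value}  ({f.reason})")
    print("Groups leaking their archive:", leaking_groups(SAMPLE_GROUPS))
```

The severities are deliberately split: a readable archive or open self-subscription discloses content, discoverability only reveals that the group exists, and "anyone can post" is the setting the earlier Anonymous Coward comment explains is sometimes wanted for externally reachable addresses, so it is reported but ranked lowest rather than treated as a leak.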

  6. Androgynous Cupboard Silver badge

    It is confusing

    When we moved to Google Apps for email, I'd expected to be managing a mail system like I was familiar with: users, with aliases that apply to a particular user or a set of users. But instead of a "group alias" google has this weird "groups" setting, which seems to try to merge the concepts behind a newsgroup or public mailing list and a simple group alias address.

    Personally I find it annoying and yes, confusing the first time we set it up. If google simply offered a normal group email address like you might find in, for example, exim, sendmail or any of the other systems their customers would be migrating from, this wouldn't have been an issue.

    Oh and for all the clever-clogs saying RTFM - that might have flown when Google Apps launched, but it is showing all the signs you'd expect after all these years: scope creep, poor mergers of acquisitions with different concepts, abandoned approaches etc. in the documentation. You are in a twisty maze of hyperlinks, all alike.

    1. takno

      Re: It is confusing

      To be fair they used to have exactly this functionality and it worked great.

      Sadly, when they introduced the much more marginal case of Google Groups for domains, they decided that since they both had the word "group" in them they must be the same thing, and decided that you can't have both on a domain.

  7. sitta_europea Silver badge

    It wasn't broken.

    Why did anyone think it needed fixing?

  8. GnuTzu

    Defense in Depth

    I've always been very wary of things that allow exposures by a single setting. I generally won't use such products unless forced to.
