<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:copyright="http://blogs.law.harvard.edu/tech/rss" xmlns:image="http://purl.org/rss/1.0/modules/image/">
    <channel>
        <title>Security</title>
        <link>http://blogs.interakting.co.uk/steve/category/58.aspx</link>
        <description>All topics relating to security including cryptography, process and technical considerations</description>
        <language>en-GB</language>
        <copyright>Stephen Horsfield</copyright>
        <managingEditor>stephen.horsfield@interakting.co.uk</managingEditor>
        <generator>Subtext Version 1.9.5.177</generator>
        <item>
            <title>Security: Google retracts its privacy clauses</title>
            <link>http://blogs.interakting.co.uk/steve/archive/2008/09/04/security-google-retracts-its-privacy-clauses.aspx</link>
            <description>&lt;p&gt;Since yesterday, and my post about Google Chrome, Google has updated its terms and conditions and removed the clauses.  See my previous post here: &lt;a title="http://blogs.interakting.co.uk/steve/archive/2008/09/03/security-how-much-do-you-trust-google.aspx" href="http://blogs.interakting.co.uk/steve/archive/2008/09/03/security-how-much-do-you-trust-google.aspx"&gt;Security: How much do you trust Google?&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Privacy clauses&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Section 11 has been completely rewritten.  Note that this is the only change in the terms of service; even the date has not been changed:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;11. Content license from you&lt;/strong&gt; &lt;/p&gt;
&lt;p&gt;11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. &lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Looks a bit different to the previous clause.  Specifically, the following has been removed:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;11.1 ... By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.&lt;/p&gt;
&lt;p&gt;11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.&lt;/p&gt;
&lt;p&gt;11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions.&lt;/p&gt;
&lt;p&gt;11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above license.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;Terms and conditions (still dated 15 August 2008) in full&lt;/strong&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;h5&gt;Google Chrome Terms of Service&lt;/h5&gt;
&lt;p&gt;These Terms of Service apply to the executable code version of Google Chrome. Source code for Google Chrome is available free of charge under open source software license agreements at &lt;a href="http://code.google.com/chromium/terms.html"&gt;http://code.google.com/chromium/terms.html&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;1. Your relationship with Google&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;1.1 Your use of Google’s products, software, services and web sites (referred to collectively as the “Services” in this document and excluding any services provided to you by Google under a separate written agreement) is subject to the terms of a legal agreement between you and Google. “Google” means Google Inc., whose principal place of business is at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. This document explains how the agreement is made up, and sets out some of the terms of that agreement.&lt;/p&gt;
&lt;p&gt;1.2 Unless otherwise agreed in writing with Google, your agreement with Google will always include, at a minimum, the terms and conditions set out in this document. These are referred to below as the “Universal Terms”. Open source software licenses for Google Chrome source code constitute separate written agreements. To the limited extent that the open source software licenses expressly supersede these Universal Terms, the open source licenses govern your agreement with Google for the use of Google Chrome or specific included components of Google Chrome.&lt;/p&gt;
&lt;p&gt;1.3 Your agreement with Google will also include the terms of any Legal Notices applicable to the Services, in addition to the Universal Terms. All of these are referred to below as the “Additional Terms”. Where Additional Terms apply to a Service, these will be accessible for you to read either within, or through your use of, that Service.&lt;/p&gt;
&lt;p&gt;1.4 The Universal Terms, together with the Additional Terms, form a legally binding agreement between you and Google in relation to your use of the Services. It is important that you take the time to read them carefully. Collectively, this legal agreement is referred to below as the “Terms”.&lt;/p&gt;
&lt;p&gt;1.5 If there is any contradiction between what the Additional Terms say and what the Universal Terms say, then the Additional Terms shall take precedence in relation to that Service.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;2. Accepting the Terms&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;2.1 In order to use the Services, you must first agree to the Terms. You may not use the Services if you do not accept the Terms.&lt;/p&gt;
&lt;p&gt;2.2 You can accept the Terms by:&lt;/p&gt;
&lt;p&gt;(A) clicking to accept or agree to the Terms, where this option is made available to you by Google in the user interface for any Service; or&lt;/p&gt;
&lt;p&gt;(B) by actually using the Services. In this case, you understand and agree that Google will treat your use of the Services as acceptance of the Terms from that point onwards.&lt;/p&gt;
&lt;p&gt;2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google, or (b) you are a person barred from receiving the Services under the laws of the United States or other countries including the country in which you are resident or from which you use the Services.&lt;/p&gt;
&lt;p&gt;2.4 Before you continue, you should print off or save a local copy of the Universal Terms for your records.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;3. Language of the Terms&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;3.1 Where Google has provided you with a translation of the English language version of the Terms, then you agree that the translation is provided for your convenience only and that the English language versions of the Terms will govern your relationship with Google.&lt;/p&gt;
&lt;p&gt;3.2 If there is any contradiction between what the English language version of the Terms says and what a translation says, then the English language version shall take precedence.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;4. Provision of the Services by Google&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;4.1 Google has subsidiaries and affiliated legal entities around the world (“Subsidiaries and Affiliates”). Sometimes, these companies will be providing the Services to you on behalf of Google itself. You acknowledge and agree that Subsidiaries and Affiliates will be entitled to provide the Services to you.&lt;/p&gt;
&lt;p&gt;4.2 Google is constantly innovating in order to provide the best possible experience for its users. You acknowledge and agree that the form and nature of the Services which Google provides may change from time to time without prior notice to you.&lt;/p&gt;
&lt;p&gt;4.3 As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services.&lt;/p&gt;
&lt;p&gt;4.4 You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account.&lt;/p&gt;
&lt;p&gt;4.5 You acknowledge and agree that while Google may not currently have set a fixed upper limit on the number of transmissions you may send or receive through the Services or on the amount of storage space used for the provision of any Service, such fixed upper limits may be set by Google at any time, at Google’s discretion.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;5. Use of the Services by you&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;5.1 In order to access certain Services, you may be required to provide information about yourself (such as identification or contact details) as part of the registration process for the Service, or as part of your continued use of the Services. You agree that any registration information you give to Google will always be accurate, correct and up to date.&lt;/p&gt;
&lt;p&gt;5.2 You agree to use the Services only for purposes that are permitted by (a) the Terms and (b) any applicable law, regulation or generally accepted practices or guidelines in the relevant jurisdictions (including any laws regarding the export of data or software to and from the United States or other relevant countries).&lt;/p&gt;
&lt;p&gt;5.3 You agree not to access (or attempt to access) any of the Services by any means other than through the interface that is provided by Google, unless you have been specifically allowed to do so in a separate agreement with Google. You specifically agree not to access (or attempt to access) any of the Services through any automated means (including use of scripts or web crawlers) and shall ensure that you comply with the instructions set out in any robots.txt file present on the Services.&lt;/p&gt;
&lt;p&gt;5.4 You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services).&lt;/p&gt;
&lt;p&gt;5.5 Unless you have been specifically permitted to do so in a separate agreement with Google, you agree that you will not reproduce, duplicate, copy, sell, trade or resell the Services for any purpose.&lt;/p&gt;
&lt;p&gt;5.6 You agree that you are solely responsible for (and that Google has no responsibility to you or to any third party for) any breach of your obligations under the Terms and for the consequences (including any loss or damage which Google may suffer) of any such breach.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;6. Your passwords and account security&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;6.1 You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services.&lt;/p&gt;
&lt;p&gt;6.2 Accordingly, you agree that you will be solely responsible to Google for all activities that occur under your account.&lt;/p&gt;
&lt;p&gt;6.3 If you become aware of any unauthorized use of your password or of your account, you agree to notify Google immediately at &lt;a href="http://www.google.com/support/accounts/bin/answer.py?answer=48601"&gt;http://www.google.com/support/accounts/bin/answer.py?answer=48601&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;7. Privacy and your personal information&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;7.1 For information about Google’s data protection practices, please read Google’s privacy policy at &lt;a href="http://www.google.com/privacy.html"&gt;http://www.google.com/privacy.html&lt;/a&gt;. This policy explains how Google treats your personal information, and protects your privacy, when you use the Services.&lt;/p&gt;
&lt;p&gt;7.2 You agree to the use of your data in accordance with Google’s privacy policies.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;8. Content in the Services&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;8.1 You understand that all information (such as data files, written text, computer software, music, audio files or other sounds, photographs, videos or other images) which you may have access to as part of, or through your use of, the Services are the sole responsibility of the person from which such content originated. All such information is referred to below as the “Content”.&lt;/p&gt;
&lt;p&gt;8.2 You should be aware that Content presented to you as part of the Services, including but not limited to advertisements in the Services and sponsored Content within the Services may be protected by intellectual property rights which are owned by the sponsors or advertisers who provide that Content to Google (or by other persons or companies on their behalf). You may not modify, rent, lease, loan, sell, distribute or create derivative works based on this Content (either in whole or in part) unless you have been specifically told that you may do so by Google or by the owners of that Content, in a separate agreement.&lt;/p&gt;
&lt;p&gt;8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service. For some of the Services, Google may provide tools to filter out explicit sexual content. These tools include the SafeSearch preference settings (see &lt;a href="http://www.google.com/help/customize.html#safe"&gt;http://www.google.com/help/customize.html#safe&lt;/a&gt;). In addition, there are commercially available services and software to limit access to material that you may find objectionable.&lt;/p&gt;
&lt;p&gt;8.4 You understand that by using the Services you may be exposed to Content that you may find offensive, indecent or objectionable and that, in this respect, you use the Services at your own risk.&lt;/p&gt;
&lt;p&gt;8.5 You agree that you are solely responsible for (and that Google has no responsibility to you or to any third party for) any Content that you create, transmit or display while using the Services and for the consequences of your actions (including any loss or damage which Google may suffer) by doing so.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;9. Proprietary rights&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;9.1 You acknowledge and agree that Google (or Google’s licensors) own all legal right, title and interest in and to the Services, including any intellectual property rights which subsist in the Services (whether those rights happen to be registered or not, and wherever in the world those rights may exist). You further acknowledge that the Services may contain information which is designated confidential by Google and that you shall not disclose such information without Google’s prior written consent.&lt;/p&gt;
&lt;p&gt;9.2 Unless you have agreed otherwise in writing with Google, nothing in the Terms gives you a right to use any of Google’s trade names, trade marks, service marks, logos, domain names, and other distinctive brand features.&lt;/p&gt;
&lt;p&gt;9.3 If you have been given an explicit right to use any of these brand features in a separate written agreement with Google, then you agree that your use of such features shall be in compliance with that agreement, any applicable provisions of the Terms, and Google's brand feature use guidelines as updated from time to time. These guidelines can be viewed online at &lt;a href="http://www.google.com/permissions/guidelines.html"&gt;http://www.google.com/permissions/guidelines.html&lt;/a&gt; (or such other URL as Google may provide for this purpose from time to time).&lt;/p&gt;
&lt;p&gt;9.4 Other than the limited license set forth in Section 11, Google acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under these Terms in or to any Content that you submit, post, transmit or display on, or through, the Services, including any intellectual property rights which subsist in that Content (whether those rights happen to be registered or not, and wherever in the world those rights may exist). Unless you have agreed otherwise in writing with Google, you agree that you are responsible for protecting and enforcing those rights and that Google has no obligation to do so on your behalf.&lt;/p&gt;
&lt;p&gt;9.5 You agree that you shall not remove, obscure, or alter any proprietary rights notices (including copyright and trade mark notices) which may be affixed to or contained within the Services.&lt;/p&gt;
&lt;p&gt;9.6 Unless you have been expressly authorized to do so in writing by Google, you agree that in using the Services, you will not use any trade mark, service mark, trade name, logo of any company or organization in a way that is likely or intended to cause confusion about the owner or authorized user of such marks, names or logos.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;10. License from Google&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;10.1 Google gives you a personal, worldwide, royalty-free, non-assignable and non-exclusive license to use the software provided to you by Google as part of the Services as provided to you by Google (referred to as the “Software” below). This license is for the sole purpose of enabling you to use and enjoy the benefit of the Services as provided by Google, in the manner permitted by the Terms.&lt;/p&gt;
&lt;p&gt;10.2 You may not (and you may not permit anyone else to) copy, modify, create a derivative work of, reverse engineer, decompile or otherwise attempt to extract the source code of the Software or any part thereof, unless this is expressly permitted or required by law, or unless you have been specifically told that you may do so by Google, in writing.&lt;/p&gt;
&lt;p&gt;10.3 Unless Google has given you specific written permission to do so, you may not assign (or grant a sub-license of) your rights to use the Software, grant a security interest in or over your rights to use the Software, or otherwise transfer any part of your rights to use the Software.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;11. Content license from you&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. &lt;/p&gt;
&lt;p&gt;&lt;strong&gt;12. Software updates&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;12.1 The Software which you use may automatically download and install updates from time to time from Google. These updates are designed to improve, enhance and further develop the Services and may take the form of bug fixes, enhanced functions, new software modules and completely new versions. You agree to receive such updates (and permit Google to deliver these to you) as part of your use of the Services.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;13. Ending your relationship with Google&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;13.1 The Terms will continue to apply until terminated by either you or Google as set out below.&lt;/p&gt;
&lt;p&gt;13.2 If you want to terminate your legal agreement with Google, you may do so by (a) notifying Google at any time and (b) closing your accounts for all of the Services which you use, where Google has made this option available to you. Your notice should be sent, in writing, to Google’s address which is set out at the beginning of these Terms.&lt;/p&gt;
&lt;p&gt;13.3 Google may at any time, terminate its legal agreement with you if:&lt;/p&gt;
&lt;p&gt;(A) you have breached any provision of the Terms (or have acted in manner which clearly shows that you do not intend to, or are unable to comply with the provisions of the Terms); or&lt;/p&gt;
&lt;p&gt;(B) Google is required to do so by law (for example, where the provision of the Services to you is, or becomes, unlawful); or&lt;/p&gt;
&lt;p&gt;(C) the partner with whom Google offered the Services to you has terminated its relationship with Google or ceased to offer the Services to you; or&lt;/p&gt;
&lt;p&gt;(D) Google is transitioning to no longer providing the Services to users in the country in which you are resident or from which you use the service; or&lt;/p&gt;
&lt;p&gt;(E) the provision of the Services to you by Google is, in Google’s opinion, no longer commercially viable.&lt;/p&gt;
&lt;p&gt;13.4 Nothing in this Section shall affect Google’s rights regarding provision of Services under Section 4 of the Terms.&lt;/p&gt;
&lt;p&gt;13.5 When these Terms come to an end, all of the legal rights, obligations and liabilities that you and Google have benefited from, been subject to (or which have accrued over time whilst the Terms have been in force) or which are expressed to continue indefinitely, shall be unaffected by this cessation, and the provisions of paragraph 20.7 shall continue to apply to such rights, obligations and liabilities indefinitely.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;14. EXCLUSION OF WARRANTIES&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;14.1 NOTHING IN THESE TERMS, INCLUDING SECTIONS 14 AND 15, SHALL EXCLUDE OR LIMIT GOOGLE’S WARRANTY OR LIABILITY FOR LOSSES WHICH MAY NOT BE LAWFULLY EXCLUDED OR LIMITED BY APPLICABLE LAW. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR CONDITIONS OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR LOSS OR DAMAGE CAUSED BY NEGLIGENCE, BREACH OF CONTRACT OR BREACH OF IMPLIED TERMS, OR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, ONLY THE LIMITATIONS WHICH ARE LAWFUL IN YOUR JURISDICTION WILL APPLY TO YOU AND OUR LIABILITY WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW.&lt;/p&gt;
&lt;p&gt;14.2 YOU EXPRESSLY UNDERSTAND AND AGREE THAT YOUR USE OF THE SERVICES IS AT YOUR SOLE RISK AND THAT THE SERVICES ARE PROVIDED "AS IS" AND “AS AVAILABLE.”&lt;/p&gt;
&lt;p&gt;14.3 IN PARTICULAR, GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO YOU THAT:&lt;/p&gt;
&lt;p&gt;(A) YOUR USE OF THE SERVICES WILL MEET YOUR REQUIREMENTS,&lt;/p&gt;
&lt;p&gt;(B) YOUR USE OF THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR,&lt;/p&gt;
&lt;p&gt;(C) ANY INFORMATION OBTAINED BY YOU AS A RESULT OF YOUR USE OF THE SERVICES WILL BE ACCURATE OR RELIABLE, AND&lt;/p&gt;
&lt;p&gt;(D) THAT DEFECTS IN THE OPERATION OR FUNCTIONALITY OF ANY SOFTWARE PROVIDED TO YOU AS PART OF THE SERVICES WILL BE CORRECTED.&lt;/p&gt;
&lt;p&gt;14.4 ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE SERVICES IS DONE AT YOUR OWN DISCRETION AND RISK AND THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR OTHER DEVICE OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF ANY SUCH MATERIAL.&lt;/p&gt;
&lt;p&gt;14.5 NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM GOOGLE OR THROUGH OR FROM THE SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THE TERMS.&lt;/p&gt;
&lt;p&gt;14.6 GOOGLE FURTHER EXPRESSLY DISCLAIMS ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;15. LIMITATION OF LIABILITY&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;15.1 SUBJECT TO OVERALL PROVISION IN PARAGRAPH 14.1 ABOVE, YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS SHALL NOT BE LIABLE TO YOU FOR:&lt;/p&gt;
&lt;p&gt;(A) ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL CONSEQUENTIAL OR EXEMPLARY DAMAGES WHICH MAY BE INCURRED BY YOU, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY.. THIS SHALL INCLUDE, BUT NOT BE LIMITED TO, ANY LOSS OF PROFIT (WHETHER INCURRED DIRECTLY OR INDIRECTLY), ANY LOSS OF GOODWILL OR BUSINESS REPUTATION, ANY LOSS OF DATA SUFFERED, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSS;&lt;/p&gt;
&lt;p&gt;(B) ANY LOSS OR DAMAGE WHICH MAY BE INCURRED BY YOU, INCLUDING BUT NOT LIMITED TO LOSS OR DAMAGE AS A RESULT OF:&lt;/p&gt;
&lt;p&gt;(I) ANY RELIANCE PLACED BY YOU ON THE COMPLETENESS, ACCURACY OR EXISTENCE OF ANY ADVERTISING, OR AS A RESULT OF ANY RELATIONSHIP OR TRANSACTION BETWEEN YOU AND ANY ADVERTISER OR SPONSOR WHOSE ADVERTISING APPEARS ON THE SERVICES;&lt;/p&gt;
&lt;p&gt;(II) ANY CHANGES WHICH GOOGLE MAY MAKE TO THE SERVICES, OR FOR ANY PERMANENT OR TEMPORARY CESSATION IN THE PROVISION OF THE SERVICES (OR ANY FEATURES WITHIN THE SERVICES);&lt;/p&gt;
&lt;p&gt;(III) THE DELETION OF, CORRUPTION OF, OR FAILURE TO STORE, ANY CONTENT AND OTHER COMMUNICATIONS DATA MAINTAINED OR TRANSMITTED BY OR THROUGH YOUR USE OF THE SERVICES;&lt;/p&gt;
&lt;p&gt;(III) YOUR FAILURE TO PROVIDE GOOGLE WITH ACCURATE ACCOUNT INFORMATION;&lt;/p&gt;
&lt;p&gt;(IV) YOUR FAILURE TO KEEP YOUR PASSWORD OR ACCOUNT DETAILS SECURE AND CONFIDENTIAL;&lt;/p&gt;
&lt;p&gt;15.2 THE LIMITATIONS ON GOOGLE’S LIABILITY TO YOU IN PARAGRAPH 15.1 ABOVE SHALL APPLY WHETHER OR NOT GOOGLE HAS BEEN ADVISED OF OR SHOULD HAVE BEEN AWARE OF THE POSSIBILITY OF ANY SUCH LOSSES ARISING.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;16. Copyright and trade mark policies&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;16.1 It is Google’s policy to respond to notices of alleged copyright infringement that comply with applicable international intellectual property law (including, in the United States, the Digital Millennium Copyright Act) and to terminating the accounts of repeat infringers. Details of Google’s policy can be found at &lt;a href="http://www.google.com/dmca.html"&gt;http://www.google.com/dmca.html&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;16.2 Google operates a trade mark complaints procedure in respect of Google’s advertising business, details of which can be found at &lt;a href="http://www.google.com/tm_complaint.html"&gt;http://www.google.com/tm_complaint.html&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;17. Advertisements&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;17.1 Some of the Services are supported by advertising revenue and may display advertisements and promotions. These advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.&lt;/p&gt;
&lt;p&gt;17.2 The manner, mode and extent of advertising by Google on the Services are subject to change without specific notice to you.&lt;/p&gt;
&lt;p&gt;17.3 In consideration for Google granting you access to and use of the Services, you agree that Google may place such advertising on the Services.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;18. Other content&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;18.1 The Services may include hyperlinks to other web sites or content or resources. Google may have no control over any web sites or resources which are provided by companies or persons other than Google.&lt;/p&gt;
&lt;p&gt;18.2 You acknowledge and agree that Google is not responsible for the availability of any such external sites or resources, and does not endorse any advertising, products or other materials on or available from such web sites or resources.&lt;/p&gt;
&lt;p&gt;18.3 You acknowledge and agree that Google is not liable for any loss or damage which may be incurred by you as a result of the availability of those external sites or resources, or as a result of any reliance placed by you on the completeness, accuracy or existence of any advertising, products or other materials on, or available from, such web sites or resources.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;19. Changes to the Terms&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;19.1 Google may make changes to the Universal Terms or Additional Terms from time to time. When these changes are made, Google will make a new copy of the Universal Terms available at &lt;a href="http://www.google.com/accounts/TOS?hl=en"&gt;http://www.google.com/accounts/TOS?hl=en&lt;/a&gt; and any new Additional Terms will be made available to you from within, or through, the affected Services.&lt;/p&gt;
&lt;p&gt;19.2 You understand and agree that if you use the Services after the date on which the Universal Terms or Additional Terms have changed, Google will treat your use as acceptance of the updated Universal Terms or Additional Terms.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;20. General legal terms&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;20.1 Sometimes when you use the Services, you may (as a result of, or through your use of the Services) use a service or download a piece of software, or purchase goods, which are provided by another person or company. Your use of these other services, software or goods may be subject to separate terms between you and the company or person concerned. If so, the Terms do not affect your legal relationship with these other companies or individuals.&lt;/p&gt;
&lt;p&gt;20.2 The Terms constitute the whole legal agreement between you and Google and govern your use of the Services (but excluding any services which Google may provide to you under a separate written agreement), and completely replace any prior agreements between you and Google in relation to the Services.&lt;/p&gt;
&lt;p&gt;20.3 You agree that Google may provide you with notices, including those regarding changes to the Terms, by email, regular mail, or postings on the Services.&lt;/p&gt;
&lt;p&gt;20.4 You agree that if Google does not exercise or enforce any legal right or remedy which is contained in the Terms (or which Google has the benefit of under any applicable law), this will not be taken to be a formal waiver of Google’s rights and that those rights or remedies will still be available to Google.&lt;/p&gt;
&lt;p&gt;20.5 If any court of law, having the jurisdiction to decide on this matter, rules that any provision of these Terms is invalid, then that provision will be removed from the Terms without affecting the rest of the Terms. The remaining provisions of the Terms will continue to be valid and enforceable.&lt;/p&gt;
&lt;p&gt;20.6 You acknowledge and agree that each member of the group of companies of which Google is the parent shall be third party beneficiaries to the Terms and that such other companies shall be entitled to directly enforce, and rely upon, any provision of the Terms which confers a benefit on (or rights in favor of) them. Other than this, no other person or company shall be third party beneficiaries to the Terms.&lt;/p&gt;
&lt;p&gt;20.7 The Terms, and your relationship with Google under the Terms, shall be governed by the laws of the State of California without regard to its conflict of laws provisions. You and Google agree to submit to the exclusive jurisdiction of the courts located within the county of Santa Clara, California to resolve any legal matter arising from the Terms. Notwithstanding this, you agree that Google shall still be allowed to apply for injunctive remedies (or an equivalent type of urgent legal relief) in any jurisdiction.&lt;/p&gt;
&lt;p&gt;August 15, 2008&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;Metadata&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Categories: Business, IT Management, Security &lt;/li&gt;
    &lt;li&gt;Additional keywords: Google, Google Chrome, Privacy &lt;/li&gt;
    &lt;li&gt;Technorati Tags: &lt;a rel="tag" href="http://technorati.com/tags/security"&gt;security&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/business"&gt;business&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/IT%20Management"&gt;IT Management&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/privacy"&gt;privacy&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/Google%20Chrome"&gt;Google Chrome&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;</description>
            <dc:creator>Stephen Horsfield</dc:creator>
            <guid>http://blogs.interakting.co.uk/steve/archive/2008/09/04/security-google-retracts-its-privacy-clauses.aspx</guid>
            <pubDate>Thu, 04 Sep 2008 09:26:39 GMT</pubDate>
            <wfw:comment>http://blogs.interakting.co.uk/steve/comments/345.aspx</wfw:comment>
            <comments>http://blogs.interakting.co.uk/steve/archive/2008/09/04/security-google-retracts-its-privacy-clauses.aspx#feedback</comments>
            <wfw:commentRss>http://blogs.interakting.co.uk/steve/comments/commentRss/345.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Security: How much do you trust Google?</title>
            <link>http://blogs.interakting.co.uk/steve/archive/2008/09/03/security-how-much-do-you-trust-google.aspx</link>
            <description>&lt;p&gt;Google has just released a beta of its Google Chrome web browser.  Make sure you read the terms and conditions.  Have a look at the privacy clauses...&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;[Note: Google has updated its terms and conditions.  Read my blog post here: &lt;font face="Arial"&gt;&lt;a title="http://blogs.interakting.co.uk/steve/archive/2008/09/04/security-google-retracts-its-privacy-clauses.aspx" href="http://blogs.interakting.co.uk/steve/archive/2008/09/04/security-google-retracts-its-privacy-clauses.aspx"&gt;Security: Google retracts its privacy clauses&lt;/a&gt;]&lt;/font&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Privacy clauses&lt;/strong&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;11. Content license from you&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.&lt;/p&gt;
&lt;p&gt;11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.&lt;/p&gt;
&lt;p&gt;11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions.&lt;/p&gt;
&lt;p&gt;11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above license.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Is this something you want?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Terms and conditions (dated 15 August 2008) in full&lt;/strong&gt;&lt;/p&gt;
&lt;blockquote&gt;
&lt;h3&gt;Google Chrome Terms of Service&lt;/h3&gt;
&lt;p&gt;These Terms of Service apply to the executable code version of Google Chrome. Source code for Google Chrome is available free of charge under open source software license agreements at &lt;a href="http://code.google.com/chromium/terms.html"&gt;&lt;font color="#0000ff"&gt;http://code.google.com/chromium/terms.html&lt;/font&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;1. Your relationship with Google&lt;/p&gt;
&lt;p&gt;1.1 Your use of Google’s products, software, services and web sites (referred to collectively as the “Services” in this document and excluding any services provided to you by Google under a separate written agreement) is subject to the terms of a legal agreement between you and Google. “Google” means Google Inc., whose principal place of business is at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States. This document explains how the agreement is made up, and sets out some of the terms of that agreement.&lt;/p&gt;
&lt;p&gt;1.2 Unless otherwise agreed in writing with Google, your agreement with Google will always include, at a minimum, the terms and conditions set out in this document. These are referred to below as the “Universal Terms”. Open source software licenses for Google Chrome source code constitute separate written agreements. To the limited extent that the open source software licenses expressly supersede these Universal Terms, the open source licenses govern your agreement with Google for the use of Google Chrome or specific included components of Google Chrome.&lt;/p&gt;
&lt;p&gt;1.3 Your agreement with Google will also include the terms of any Legal Notices applicable to the Services, in addition to the Universal Terms. All of these are referred to below as the “Additional Terms”. Where Additional Terms apply to a Service, these will be accessible for you to read either within, or through your use of, that Service.&lt;/p&gt;
&lt;p&gt;1.4 The Universal Terms, together with the Additional Terms, form a legally binding agreement between you and Google in relation to your use of the Services. It is important that you take the time to read them carefully. Collectively, this legal agreement is referred to below as the “Terms”.&lt;/p&gt;
&lt;p&gt;1.5 If there is any contradiction between what the Additional Terms say and what the Universal Terms say, then the Additional Terms shall take precedence in relation to that Service.&lt;/p&gt;
&lt;p&gt;2. Accepting the Terms&lt;/p&gt;
&lt;p&gt;2.1 In order to use the Services, you must first agree to the Terms. You may not use the Services if you do not accept the Terms.&lt;/p&gt;
&lt;p&gt;2.2 You can accept the Terms by:&lt;/p&gt;
&lt;p&gt;(A) clicking to accept or agree to the Terms, where this option is made available to you by Google in the user interface for any Service; or&lt;/p&gt;
&lt;p&gt;(B) by actually using the Services. In this case, you understand and agree that Google will treat your use of the Services as acceptance of the Terms from that point onwards.&lt;/p&gt;
&lt;p&gt;2.3 You may not use the Services and may not accept the Terms if (a) you are not of legal age to form a binding contract with Google, or (b) you are a person barred from receiving the Services under the laws of the United States or other countries including the country in which you are resident or from which you use the Services.&lt;/p&gt;
&lt;p&gt;2.4 Before you continue, you should print off or save a local copy of the Universal Terms for your records.&lt;/p&gt;
&lt;p&gt;3. Language of the Terms&lt;/p&gt;
&lt;p&gt;3.1 Where Google has provided you with a translation of the English language version of the Terms, then you agree that the translation is provided for your convenience only and that the English language versions of the Terms will govern your relationship with Google.&lt;/p&gt;
&lt;p&gt;3.2 If there is any contradiction between what the English language version of the Terms says and what a translation says, then the English language version shall take precedence.&lt;/p&gt;
&lt;p&gt;4. Provision of the Services by Google&lt;/p&gt;
&lt;p&gt;4.1 Google has subsidiaries and affiliated legal entities around the world (“Subsidiaries and Affiliates”). Sometimes, these companies will be providing the Services to you on behalf of Google itself. You acknowledge and agree that Subsidiaries and Affiliates will be entitled to provide the Services to you.&lt;/p&gt;
&lt;p&gt;4.2 Google is constantly innovating in order to provide the best possible experience for its users. You acknowledge and agree that the form and nature of the Services which Google provides may change from time to time without prior notice to you.&lt;/p&gt;
&lt;p&gt;4.3 As part of this continuing innovation, you acknowledge and agree that Google may stop (permanently or temporarily) providing the Services (or any features within the Services) to you or to users generally at Google’s sole discretion, without prior notice to you. You may stop using the Services at any time. You do not need to specifically inform Google when you stop using the Services.&lt;/p&gt;
&lt;p&gt;4.4 You acknowledge and agree that if Google disables access to your account, you may be prevented from accessing the Services, your account details or any files or other content which is contained in your account.&lt;/p&gt;
&lt;p&gt;4.5 You acknowledge and agree that while Google may not currently have set a fixed upper limit on the number of transmissions you may send or receive through the Services or on the amount of storage space used for the provision of any Service, such fixed upper limits may be set by Google at any time, at Google’s discretion.&lt;/p&gt;
&lt;p&gt;5. Use of the Services by you&lt;/p&gt;
&lt;p&gt;5.1 In order to access certain Services, you may be required to provide information about yourself (such as identification or contact details) as part of the registration process for the Service, or as part of your continued use of the Services. You agree that any registration information you give to Google will always be accurate, correct and up to date.&lt;/p&gt;
&lt;p&gt;5.2 You agree to use the Services only for purposes that are permitted by (a) the Terms and (b) any applicable law, regulation or generally accepted practices or guidelines in the relevant jurisdictions (including any laws regarding the export of data or software to and from the United States or other relevant countries).&lt;/p&gt;
&lt;p&gt;5.3 You agree not to access (or attempt to access) any of the Services by any means other than through the interface that is provided by Google, unless you have been specifically allowed to do so in a separate agreement with Google. You specifically agree not to access (or attempt to access) any of the Services through any automated means (including use of scripts or web crawlers) and shall ensure that you comply with the instructions set out in any robots.txt file present on the Services.&lt;/p&gt;
&lt;p&gt;5.4 You agree that you will not engage in any activity that interferes with or disrupts the Services (or the servers and networks which are connected to the Services).&lt;/p&gt;
&lt;p&gt;5.5 Unless you have been specifically permitted to do so in a separate agreement with Google, you agree that you will not reproduce, duplicate, copy, sell, trade or resell the Services for any purpose.&lt;/p&gt;
&lt;p&gt;5.6 You agree that you are solely responsible for (and that Google has no responsibility to you or to any third party for) any breach of your obligations under the Terms and for the consequences (including any loss or damage which Google may suffer) of any such breach.&lt;/p&gt;
&lt;p&gt;6. Your passwords and account security&lt;/p&gt;
&lt;p&gt;6.1 You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services.&lt;/p&gt;
&lt;p&gt;6.2 Accordingly, you agree that you will be solely responsible to Google for all activities that occur under your account.&lt;/p&gt;
&lt;p&gt;6.3 If you become aware of any unauthorized use of your password or of your account, you agree to notify Google immediately at &lt;a href="http://www.google.com/support/accounts/bin/answer.py?answer=48601"&gt;&lt;font color="#0000ff"&gt;http://www.google.com/support/accounts/bin/answer.py?answer=48601&lt;/font&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;7. Privacy and your personal information&lt;/p&gt;
&lt;p&gt;7.1 For information about Google’s data protection practices, please read Google’s privacy policy at &lt;a href="http://www.google.com/privacy.html"&gt;&lt;font color="#0000ff"&gt;http://www.google.com/privacy.html&lt;/font&gt;&lt;/a&gt;. This policy explains how Google treats your personal information, and protects your privacy, when you use the Services.&lt;/p&gt;
&lt;p&gt;7.2 You agree to the use of your data in accordance with Google’s privacy policies.&lt;/p&gt;
&lt;p&gt;8. Content in the Services&lt;/p&gt;
&lt;p&gt;8.1 You understand that all information (such as data files, written text, computer software, music, audio files or other sounds, photographs, videos or other images) which you may have access to as part of, or through your use of, the Services are the sole responsibility of the person from which such content originated. All such information is referred to below as the “Content”.&lt;/p&gt;
&lt;p&gt;8.2 You should be aware that Content presented to you as part of the Services, including but not limited to advertisements in the Services and sponsored Content within the Services may be protected by intellectual property rights which are owned by the sponsors or advertisers who provide that Content to Google (or by other persons or companies on their behalf). You may not modify, rent, lease, loan, sell, distribute or create derivative works based on this Content (either in whole or in part) unless you have been specifically told that you may do so by Google or by the owners of that Content, in a separate agreement.&lt;/p&gt;
&lt;p&gt;8.3 Google reserves the right (but shall have no obligation) to pre-screen, review, flag, filter, modify, refuse or remove any or all Content from any Service. For some of the Services, Google may provide tools to filter out explicit sexual content. These tools include the SafeSearch preference settings (see &lt;a href="http://www.google.com/help/customize.html#safe"&gt;&lt;font color="#0000ff"&gt;http://www.google.com/help/customize.html#safe&lt;/font&gt;&lt;/a&gt;). In addition, there are commercially available services and software to limit access to material that you may find objectionable.&lt;/p&gt;
&lt;p&gt;8.4 You understand that by using the Services you may be exposed to Content that you may find offensive, indecent or objectionable and that, in this respect, you use the Services at your own risk.&lt;/p&gt;
&lt;p&gt;8.5 You agree that you are solely responsible for (and that Google has no responsibility to you or to any third party for) any Content that you create, transmit or display while using the Services and for the consequences of your actions (including any loss or damage which Google may suffer) by doing so.&lt;/p&gt;
&lt;p&gt;9. Proprietary rights&lt;/p&gt;
&lt;p&gt;9.1 You acknowledge and agree that Google (or Google’s licensors) own all legal right, title and interest in and to the Services, including any intellectual property rights which subsist in the Services (whether those rights happen to be registered or not, and wherever in the world those rights may exist). You further acknowledge that the Services may contain information which is designated confidential by Google and that you shall not disclose such information without Google’s prior written consent.&lt;/p&gt;
&lt;p&gt;9.2 Unless you have agreed otherwise in writing with Google, nothing in the Terms gives you a right to use any of Google’s trade names, trade marks, service marks, logos, domain names, and other distinctive brand features.&lt;/p&gt;
&lt;p&gt;9.3 If you have been given an explicit right to use any of these brand features in a separate written agreement with Google, then you agree that your use of such features shall be in compliance with that agreement, any applicable provisions of the Terms, and Google's brand feature use guidelines as updated from time to time. These guidelines can be viewed online at &lt;a href="http://www.google.com/permissions/guidelines.html"&gt;&lt;font color="#0000ff"&gt;http://www.google.com/permissions/guidelines.html&lt;/font&gt;&lt;/a&gt; (or such other URL as Google may provide for this purpose from time to time).&lt;/p&gt;
&lt;p&gt;9.4 Other than the limited license set forth in Section 11, Google acknowledges and agrees that it obtains no right, title or interest from you (or your licensors) under these Terms in or to any Content that you submit, post, transmit or display on, or through, the Services, including any intellectual property rights which subsist in that Content (whether those rights happen to be registered or not, and wherever in the world those rights may exist). Unless you have agreed otherwise in writing with Google, you agree that you are responsible for protecting and enforcing those rights and that Google has no obligation to do so on your behalf.&lt;/p&gt;
&lt;p&gt;9.5 You agree that you shall not remove, obscure, or alter any proprietary rights notices (including copyright and trade mark notices) which may be affixed to or contained within the Services.&lt;/p&gt;
&lt;p&gt;9.6 Unless you have been expressly authorized to do so in writing by Google, you agree that in using the Services, you will not use any trade mark, service mark, trade name, logo of any company or organization in a way that is likely or intended to cause confusion about the owner or authorized user of such marks, names or logos.&lt;/p&gt;
&lt;p&gt;10. License from Google&lt;/p&gt;
&lt;p&gt;10.1 Google gives you a personal, worldwide, royalty-free, non-assignable and non-exclusive license to use the software provided to you by Google as part of the Services as provided to you by Google (referred to as the “Software” below). This license is for the sole purpose of enabling you to use and enjoy the benefit of the Services as provided by Google, in the manner permitted by the Terms.&lt;/p&gt;
&lt;p&gt;10.2 You may not (and you may not permit anyone else to) copy, modify, create a derivative work of, reverse engineer, decompile or otherwise attempt to extract the source code of the Software or any part thereof, unless this is expressly permitted or required by law, or unless you have been specifically told that you may do so by Google, in writing.&lt;/p&gt;
&lt;p&gt;10.3 Unless Google has given you specific written permission to do so, you may not assign (or grant a sub-license of) your rights to use the Software, grant a security interest in or over your rights to use the Software, or otherwise transfer any part of your rights to use the Software.&lt;/p&gt;
&lt;p&gt;11. Content license from you&lt;/p&gt;
&lt;p&gt;11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This license is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.&lt;/p&gt;
&lt;p&gt;11.2 You agree that this license includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.&lt;/p&gt;
&lt;p&gt;11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this license shall permit Google to take these actions.&lt;/p&gt;
&lt;p&gt;11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above license.&lt;/p&gt;
&lt;p&gt;12. Software updates&lt;/p&gt;
&lt;p&gt;12.1 The Software which you use may automatically download and install updates from time to time from Google. These updates are designed to improve, enhance and further develop the Services and may take the form of bug fixes, enhanced functions, new software modules and completely new versions. You agree to receive such updates (and permit Google to deliver these to you) as part of your use of the Services.&lt;/p&gt;
&lt;p&gt;13. Ending your relationship with Google&lt;/p&gt;
&lt;p&gt;13.1 The Terms will continue to apply until terminated by either you or Google as set out below.&lt;/p&gt;
&lt;p&gt;13.2 If you want to terminate your legal agreement with Google, you may do so by (a) notifying Google at any time and (b) closing your accounts for all of the Services which you use, where Google has made this option available to you. Your notice should be sent, in writing, to Google’s address which is set out at the beginning of these Terms.&lt;/p&gt;
&lt;p&gt;13.3 Google may at any time, terminate its legal agreement with you if:&lt;/p&gt;
&lt;p&gt;(A) you have breached any provision of the Terms (or have acted in manner which clearly shows that you do not intend to, or are unable to comply with the provisions of the Terms); or&lt;/p&gt;
&lt;p&gt;(B) Google is required to do so by law (for example, where the provision of the Services to you is, or becomes, unlawful); or&lt;/p&gt;
&lt;p&gt;(C) the partner with whom Google offered the Services to you has terminated its relationship with Google or ceased to offer the Services to you; or&lt;/p&gt;
&lt;p&gt;(D) Google is transitioning to no longer providing the Services to users in the country in which you are resident or from which you use the service; or&lt;/p&gt;
&lt;p&gt;(E) the provision of the Services to you by Google is, in Google’s opinion, no longer commercially viable.&lt;/p&gt;
&lt;p&gt;13.4 Nothing in this Section shall affect Google’s rights regarding provision of Services under Section 4 of the Terms.&lt;/p&gt;
&lt;p&gt;13.5 When these Terms come to an end, all of the legal rights, obligations and liabilities that you and Google have benefited from, been subject to (or which have accrued over time whilst the Terms have been in force) or which are expressed to continue indefinitely, shall be unaffected by this cessation, and the provisions of paragraph 20.7 shall continue to apply to such rights, obligations and liabilities indefinitely.&lt;/p&gt;
&lt;p&gt;14. EXCLUSION OF WARRANTIES&lt;/p&gt;
&lt;p&gt;14.1 NOTHING IN THESE TERMS, INCLUDING SECTIONS 14 AND 15, SHALL EXCLUDE OR LIMIT GOOGLE’S WARRANTY OR LIABILITY FOR LOSSES WHICH MAY NOT BE LAWFULLY EXCLUDED OR LIMITED BY APPLICABLE LAW. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES OR CONDITIONS OR THE LIMITATION OR EXCLUSION OF LIABILITY FOR LOSS OR DAMAGE CAUSED BY NEGLIGENCE, BREACH OF CONTRACT OR BREACH OF IMPLIED TERMS, OR INCIDENTAL OR CONSEQUENTIAL DAMAGES. ACCORDINGLY, ONLY THE LIMITATIONS WHICH ARE LAWFUL IN YOUR JURISDICTION WILL APPLY TO YOU AND OUR LIABILITY WILL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY LAW.&lt;/p&gt;
&lt;p&gt;14.2 YOU EXPRESSLY UNDERSTAND AND AGREE THAT YOUR USE OF THE SERVICES IS AT YOUR SOLE RISK AND THAT THE SERVICES ARE PROVIDED "AS IS" AND “AS AVAILABLE.”&lt;/p&gt;
&lt;p&gt;14.3 IN PARTICULAR, GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO YOU THAT:&lt;/p&gt;
&lt;p&gt;(A) YOUR USE OF THE SERVICES WILL MEET YOUR REQUIREMENTS,&lt;/p&gt;
&lt;p&gt;(B) YOUR USE OF THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR,&lt;/p&gt;
&lt;p&gt;(C) ANY INFORMATION OBTAINED BY YOU AS A RESULT OF YOUR USE OF THE SERVICES WILL BE ACCURATE OR RELIABLE, AND&lt;/p&gt;
&lt;p&gt;(D) THAT DEFECTS IN THE OPERATION OR FUNCTIONALITY OF ANY SOFTWARE PROVIDED TO YOU AS PART OF THE SERVICES WILL BE CORRECTED.&lt;/p&gt;
&lt;p&gt;14.4 ANY MATERIAL DOWNLOADED OR OTHERWISE OBTAINED THROUGH THE USE OF THE SERVICES IS DONE AT YOUR OWN DISCRETION AND RISK AND THAT YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR OTHER DEVICE OR LOSS OF DATA THAT RESULTS FROM THE DOWNLOAD OF ANY SUCH MATERIAL.&lt;/p&gt;
&lt;p&gt;14.5 NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM GOOGLE OR THROUGH OR FROM THE SERVICES SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THE TERMS.&lt;/p&gt;
&lt;p&gt;14.6 GOOGLE FURTHER EXPRESSLY DISCLAIMS ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.&lt;/p&gt;
&lt;p&gt;15. LIMITATION OF LIABILITY&lt;/p&gt;
&lt;p&gt;15.1 SUBJECT TO OVERALL PROVISION IN PARAGRAPH 14.1 ABOVE, YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS SHALL NOT BE LIABLE TO YOU FOR:&lt;/p&gt;
&lt;p&gt;(A) ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL CONSEQUENTIAL OR EXEMPLARY DAMAGES WHICH MAY BE INCURRED BY YOU, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY. THIS SHALL INCLUDE, BUT NOT BE LIMITED TO, ANY LOSS OF PROFIT (WHETHER INCURRED DIRECTLY OR INDIRECTLY), ANY LOSS OF GOODWILL OR BUSINESS REPUTATION, ANY LOSS OF DATA SUFFERED, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSS;&lt;/p&gt;
&lt;p&gt;(B) ANY LOSS OR DAMAGE WHICH MAY BE INCURRED BY YOU, INCLUDING BUT NOT LIMITED TO LOSS OR DAMAGE AS A RESULT OF:&lt;/p&gt;
&lt;p&gt;(I) ANY RELIANCE PLACED BY YOU ON THE COMPLETENESS, ACCURACY OR EXISTENCE OF ANY ADVERTISING, OR AS A RESULT OF ANY RELATIONSHIP OR TRANSACTION BETWEEN YOU AND ANY ADVERTISER OR SPONSOR WHOSE ADVERTISING APPEARS ON THE SERVICES;&lt;/p&gt;
&lt;p&gt;(II) ANY CHANGES WHICH GOOGLE MAY MAKE TO THE SERVICES, OR FOR ANY PERMANENT OR TEMPORARY CESSATION IN THE PROVISION OF THE SERVICES (OR ANY FEATURES WITHIN THE SERVICES);&lt;/p&gt;
&lt;p&gt;(III) THE DELETION OF, CORRUPTION OF, OR FAILURE TO STORE, ANY CONTENT AND OTHER COMMUNICATIONS DATA MAINTAINED OR TRANSMITTED BY OR THROUGH YOUR USE OF THE SERVICES;&lt;/p&gt;
&lt;p&gt;(III) YOUR FAILURE TO PROVIDE GOOGLE WITH ACCURATE ACCOUNT INFORMATION;&lt;/p&gt;
&lt;p&gt;(IV) YOUR FAILURE TO KEEP YOUR PASSWORD OR ACCOUNT DETAILS SECURE AND CONFIDENTIAL;&lt;/p&gt;
&lt;p&gt;15.2 THE LIMITATIONS ON GOOGLE’S LIABILITY TO YOU IN PARAGRAPH 15.1 ABOVE SHALL APPLY WHETHER OR NOT GOOGLE HAS BEEN ADVISED OF OR SHOULD HAVE BEEN AWARE OF THE POSSIBILITY OF ANY SUCH LOSSES ARISING.&lt;/p&gt;
&lt;p&gt;16. Copyright and trade mark policies&lt;/p&gt;
&lt;p&gt;16.1 It is Google’s policy to respond to notices of alleged copyright infringement that comply with applicable international intellectual property law (including, in the United States, the Digital Millennium Copyright Act) and to terminating the accounts of repeat infringers. Details of Google’s policy can be found at &lt;a href="http://www.google.com/dmca.html"&gt;&lt;font color="#0000ff"&gt;http://www.google.com/dmca.html&lt;/font&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;16.2 Google operates a trade mark complaints procedure in respect of Google’s advertising business, details of which can be found at &lt;a href="http://www.google.com/tm_complaint.html"&gt;&lt;font color="#0000ff"&gt;http://www.google.com/tm_complaint.html&lt;/font&gt;&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;17. Advertisements&lt;/p&gt;
&lt;p&gt;17.1 Some of the Services are supported by advertising revenue and may display advertisements and promotions. These advertisements may be targeted to the content of information stored on the Services, queries made through the Services or other information.&lt;/p&gt;
&lt;p&gt;17.2 The manner, mode and extent of advertising by Google on the Services are subject to change without specific notice to you.&lt;/p&gt;
&lt;p&gt;17.3 In consideration for Google granting you access to and use of the Services, you agree that Google may place such advertising on the Services.&lt;/p&gt;
&lt;p&gt;18. Other content&lt;/p&gt;
&lt;p&gt;18.1 The Services may include hyperlinks to other web sites or content or resources. Google may have no control over any web sites or resources which are provided by companies or persons other than Google.&lt;/p&gt;
&lt;p&gt;18.2 You acknowledge and agree that Google is not responsible for the availability of any such external sites or resources, and does not endorse any advertising, products or other materials on or available from such web sites or resources.&lt;/p&gt;
&lt;p&gt;18.3 You acknowledge and agree that Google is not liable for any loss or damage which may be incurred by you as a result of the availability of those external sites or resources, or as a result of any reliance placed by you on the completeness, accuracy or existence of any advertising, products or other materials on, or available from, such web sites or resources.&lt;/p&gt;
&lt;p&gt;19. Changes to the Terms&lt;/p&gt;
&lt;p&gt;19.1 Google may make changes to the Universal Terms or Additional Terms from time to time. When these changes are made, Google will make a new copy of the Universal Terms available at &lt;a href="http://www.google.com/accounts/TOS?hl=en"&gt;&lt;font color="#0000ff"&gt;http://www.google.com/accounts/TOS?hl=en&lt;/font&gt;&lt;/a&gt; and any new Additional Terms will be made available to you from within, or through, the affected Services.&lt;/p&gt;
&lt;p&gt;19.2 You understand and agree that if you use the Services after the date on which the Universal Terms or Additional Terms have changed, Google will treat your use as acceptance of the updated Universal Terms or Additional Terms.&lt;/p&gt;
&lt;p&gt;20. General legal terms&lt;/p&gt;
&lt;p&gt;20.1 Sometimes when you use the Services, you may (as a result of, or through your use of the Services) use a service or download a piece of software, or purchase goods, which are provided by another person or company. Your use of these other services, software or goods may be subject to separate terms between you and the company or person concerned. If so, the Terms do not affect your legal relationship with these other companies or individuals.&lt;/p&gt;
&lt;p&gt;20.2 The Terms constitute the whole legal agreement between you and Google and govern your use of the Services (but excluding any services which Google may provide to you under a separate written agreement), and completely replace any prior agreements between you and Google in relation to the Services.&lt;/p&gt;
&lt;p&gt;20.3 You agree that Google may provide you with notices, including those regarding changes to the Terms, by email, regular mail, or postings on the Services.&lt;/p&gt;
&lt;p&gt;20.4 You agree that if Google does not exercise or enforce any legal right or remedy which is contained in the Terms (or which Google has the benefit of under any applicable law), this will not be taken to be a formal waiver of Google’s rights and that those rights or remedies will still be available to Google.&lt;/p&gt;
&lt;p&gt;20.5 If any court of law, having the jurisdiction to decide on this matter, rules that any provision of these Terms is invalid, then that provision will be removed from the Terms without affecting the rest of the Terms. The remaining provisions of the Terms will continue to be valid and enforceable.&lt;/p&gt;
&lt;p&gt;20.6 You acknowledge and agree that each member of the group of companies of which Google is the parent shall be third party beneficiaries to the Terms and that such other companies shall be entitled to directly enforce, and rely upon, any provision of the Terms which confers a benefit on (or rights in favor of) them. Other than this, no other person or company shall be third party beneficiaries to the Terms.&lt;/p&gt;
&lt;p&gt;20.7 The Terms, and your relationship with Google under the Terms, shall be governed by the laws of the State of California without regard to its conflict of laws provisions. You and Google agree to submit to the exclusive jurisdiction of the courts located within the county of Santa Clara, California to resolve any legal matter arising from the Terms. Notwithstanding this, you agree that Google shall still be allowed to apply for injunctive remedies (or an equivalent type of urgent legal relief) in any jurisdiction.&lt;/p&gt;
&lt;p&gt;August 15, 2008&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;Metadata&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Categories: Business, IT Management, Security &lt;/li&gt;
    &lt;li&gt;Additional keywords: Google, Google Chrome, Privacy &lt;/li&gt;
    &lt;li&gt;Technorati Tags: &lt;a rel="tag" href="http://technorati.com/tags/security"&gt;security&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/business"&gt;business&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/IT%20Management"&gt;IT Management&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/privacy"&gt;privacy&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/Google%20Chrome"&gt;Google Chrome&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;</description>
            <dc:creator>Stephen Horsfield</dc:creator>
            <guid>http://blogs.interakting.co.uk/steve/archive/2008/09/03/security-how-much-do-you-trust-google.aspx</guid>
            <pubDate>Wed, 03 Sep 2008 08:14:41 GMT</pubDate>
            <wfw:comment>http://blogs.interakting.co.uk/steve/comments/342.aspx</wfw:comment>
            <comments>http://blogs.interakting.co.uk/steve/archive/2008/09/03/security-how-much-do-you-trust-google.aspx#feedback</comments>
            <wfw:commentRss>http://blogs.interakting.co.uk/steve/comments/commentRss/342.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Security: Conducting a Security Review and why your designs should incorporate Defence-In-Depth?</title>
            <link>http://blogs.interakting.co.uk/steve/archive/2008/07/04/Security-Conducting-a-Security-Review-and-why-your-designs-should.aspx</link>
            <description>&lt;p&gt;I'm currently conducting a due-diligence review of a technical system.  The system is a classic distributed, two-tier system with data held centrally and business-logic delegated to an application tier.  I've been asked to perform a security analysis as part of my review.  I can't tell you anything about the project itself, for confidentiality (and security) reasons, but I thought I'd share some of the thought processes behind what I've been doing.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Reviewing security&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The foremost rule of security assessment is to include the entire system.  Don't just look at technical aspects of security but also at non-technical risks.  Here's an example: a password is a common technical security measure, but if steps aren't taken to prevent users from posting their passwords on the Internet, then the password is useless, even if it regularly expires and uses strong password controls.&lt;/p&gt;
&lt;p&gt;There is a similar problem when security is not appropriately applied.  When a technical security requirement is too restrictive or misunderstood, individuals will look for, and often find, a way round it, frequently by disobeying the very policies that are critical non-technical security measures.&lt;/p&gt;
&lt;p&gt;The solution?  Security measures must be appropriate, proportionate, understood and trusted.  If you don't get the buy-in of your users then these measures have limited or no value.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Understanding the threats&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The second rule of security assessment is to address the organisation's blind-spots.  Legitimate users of systems are also potential attackers, sometimes intentionally, sometimes maliciously and sometimes because they are simply applying their own pragmatism: "surely the business doesn't want me to spend all that time jumping through these policy hoops?  I can save the company money if I do it like this...".&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Create buy-in&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Next, make sure that you employ security measures that your legitimate users are willing to employ.  There is no value in creating 60-character random passwords.  Your users will never remember them and so they'll write them down.  Probably, they'll leave them next to the computer as well...&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Implement Defence-In-Depth&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Defence-In-Depth is the principle of checking security at each component of a system.  It ensures that a breach in an outer component doesn't automatically give unrestricted access to the assets at a deeper level.  In my analysis I found that this principle had not been applied and that meant that a breach at the outermost level could result in unrestricted access to substantially more data than a user was normally entitled to.&lt;/p&gt;
&lt;p&gt;Another resulting effect of the Defence-In-Depth approach is that it allows for clear security boundaries to be applied.  Within the data centre the organisation has effective security capabilities but once the data has left this secure area the degree of control is reduced.&lt;/p&gt;
&lt;p&gt;So how does Defence-In-Depth compare in a two-tier system?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Without Defence-In-Depth&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In this scenario, all security checks are performed only once: at the application layer, the communication layer or the data layer.  Let's look at the implication of each option in turn:&lt;/p&gt;
&lt;p&gt;&lt;u&gt;1.  Controls at the application layer only&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;In this case, if a user can breach the communication mechanism or the application code, then the user gains total access to all data in the system.  This presents some major difficulties from a security perspective as it can be relatively easy to break one or both of these using reverse-engineering or eavesdropping approaches.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;2.  Controls at the communication layer only&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;Securing the communication layer alone allows users to have complete access to the data and to do anything with it.  This provides no protection whatsoever from the insider, and that includes anyone who manages to break into the environment.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;3.  Controls at the data layer only&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;In this case, access to the data can be secured; however, the data may be misused or transferred outside of the application.  The security at the data layer must be substantially hardened to prevent malicious users from causing unintended behaviour.  Once the data has left the data centre, the organisation no longer has any control over it.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;With Defence-In-Depth&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The Defence-In-Depth approach is pessimistic.  It chooses to secure all three layers used in this system:&lt;/p&gt;
&lt;p&gt;&lt;u&gt;1.  Controls at the application layer first&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;This limits those allowed to use the application.  If it is breached, the user still has to break both the communication layer and the data layer security mechanisms.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;2.  Controls at the communication layer&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;This provides two added benefits.  Firstly, it limits the potential to break the application because the application's communications are encrypted.  Correct protocols can also prevent replay attacks and man-in-the-middle attacks.&lt;/p&gt;
&lt;p&gt;Secondly, it enables the data layer to only allow access through this secure medium, limiting its exposure to other systems.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;3.  Controls at the data layer&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;The data layer ensures that the application only has access to the data that the application's user is entitled to.  This limits the exposure of data.  Because the other two layers have hardened the access mechanism, the data layer is less susceptible to direct attacks using otherwise valid credentials.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Applying Defence-In-Depth won't solve all your problems, and it will introduce additional design complexity.  However, it should be applied to distributed systems where security is an imperative.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Metadata&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Categories: Business, Security, Software Development &lt;/li&gt;
    &lt;li&gt;Additional keywords: Defence In Depth, security policy, secure design &lt;/li&gt;
    &lt;li&gt;Technorati Tags: &lt;a rel="tag" href="http://technorati.com/tags/software%20development"&gt;software development&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/business"&gt;business&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/strategy"&gt;strategy&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/best%20practice"&gt;best practice&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/security"&gt;security&lt;/a&gt; &lt;a rel="tag" href="http://technorati.com/tags/security%20review"&gt;security review&lt;/a&gt; &lt;a rel="tag" href="http://technorati.com/tags/defence-in-depth"&gt;Defence-In-Depth&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;</description>
            <dc:creator>Stephen Horsfield</dc:creator>
            <guid>http://blogs.interakting.co.uk/steve/archive/2008/07/04/Security-Conducting-a-Security-Review-and-why-your-designs-should.aspx</guid>
            <pubDate>Fri, 04 Jul 2008 11:55:45 GMT</pubDate>
            <wfw:comment>http://blogs.interakting.co.uk/steve/comments/323.aspx</wfw:comment>
            <comments>http://blogs.interakting.co.uk/steve/archive/2008/07/04/Security-Conducting-a-Security-Review-and-why-your-designs-should.aspx#feedback</comments>
            <wfw:commentRss>http://blogs.interakting.co.uk/steve/comments/commentRss/323.aspx</wfw:commentRss>
        </item>
        <item>
            <title>EPiServer: Getting a PageData Object When You Do Not Have Access to the Page</title>
            <link>http://blogs.interakting.co.uk/steve/archive/2008/01/31/EPiServer-Getting-a-PageData-Object-When-You-Do-Not-Have.aspx</link>
            <description>&lt;p&gt;&lt;strong&gt;UPDATED: 16-MAY-2008&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;How can you get the PageData object for a page when the current user doesn't have access?  It took me a while to find out, but you can just read on...&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Context&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I have been implementing a redirect facility.  Only editors and administrators are allowed access to the page and everyone else is redirected according to a property on the page.  The ACL on the page does not give Read access to the Everyone group.  How can I get the property?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Solution&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The easy solution is to use &lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt; 5.  Then you can use the GetPage method of the DataFactory class to get a page, and provide the access level:&lt;/p&gt;
&lt;div class="csharpcode-wrapper"&gt;
&lt;pre class="csharpcode"&gt;&lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt;.Core.PageData page =
  &lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt;.DataFactory.Instance.GetPage(
    pageReference, 
    &lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt;.Security.AccessLevel.NoAccess);&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;&lt;em&gt;&lt;u&gt;&lt;strong&gt;UPDATED:  Thanks to &lt;font size="2"&gt;Steve Celius of EPiServer for a better solution for EPiServer 4.6&lt;/font&gt;&lt;/strong&gt;&lt;/u&gt;&lt;/em&gt; &lt;/p&gt;
&lt;p&gt;Link to Steve Celius' blog: &lt;a href="http://labs.episerver.com/en/Blogs/Steve-Celius/"&gt;http://labs.episerver.com/en/Blogs/Steve-Celius/&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;In EPiServer 4.6, the EPiServer.Security.AccessLevel enumeration does not include a NoAccess member.  However, the EPiServer.Security.AccessControlList.NoAccess property is an instance of EPiServer.Security.AccessLevel and can be used directly.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;em&gt;&lt;u&gt;THE METHOD I ORIGINALLY POSTED IS BELOW, BUT DO NOT USE IT!!!&lt;/u&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;However, I was using &lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt; 4.6 for this project, and the luxury of a NoAccess access level was not given to me!&lt;/p&gt;
&lt;p&gt;In this case, you need to circumvent the &lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt; security model.  Of course, this probably isn't supported!  The following code does the job:&lt;/p&gt;
&lt;div class="csharpcode-wrapper"&gt;
&lt;pre class="csharpcode"&gt;&lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt;.DataAccess.PageLoadDB pageLoadDB =
  &lt;span class="kwrd"&gt;new&lt;/span&gt; &lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt;.DataAccess.PageLoadDB();

&lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt;.Core.PageData page =
  pageLoadDB.Load2(pageReference);&lt;/pre&gt;
&lt;/div&gt;
&lt;p&gt;Job done!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Versions&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt; 4.6 &lt;/li&gt;
    &lt;li&gt;&lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt; 5 &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Metadata&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Categories: Software development, &lt;a title="EPiServer Content Management System" target="_blank" href="http://www.episerver.com"&gt;EPiServer&lt;/a&gt;, Page properties, security &lt;/li&gt;
    &lt;li&gt;Additional keywords: access denied, page properties, get page &lt;/li&gt;
    &lt;li&gt;Technorati Tags: &lt;a rel="tag" href="http://technorati.com/tags/.NET"&gt;.NET&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/ASP.NET"&gt;ASP.NET&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/EPiServer"&gt;EPiServer&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/security"&gt;security&lt;/a&gt;, &lt;a rel="tag" href="http://technorati.com/tags/DataFactory"&gt;DataFactory&lt;/a&gt; &lt;/li&gt;
&lt;/ul&gt;</description>
            <dc:creator>Stephen Horsfield</dc:creator>
            <guid>http://blogs.interakting.co.uk/steve/archive/2008/01/31/EPiServer-Getting-a-PageData-Object-When-You-Do-Not-Have.aspx</guid>
            <pubDate>Thu, 31 Jan 2008 08:53:43 GMT</pubDate>
            <wfw:comment>http://blogs.interakting.co.uk/steve/comments/197.aspx</wfw:comment>
            <comments>http://blogs.interakting.co.uk/steve/archive/2008/01/31/EPiServer-Getting-a-PageData-Object-When-You-Do-Not-Have.aspx#feedback</comments>
            <slash:comments>3</slash:comments>
            <wfw:commentRss>http://blogs.interakting.co.uk/steve/comments/commentRss/197.aspx</wfw:commentRss>
        </item>
        <item>
            <title>SQL Server: Viewing Database Permissions Using a Query</title>
            <link>http://blogs.interakting.co.uk/steve/archive/2008/01/17/SQL-Server-Viewing-Database-Permissions-Using-a-Query.aspx</link>
            <description>&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Have you ever wondered how to view object permissions using a query?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Simple example&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Try this on a database:&lt;/p&gt;
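&lt;code&gt;-- class = 1 limits rows to object/column permissions, where major_id is an object_id &lt;br /&gt;
select o.name as securable_name, u.name as grantee_name, p.permission_name, p.state, p.state_desc &lt;br /&gt;
  from sys.database_permissions p &lt;br /&gt;
       inner join sys.all_objects o &lt;br /&gt;
         on p.major_id = o.object_id &lt;br /&gt;
       inner join sys.database_principals u &lt;br /&gt;
         on p.grantee_principal_id = u.principal_id &lt;br /&gt;
 where p.class = 1 &lt;/code&gt;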
&lt;p&gt;&lt;strong&gt;References&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;&lt;strong&gt;&lt;a title="http://technet.microsoft.com/en-us/library/ms188367.aspx" target="_blank" href="http://technet.microsoft.com/en-us/library/ms188367.aspx"&gt;sys.database_permissions (Microsoft TechNet)&lt;/a&gt;&lt;/strong&gt; &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;&lt;a title="http://technet.microsoft.com/en-us/library/ms187328.aspx" target="_blank" href="http://technet.microsoft.com/en-us/library/ms187328.aspx"&gt;sys.database_principals (Microsoft TechNet)&lt;/a&gt;&lt;/strong&gt; &lt;/li&gt;
    &lt;li&gt;&lt;strong&gt;&lt;a title="http://technet.microsoft.com/en-us/library/ms178618.aspx" target="_blank" href="http://technet.microsoft.com/en-us/library/ms178618.aspx"&gt;sys.all_objects (Microsoft TechNet)&lt;/a&gt;&lt;/strong&gt; &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Versions&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Microsoft &lt;a title="Microsoft SQL Server" target="_blank" href="http://www.microsoft.com/sql/default.mspx"&gt;SQL Server&lt;/a&gt; 2005 &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Metadata&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Categories: &lt;a title="Microsoft SQL Server" target="_blank" href="http://www.microsoft.com/sql/default.mspx"&gt;SQL Server&lt;/a&gt;, IT Management, Software Development, Security &lt;/li&gt;
    &lt;li&gt;Additional keywords: information schema, system views, permissions, security, query &lt;/li&gt;
&lt;li&gt;Technorati Tags: 
&lt;a href="http://technorati.com/tags/SQL" rel="tag"&gt;SQL&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/SQL%20Server" rel="tag"&gt;SQL Server&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/software%20development" rel="tag"&gt;software development&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/IT%20Management" rel="tag"&gt;IT Management&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/security" rel="tag"&gt;security&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/permissions" rel="tag"&gt;permissions&lt;/a&gt;
&lt;/li&gt;&lt;/ul&gt;</description>
            <dc:creator>Stephen Horsfield</dc:creator>
            <guid>http://blogs.interakting.co.uk/steve/archive/2008/01/17/SQL-Server-Viewing-Database-Permissions-Using-a-Query.aspx</guid>
            <pubDate>Thu, 17 Jan 2008 09:02:18 GMT</pubDate>
            <wfw:comment>http://blogs.interakting.co.uk/steve/comments/175.aspx</wfw:comment>
            <comments>http://blogs.interakting.co.uk/steve/archive/2008/01/17/SQL-Server-Viewing-Database-Permissions-Using-a-Query.aspx#feedback</comments>
            <wfw:commentRss>http://blogs.interakting.co.uk/steve/comments/commentRss/175.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Windows: Disabling Data Execution Prevention</title>
            <link>http://blogs.interakting.co.uk/steve/archive/2008/01/08/Microsoft-Windows-Disabling-Data-Execution-Prevention.aspx</link>
            <description>&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Sometimes, old code doesn't seem to work with the new Data Execution Prevention feature in Microsoft Windows.  It's easy to turn it off for non-system applications and services, but how do you do it for system components, and why would you?&lt;/p&gt;
&lt;p&gt;&lt;font color="#ff0000"&gt;&lt;strong&gt;Warning: Data Execution Prevention is a security feature.  Disabling DEP reduces the security of your system.&lt;/strong&gt;&lt;/font&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Context&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;On our Microsoft &lt;a title="Microsoft Commerce Server" target="_blank" href="http://www.microsoft.com/commerceserver/default.mspx"&gt;Commerce Server&lt;/a&gt; 2002 system, running on &lt;a title="Microsoft Windows Server 2003" target="_blank" href="http://www.microsoft.com/windowsserver2003/default.mspx"&gt;Windows Server 2003&lt;/a&gt;, we were getting "COM Surrogate" errors, which relate to DEP errors with the &lt;em&gt;dllhost.exe&lt;/em&gt; system program.  Adding it to the exception list didn't solve our problem.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Solution&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Thankfully, Microsoft has written an article on how to turn off DEP for an entire server.  For this case, you need to add the following option:&lt;/p&gt;
&lt;code&gt;/noexecute=AlwaysOff&lt;/code&gt;
&lt;p&gt;to your &lt;em&gt;boot.ini&lt;/em&gt; file.&lt;/p&gt;
&lt;p&gt;See &lt;a title="http://support.microsoft.com/kb/875352" target="_blank" href="http://support.microsoft.com/kb/875352"&gt;A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003 (Microsoft Support)&lt;/a&gt; for further information.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Versions&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Microsoft &lt;a title="Microsoft Windows Server 2003" target="_blank" href="http://www.microsoft.com/windowsserver2003/default.mspx"&gt;Windows Server 2003&lt;/a&gt; &lt;/li&gt;
    &lt;li&gt;Microsoft &lt;a title="Microsoft Commerce Server" target="_blank" href="http://www.microsoft.com/commerceserver/default.mspx"&gt;Commerce Server&lt;/a&gt; 2002 &lt;/li&gt;
    &lt;li&gt;Also applicable to Microsoft Windows XP &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Metadata&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Categories: IT Management, Security, Windows Server, Commerce Server &lt;/li&gt;
    &lt;li&gt;Additional keywords: how to turn off DEP, disable DEP &lt;/li&gt;
&lt;li&gt;Technorati Tags: 
&lt;a href="http://technorati.com/tags/IT%20Management" rel="tag"&gt;IT Management&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/Windows" rel="tag"&gt;Windows&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/Windows%202003" rel="tag"&gt;Windows 2003&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/problem" rel="tag"&gt;problem&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/DEP" rel="tag"&gt;DEP&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/Data%20Execution%20Prevention" rel="tag"&gt;Data Execution Prevention&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/Commerce%20Server" rel="tag"&gt;Commerce Server&lt;/a&gt;
&lt;/li&gt;&lt;/ul&gt;</description>
            <dc:creator>Stephen Horsfield</dc:creator>
            <guid>http://blogs.interakting.co.uk/steve/archive/2008/01/08/Microsoft-Windows-Disabling-Data-Execution-Prevention.aspx</guid>
            <pubDate>Tue, 08 Jan 2008 15:10:56 GMT</pubDate>
            <wfw:comment>http://blogs.interakting.co.uk/steve/comments/147.aspx</wfw:comment>
            <comments>http://blogs.interakting.co.uk/steve/archive/2008/01/08/Microsoft-Windows-Disabling-Data-Execution-Prevention.aspx#feedback</comments>
            <wfw:commentRss>http://blogs.interakting.co.uk/steve/comments/commentRss/147.aspx</wfw:commentRss>
        </item>
        <item>
            <title>SQL Server:  Malicious triggers</title>
            <link>http://blogs.interakting.co.uk/steve/archive/2008/01/04/SQL-Server--Malicious-triggers.aspx</link>
            <description>&lt;p&gt;&lt;strong&gt;Overview&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;What is a malicious trigger?  What can it do?  How can you protect yourself and your database server?&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Background&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I've been reading the Microsoft Press MCITP training book for the Microsoft 70-441 exam: Designing Database Solutions by Using Microsoft SQL Server 2005 and I came across an interesting comment about trigger security.  I'm describing it here, because it is quite easy for a malicious database developer to use against an unsuspecting DBA.&lt;/p&gt;
&lt;p&gt;You can find the book here: &lt;br /&gt;
&lt;a title="http://www.amazon.com/MCITP-Self-Paced-Training-Exam-70-441/dp/0735623422/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1199445450&amp;amp;sr=1-1" href="http://www.amazon.com/MCITP-Self-Paced-Training-Exam-70-441/dp/0735623422/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1199445450&amp;amp;sr=1-1"&gt;http://www.amazon.com/MCITP-Self-Paced-Training-Exam-70-441/dp/0735623422/ref=sr_1_1?ie=UTF8&amp;amp;s=books&amp;amp;qid=1199445450&amp;amp;sr=1-1&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;ISBN-13: 978-0-7356-2342-2 &lt;br /&gt;
ISBN-10: 0-7356-2342-2&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Context and issue&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In SQL Server, triggers execute using the user context of the person that initiated the statement (DML or DDL).  This user may not be the user that created the trigger and herein lies the danger.&lt;/p&gt;
&lt;p&gt;Triggers can include most SQL commands including GRANT statements and database configuration statements, such as creating a login, elevating server-wide permissions and installing custom .NET assemblies.&lt;/p&gt;
&lt;p&gt;Are you worried yet?!&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Exploit&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A malicious database developer creates a trigger on a table he/she owns.  He/she adds malicious code into the body of the trigger which he/she normally could not execute.&lt;/p&gt;
&lt;p&gt;Next, the developer requests assistance from the DBA, stating trouble performing a particular DML or DDL statement.&lt;/p&gt;
&lt;p&gt;The unsuspecting DBA tries the statement using his/her DBA account, if necessary fixing the syntactic mistakes in the developer's suggestion.&lt;/p&gt;
&lt;p&gt;The trigger is executed using the DBA's user context and succeeds in changing permissions or performing other malicious activities.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Workaround&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;There are several workarounds:&lt;/p&gt;
&lt;ol&gt;
    &lt;li&gt;Don't give your developers full DBO rights.  Instead, give them specific permissions.  Require that an authorised DBA creates any necessary triggers &lt;/li&gt;
    &lt;li&gt;Don't execute statements against a non-system database using a privileged account.  Test using an account with the same permissions as the user, or the actual user's account &lt;/li&gt;
    &lt;li&gt;Review the existence of triggers using the sys.triggers and sys.server_triggers catalogue views.  Check the code using the sys.sql_modules catalogue view &lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;&lt;strong&gt;Versions&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;SQL Server 2005 &lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Metadata&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Technorati Tags: 
&lt;a href="http://technorati.com/tags/IT%20Management" rel="tag"&gt;IT Management&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/SQL" rel="tag"&gt;SQL&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/SQL%20Server" rel="tag"&gt;SQL Server&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/security" rel="tag"&gt;security&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/database%20triggers" rel="tag"&gt;database triggers&lt;/a&gt;,
&lt;a href="http://technorati.com/tags/best%20practice" rel="tag"&gt;best practice&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;</description>
            <dc:creator>Stephen Horsfield</dc:creator>
            <guid>http://blogs.interakting.co.uk/steve/archive/2008/01/04/SQL-Server--Malicious-triggers.aspx</guid>
            <pubDate>Fri, 04 Jan 2008 11:25:17 GMT</pubDate>
            <wfw:comment>http://blogs.interakting.co.uk/steve/comments/142.aspx</wfw:comment>
            <comments>http://blogs.interakting.co.uk/steve/archive/2008/01/04/SQL-Server--Malicious-triggers.aspx#feedback</comments>
            <wfw:commentRss>http://blogs.interakting.co.uk/steve/comments/commentRss/142.aspx</wfw:commentRss>
        </item>
    </channel>
</rss>