159 comments

[ 2.8 ms ] story [ 244 ms ] thread
This just happened to me. I recieved messages (in gmail) from a contact that ware meant for his wife.

Be careful! I guess the best course of action is not to use gmail chat until google announces they have fixed the issue.

No, trust has been broken.

You can't tell me you have confidence that this randomly won't happen again in the future? It's shattered mine.

Off course. I'll probably never use gmail chat for anything sensetive.
Your search for perfect, flawless permanent security will be long, lonely and ultimately fruitless.

Already you've cut yourself off from flying, riding on trains and driving. Nobody can guarantee that deadly accidents will never happen, and indeed they do happen.

Presumably you only eat food your grow yourself. There are regular instances of contamination in the industrial food sector. Not that any guarantees can really be made, but at least contamination will be mostly your own fault.

See where I'm going with this?

I generally agree with this reasoning but this is not "flying", this is "flying with x airlines which dropped a plane once".

There are alternatives and one could choose a statistically safer one. There is obviously no guarantee. However, gtalk now has the highest likelihood of sending your messages to random people. That's a reason to avoid it.

When considering "passenger miles flown per incident", GTalk (and Google in general) has a security record completely on par with the best airlines.
What about the best chat services? In something like 18 years of chatting on the internet from IRC to ICQ, AIM, Skype, even Facebook messages, I have never seen a message go out to an incorrect recipient that wasn't the fault of my own negligence.
Well, they're also good[1]? British Airways didn't become a better airline when the Air France plane crashed, just like Air France didn't become a worse one.

1: Except, of course, IRC which is a protocol, not a service, and it was never designed to be private, but that's pedantry.

I think the overall point here is that the ability for a message addressed to one person to end up on someone else's screen carries some rather unfortunate implications for the internals of the service. Compare with IRC private messages, email, heck even XMPP.
Both IRC and XMPP cheerfully supports group messages?
I know XMPP does because I use that particular function at work daily, and IRC supports person to person PMs.

What I meant though is that the fact that whatever kind of shenanigans they're doing internally has a failure condition that can misroute messages is a bit scary.

(comment deleted)
This tend to happen when your policy is to stop supporting tested, established protocols for chat clients and introducing your own in beta version to the entire planet at once.
This also just happened to me. Some messages that I send (using the browser) to a friend were received by someone else. A messages intended for my girlfriend was received by a coworker. My Hangouts app (Android) actually showed these messages in the "wrong" conversation.
Good thing I've gotten most of the friends I chat with regularly to switch to OTR-enabled chat clients.
Yeah, can we get OTR in Hangouts already, Google? (no, not that "we're not archiving it - promise!" OTR)
What would be a correct OTR implementation for you? For in-browser chat you'll have to trust them at some point anyway...
Why not with a Browser plugin? Pidgin already Supports OTR via gtalk. And on Android you can use Gitterbot. Google should really implement OTR in a Javascript library in the Client Browser. Would that be possible?
Sure, but I like the convenience of web-based no-install gtalk. I think as far as google is concerned convenience beats security.

They "read" your mails, know what you search for and who your friends are. It would seem strange for them to go out of their way to provide truly OTR gtalk. And I'm totally fine with that, there are plenty of alternatives if I ever need encrypted chat.

Wow, I've always fully trusted gtalk. Even sent over my SSN and credit card details. Never again.
Well, you shouldn't do that, ever.

That said, the perfect is the enemy of the good.

> perfect is the enemy of the good

While I agree with that statement in general, I couldn't quite make out what you meant by it in this context.

Are you saying "good" = "most of the times your Google messages will go to the intended recipients" and "perfect" = "all of the times your messages will go to the intended recipients"?

Good means that GTalk is really, really good. Perfect means that it will never have a bug.

Nobody is talking about that this is some acceptable status quo. It's a bug and it will be fixed. If past performance is considered, it will be fixed fast.

Sorry, but I disagree with your choice of adjectives.

You are reducing what happened today to a mere "bug", which is the way Google (or developers) would look at it. Instead, approach it from the user's POV. Having your financial, personal, professional, secret or illegal (yes, I'm sure there will be that too) communications sent to multiple random people is more than just a bug.

I agree GTalk is "really, really good" like you say, but then what happened today also should "never, ever happen".

Consider that statistically it can happen to any other messaging service provider. And switching to other instant messaging service won't offer you additional protection due to that the core problem (it is impossible to guarantee zero bugs without huge overheads) is the same for all services.
nope. a trusted chat system can have bugs. just not THIS KIND of bug. the architecture should make these kind of bugs non existent. with email you don't see these kind of things happen, with dns lookup you don't see these things happen. WTF is up with google here?
All bugs are not created equal. Complete privacy violations in the core functionality of the app are unacceptable. They need to be made aware of that. "It was a computer bug" is a poor and intellectually dishonest excuse coming from a company that takes pride in hiring some of the best engineers in the world.
But GTalk isn't 'really, really good' from my perspective/experience.

- Multiple sign-ins cause issues all the time (Gtalk in GMail, GTalk on the phone/tablet is already enough to cause it to go nuts and send messages here or there, seemingly random). It _could_ allow me to specify what I prefer (XMPP should support that), but it doesn't.

- Loses messages all the time (every ~10th message doesn't arrive. My wife and me stopped using it for anything of value because of this)

- Hangout. The "We don't like XMPP anymore, want to force you to use G+ and .. have the most ugly show-me-some-comic-bubbles interface to make the transition extra smooth" app

Actually I wouldn't be surprised if the issue is hangout, not GTalk-the-original-xmpp-thing.

> perfect is the enemy of the good.

Yep, that is what they say. You know what else they say ?

"The enemy of good is good enough"

and also

"A witty saying proves nothing".

You probably should've stopped doing that after the PRISM revelations anyway.
Yeah, because the NSA wants to buy stuff with your CC number.
(comment deleted)
We deserve a public and highly detailed post-mortem.
Do we?
Yes, we do. Especially all those business users who have paid for GApps and have trusted Google with their comms.

In general, we deserve to have more decentralised services that are built on the principle of 'privacy by design', rather than 'trust by design'. Maybe, screw-ups like this can help spur more efforts in that regard.

If a distributed, private by design service happened to be 300% as expensive, will you be willing to pay for it? How about 200%? 120%?

How much are such things worth for paying customers?

If you're asking me specifically, then yes I'd be willing to pay for it, preferably as a part of a set of services/tools (that would need to include imap, contact management, calendaring). I'd happily switch away from Google services for that, providing usability isn't hugely compromised [1]. I'm actually working on open-source infrastructure to get us closer to this [2].

If you're making a general point about why people would pay for such things then privacy/security is just one more axis on which to consider purchasing decisions. It's up to the individual/organisation to decide what they really care about when they're choosing between different options. My concern is that there aren't really enough options that do consider the privacy/security aspect as well as the usability, so I see a gap there. I'd be glad to hear others' opinions on this though.

[1] I was already a paying user of MobileMe purely because I wanted auto-syncing of contacts and calendar so that price-point ($99 per year) is clearly one I'm willing to pay for something that works. I paid it grudgingly at first but I did pay (and renew). Whether that's actually a sustainable price-point for the provider is a different question.

[2] http://nymote.org/blog/2013/introducing-nymote/

I agree that paid GApps customers absolutely do, and maybe even a slight refund for the outage they should be taking. But free customers don't. With no payment also comes no expectation of service (outside the Terms of Service, which probably says that this kind of stuff will happen from time to time).
> "But free customers don't."

I respectfully (and strongly) disagree. You're essentially saying that free customers can be completely screwed over and have basically no rights at all (and you seem to be implying that this ok). Legally speaking, maybe Google has absolutely no obligation to say anything (even to it's paying customers), but this isn't about meeting the minimum legal requirements.

On a related note, how many people really have the ability to comprehend the ToS they click on? The reading level of many of those is surprisingly high given the demographics that use the services, so the concept of 'informed consent' is already quite strained imho. Therefore, people fall back on trust and it's probably in the providers interest that they do this (as they can make a ToS that's great for their own needs, while legally providing very little to the user).

> With no payment also comes no expectation of service

As a general rule, this is not true according to the law. If I feed someone a free meal, and they get food poisoning because I didn't maintain proper hygiene in my kitchen, I am at fault.

You will get a full explanation, under NDA, if you're a paying customer. For the rest of the people you're getting some PR-filtered bullshit.

I said it before and will say it again: Stay away from proprietary protocols like Hangouts.

> In general, we deserve to have more decentralised services that are built on the principle of 'privacy by design', rather than 'trust by design'

What do you mean by this? And how would this prevent a similar bug in the future?

In a centralized system a central server routes calls and can make mistakes.

In a decentralized system like BitMesasge the likelihood of a misroute is so low that it would take a trillion trillion universes a trillion trillion lifetimes before the chance of it happening once was even remotely likely, given every atom in each universe were sending a message to an other atom each pico-second.

It's just not going to happen.

We do, this is a huge violation of the trust people place in google's chat / hangouts. It doesn't matter that many people don't pay for the product, free or not there is an implicit contract between google and its users that things like this should not happen. Moreover, many people have paid subscriptions to google apps and obviously give them money directly.
Further to that, even "free" users make money for Google by reading ads published on their platform.
Just happening to me, I thought I was going mad.

It happens on regular accounts, not just Business, I've seen it this morning when I got messages intended for somebody else.

I would refrain to send any sensitive information over Google Talk right now.

> "I would refrain to send any sensitive information over Google Talk right now."

Why only "right now"? Why ever send sensitive information over a 3rd party's server. While I believe that Google will find and fix the problem, they probably make little to no claims about the level of security they offer. So using them at all should be a calculated risk.

So how else do you send them?
The exclusion of third party servers is meaningless. Any communication over the internet will pass through at least several third party routers, which are by all intents and purposes servers.

What you shouldn't do is transmitting sensitive information without controlling the end-to-end encryption chain. If you do that, you can involve as many third party servers as is convenient.

> "What you shouldn't do is transmitting sensitive information without controlling the end-to-end encryption chain."

Actually, this is what I meant and I should have been clearer. Thanks for pointing it out.

Two days back, the Mute function did not work on Google Hangout. Had to use the mute function on Mac.
Someone's continuous deployment process is about to get mirred in bureaucracy and paperwork
:-)

Releasing is hard to scale up like google have to. How many apps are they releasing to daily...!

It's not technical building blocks (they can all be automated), not even busy work, just complex intertwined dependencies from completely different, often non-electronic, domains.

Hypothetical release co-ordinator speaking: "Did app A release this morning into EMEA prod? Ok that means app B can go but only once the security review team drop their veto. Has release candidate 2 been promoted to the canary environment yet? Remember B's new deployment process is in scope this release, and do not release to the 5 servers in the BCP datacentre today..."

Could you imagine managing the constant evolution of a rules engine to replace a good quality release co-ordinator? I don't think i'd be able to sleep!

As far as i can see, continous deployment doesn't have the general applicability that continuous delivery enjoys.

No, releasing is easy, until your established process get fucked up by an Indian PM asking you to "integrate" features into G+
> No, releasing is easy, until your established process get fucked up by an Indian PM asking you to "integrate" features into G+

Was it his/her race that fucked it up? Would it have been better if Google hired only the finest corn-fed Mid Western white American?

Perhaps there is confusion in this thread regarding "PM". PM to a programmer may mean "Program Manager", but in most countries with parliamentary government, "PM" may mean "Prime Minister".
(comment deleted)
He's almost certainly referring to Vic Gundotra, the PM for G+.
senior vice president
Suddenly I'm very glad Talk has never been available in my country. After this I doubt they would have any hope of getting it past EU privacy laws anyway.

Edit:

As the people below have pointed out Voice isn't available to me - Talk is.

Wait, Talk is country restricted?
Talk is everywhere, OP probably means Voice, which isn't.
I find it very strange a simple instant messaging client would not be available in your country. Are you thinking of Google Voice?
You're assuming of course that EU companies have a better privacy track record.
I just opened the chat tab and i was shocked to see the conversation i had with my co-founder sent to my college friend. Two more lines from the same conversation was sent to my friend's brother. This is serious.
Sounds like chat roulette on a grand scale!
What if this happened with Gmail ? My bank details and other data getting displayed on someone's Inbox !

EDIT - I don't use gtalk for sending confidential info, so this doesn't affect me, but this could also happen with Gmail that I trust lot of data with (bank, school, government etc)..

I don't understand what your bank details are doing in your mail? Or what do you mean by 'details'?
This is probably a good reminder that you should never send anything in unencrypted e-mail that you wouldn't be willing to write on a postcard and send via USPS.
Remember that time when first.name@gmail.com would go to firstname@gmail.com and they were two separate accounts? People still use GMail.
Tut, always so negative. I told an old friend this morning that I was going to charge the anal probe, of course I meant that remark to my co-founder.

Haven't talked to him in ages, we had a good chat and we're going to meet for a drink at the weekend (sans probe). Cheers Google!

This is irrelevant. Just because you had a positive experience from it doesn't make this bug less serious.
Maybe he has a thing for probes?
In situations like this I would actually prefer it if the service went offline until fixed.
I've had this happen with facebook chat once maybe two years ago. I wonder if there have been other places where something like this has happened...
Wouldn't a problem like this call for pulling the service off while it's being investigated/fixed?
(comment deleted)
(comment deleted)
> At this time Google Talk is not functioning correctly and we are continuing to work to restore full functionality.

This is where you turn it off until you fix it. This isn't a service disruption, this is a service malfunction with far more serious potential consequences than delayed emails, or inability to download an app, or duplicate credit card charges, and you can't fix those consequences after the fact, not even by applying vast amounts of money.

I think they turned off Hangouts and reverted to old talk. I noticed that messages I've tried to send with Hangouts from G+ web page were not delivered and chats from gtalk dekstop client are saved in gmail as "chat" not "hangout"
Maybe this explains why us people that link our SIP to the PSTN via Googlo Talk haven't been able to do so for the last 18 hours or so? Maybe they are attempting to figure out what they can safely turn off/revert.

Edit: A bit of reading says that this probably is unrelated...

Time for some Russian roulette: Send offensive messages to random people on your GTalk and see who receives them!
I have experienced this bug for years: everything I send over GTalk goes to the NSA.
(comment deleted)
(comment deleted)