Comments

  1. Google really needs to bring in fresh, outside, customer focused leadership or their brand will start to decline.

    Maybe this is occurring because their HR department doesn’t work too well, in fact it misstates the facts to their own internal employees trying to help with referrals, but that is a topic for another conversation.

  3. Uh, Robert? That’s a woman’s blog…

    FTB: “Posted by Rebellin Woman at October 12, 2006 09:42 PM”

    Just goes to show how everyone is considered to be male on the Web until proven otherwise. :( (Even after I switched my name on Slashdot to SlashChick, I still got replies saying “He said…”)

  5. Gmail is still in beta, so Google feels no obligation to deal with problems or respond to customers. That’s why they keep things in “beta” for so long.

  7. Six little words: you – get – what – you – pay – for.

    Paid-for hosted e-mail, with: many more features than gmail (including IMAP); better reliability; and good customer service, is available for less than $40 per year.

  9. @8. EXACTLY. Why should anyone expect Google to invest in supporting a free product? Now I suppose you could make the case that Google suffers in the long run by getting fewer ad views because of the bad service. But, I’m sure having a small percentage of people having problems with gmail is worth not having to invest in a money-losing operation like support.

    The real question to ask is why someone is not willing to PAY FOR an email service if that email address is important to them.

  11. @5. Yet another example of Scoble reading the first two sentences of something and thinking he groks it.

  12. The problem isn’t necessarily the lack of support for a free product. It’s the hypocrisy of bragging about security when this incident shows they don’t give a damn about security.

  14. LayZ: I had about 90 seconds in between flights and missed that. Glad you are so helpful. I can’t wait for you to start a blog and for you to make a mistake. You must be Jesus since you’re always so perfect.

  16. Three fingers point back at us when one points to the faults in others.

    Robert,

    If you were not so boring, we would go somewhere else. ;) Right? How about a pre-Scoble post? Your editors/critics could rip you first in pre-post.
    Always a good read. Thanks for the Technical stuff without the fluff.

  18. Greensboro? I just moved to Greensboro for a job (MSFT) … too bad I didn’t know about this event sooner! Have a great talk, be sure to post about it.

  20. LayZ, are you really Techno Jesus?

    Robert, it’s funny you are “calling Matt Cutts” on this and I know it’s probably just a fun blog tag game, but it brings up a growing challenge at Google which is that Matt, a very high level guy over there, and a handful of others are the public face of Google.

    I think they are mistaken not to invest in a big support infrastructure, but it sure seems to be working so far.

  22. Scoble,

    The main reason I don’t like journalists (and I prefer bloggers) is that they tend to write about problems they don’t understand (in my own little Europe at least); the bloggers (whose stream I read) tend to stay on topics they master. From my point of view, you are getting closer to that line; do more background work: the fewer and better your posts, the more appreciated your blog.

    I’ve been active on most Gmail Help forums, and there are two things you learn from there:

    - most users are really clueless, and a fair share is pissed and plain rude: I mean, more than the usual forum. I’d love to reply “RTFM” most of the time, but there is little doubt most won’t get it, and in any case, it wouldn’t help; typing always the same advice, and instead of getting thanks, having more newbies yelling their ignorance out (instead of reading previous posts) is boring–this tends to get on everyone’s nerves. I am studying users’ appreciation, so to me it’s a goldmine, but for the coders, it must be tough; their response pattern tends to concur with that too (nice, nice, not so, not, away for a while, and back nice).

    - most demands are watched, very rapidly, but usually without comments: instead of explicitly caring about individual users, Google’s approach is very much not “humane”: they do it, in the code—because that’s the fairest, simplest way to do it, and the obvious one for developers. Make a fine product, make it better; no need for PR if you are doing your job. I tend to prefer this approach: I don’t want to pay more (or have more ads in that case) to have a guy that failed a career in marketing explaining to me what I should do when I am simply mentioning a clearly isolated bug (and hope nothing but to have it corrected whenever it tops a priority list that has to be secret). And I really prefer to know a good coder is working on something no one can replace him with. Most users complain about this attitude: no phone lines, no human speaking. I try to reassure people, and tell them they are listening—but they are not coming back with a smile, nope.

    There are tricks though: if you mail about an error, you get an automated message; most people seem to get upset by getting a receipt confirmation. If the problem needs help, someone usually explains that replying to this message will get you “a real person” (That’s ridiculous, as the first message has been read already, simply not replied to).

    In this particular case, Google is not responsible: that person probably got a key-stroke logger, an easy-to-crack password… Neither case is covered by any digital service. What update should any service do in that instance? What line of code to change? Gmail developers are certainly useless in that case. What proof do they have that the plaintiff is actually the user? Hint: they are not allowed to look into the account in any case, and the hacker knows about the private question, and all the messages.

    They apparently are heavily under-staffed: how many more people will they need to hire (and they have issues hiring, because of their demanding process) to deal with a problem they are not responsible for? On a Beta service that comes without any warranty?

    Of course legal is for a**hole lawyers—but it’s more than that from Google’s point of view: they claim, they know the product is not fully ready—and that case proves it is not. They might need to come up with additional security for a service most people will use for storing all their really sensitive info.

    On the short term, or without such a solution, should they lower their hiring standards because their users are clueless about computer security? I’m not trying to be offensive, but to underline the debate.

    Their way to do it is (as they have done already) make the simplest and decisive advice on how to avoid those problems; the day someone abides by those and gets into trouble, they will adapt. So far, their legal waiver pages have been the only one I read; they care about making those things clear.

    They think in large numbers—and they have to—do they think about the one? I don’t know: if they do, it’s behind the scenes (I received private messages from them, not important stuff; but the point is they do it.)—but I believe they do, as all cases tend to go quiet after less than a week.

    On a personal note: I am very upset to read someone who thinks that she can bother someone as busy as a VP for a problem anyone can appreciate. Senior executives are for tough calls; this demands at most interviews to identify the hacking technique. Three days is long with your ID stolen—but not from an over-worked professional point of view. Sending 11 applications won’t help that–it simply sends the message “I’m not ready to deal with that serious situation cold-headed”, i.e. the wrong message. If I had to deal with several of those issues, I’d prefer to have this case wait for her to cool down. I know it’s wrong: I actually tend to go for the most upset first, in the forum and in life—but you can’t blame folks from Google for their attitude and come up with a bad one.

    Last point: all the cases of suspected Gmail ID theft that I have heard about on the forum are related to Paypal; I think that is odd—and I’d like to have an idea on which one is the easier to compromise, and some statistics on how many of those had the same password for both.

  24. bertilhatt,

    If Google will care about security – they will offer real password restore service.

    Like an automated dialing of phone number user has specified for password restore.

    Or blacklisting/graylisting IPs used to access hacked accounts.

    There are a lot of things that company can do to protect their customers – even if those are “stupid users” who got some virus/keylogger installed every week (as those are 90%+ of Internet population).

  26. I am not sure the phone thing would work for any country: remember it’s a global company—they have to consider phone lines being spied on by totalitarian regimes, for instance; but such an opt-in feature might help (and I can imagine from other details that they already are moving there). Hackers tend to know they should use IP shells.

    But again, I’m definitely not a security consultant. If you have a clear idea on how this works, you certainly can offer them to use that (in a very cold and anonymous on-line form): the average suggestion to update time is extremely short.

    Oh: and, for Google, “customers” are called “users”. I was not trying to put them down, but to offer a possible developer’s perspective, and mostly to point out that Gmail was facing a unique situation, of having people ready to store all their personal information in one place—while the closest equivalent, Paypal, can rely on a banking system that can react, Google sees yet another limit to being such a lean company.

    They certainly need to come up with a solution, but I for one would rather have Sheryl Sandberg think about how to make a sensitive long-term solution, than spending the same time quieting someone upset. The irony is that the Google Toolbar anti-phishing feature has saved thousands of other sites.

  28. Last (Sorry to take so much space)
    I can’t find her being anywhere around Gmail-User, the official help forum you can reach by clicking on “Help” in Gmail, or find with a simple search.
    There she might have noticed that several users have been experiencing some access issues.

  30. @19. You are saying two things. It is risky to have your life online. Esp. if the host company does not want to cover you for your problems. Anybody’s account could be hacked, no matter how clever he/she is. Second thing you are saying is that it is okay to ignore customer’s problem in case these problems are customer generated.

    Fortunately Microsoft does not think that way. Microsoft otherwise could blame users for all the hacks that happen with Windows. Not all users are geeky like you. Microsoft instead tries to follow a multi-prong approach. Educate users. Of course, it is not possible to educate all users in 5, 10 or even 50 years. So try to create systems to protect users. You know, majority of IE attacks won’t harm “educated” users. Do you believe Microsoft should say, why that user downloaded the infected image? As in Google case, I am sure even Microsoft’s lawyers must have covered Microsoft, in case Microsoft decides to ignore customers’ fault. No, Microsoft does not hide behind these terms and conditions. These are for Microsoft’s protection in the court of law. In the market it is the satisfaction and understanding of users which brings them back.

    Therefore, Microsoft tries to cover users. They try to fix faults and provide patches. They even try to find the hackers and deal with them according to the law of the land.

    In a case, if you need to contact them, they respond with their best ability. This is true even for the free products. My wife wrote hotmail customer service several times. After getting an initial automated response she always got a human’s response.

    One way is to blame users and say that highly qualified PhD employees do not deal with low level customer service issues. Another way is to actually try to feel the pain of the users, of every single one of them. No company is ideal. But a company who tries to follow the latter has a far longer lifetime than a company who tries to follow the former.

    Disclaimer: The commentator is a Microsoft employee. The opinion expressed is his own based on his observation of Microsoft from inside as well as from outside.

  32. Kamal,
    You misread me: I was not trying to say Google’s attitude is right, or the best–just that they see things differently. Their perspective collides with an increasingly personal on-line information. I certainly never thought of anything close to “highly qualified PhD employees do not deal with low level customer service issues”: they do, in what they think is a more efficient way.

    They want to organize the world’s knowledge and only have a few thousand employees: no way to handle that without pushing automation and algorithms to their limit. Using Google is assuming a CS PhD can do better because his code is brilliant, and with a more functional UI, because few companies have such a large of their efforts toward that. What proved relevant for search (e.g. against Yahoo! human inventory and inded thematic indexes) demands a different attitude regarding bugs too: you need to write, and accept a better answer demands more time. Bad patching is faster, but not preferable. Coders don’t answer the phone: they do the job silently; with intimacy involved, this can trigger very violent reactions. Sending 11 reports for one incident is the kind of attitude that kills the direct relation with the developers Google pioneered, and pushes toward more red-tape.

    Saying “Look: she’s not happy!” misses that aspect. I’m not neglecting the consumer rage, or the effort to educate them; I just think these need to be compared to what they trigger. And I’d be happy to measure how much Google taught to common users and compare.

    Take the recent Facebook trainwreck: if they’d try to calm down, abide the demands, come right away to the window, the idea of having feeds in a SNS would be dead. They preferred to go in favor of the best service (because, somehow, they were able to know better) and think about it, and code like mad for three days—and come up (a little late) with the over-all best solutions. Some users still wanted to have the whole thing shut down; but instead of going for the loudest, they went for what their experience told them was the long-term.

    People complain Google maintains things in Beta “too long”: this could be one of the reasons why.

    What I would be tempted to think is that there are some updates on Gmail security procedures, not all go so well, and some log-ins don’t work (see the forum); what goes behind the scenes might be too big for this isolated case to get the priority. She also might have over-interpreted a failed log-in; this won’t prevent her from receiving a personal response–but not just now, maybe.

    I do not want to say anything personal about Microsoft patches policy, or customer relations; but anyone around me (including my computer-illiterate mom) could tell you that what you describe is very very different than most people’s experience. Or rather, to sound positive: let’s say the quality of Microsoft products led me to learn far more on computer inner workings than I would have expected.

    (Funny enough, I’ve been looking on Hotmail.com, and couldn’t find any form to fill in case of an ID theft)

  34. I had the exact same experience in July of this year. I’m not convinced it was a hack, by the way. Google will lock down accounts that are accessed by multiple machines in a close time span, or if GMail notifier is running when Google Desktop is running, etc. In my case, I accessed GMail from a Cingular phone right before it was locked down. When they got around to responding, it was fixed right away.

    It seems like this starts happening right around the time that they roll out new stuff (like their spreadsheet/Writely combo).

    After I got it sorted out I created a second email box on another freemail service and set Gmail to send a copy of all my sent and received mail to it, because the most frustrating part of the whole experience was this: The information I needed to unlock the account was in my GMail account. Since I got GMail via a cellphone invitation, that code was long gone and so I couldn’t provide the information Google required to reset my password.

    DnW

  36. Google 0, Ebay 1

    Even to the best of us, bad things happen; such as losing control of our internet accounts. This just (as in this morning) happened to me, exactly as it did to Rebellin. My Ebay account and Gmail account were suddenly…

  37. bertilhatt @25. Your point is well taken. You would not find any special form on Hotmail to report ID theft. I am not sure if there is any. ID theft is a big issue. Microsoft even allows you to contact them for any customer service issue, big or small. Follow the “help” button. You may get the majority of problems solved there. If not, then press the “more help” button. It will take you to a form. That’s what my wife did, and she got a human response shortly after the auto response. BTW, do you know what the latest acquisition (Colloquis) of Microsoft does — it gives a platform to solve customer service issues more effectively.

    And why do your friends and family not find the same experience with Microsoft as I do? The reason is that Microsoft provides a much more complicated service (a general purpose computing environment rather than a special purpose service). But here we are talking about the business philosophy. Microsoft tries to cover users even if it is a user (or hacker) generated problem.

    An online service is not any more complicated than, let us say, serving coffee at Starbucks. Both of them are atomic products. If you have an issue with Starbucks coffee, I am sure Starbucks would like to help instead of blaming your taste buds.

    If you try to create a little bit more complicated online service, then an offline analogue could be a fancy restaurant. You do not care at a restaurant whether the chef has a PhD or not as long as you are getting tasty food. In many restaurants, if you have a question about food quality, the chef may even be willing to come and see you. Sure, a restaurant has a small number of customers to deal with. But then a restaurant has only a small amount of resources too.

    Bottom line, an online service must work as a black-box for a customer. It should not matter whether it is a human or an automator on the other end.

  39. bertilhatt,

    One of the solutions I know could be the ability for users to provide a PKI digital certificate to be used for login (or password recovery).
    So users who are using two-factor authentication (like eToken http://www.aladdin.com/eToken/default.asp or iKey http://www.safenet-inc.com/products/tokens/iKey1000.asp) can rely on it to keep their private information really private.

    With Google for Domains – there are expected to be more users than simply moms and dads sending “I miss you so much” emails. Stealing a domain administrator password can be a huge disaster for an entire company/campus.

  41. [...] EXAMPLE 1 On Scoble’s blog, I read about a user struggling to get a response from Google for a GMail account that was taken over. Now, compare this with eBay (who every blogger is happy to fry at the drop of a hat). [Before I get into it, FULL DISCLOSURE — I used to work at eBay and had a great 5 years there. But I admit that there are lots of things eBay could do better. So, to any imaginary readers who want to flame me, this is not about what eBay can do better!] [...]

  42. Holy smokes, I made the Scobleizer blog?! WOW! Thanks for posting my issue. Google finally shut down my account after 4 days of no response, but said that they couldn’t verify my identity so I would not be allowed access to the account again. I still firmly believe that a 4 day response time is unacceptable when it comes to the security of my personal data, AND, it is crap that they won’t give me a chance to prove my identity with official documentation. I understand they’re busy, but they shouldn’t have launched this product if they couldn’t support it. Yes, it’s free, but they’re selling ad space on our accounts!

    So now I’m wondering where I should set up my new primary email account. Any suggestions?

  44. Rebellin Woman had her PayPal account hacked, which had the same password as Gmail. Google safety features were never breached. I appreciate everyone has too many accounts to use different passwords, but having a different one for your bank and for the place where you store everything, that sounds like the bare minimum to me.

    As they cannot look into your mail (for both legal and technical reasons) there was no way to get out of there, except close the account: taking four days to make such a big decision, and to be sure the account was actually hacked and not just experiencing security issues, that doesn’t seem much to me.

    Now the question is: should a mail provider, offering life-long archive, keep access to your mail?
    I’d rather not.

    Kamal: the problem I have seen the most is a computer completely stuck (hence no way to surf or mail) with a non-existent hotline. Those lucky to have a friend writing on behalf of them received a reply that they were not entitled to spend someone else’s assistance allowance.

  46. @4, I agree that’s a different subject. I submitted your resume in our recruiting system; if the folks that handle hiring didn’t think you were a good match, then that’s their call.

    Looking into this, several people mention both their Gmail and eBay/PayPal passwords being hacked at the same time. That sounds like phishing or a virus/trojan to me.

    Gmail provides the ability to set an alternate/backup email address; see here for how to do that:
    http://mail.google.com/support/bin/answer.py?answer=6566

    And you can choose a security question (or write your own). If someone doesn’t give either a backup email address or a security question, it is a harder issue to investigate whether someone is who they say they are.

  48. Matt, is it common knowledge that David Dalka had been considered by Google recruiters who thought he was not a good enough match?

    I did not know this. Even if this is common knowledge, this has nothing to do with the discussion here. And I think such facts should be kept internal to Google and shared with the subject in private instead of publicly disclosing them. This is private information and somebody’s dignity could be sensitive to it.

  50. Matt @39,

    And what use is setting an alternate email address, or a security question, if they can both be changed by anyone with access to the account? That may help the forgetful, but not those who have lost control of their accounts, like me.

    FWIW, eBay seems to do much the same thing, but keeps a record of all the alternate email addresses you have ever provided for the account, even if you change them. Seems reasonable to me…
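
The recovery problem raised in the comment above, as an added example that is not part of the comment thread and not eBay's or Google's code: recovery addresses are kept in an append-only history, and reset mail goes to the address that was in force before a cooling-off window, so a hijacker's recent change cannot redirect recovery. The class and function names, the 30-day window and the timeline are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: recovery settings changed within this window are not yet trusted.
COOLING_OFF = timedelta(days=30)


@dataclass(frozen=True)
class RecoveryChange:
    email: str
    set_at: datetime


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)  # append-only, oldest first

    def set_recovery_email(self, email, when):
        # Append instead of overwrite, so a hijacker's change cannot erase
        # the address the real owner registered.
        self.history.append(RecoveryChange(email.lower(), when))

    def current_recovery_email(self):
        return self.history[-1].email if self.history else None

    def recovery_email_in_force(self, when):
        """Address that was active at `when`, or None if none was set yet."""
        active = [c for c in self.history if c.set_at <= when]
        return active[-1].email if active else None

    def ever_on_file(self, email):
        """Evidence for a manual identity check: was this address ever set?"""
        return any(c.email == email.lower() for c in self.history)

    def recent_changes(self, now):
        """Changes inside the cooling-off window, worth flagging for review."""
        return [c for c in self.history if c.set_at > now - COOLING_OFF]


def recovery_destination(account, now):
    """Send reset mail to the address in force before the window opened."""
    return account.recovery_email_in_force(now - COOLING_OFF)


def constructed_takeover():
    """Constructed timeline: owner sets an address, a hijacker replaces it."""
    acct = Account("owner@example.com")
    acct.set_recovery_email("owner.backup@example.net", datetime(2006, 1, 5))
    acct.set_recovery_email("hijacker@example.org", datetime(2006, 10, 11))
    return acct


if __name__ == "__main__":
    acct = constructed_takeover()
    now = datetime(2006, 10, 12)
    print("overwrite model sends reset to:", acct.current_recovery_email())
    print("history model sends reset to:  ", recovery_destination(acct, now))
    print("flag for review:", [c.email for c in acct.recent_changes(now)])
```

The protection lasts only as long as the window: once a changed address is older than the cooling-off period it becomes the recovery destination, so the owner has to report the takeover before then.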

  52. Who watches the watchers.

    Passwords as a secure system are flawed by design.
    Even in secure systems, I have seen people laugh at the IT people trying to implement security through passwords. Users have shown me elaborate systems of passwords that must be changed every two weeks on several systems. The same people then proceeded to show me the cheat sheets with the passwords taped under desks or in books, sheets kept in wallets etc. etc. The IT people in an attempt to try to teach the folks a lesson would send out love notes/emails to the boss from unattended computers. Funny people.

    Even computer access cards do not work when the operator gets up to take a pee or when they go for coffee without logging off or pulling the card. The best system I have seen was a (FORD) laptop system, which required both a password and a prox key.

    An even better system would be a dual piece system that has a five to ten foot range. A two-piece system would allow you to walk away from your machine without locking the system down. Auto-lock would occur when you exceeded the range of the keys.

    Instead of constantly changing the passwords, the user would have a new key issued by the security managers at a frequency TBD by security.

    High security areas could also have blackout screens, which would be active whenever an unauthorized key enters a zone of higher-level security. The technology exists; it only needs to be addressed from the level of the user instead of the paranoid view of IT folks that are providing what is viewed by many as a false security system.

    Everyone wants a secure system. No one yet has been able to come up with a viable system.

    Email compromise can occur with shoulder peekers, etc. The old saying “locks only keep honest people honest” holds true for passwords. Real hackers/thieves can find ways around all systems.

    Just a thought.

  54. @41, I completely agree with you. After trying this out myself to see what it would be like if I got hacked, I passed along similar sentiments as feedback.

    Kamal Jain, I don’t think David’s desire for a job at Google is a secret; he’s registered http://www.nextgoogleceo.com/
    to make his case. I certainly didn’t intend to convey anything other than that I’d submitted his resume on his behalf. BTW, if you’re a junkie for all things David Dalka, he’ll be doing a speech at eComXpo:
    http://daviddalka.com/createvalue/2006/10/17/my-speech-at-ecomxpo-now-has-a-contest/

    @42, but we should try pretty hard to handle the common cases. Forgetting a password is one, and having an account stolen is another. I personally think Google does pretty well on the former, but could improve on the latter.
