This entry is cross-posted at blogcritics.
There have been a lot of security issues posted about the Internet lately. Some of them involve Google, the well-known and well-used search engine.
Now, before I write the rest of this piece, let me tell you in no uncertain terms that I use Google daily. I like Google. It finds what I’m looking for. It does what it’s supposed to do.
In short, it works.
Recently, my PC died, and I replaced it with a new Intel CoreDuo MacBook. I love this computer for the same reasons I like Google: it simply works. It even does Windows — better than a PC can, I might add.
But I ran into something quite disturbing this morning. I was viewing my firewall reports because of an unusual error notice.
My six-week-old Mac was trying to “phone home” — to Google!
So I fired up my email program:
Dear Google (this is an open letter):
My firewall recently gave me this warning:
Aug 12 12:41:29 [this]-computer kernel[0]: Stealth Mode connection attempt to TCP 10.0.1.2:50626 from 64.233.179.104:80
So I ran a WHOIS and found this:
Server Used: [ whois.ARIN.net ]
64.233.179.99 = [ ]
OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US
NetRange: 64.233.160.0 - 64.233.191.255
CIDR: 64.233.160.0/19
NetName: GOOGLE
NetHandle: NET-64-233-160-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
Comment:
RegDate: 2003-08-18
Updated: 2004-03-05
RTechHandle: ZG39-ARIN
RTechName: Google Inc.
RTechPhone: 1-650-318-0200
RTechEmail: arin-contact@google.com
OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: 1-650-318-0200
OrgTechEmail: arin-contact@google.com
ARIN WHOIS database last updated 2006-08-16 19:10
Enter ? for additional hints on searching ARIN’s WHOIS database.
Questions:
1) What are you doing in my computer?
2) Why are you doing what you are doing in my computer?
3) Why is my computer trying to “phone home” to Google — behind my back?
Fortunately, my computer has an excellent firewall that blocked the communication. I find this occurrence extremely disturbing; please enlighten me.
Sincerely,
William Kessel
–
http://www.collisionbend.com
I’ll keep you posted on their reply.
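The fields of the firewall entry quoted in the letter can be read mechanically. The following is an added example, not part of the original post: it parses "Stealth Mode connection attempt" lines and labels which side is the private address and which port looks like a server port. The second sample line, the port thresholds and all function names are assumptions, and the labels are a triage heuristic rather than proof of what generated the traffic.

```python
import ipaddress
import re

# First line is the entry quoted in the post; the second is constructed
# (documentation address 198.51.100.7) to exercise the other branch.
SAMPLE_LOG = """\
Aug 12 12:41:29 [this]-computer kernel[0]: Stealth Mode connection attempt to TCP 10.0.1.2:50626 from 64.233.179.104:80
Aug 12 12:41:30 [this]-computer kernel[0]: Stealth Mode connection attempt to TCP 10.0.1.2:22 from 198.51.100.7:41822
Aug 12 12:41:31 [this]-computer kernel[0]: some unrelated message
"""

LINE_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)
# RFC 1918 private ranges (not routable on the public Internet)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EPHEMERAL_MIN = 49152  # assumption: IANA dynamic port range as "client port"


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Return the endpoints of one stealth-mode entry, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"proto": m["proto"],
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"]),
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"])}


def classify(e):
    """Heuristic reading of one entry; a triage hint, not proof."""
    if not (is_rfc1918(e["dst"]) and not is_rfc1918(e["src"])):
        return "not external-to-private"
    if e["sport"] < 1024 and e["dport"] >= EPHEMERAL_MIN:
        # Well-known server port talking to a high client port
        return "external server port to local client port (reply-like)"
    if e["dport"] < 1024:
        return "external host to local service port (probe-like)"
    return "external-to-private, other"


def triage(log_text):
    entries = (parse_line(line) for line in log_text.splitlines())
    return [(str(e["src"]), e["sport"], classify(e)) for e in entries if e]
```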

August 17th, 2006 at 3:58 pm
I’m only 95% sure, but it looks to me like that’s an access FROM google TO your computer, not the other way around.
August 17th, 2006 at 4:37 pm
Chris, normally I would take a look at my argument a second time and reconsider my remarks, but:
1) this was accompanied by about 30 other attempts within seconds of each other, much faster than I could do myself (I did not include the entire Console log for limitations of space);
2) what I didn’t explain earlier (and, in retrospect, I probably *should* have) is that I had another stealthy attempt to access cox.net — with whom I have had absolutely no dealing whatsoever (again with about 30 attempts listed — all within seconds of each other);
3) the network IP requested in both (Cox and Google) cases (10.0.1.2:50626) is not within my network at home;
4) I went over my history in Firefox, as I have that nifty little IP identifier extension in my status bar, and the cox.net/cox.com/coxnet.com IP block never shows up — in fact, it’s not even close.
Spyware and malware sweeps on the Mac side are inconclusive (I haven’t logged into Windows on this machine in two weeks), but Mac spyware/malware/anti-virus software isn’t worth much anyway — there’s really no need.
These are not user-initiated attempts, and from the Console report I can only conclude that these are external sources.
August 18th, 2006 at 11:31 am
OK. Someone who declined to leave a name (so I won’t let that person comment here), replied that this was a Google response to an image search.
Sounds reasonable. While I occasionally run an image search on Google, I haven’t in a long while — at least back to last month, which would coincide with the time I purchased the MacBook. Looking back, it is entirely possible that I last ran a Google image search on my bride’s computer and not mine — it’s been that long.
Good idea, but it’s ruled out.
He (or she) also asked what result I get when I ping/traceroute IP 10.0.1.2. Internet 101: the IP addresses 10.0.0.0 through 10.0.255.255 are reserved for private networks (ditto for the 127.0.*.* and 192.168.*.* IP families). If I ping 10.0.1.2, it goes nowhere, as this IP does not exist within my home network.
So rule that one out.
OK. They also questioned the location of the gear and firewall. Here goes: Mac with firewall (IP 192.168.0.2) connects to wireless (WPA2 security, IP 127.0.0.2) with another firewall which connects to a wired router (IP 192.168.0.0) with yet another firewall which then connects to my DSL modem.
Cross out that one, too.
So, possibly a wifi coffee house? Possibly, except that the MacBook has been out of the house exactly twice so far: August 2 through 6, when I was in Connecticut (the events in question were on the 14th, and in Connecticut I was only protected by the Mac firewall, connected directly to a DSL modem — which leaves a door open, but the dates don’t jibe), and yesterday afternoon (the 17th) at the Willoughby Arabica.
So that’s pretty much ruled out. Not too many options left.
Gmail account? I have one. Didn’t access it this week at all. Not once.
Bounce that one, too.
I just want to know what’s going on here; I’m not pointing the bony finger at anyone. Because it’s happening with one (unrelated) web server and Google at the same *approximate* times (within a few hours each), it might be a piece of malware deposited from some web site somewhere.
But then, why phone home to Google? Sure, they’re rolling out free Internet service in their hometown, which qualifies them as an ISP, but not for a while yet; it was just announced this past week.
So if Google comes back and says, “it’s not us, but here’s what we know about scripting and malware that would create your issue…”, I’m cool with that: at least there would be, assumably, a solution.