Google Blogoscoped

Thursday, February 15, 2007

German Google Book Killer VTO (Continued)

On Tuesday, Mathias Schindler reported how easy it was to access the site of German Google Book Search competitor in progress, VTO (full text search online). A PowerPoint presentation linked from the VTO’s homepage contained the password to the Beta site, and the site itself only protected its book pages with some JavaScript that disables the right mouse button (a non-protection, actually, which the browser allows to circumvent through a variety of simple means). Mathias was able to download a complete copy of a current German bestselling book, which was quite delicate considering the company behind VTO supported a lawsuit against Google Book Search because Google allegedly didn’t protect well against the downloading of book texts.

Now, the the company behind VTO, MVB/ BoeV (the marketing and publishing service of German book shops/ the German publishers’ and book shops’ association), issued a statement regarding Mathias’ report – I won’t comment on the specific arguments put forth, as I believe Mathias’ extensive research continues to speak for itself:

The security of data and texts in the “full text search online” system is guaranteed and of highest priority. This was announced by the MVB, opposing previous statements of the Book Report Express publication, which cited tests of a so-called watch blogger who said he found “security holes” in the system. “VTO delivers a maximum security service for publishers,” director of MVB Ronald Schild says. Only the contents which have been provided to be made available freely will be accessible by users. (...)

Through a regrettable error, the internal user name and password were temporarily available as “authorized account.” Using these credentials it was easy to find access to the VTO test system. The MVB already took action and exempted project coordinator Theodor Brüggemann from his job. New passwords will be issued to the participating publishers.

During the test phase, the system contained a few texts which were intentionally provided without limitations for sample purposes. According to Schild, “This kind of access to texts is not possible when the VTO system runs in normal mode.” Unlike these full texts from the test phase, the publisher will usually limit the scope of texts which made available.

When faced with Mathias’ report, MVB’s Schild previously told Book Report Express:

We try to fulfill the best possible security standards, but we realize 100% security is impossible ...

We have clear requirement for our technology provider [HGV Publishing Services, Hamburg, and MPS Technologies, Delhi] to close potential security holes until the time we go live with a greater number of books.

Of course, the book shops’ association is outsourcing the technical details. But maybe that’s the core of the problem: they want to compete against a tech company (Google) in a technical space (the web), but they’re non-technical themselves, possibly lacking the means to judge the quality of the outsourced work, or outline meaningful technical requirements. As an example, it took me roughly 15 seconds just now to uncover a no holds barred HTML injection vulnerability on the homepage of the MBV/ BoeV.


Blog  |  Forum     more >> Archive | Feed | Google's blogs | About


This site unofficially covers Google™ and more with some rights reserved. Join our forum!