if you attach documents by linking to a Google Drive document, sure.
if you attach documents 'inside' the mail (i.e. MIME encoded multipart) that is most definitely not secure.
1) you do not know how that mail gets delivered, not necessarily via servers that support encryption
2) you do not know how that mail, or the attachment, gets stored on the local machine
3) you do now know if the mail, or attachment, is sent to someone else
4) you cannot revoke the access to the document once the Need To Known stops
In our ISMS, sending Highly Sensitive data (ex: customer data) by attaching directly to a mail, is strictly not allowed by the IT charter. We explain it during an on-boarding meeting to all new staff members. And it's a fireable offense.
in the NRC article it says that board members started to complian that the CEO was "making choices that were not in the interest of the company". Four days later they were fired.
"It was at that moment that Nexperia alerted the ministry of Economic Affairs"
Right, I suppose at that point there was some chauvinism or at least fear of being held accountable for it. But the thing that surprised me was that there was actually someone listening at Economic Affairs. Perhaps at that level a board of directors has connections at the government. Either that, or there's some AFM type branch that listens to directors' complaints.
The Chinese CEO of Nexperia, Wing, tried to divert company funds to finance his own chip factory, WingSkySemi, appointing straw men to key positions and firing European executives, which led to a major internal conflict.
Right, while I understand the potential compute cost, it would be like the iPhone restricting the number of times you could use “allow once“ for location permissions.
As a CISO I am happy with many of the protections that Google creates. They are in a unique position, and probably the only ones to be able to do it.
However, I think the issue is that with great power comes great responsibility.
They are better than most organisations, and working with many constraints that we cannot always imagine.
But several times a week we get a false "this mail is phishing" incident, where a mail from a customer or prospect is put in "Spam", with a red security banner saying it contains "dangerous links". Generally it is caused by domain reputation issues, that block all mail that uses an e-mail scanning product. These products wrap URLs so they can scan when the mail is read, and thus when they do not detect a virus, they become defacto purveyors of virii, and their entire domain is tagged as dangerous.
I have raised this to Google in May (!) and have been exchanging mail on a nearly daily basis. Pointing out a new security product that has been blacklisted, explaining the situation to a new agent, etc.
Not only does this mean that they are training our staff that security warnings are generally false, but it means we are missing important mail from prospects and customers. Our customers are generally huge corporations, missing a mail for us is not like missing one mail for a B2C outfit.
So far the issue is not resolved (we are in Oct now!) and recently they have stopped responding. I appreciate our organisation is not the US Government, but still, we pay upwards of 20K$ / year for "Google Workspace Enterprise" accounts. I guess I was expecting something more.
If someone within Google reads this: you need to fix this.
I'm old. I've been doing security for a very long time. Started back in the 1990s. Here's what I have learned over the last 30 years...
Half (or more) of security alerts/warnings are false positives. Whether it's the vulnerability scanner complaining about some non-existent issues (based on the version of Apache alone... which was back ported by the package maintaner), or an AI report generated by interns at Deloitte fresh out of college, or someone reporting www.example.com to Google Safe Browsing as malicious, etc. At least half of the things they report on are wrong.
You sort of have to have a clue (technically) and know what you are doing to weed through all the bullshit. Tools that block access, based on these things do more harm than good.
Because maintaining is not as fun as starting? Because other people can maintain a well structured project but not as many people can start something from scratch? Because his skills can be better used elsewhere?
That sounds like the Google philosophy though, where smart people come up with ideas and write the initial implementation (then get promoted) and other less smart people take over, and you end up with a mess that had great potential like Bazel?
My understanding is that this is not a philosophy at all, it is an incidental result of a bad set of misaligned incentives, where to be promoted you need to start something new or drive growth and post launch maintenance/growth is weighted much less
This could also end up like Fabrice Bellard's projects: yes he is no longer maintaining tinycc, but as a result we are now getting ffmpeg, qemu, and more.
As much as I lament the quality of leadership at the moment (and not just in the US) I am not sure that we can equate Afghanistan with Germany.
It is one thing to denazify a "modern western country" that shares most of your values, culture and religion, and that has had institutions for some time. It is another thing altogether to pull off the deal in a country that has never had a working civil society, civil institions, education, etc. Especially if you do not share it's culture or religion, and there is a part of the country that is still actively engaged in a military campaign to obstruct you.
Not saying that it couldn't be done, or that mistakes weren't made. Just that you can't compare the two like that.
The underlying theory that the GP is getting at is that Japan and Germany were easy to rebuild because they had existing institutions and a society that trusted institutions. The idea is that it is kind of a self fulfilling prophecy; germany and Japan will "remember" how to be civilized, but under different leadership, Afghanistan and Iraq cannot revert to that.
It leans heavily on assumptions about countries and institutions.
I don't doubt that, I was just explaining the argument. It has been recently popularized in tech circles by a viral appearance by professor Sarah Paine on the Dwarkesh podcast.
I am fully willing to believe that the US royally fucked up the rebuild of Afghanistan.
That could explain the success of rebuilding Germany, as it shared a lot culturally with the US, but what about Japan? Japan was, and to a large extent still is, a very alien culture, and yet the US rebuilt it extremely effectively.
reply