Export Googleplus content: an important question to all and in particular to Edward Morbius who is very actively...
Export Googleplus content: an important question to all and in particular to Edward Morbius who is very actively sharing experiences.
Are we totally sure that the Google+ Exporter v1.7.2 is safe both in the short and in the medium to long turn? My security software doubts it.
Thanks, Peter
Are we totally sure that the Google+ Exporter v1.7.2 is safe both in the short and in the medium to long turn? My security software doubts it.
Thanks, Peter
Reasonably so, yes.
ReplyDeleteAnd for a longer reply:
ReplyDeleteThe app runs locally and doesn't involve any server-side processing. It's interacting with Google+. These all reduce risk.
The developer assures us that there's no transfer of credentials. That's comforting, but needn't be the case.
He has provided similar services and software to the G+ and other communities for years. And there seem to be no issues with those, and some strong endorsements by people I've known for a long time.
If you're particularly concerned, you could change passwords, or invoke two-factor authentication. It's possible that other Google content (mail, and pretty much anything else) could be exfiltrated. Again, given the history, reasonably unlikely.
Though that's a strong argument against all-in-one services (as Google tried to force on users through Google+). I've moved my primary mail elsewhere, and make minimal use of other Google services under this account, most have no history set.
Google also has a notion of special-use passwords for tools -- Gmail in particular -- such that you have a specific password that only works for a given machine and application to access email, when used with third-party mail clients (say, OSX's Mail.app). That seems not to be the case here.
Have I thought of this risk: yes, definitely.
Do I see a major concern? No.
Am I positive of that? No.
Life is taking chances.
You could reduce the risk somewhat by applying application firewall rules if your OS supports it. For macOS you could use Little Snitch to manually approve any incoming and outgoing connection from/to the app. Limiting it to just the plus.google.com domain could come a long way, though I bet it'd also need access to accounts.google.com at least for the sign-in procedure.
ReplyDeleteHaving said that, the same concerns are a reason why I haven't use the app myself either. Plus, I also like working on my own solution, even though time is limited, and my own solution won't be as user-friendly.
I installed the software and immediately I was concerned about the network calls it was making even before I "logged in" or accepted terms of service.
ReplyDeleteThese network connections ended up being for two things:
• His help button is a pay for service he bought. It's making a call to its service to allow for people to click the help button and send email support that's tracked on his end.
• His payment service which is only fully active if you BUY the software, but it does make a "ping" to the service to know there was a potential sale. As Filip H.F. Slagter noted, any reasonable firewall software would allow you to block these two and then allow for the google auth to work so you can test the software without giving personal data away. This is what I did for my trial run.
I then install the full version because I have 15,000 posts, so financially it made sense for me. (Rather than creating my own software that did the same thing.) Bonus, it imported to Blogger for easy checking and archiving and when I did find a bug the developer was very responsive to fixing that bug. The bug fix was out the next day after I reported it.
I don't normally suggest software, I normally tell people to build it themselves, but in this case, the cost/time ratio worked in reverse for me, particularly given the amount of time I had left before Google closed down.
I did get a "your system is making unusual requests, prove you aren't a robot" challenge today. Only a minor problem, since it let me prove and post this. ☺
ReplyDeleteMichael K Johnson Interesting. I have never seen a CAPTCHA on Google+ itself. That despite years of (occasionally) scraping the site. This seems to be a new development, and may hamper archival.
ReplyDeleteEdward Morbius I got a bunch of CAPTCHAs on Blogger while uploading my posts, but it was due to the fact that I had to do them 1000 at a time, due an arbitrary timeout set on Blogger and my network speed not being up to doing more than said 1000 posts as a time.
ReplyDeleteI was also was hit with the Google CAPTCHA today when accessing G+, after running Google+ Exporter. I've never had that happen, until using version 1.7.2. It has been occuring all day when accessing Google+ through a web browser. I'm not getting the CAPTCHA with any other Google service. I only ran the Exporter once this morning, inside a virtual machine, to get a fresh back up with the new version. I even shut the virtual machine down to see if the CAPTCHA would go away, but hours later it still happens when accessing G+ through a browser.
ReplyDeleteTom Gatermann Did the VM share your IP address?
ReplyDeleteTom Gatermann oh interesting, I saw it first after the update to 1.7.2, maybe not a coincidence.
ReplyDeleteJohn Lewis, yes, the VM shares my IP.
ReplyDeleteAll devices on my network get the CAPTCHA still, when acessing G+ through a web browser. Using the G+ app has no issues.
After 24 hours, I still get the CAPTCHA when trying to acess G+ through a browser. The CAPTCHA I'm presented with is a simple box that has to be checked, and once I check it I'm taken to G+.
I should also say that I've only done about five full refreshes within the app, over the last couple of weeks. I have less than 2,000 posts that I've exported.
ReplyDeleteI posted this update on another post in the community, but I'll post it here as well since we discussed the CAPTCHA here. After 27+ hours I am no longer presented with a CAPTCHA when accessing G+ in a browser.
ReplyDeleteTom Gatermann My guess is your IP address is different too.
ReplyDeleteJohn Lewis, I just double-checked, still the same IP. Even though I have a dynamic IP from my ISP, it hasn't changed in well over 6 months.
ReplyDeleteTom Gatermann Interesting. Thanks!
ReplyDeleteI've mostly run into rate-limiting CAPTCHAs on Google via Google Web Search (GWS), both from my ISP connection and (especially) via Tor.
ReplyDeleteFor ISP, either a pretty high rate of manual queries (I occasionally try a bunch of iterations to try to find something), or automated queries (researching, usually to find total hits within a restricted domain or TLD). For the latter, the rate-limiting is aggressive and runs well past one query every few minutes, and can remain in place for hours, possibly over a day.
I've run a few such experiments looking at a large set of search terms (often 100 or more) over a large set of domains or TLDs (often 100 or more). The resulting set is on the order of 10,000 queries, and to run those generally takes a week or more.
If there were other ways of obtaining the information, I'd use them, but there aren't that I'm aware.
By contrast, I've hammered G+ with 1+ query/s for 18-24 hours without interruption. This is the first I've heard of rate-limiting CAPTCHAs on the site.