Yes, I believe that he made an educated guess for the accounts, possibly off of IP.
As for the security stuff, you're familiar with http://googleenterprise.blogspot.com/2010/06/security-first-... and the linked white paper at http://www.google.com/a/help/intl/en/admins/pdf/ds_gsa_apps_.... The "Access Control" section says that we grant access to as little as we can, to as few as we can. All access is logged, and the security team has the logs. I'm sure the logs are about to be audited. I wouldn't want to be a Googler who had violated the privacy policy!
SREs do "production stuff". Responsibilities vary widely. Some need access to user data. Most don't.
I have no idea what alerts exist, or will be made to exist. I have confidence in the security team's ability to find effective ones.
Yes, I believe that he made an educated guess for the accounts, possibly off of IP.
As for the security stuff, you're familiar with http://googleenterprise.blogspot.com/2010/06/security-first-... and the linked white paper at http://www.google.com/a/help/intl/en/admins/pdf/ds_gsa_apps_.... The "Access Control" section says that we grant access to as little as we can, to as few as we can. All access is logged, and the security team has the logs. I'm sure the logs are about to be audited. I wouldn't want to be a Googler who had violated the privacy policy!
SREs do "production stuff". Responsibilities vary widely. Some need access to user data. Most don't.
I have no idea what alerts exist, or will be made to exist. I have confidence in the security team's ability to find effective ones.