
Re: What's the deal ?



One would be wrong to say it could never happen; however, one would be
misguided to say it has a high or random chance of happening.  In software
where the source code is public domain (depressingly enough becoming a
smaller percentage every day) it's highly unlikely that a software developer
would put a trojan horse in that forwards data it's not allowed to touch, as
other programmers in the community could spot that.  In private-code
browsers, it's highly unlikely that a large company would risk ridicule and
possibly lawsuits to gain some random information from people's hard 
disks.  Smaller community-based browsers have this risk simply because 
fewer people are using them or watching what they do, but that doesn't make 
it any less immoral or less open to the possibility of legal action.  

So, the risk is there, but only in browsers that are less commonly known 
and less rigorously tested.  It all depends on who you trust, really.  
Perhaps one function of the W3O could be a certification authority (like 
Underwriters Laboratories in the US) that places their seal of approval 
on browsers that have been verified to conform to a couple of strict 
criteria (such as not passing along information from a user's hard disk 
not specifically part of the browser's functionality).  

A similar case happened a few years ago with Prodigy's client - it does
client-side caching of images to optimize performance, and in doing so it
allocates a 1-megabyte chunk of space on the hard disk.  Users would see this
large cache.dat file and wonder what was in it, and when they'd look using a
word processor they'd see old copies of their personal files that had been
deleted (remember, deleting a file just removes a pointer to it, it doesn't
zero out the actual memory) and presume that Prodigy was uploading their
personal files.  This turned out to be a bunch of hooey, but it's a
refreshing reminder that people are concerned about this issue. 

	Brian


On Tue, 14 Feb 1995 mpoole@heac006.gb.ec.ps.net wrote:
> I suspect that the following is not a real issue, but would be interested
> to hear if anyone has any real details of what the problems are/were.
> 
> 
> > ONLINE SPYING
> > While you're connected to your favorite Web page, it's also connected
> > to you, and could be copying all sorts of information off your hard
> > drive, say industry experts. In fact, it happened last year when
> > Central Point Software used registration software developed by
> > Pipeline Communications, and inadvertently also gathered descriptions
> > of the users' systems -- the type of microprocessor, the version of
> > DOS and Windows, the type of display and mouse, and the amount of free
> > space available on the hard drive. Customers squawked, and Central
> > Point had Pipeline change the software. However, Pipeline reports that
> > at least one of its clients is using the scanning feature now -- but
> > only after getting the owner's permission. The lesson? "If you can't
> > trust it, don't connect to it." (Forbes 2/13/95 p.186)
> 
> 
> -- 
> Martin Poole, Perot Systems Europe              mpoole@heac006.gb.ec.ps.net
>  "No matter where you go, there you are."       mpoole@cix.compulink.co.uk
> 

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@hotwired.com  brian@hyperreal.com  http://www.hotwired.com/Staff/brian/


