Re: SpiDynamics WebInspect - Keeping Track of its Users?

["Caleb Sima" <csima () spidynamics com>]

I can understand DB's concern and I apologize to DB that the support and
sales people that he spoke to did not elevate this up to the proper
individuals to answer his questions properly.
(No developers actually spoke to DB)

We make no effort to hide that this remote authentication is done.

After registering for a download from our website an email is sent to the
user
describing how to use webinspect. Pasted below is an excerpt from that
message.

> SUPPORT & SERVICE
>
> As a WebInspect pilot user, your current trial license allows you to scan
> up to 5 devices and is valid for 2 weeks.  If you have any questions or
> comments on installing or running the software please contact our support
> desk at support () spidynamics com or call 1-866-SPI-2700 (M-F, 9 - 5
Eastern).
> Note: An active Internet connection is needed to authenticate. If you are
> located behind a proxy, set your IE settings to point to your proxy.

Below is an excerpt from our logfile on exactly what we log from the user.

> GET /spiAuth/spiAuth.spi
> Action=Auth&Key=NkYCBMFFEXLrTXeHUHH8&LastDate=2/4/2001+1:22:14+AM&IP=2.2.2.
2 200 >Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) -

Broken up this is:
Action=: This says whether the user is updating the product or just
authorizing use
Key=: This is the users key id that was given to them to use the product.
LastDate=: This is the date and time that the authorization took place
IP=: This is the ip address of what the user is attempting to scan

This remote authentication is used only on demo keys and is used to keep
users from abusing the product and scanning sites that they are not
authorized to scan. If spidynamics notices a user scanning a site that
is illegal this allows us to cut off access to the product immediatly.
If anyone would actually want to take the time to look at the authentication
themselves to verify this,
just add a hosts entry to download.spidynamics.com and point the ip address
to an SSL webserver.

Caleb Sima
CTO
SPIDynamics Inc.
csima () spidynamics com

----- Original Message -----
From: "A.S." <DB () globalapathy com>
To: <bugtraq () securityfocus com>
Sent: Saturday, December 15, 2001 10:12 AM
Subject: SpiDynamics WebInspect - Keeping Track of its Users?


>                     WebInspect - *Privacy ALERT*
>
>         ------Cut and paste from SpiDynamics Website--
> ----
> WebInspect, S.P.I. Dynamic's premier product, is the
> most comprehensive network-based web application
> security solution ever designed. It dynamically
> uncovers well-known static security holes, as well as
> security vulnerabilities specific to your own custom
> web applications, working with your existing security
> software to re-enforce and strengthen functionality.
> Using patent-pending logic, WebInspect hones in on
> a new class of vulnerabilities undetected by any other
> scanner currently on the market.
>         ------End cut and paste from SpiDynamics
> Website------
>
>
>         Basically it's a vulnerability scanner that you use
> to remotely test your website for potential security
> holes. A demo of it is available for download from the
> SpiDynamics Website
> (http://www.spidynamics.com) for the cost of filling
> out an information form.
>
>         I've come to the conclusion that SpiDynamics is
> keeping track of atleast what sites you are scanning
> with their software and possibly much more.  What's
> worse is that there's NO mention of this "Reporting"
> activity on the part of the software in the EULA(End
> User License Agreement) that you must agree to
> before you install their demo of WebInspect.  I'm no
> legal expert, Or master hacker...But anyone can see
> that something strange is going on here. And a lead
> developer from their company even admitted to me
> on the telephone that "I had found a Bug".  The thing
> is, that I personally think it's intentional, and not just
> some accidental oversight on their part. It seems to
> me that this is Highly illegal, almost to the point of
> evesdropping...but like I said i'm no legal expert, you
> be the judge...
> http://www.globalapathy.com/news/default.asp (Read
> full article here)
>
> -DB