Full Disclosure mailing list archives

Re: Plaxo?


From: mis () seiden com
Date: Wed, 10 Aug 2005 03:15:15 -0700

On Wed, Aug 10, 2005 at 03:25:45PM +1000, Greg wrote:

----- Original Message ----- 
From: "Aditya Deshmukh" <aditya.deshmukh () online gateway strangled net>
To: <nick () virus-l demon co uk>; <full-disclosure () lists grok org uk>
Sent: Wednesday, August 10, 2005 1:06 PM
Subject: RE: [Full-disclosure] Plaxo?



Aditya Deshmukh wrote:

I need some advice about allowing plaxo running on my 
internal network.

Should I allow it or ban it ?

Default deny.

Yes that's my kind of thinking! 


it seems to me the question should be "what is the business value to
your company of the service compared with the risk?"

in my mind "default" means "absent any way to assess these factors".



If you need to ask, there is clearly _no_ need to ask...

And a hint to clueful thinking about all such services -- how can you 
(or your users) assure the confidentiality of your/their address books 
if they are being stored and managed offsite?

well, you could look at their privacy policy, and you could look at
their security stance as represented on their web page, and their
response to the one public incident i know of.  and if you aren't
satisfied, you can ask for more information.

their privacy policy restricts use of the data to its original
intended purpose, and requires opt-in for any additional uses,
says the data belongs to you, and restricts the data even in
the event of merger or acquisition.

see
http://www.plaxo.com/privacy/q_and_a#q2
for more info.

(but, since this is "full" disclosure, i did some work for plaxo
several years ago, and was quite happy with their attitude, the way
they did things, the high level of intelligence and competence and
particularly how responsive they were to fixing the problems i found,
which were more in the category of oversights than design problems or
massive brain damage.  but do not regard this as an endorsement that
their level of protection is appropriate for your asset, as i have
even less idea what your user's asset is worth than you have.)



That is not to say that such is not possible -- depending on the 
standards you wish or need to maintain -- but do any of these quasi-
anonymous web-based address book managers even start to take the kinds 
of steps necessary to assure you to the level you require?  And, how 
can you be sure that they actually do meet those requirements?  Is 
their "terms of service" document really a sufficient basis on which to 
form such a relationship?


Certainly not! 

well, why should you trust *anyone* is a complicated issue.

you might as well ask why should you trust your employees, your
sysadmins, your consultants, your outsourcers, your vendors that you
pay money, the writers of the binary-only code that you run on your
machines, the company that you've outsourced spam filtering to, the
hosting facility that logs access to your company's web site, the 
outsourced telephone people that have access to your detail billing
records, the cell phone company that has access to your users' 
cell phone calling and geolocation history, the financial portal
that has your account numbers/passwords for your bank and brokerage 
accounts?

and while you're at it, you might ask why you should allow *IM and skype.

the answer is their reputation is tied up with their performance of
their represented services, and if you're careful and have enough budget,
you audit/verify/surveill the performance of people to whom you pay money
as part of the contract for service so you have some recourse.

but none of these people will pay the value of your loss, whether you
pay them money or not.


Why should I trust anyone with my users email address books ?

in some cases, for some users, for some companies, data about
communicating entities has substantial value. (e.g. investment
bankers, sales people, corporate lawyers, brittany spears, osama bin
laden).  in others, they have little or no value -- your users are
probably able to make that determination better than you.

i personally believe some substantial information about volume of data
and timing of the data is needed to draw valuable conclusions from
traffic data, not just "alice added bob to their address book on date
x".  so i'd be more worried about the brightmails, messagelabs and
postinis of the world than the plaxos.

once you have answered the questions about the value of the asset
and the value of the business service, you might ask what the
plausible threat scenarios are.

if you're worried about a plaxo insider selling everybody's email
address to j random spamhaus, you have an awful lot more to worry about
than just plaxo.

i think it's legitimate to worry about a skilled outside attacker
being able to discover somebody's address book in a targeted attack
due to a weakness in the plaxo software.  you can bet that plaxo
has considered the problem.





And I would have to deal with the extra spam that will be generated.... 

i have noticed no "spam", by my definition.  but really, the entire
volume of plaxo-related mail i've seen is in the noise compared with
any catalog merchant or incentive points scheme or ebay, or any of
those travel sites you use (who know where your users are travelling
to, for chrissake).

the "update request" emails your users receive are initiated by
current plaxo members, not by plaxo itself, and those they send
don't come from you, but from the plaxo mail server.



One small problem that may not have been noticed with Plaxo. If the Plaxo using person decides to do so,  you can be 
a non-Plaxo using person on that externally managed address book with full email address also in there, added by the 
Plaxo user. I have received "I have updated my Plaxo" for whatever was updated, by several customers, at my help line 
email address and have checked it out when at their premises. Sure enough, there is my email address externally 
managed.

So, whether you allow Plaxo or not, if some user outside of your company has all your email addresses within your 
company on their computer, it has also likely been added to Plaxo by them whether you like it or not.



if you're saying "plaxo knows the addresses of people who have not registered for plaxo because
they're in registered users' address books", that isn't exactly a surprise, is it? 



Greg.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/