Full Disclosure mailing list archives
Re: Plaxo?
From: mis () seiden com
Date: Wed, 10 Aug 2005 03:15:15 -0700
On Wed, Aug 10, 2005 at 03:25:45PM +1000, Greg wrote:
----- Original Message -----
From: "Aditya Deshmukh" <aditya.deshmukh () online gateway strangled net>
To: <nick () virus-l demon co uk>; <full-disclosure () lists grok org uk>
Sent: Wednesday, August 10, 2005 1:06 PM
Subject: RE: [Full-disclosure] Plaxo?

Aditya Deshmukh wrote:
I need some advice about allowing plaxo running on my internal network. Should I allow it or ban it?

Default deny.

Yes that's my kind of thinking!
it seems to me the question should be "what is the business value to your company of the service compared with the risk?" in my mind "default" means "absent any way to assess these factors".
If you need to ask, there is clearly _no_ need to ask... And a hint to clueful thinking about all such services -- how can you (or your users) assure the confidentiality of your/their address books if they are being stored and managed offsite?
well, you could look at their privacy policy, and you could look at their security stance as represented on their web page, and their response to the one public incident i know of. and if you aren't satisfied, you can ask for more information. their privacy policy restricts use of the data to its original intended purpose, and requires opt-in for any additional uses, says the data belongs to you, and restricts the data even in the event of merger or acquisition. see http://www.plaxo.com/privacy/q_and_a#q2 for more info. (but, since this is "full" disclosure, i did some work for plaxo several years ago, and was quite happy with their attitude, the way they did things, the high level of intelligence and competence and particularly how responsive they were to fixing the problems i found, which were more in the category of oversights than design problems or massive brain damage. but do not regard this as an endorsement that their level of protection is appropriate for your asset, as i have even less idea what your user's asset is worth than you have.)
That is not to say that such is not possible -- depending on the standards you wish or need to maintain -- but do any of these quasi-anonymous web-based address book managers even start to take the kinds of steps necessary to assure you to the level you require? And, how can you be sure that they actually do meet those requirements? Is their "terms of service" document really a sufficient basis on which to form such a relationship?

Certainly not!
well, why should you trust *anyone* is a complicated issue. you might as well ask why should you trust your employees, your sysadmins, your consultants, your outsourcers, your vendors that you pay money, the writers of the binary-only code that you run on your machines, the company that you've outsourced spam filtering to, the hosting facility that logs access to your company's web site, the outsourced telephone people that have access to your detail billing records, the cell phone company that has access to your users' cell phone calling and geolocation history, the financial portal that has your account numbers/passwords for your bank and brokerage accounts? and while you're at it, you might ask why you should allow *IM and skype. the answer is their reputation is tied up with their performance of their represented services, and if you're careful and have enough budget, you audit/verify/surveill the performance of people to whom you pay money as part of the contract for service so you have some recourse. but none of these people will pay the value of your loss, whether you pay them money or not.
Why should I trust anyone with my users' email address books?
in some cases, for some users, for some companies, data about communicating entities has substantial value. (e.g. investment bankers, sales people, corporate lawyers, brittany spears, osama bin laden). in others, they have little or no value -- your users are probably able to make that determination better than you. i personally believe some substantial information about volume of data and timing of the data is needed to draw valuable conclusions from traffic data, not just "alice added bob to their address book on date x". so i'd be more worried about the brightmails, messagelabs and postinis of the world than the plaxos. once you have answered the questions about the value of the asset and the value of the business service, you might ask what the plausible threat scenarios are. if you're worried about a plaxo insider selling everybody's email address to j random spamhaus, you have an awful lot more to worry about than just plaxo. i think it's legitimate to worry about a skilled outside attacker being able to discover somebody's address book in a targeted attack due to a weakness in the plaxo software. you can bet that plaxo has considered the problem.
And I would have to deal with the extra spam that will be generated....
i have noticed no "spam", by my definition. but really, the entire volume of plaxo-related mail i've seen is in the noise compared with any catalog merchant or incentive points scheme or ebay, or any of those travel sites you use (who know where your users are travelling to, for chrissake). the "update request" emails your users receive are initiated by current plaxo members, not by plaxo itself, and those they send don't come from you, but from the plaxo mail server.
One small problem that may not have been noticed with Plaxo. If the Plaxo using person decides to do so, you can be a non-Plaxo using person on that externally managed address book with full email address also in there, added by the Plaxo user. I have received "I have updated my Plaxo" for whatever was updated, by several customers, at my help line email address and have checked it out when at their premises. Sure enough, there is my email address externally managed. So, whether you allow Plaxo or not, if some user outside of your company has all your email addresses within your company on their computer, it has also likely been added to Plaxo by them whether you like it or not.
if you're saying "plaxo knows the addresses of people who have not registered for plaxo because they're in registered users' address books", that isn't exactly a surprise, is it?
Greg. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/