Full Disclosure mailing list archives

Re: Google Secure Access or "How to have people download a trojan."


From: Yvan Boily <yboily () gmail com>
Date: Wed, 21 Sep 2005 18:22:19 -0500

On 9/21/05, Paul Nickerson <pvnick () gmail com> wrote:

Seriously, Yvan. You really don't know who it is you're talking to. That
is Mr. Berend-Jan Wever, creator of all that is more 1337 than you. If you
and he are debating about issues pertaining to hacking, more often than not
he will be right.

  Considering the radical misrepresentation of the Google policy,
advisories or not, I refuse to respect the opinion of someone who practices
such fine-grained 'clipping' of relevant information when raising an issue.
 Unless, of course, you expect me to start telling someone that everything
is a security hole just because Well-Known-Expert says it is an issue. It is
a simple philosophy: when you receive a piece of information that you would
like to use as a foundation, first verify its authenticity, then verify its
accuracy. This is why, when I read a report about a vulnerability, I will
verify the accuracy of the report before I start advising people to react
to it.

 I have never ever heard of you. What's the last security advisory that YOU
have come out with?

 None. Congrats. Woohoo. I guess you win, after all, since you have never
heard of me. That is a fantastically well-founded argument. I mean, really,
you must know *EVERYONE*. Honestly though, I respect that you have never
heard of me, but don't judge the posts by reputation, judge them by the
details in the post. Wever may have an interesting perspective, but it is
based on a limited interpretation of the policies he cited; I submit that
this limited interpretation is strongly supported by the fact that in many
instances where he cites material from the original, he cites only the
components that support his argument, and ignores the components which
damage it.

 I'm sorry, but before you can go calling someone as 1337 as Skylined an
"Ass-Clown", you need to build up some credibility for yourself. Until then,
good-day sir.

 Good-day to you. That is why this list has such an interesting character.
At least give me some credit for doing it with my real name instead of
hiding behind a pseudonym like many other critics who post to this list :)

 Not to mention as Microsoft becomes better at everything it does and
becomes righteous, Google is turning into the new Microsoft.

 Whoa. I guess Microsoft is getting better at security management, and given
the horrors of running Microsoft products on the perimeter in the past,
well, one can say it is getting better. But still, whoa. Microsoft still has
a long way to go before the majority of the community will trust them, given
their history. That said, I think the security team over there is doing a lot
of good work given the challenges they face.

 Google has become all monopolistic and shit. 75% of website referrals come
from google. They are all cocky and think they can get away with everything,
just like Microsoft used to be. Fight the power!!!!

 'Used to be', last time I checked Microsoft still behaves like they can get
away with anything, but they at least are projecting the impression that
they are changing. And yes, Google is becoming more monopolistic, and
behaving more like Microsoft. Microsoft, for all of its faults, is a very
successful business. Just like any other leader in their field, Google is
adopting many of the practices that will allow it to remain that way. At
least Google has (thus far) refrained from spamming me horribly with print
and email materials when I sign up for services, and they give away many
services that I enjoy [search, google earth,.. oh and email :)]

I don't blindly trust, but I certainly won't start jumping at shadows
because a company that delivers free services that invite serious potential
liabilities publish documents with the verbiage required to protect
themselves.

Regards,
Paul
Greyhats Security
http://greyhatsecurity.org

 On 9/21/05, Yvan Boily <yboily () gmail com> wrote:

 Dear Ass-Clown (aka, skyline):
 You have seriously misinterpreted the privacy policy. Considering that
most such documents are written in legalese and are similar to EULAs rather
than a list of how the information collected is used, it is normal to be
skeptical about published privacy policies.
 >> 1. "Google may log some information from your web page requests ..."

In Full:
Google may log some information from your web page requests as may the
websites that you visit. We do this to understand how Google Secure Access
is being used and to improve our services. Google Secure Access does not log
cookies and strips potentially sensitive query data from the end of requests
to help better protect your privacy.
 This roughly translates into 'If you use our service, we are going to
track how you use it, and ensure that you are not exposing us to serious
liability.' Hmm, sounds like any standard business practice, at least for
any that plans to be more than a mom & pop.
 >> 2. "Google also logs a small set of non-personally identifiable
information ..."
In Full:
Google also logs a small set of non-personally identifiable information
-- such as routing information, session durations and operating system and
Google Secure Access client version numbers -- in order to create your
Google Secure Access connection, understand how people are using Google
Secure Access and help us maintain the Google Secure Access client.
 Hey Hey!! Good job skippy, you succeeded in snipping out the part that
indicates that the information that is gathered is information that any good
service provider tracks! Wow! Do you have a cell phone? Or a land-line? Or
an internet service provider? Jackass. They all track this type of
information so they can figure out wonderful things like technical support
requirements, load management, and a number of other good things.
 >> 3. "Google will not sell or provide personally identifiable
information to any third parties except ..."
In Full:
Google will not sell or provide personally identifiable information to
any third parties except under the limited circumstances described in the Google
Privacy Policy <http://www.google.com/intl/en/privacy.html>.
 And from the Privacy Policy... actually, too long to summarize nicely.
But in short, unless they have your consent they will not share information
they collect about you, except to business partners who provide information
processing services (in which case they are legally bound to protect and
preserve that information), and except in cases where they have a legal
obligation (HELLO Patriot Act!) etc...
 In other words, they will keep your information private unless you give
them permission, and will only share information with business partners.
Hmm, this sounds like a similar practice to what most banks do, except that
the banks will sell your information! These business practices are very
common, and virtually all businesses take on these sorts of practices.
 >> 4. "... we may for a limited period of time preserve additional
internet traffic or other information."
In Full:
If Google concludes that we are required by law or have a good faith
belief that collection, preservation or disclosure of additional information
is reasonably necessary to protect the rights, property or safety of Google,
our users or the public, such as if we believe the Google Secure Access
service is being abused, we may for a limited period of time preserve
additional internet traffic or other information.
 In other words, if you attack our systems, or our users, or break the
law, or any number of other things that may trigger our IDS or IPS then we
may track other information, and oh, by the way, if we are required to
collect information by law, we will comply. In other words, we will protect
our systems even though we are giving you free access.
 Before you go off FREAKING out you might want to consider a few things,
first:
 1. This is a free, publicly available service. Without monitoring
liabilities to the service it would quickly become another example of a
failed, free, publicly available service.
2. Google owns the network and therefore bears liability if someone uses
the network for illegal purposes.
3. Google offers this service, not rams it down your throat.
4. Google offers uninstallers, and does not inject its software into
other processes, nor, to my knowledge, does it run multiple processes that
share locks so that it can re-launch itself and prevent deletion of core
files. These are all traits of spyware.
5. Google has a strong history of balancing advertising capabilities and
privacy. Although they are an advertising company and make money off of
context-based advertising, they have done a good job of not hoovering
information from people's computers and selling it to the lowest bidder.
 If you don't like the idea of the service, or you want to convince
others, then try writing something worth reading rather than an adolescent
sounding rant about how the MAN is going to invade your privacy, and steal
your precious session durations and client version information. Either that
or apply for a job with Minitrue, also known as CNN. Your style of
"reporting" is strongly appreciated in those circles.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
