[383] in WWW Security List Archive
Re: What's the deal ?
daemon@ATHENA.MIT.EDU (Luke ~{B7?M~})
Tue Feb 14 20:12:54 1995
Date: Tue, 14 Feb 1995 13:46:55 -0600 (CST)
From: Luke ~{B7?M~} <ylu@ccwf.cc.utexas.edu>
To: www-security@ns2.rutgers.edu
cc: www-security@ns2.rutgers.edu
In-Reply-To: <199502141127.GAA08163@ns2.rutgers.edu>
Reply-To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
>>ONLINE SPYING
>>While you're connected to your favorite Web page, it's also connected
^^^^^^^^
>>to you, and could be copying all sorts of information off your hard
>>drive, say industry experts. In fact, it happened last year when
^^^^^^^^^^^^^^^^ a.k.a. quacks
>>Central Point Software used registration software developed by
^^^^^^^^^^^^^^^^^^^^^^^
it's _not_ a web browser!
>>Pipeline Communications, and inadvertently also gathered descriptions
^^^^^^^^^^^^^
intentionally! don't tell me the programmers
put the scanning feature there inadvertently.
>>of the users' systems -- the type of microprocessor, the version of
>>DOS and Windows, the type of display and mouse, and the amount of free
>>space available on the hard drive. Customers squawked, and Central
>>Point had Pipeline change the software. However, Pipeline reports that
>>at least one of its clients is using the scanning feature now -- but
^^^^^^^^^^^^^^^^
by honoring the scanning feature requested by the other end
of the network, this software is acting like an information
server.
>>only after getting the owner's permission. The lesson? "If you can't
^^^^^^^^^^^^
>>trust it, don't connect to it." (Forbes 2/13/95 p.186)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you can't trust the software you're using, don't use it! In other
words, stay away from Pipeline Comm. It might as well clobber your hard
drive.
If a web _browser (client)_ does not volunteer the information, the server will
have no way to know it. A computer is perfectly safe on the network if you
don't run _any kind_ of server software, unless of course lightning or
some other high voltage source strikes your phone/power line (assuming
you're not using a wireless connection and batteries :) Any
writer/distributor of network software who does not document its server
feature and/or _secretly_ volunteers info of a client environment is
considered abusing the computer/network, and subject to relevant criminal
prosecution.
__Luke
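
An added illustration, not part of Luke's message: a small audit that parses one raw HTTP request and lists the headers through which the client itself volunteers details about the user or the machine. The request bytes, the ExampleBrowser name and the choice of which headers count as disclosing are assumptions constructed for this example.

```python
# Added example: list what an HTTP client volunteers in one request.
# The request bytes below are constructed sample input, not a capture.

# Header names that describe the user or the client environment.
# This classification is an assumption made for the example.
DISCLOSING = {
    "user-agent": "client software and platform",
    "from": "user's e-mail address",
    "referer": "page the user came from",
    "accept-language": "user's language preference",
    "cookie": "state previously stored by a server",
    "authorization": "credentials",
}

SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.0\r\n"
    b"User-Agent: ExampleBrowser/1.0 (Windows 3.1; 486)\r\n"
    b"From: user@example.org\r\n"
    b"Accept: text/html\r\n"
    b"Referer: http://www.example.org/start.html\r\n"
    b"\r\n"
)

def parse_headers(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw request into its request line and (name, value) headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:      # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:                                       # skip malformed lines
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def disclosures(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (header, value, what it reveals) for each disclosing header."""
    _, headers = parse_headers(raw)
    return [(n, v, DISCLOSING[n.lower()]) for n, v in headers if n.lower() in DISCLOSING]

if __name__ == "__main__":
    for name, value, meaning in disclosures(SAMPLE_REQUEST):
        print(f"{name}: {value!r} -> {meaning}")
```

Independently of any header, the server also learns the source address of the connection.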