Open Source and information security mailing list archives
Date: Fri, 10 Feb 2012 16:52:53 +0100
From: Martijn Broos <martijn.broos@...xion.com>
To: "Valdis.Kletnieks@...edu" <Valdis.Kletnieks@...edu>, Nick Boyce <nick.boyce@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla


Hi,

I can imagine that developers want to have a clue what they need to repair.
I only have a problem with the way they do it and with the way my behaviour is exposed without any possibility of influence.

Let's say, for the sake of argument, that 20% on similar hardware have a problem with loading times and the developers have the metrics to prove so (waiting times, load times, scripts I use, etc.).
Would the conclusion be that Firefox is at fault?
- What if the major part of that % is living in a certain continent?
- What if the major % has the same ISP?
- How is the spread of OS usage?
- etc, etc....

Without the surrounding parameters known, you have a pile of bytes instead of DATA (people tend to mix those definitions up). Of course you could make "fuzzy" statistics out of it, but as most mathematicians know: statistics prove predetermined conclusions.

Still, would a 5% speed increase weigh up against the privacy of 200 million users?
As stated in the bug tracker: if my instance of Firefox is PII-bound, you can trace my laptop, determine behaviour, etc.
And to conclude: Mozilla states they don't intend to use the data in any other way.
I have a couple of questions about that intent:
- Will that intent stay the same throughout the future? The intent can easily be changed when money gets involved.
- What if a legal entity (like a government, the music industry's rights protectors (to prove that The Pirate Bay is used so often), etc.) "kindly" requests the data with a court order?

Also take into account the following:
Since 2012, the Netherlands has a new law which forbids behaviour analysis by persistent cookies. All advertisement companies are now looking into device identification.
Why: they can make more money when they show you the right ads.
Mozilla will help them a great deal if they can offer them PII out of stock... And I see the comments, they won't do that! Do you want to bet 1 million bugs over it that they won't do it?

-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of Valdis.Kletnieks@...edu
Sent: Friday, 10 February 2012 15:48
To: Nick Boyce
Cc: full-disclosure
Subject: Re: [Full-disclosure] Bug 718066 - [meta] Add feature to submit anonymous product metrics to Mozilla

On Fri, 10 Feb 2012 03:51:53 GMT, Nick Boyce said:
> OT: They should just make FF quality high and the design impeccable -

"Quality high" is always a nice concept.  But there's always 5 quality issues and resources to fix only 3.  Obviously, you want to fix the 3 that matter most to your users - but which 3 are they?  You really can't rely on bug reports or surveys, because those tend to have a major self-selection bias.  Think about it - how many people do you know that use Firefox?  How many of them have had it crash or misbehave?  How many of them *reported* it?  Surveys have the same problem - you can't easily run a survey of users who just want to hit their sites and *do* stuff and find out what they want - because they'll just skip your survey, hit their site, and *do* stuff.  Unless of course you make the survey mandatory - in which case you tick them off because you got in the way of hitting their site and doing stuff.

Or "report the list of extensions and performance numbers" - it's one thing to know that users have a range of launch times. It's something else to know that 20% of users have *consistently* longer launch times on comparable hardware. But if you have data that shows that NoScript users take a 15% launch time hit, *that* is something you can then go do something about.

Similar problems for "impeccable design" - if you want a browser that Joe Sixpack will actually *use*, then you need data on how Joe actually wants to use that browser.  And *asking* Joe never works - anybody who's had to do project requirements will tell you that what the user *says* they want, what they *think* they want, and what they actually need, are almost always 3 different things.

No, I'm not saying it's OK for the Mozilla crew to collect PII like that - but I can certainly understand why they feel the temptation to do so...