Message-ID: <3da3d8310604142138v1b0cc559s46815de211413902@mail.gmail.com>
Date: Sat, 15 Apr 2006 00:38:23 -0400
From: "Eliah Kagan" <degeneracypressure@...il.com>
To: "franz@...mail.com" <franz@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Firefox 1.5.0.1 Password Manager Arbtirary User Browsing History Disclosure


> I guess when he uninstalled Firefox
> originally, it wasn't a completely clean uninstall. That's the only
> explanation since we couldn't duplicate my reported bug as easily as
> we thought.

I think that what this comes down to is that when you uninstall
Firefox (or Mozilla), it doesn't prompt you with the option to remove
all user data. That would eliminate the privacy concern, wouldn't it?

To play the devil's advocate, is this a privacy problem at all? Joe
installs software as Mary, creates user data, and uninstalls the
software. Mary then installs compatible software which reads the old
user data. So Mary knows about what was done under her user
account--is that bad? Joe should have no expectation that Mary will
not find out about what he does when logged on as her. Arguably,
Mary's ability to know what her own user account has been used to do
constitutes command of her own information and is a boon to Mary's
privacy.

On the one hand, software should preserve the privacy of all users,
even dumb ones. On the other hand, if you're not going to use multiple
user accounts, you can hardly expect to enjoy the benefits of
privilege separation.

-Eliah

