lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4170165B.50605@davewking.com>
From: davefd at davewking.com (Dave King)
Subject: Google Desktop Search

<snip>
Admittedly, that first quote sounds scary, and it certainly doesn't hurt 
to test and see what information, if any, is being sent out, but really. 
You people are security professionals. . . do you honestly think that it 
"magically" came up with the password to your email account from a 
cached web page?
</snip>

I completely agree and possibly by use of the word automagically was 
confusing (sorry). 
Just in case I was misunderstood, like I said I tested this with Hotmail 
and was unable to replicate the results because I didn't have the little 
box marked "Sign me in automatically" on the Hotmail Login page.  So, I 
tried this again after logging into Hotmail and asking it to "Sign me in 
automatically" and it allowed me to view the message automagically, just 
as I expected.  After logging out of Hotmail and trying again, it again 
brought up the sign in prompt before it let me view my message, again as 
expected.   So, once again, I was unable to replicate the automagic sign 
in without having explicitly enabled it on a previous sign in, looks 
like Google's not pulling any crazy hacker tricks after all.

Dave King
http://www.thesecure.net


mike@...eisch.com wrote:

>Hello All;
>
>At the risk of being flamed, I would submit that you didn't know it
>indexed web history at all, because you didn't read the part of the info
>page where it says:
>
>"It's a desktop search application that provides full text search over
>your email, computer files, chats, and the web pages you've viewed."
>
>This can be found at:  http://desktop.google.com/about.html
>
>Where it also says:
>
>"The Google Desktop Search program does not make your computer's content
>accessible to Google or anyone else. You can learn more by reading the
>Desktop Search privacy policy."
>
>And, whether security pro or good consumer you should READ the privacy
>policy, before using the product.  What if it said "by downloading this
>software, you agree that we can access all contents of your hard disk
>whenever we want to, and share the information with all of the vendors on
>the planet"?
>
>Admittedly, that first quote sounds scary, and it certainly doesn't hurt
>to test and see what information, if any, is being sent out, but really. 
>You people are security professionals. . . do you honestly think that it
>"magically" came up with the password to your email account from a cached
>web page?  Read the javascript in the headers of Yahoo's login page:
>
><-- Begin javascript comments from Yahoo -->
>/*
> * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
> * Digest Algorithm, as defined in RFC 1321.
> * Copyright (C) Paul Johnston 1999 - 2000.
> * Updated by Greg Holt 2000 - 2001.
> * See http://pajhome.org.uk/site/legal.html for details.
> */
>
><-- End Javascript comments from Yahoo -->
>
>THEY don't even cache, or pass, your password. Like all secure programs,
>they store, and transmit, an MD5 Sum. Besides, why would you keep
>confidential information in a Yahoo email account anyway?  I don't mean to
>chastise anyone, and it certainly isn't my place, but we should all try to
>avoid generating FUD when we can.
>
>M.
>
>
>
>
>  
>
>>If you noticed during the install, it gives you the opportunity to
>>include https pages in web history caching.  When it said this it made
>>me curious since I didn't know it indexed web history at all, but
>>apparently it does and this option can be disabled on the preferences
>>page if you don't want it.
>>
>>I tried to reproduce what you said happened with Hotmail and it did
>>index the messages I have viewed and brought them up in the search
>>results, and it did let me view a cached copy without a
>>username/password, but it did not allow me to access the real message in
>>my account without my username/password.  Are you set to login
>>automagically?
>>
>>Dave King
>>http://www.thesecure.net
>>
>>DogoBrazil wrote:
>>
>>    
>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ