Message-ID: <6a4cd40bc907dc9b8bdea3138ff9906b@mac.com>
From: whump at mac.com (Bill Humphries)
Subject: Bios programming...
On Mar 3, 2005, at 1:39 PM, Matt Marooney wrote:
>
> Exactly, thank you Randall. I appreciate your feedback, I'll check into
> your suggestions further.
>
> I like the way you put it, "this is targeted at adults who are trying to
> curb their own behavior". Seems like this list needs more people like
> that! ;)
You asked a security list-serve a security related question.
Now, let me review, in a less snarky fashion, my issues with your
proposal.
1) It is easily circumvented.
a) the subject uses another computer.
b) the subject programs their upstream router to drop packets intended
for the monitoring organization.
2) It violates the privacy of other users.
a) your application could, unless written specifically to avoid this,
report on the actions of those other than the subject, on a shared
computer. Note that it renders the application moot, as then the
subject creates another user to go to the proscribed sites.
b) since you have specified that the application be difficult to
un-install, if the computer is transferred to another person, their
activity will be monitored, potentially generating false positives
attributed to the original subject under surveillance.
3) It can easily generate false positives.
There are a number of exploits for systems such as phpBB that inject
hidden IFRAMEs into HTML documents, which in turn use JavaScript
to load other URLs.
As those URLs could be on the proscribed sites list, a visit to a
hacked phpBB site, say a support group for "addicts" could spawn visits
to your list of proscribed sites.
Or, someone could attempt to spoof the monitoring server to get it to
record false hits.
5) It could be exploited.
See any number of reports of buffer overflow exploits sent to this
list. Without careful detainting of user inputs (URLs) you could allow
injection of malicious code.
Those are my technical objections. As for the others:
6) Who decides what is a 'suspect site'?
The decision to classify a site as pornographic has a significant
political component.
7) Trustworthiness of the Monitoring Organization
The monitoring organization now has at least one piece of information
(the act of installation is itself a datum) that can be used to attack
a person's reputation. Will the subject be able to terminate their
relationship with the monitoring organization? What are the monitoring
organization's data privacy policies? Will violations be reported to
data aggregators such as ChoicePoint? How secure is that data?
8) Trust vs. Pervasive Surveillance
Several people said they felt a legitimate need for this software
citing "pornography addiction."
I've emailed a few friends who are in grad programs and clinical
practice to confirm if there's an actual diagnosis of "pornography
addiction". Sorry, the term feels loaded, like something tossed about
during a congressional hearing.
And others mentioned the AA angle. However, when you join AA, to the
best of my knowledge, you do not have an alcohol sensor implanted in
your esophagus or stomach to report violations to AA.
What you do have is a sponsor, who you can call if you're on the verge
of taking a drink.
And when, if ever, do you build trust with the person who you have said
you have harmed? It strikes me as too easy to leave the secret
policeman on forever. But now there's a third pillow in that bed, and I
get the feeling that you do not condone polyamory.
That's why I made those remarks comparing your plan to the abuses of
Mao's Cultural Revolution. You privatize the intrusive, something
which, until recently, was the domain of totalitarian states.
-----
In conclusion, if someone believes they have an issue with respect to
adult materials, drugs, alcohol, or anything else, then instead of
installing software, maybe they should seek out a mental health
professional, cleric, or trusted friend. They are less likely to be
abused or exploited.
In short, don't create new problems trying to solve old ones.
I doubt this will change your course, but now I've said my piece on it.
Cheers,
-- whump