| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: whump at mac.com (Bill Humphries) Subject: Bios programming... On Mar 3, 2005, at 1:39 PM, Matt Marooney wrote: > > Exactly, thank you Randall. I appreciate your feedback, I'll check > into > your suggestions further. > > I like the way you put, "this is targeted at adults who are trying to > curb their own behavior". Seems like this list needs more people like > that! ;) You asked a security list-serve a security related question. Now, let me review, in a less snarky fashion, my issues with your proposal. 1) It is easily circumvented. a) the subject uses another computer. b) the subject programs their upstream router to drop packets intended for the monitoring organization. 2) It violates the privacy of other users. a) your application could, unless written specifically to avoid this, report on the actions of those other than the subject, on a shared computer. Note that it renders the application moot, as then the subject creates another user to go to the proscribed sites. b) since you have specified that the application be difficult to un-install, if the computer is transferred to another person, their activity will be monitored, potentially generating false positives attributed to the original subject under surveillance. 3) It can easily generate false positives. There are a number of exploits for systems such as phpBB that inject hidden IFRAMEs into HTML documents, which in turn load use JavaScript to load other URLs. As those URLs could be on the proscribed sites list, a visit to a hacked phpBB site, say a support group for "addicts" could spawn visits to your list of proscribed sites. Or, someone could attempt to spoof the monitoring server to get to record false hits. 5) It could be exploited. See any number of reports of buffer overflow exploits sent to this list. Without careful detainting of user inputs (URLs) you could allow injection of malicious code. Those are my technical objections. As for the others: 6) Who decides what is a 'suspect site'? The decision to classify as site as pornographic has a significant political component. 7) Trustworthiness of the Monitoring Organization The monitoring organization now has at least one piece of information (the act of installation is itself a datum) that can be used to attack a person's reputation. Will the subject be able to terminate their relationship with the monitoring organization? What are the monitoring organization's data privacy policies? Will violations be reported to data aggregators such as ChoicePoint? How secure is that data? 8) Trust vs. Pervasive Surveillance Several people said they felt a legitimate need for this software citing "pornography addiction." I've emailed a few friends who are in grad programs and clinical practice to confirm if there's an actual diagnosis of "pornography addiction". Sorry, the term feels loaded, like something tossed about during a congressional hearing. And others mentioned the AA angle. However, when you join AA, to the best of my knowledge, you do not have an alcohol sensor implanted in your esophagus or stomach to report violations to AA. What you do have is a sponsor, who you can call if you're on the verge of taking a drink. And when, if ever, do you build trust with the person who you have said you have harmed? It strikes me as too easy to leave the secret policeman on forever. But now there's a third pillow in that bed, and I get the feeling that you do not condone polyamory. That's why I made those remarks comparing your plan to the abuses of Mao's Cultural Revolution. You privatize the intrusive, something which, until recently, was the domain of totalitarian states. ----- In conclusion, if someone believes they have an issue with respect to adult materials, drugs, alcohol, or anything else, then instead of installing software, maybe they should seek out a mental health professional, cleric, or trusted friend. They are less likely to be abused or exploited. In short, don't create new problems trying to solve old ones. I doubt this will change your course, but now I've said my piece on it. Cheers, -- whump
Powered by blists - more mailing lists