lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1f199161050921070066967afd@mail.gmail.com>
Date: Wed Sep 21 15:00:35 2005
From: yboily at gmail.com (Yvan Boily)
Subject: Google Secure Access or "How to have people
	download a trojan."

Dear Ass-Clown (aka, skyline):
 You have seriously mis-interpreted the privacy policy. Considering that
most such documents are written in legalese and are similar to EULAs rather
than a list of how the information collected is used, it is normal to be
skeptical about published privacy policies.
 >> 1. "Google may log some information from your web page requests ..."
In Full:
Google may log some information from your web page requests as may the
websites that you visit. We do this to understand how Google Secure Access
is being used and to improve our services. Google Secure Access does not log
cookies and strips potentially sensitive query data from the end of requests
to help better protect your privacy.
 This roughly translates into 'If you use our service, we are going to track
how you use it, and ensure that you are not exposing us to serious
liability.'. Hmm.. sounds like any standard business practice, at least for
any that plans to be more than a mom & pop.
 >> 2. "Google also logs a small set of non-personally identifiable
information ..."
In Full:
Google also logs a small set of non-personally identifiable information --
such as routing information, session durations and operating system and
Google Secure Access client version numbers -- in order to create your
Google Secure Access connection, understand how people are using Google
Secure Access and help us maintain the Google Secure Access client.
 Hey Hey!! Good job skippy, you succeeded in snipping out the part that
indicates that the information that is gathered is information that any good
service provider tracks! Wow! Do you have a cell phone? Or a land-line? Or
an internet service provider? Jackass. They all track this type of
information so they can figure out wonderful things like technical support
requirements, load management, and a number of other good things.
 >> 3. "Google will not sell or provide personally identifiable information
to any third parties except ..."
In Full:
Google will not sell or provide personally identifiable information to any
third parties except under the limited circumstances described in the Google
Privacy Policy <http://www.google.com/intl/en/privacy.html>.
 And From the Privacy Policy... actually, too long to summarize nicely. But
in short, unless they have your consent they will not share information they
collect about you, except to business partners who provide information
processing services (in which case they are legally bound to protect and
preserve that informtion), and except in cases where they have a legal
obligation (HELLO Patriot Act!) etc...
 In other words, they will keep your information private unless you give
them permission, and will only share information with business partners.
Hmm, this sounds like a similar practice to what most banks do, except that
the banks will sell your information! These business practices are very
common, and virtually all businesses take on these sorts of practices.
 >> 4. "... we may for a limited period of time preserve additional internet
traffic or other information."
In Full:
If Google concludes that we are required by law or have a good faith belief
that collection, preservation or disclosure of additional information is
reasonably necessary to protect the rights, property or safety of Google,
our users or the public, such as if we believe the Google Secure Access
service is being abused, we may for a limited period of time preserve
additional internet traffic or other information.
 In other words, if you attack our systems, or our users, or break the law,
or any number of other things that may trigger our IDS or IPS then we may
track other information, and oh, by the way, if we are required to collect
information by law, we will comply. In other words, we will protect our
systems even though we are giving you free access.
 Before you go off FREAKING out you might want to consider a few things,
first:
 1. This is a free, publicly available service. Without monitoring
liablities to the service it would quickly become another example of a
failed, free, publicly available service.
2. Google owns the network and therefore bears liability if someone uses the
network for illegal purposes.
3. Google offers this service, not rams it down your throat.
4. Google offers uninstallers, and does not inject its software into other
processes, nor to my knowledge, does it run multiple processes that share
locks so that it can re-launch itself, and prevent deletion of core files.
These are all traits of spyware.
5. Google has a strong history of balancing advertising capabilities and
privacy. Although they are an advertising company and make money off of
context-based advertising, they have done a good job of not hoovering
information from peoples computers and selling it to the lowest bidder.
 If you don't like the idea of the service, or you want to convince others,
then try writing something worth reading rather than an adolescent sounding
rant about how the MAN is going to invade your privacy, and steal your
precious session durations and client version information. Either that or
apply for a job with Minitrue, also known as CNN. Your style of "reporting"
is strongly appreciated in those circles.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050921/5a5392ae/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ