Date: Thu Sep 22 08:04:29 2005
From: yboily at gmail.com (Yvan Boily)
Subject: Google Secure Access or "How to have people download a trojan."

Very well then, since the prevailing argument seems to be that mine is an
argument of sophistry and rhetoric, I have decided to restate my argument.

I am identifying the individual claims inline, and placing my arguments at
the end.

>Berend-Jan Wever wrote:
>
> This is a quite pathetic attempt to install a trojan, let me explain:

Wever makes the statement that the Google Secure Access VPN client is a
Trojan Horse. This is naturally an inference, which is a shaky foundation
for interpreting. I don't think this is a serious concern, but just to
clarify, I am drawing this inference from the context of the mailing list
and discussion, and the balance of the argument leads me to believe that the
claimant is not arguing that the subject is a condom or an ancient enemy of
Greece.

Statement:
Google Secure Access is a Trojan Horse, and in particular, the application
functions as spyware to gather information that is transmitted by the user.

I dispute this statement as the generally accepted description of a Trojan
Horse is as follows:

A Trojan horse program is a malicious program that pretends to be a benign
application; a Trojan horse program purposefully does something the user
does not expect.

Although there are variations on the verbiage, I believe that this is a fair
general description, and cite the following resources:
http://www.symantec.com/avcenter/expanded_threats/virus_worm_trojan_horse.html
http://us.mcafee.com/virusInfo/
http://www.trendmicro.com/en/security/general/virus/overview.htm

> <snippets href="http://wifi.google.com/faq.html">
> 1. "Google Secure Access is a downloadable client application that
> allows users to establish a more secure WiFi connection."
> 2. "...your internet traffic will be encrypted, preventing others from
> viewing the information you transmit."
> </snippets>
>
> So, by "more secure" Google means using encryption to prevent "others" from
> sniffing your packets. That's nice! What else does it do? Here's some
> information from the privacy policy:
>
> <snippets href="http://wifi.google.com/privacy-policy.html">
> 1. "Google may log some information from your web page requests ..."
> 2. "Google also logs a small set of non-personally identifiable
> information ..."
> 3. "Google will not sell or provide personally identifiable
> information to any third parties except ..."
> 4. "... we may for a limited period of time preserve additional
> internet traffic or other information."
> </snippets>
>
> Aha! What we have here is trojan spyware! It does exactly what it is
> supposed to protect you from.

Wever argues that the software exploits exactly the threat the application
proposes to shield the user from. At the same time he repeats Google's
assertion that there is an improvement in security; since the user now has
the benefit of encryption, there is the added benefit that the user has
increased privacy.

Wever goes on to assert that the software is trojan spyware; from this a
reasonable inference can be drawn that Wever is claiming that the
application is a malicious application that surreptitiously gathers
information about the user.

> The second snippet clearly states that this concerns NON-personally
> identifiable information... what about the information mentioned in the
> first snippet, is that personally identifiable? I guess so; the third
> snippet mentions Google selling or providing personally identifiable
> information, this must have come from somewhere!

This argument is based on the relationship between the first two
references, and the third reference. Beren is inferring that because Google
includes verbiage in reference 3 to address the possibility of sale or
provision of personally identifiable information, that Google must in fact
be collecting personal information.

Claim One:
Google is collecting personal information because the final paragraph of the
previously cited Google Secure Access Privacy Policy states that there are
circumstances under which sale or sharing of information would be permitted.
Basis for my inference of this claim:
'the third snippet mentions Google selling or providing personally
identifiable information, this must have come from somewhere!'

Claim Two:
Because Claim One is accepted, and the material described as being collected
in the second last paragraph is not of a personal nature, the information in
the 3rd last paragraph of the cited policy must be of a personally
identifiable nature.
Basis for my inference of this claim:
'what about the information mentioned in the first snippet, is that
personally identifiable? I guess so;', leads to Claim One.
'The second snippet clearly states that this concerns NON-personally
identifiable information'


> In the third snippet, Google neglects to mention non-personally
> identifiable information. What about selling that? I guess they do!

This argument is based on the idea that because Google does not specifically
state they will not sell non-personally identifiable information this must
prove that they do.

Claim Three:
Google shares non-personally identifiable information because they do not
state that they will not share this information.

> The best thing about the whole policy is the last snippet, which undoes
> _everything_ stated before it. Nice one Google!! ;)

This argument claims that the final paragraph frees Google from any
responsibility to honor the original statements and privacy considerations
made. I am drawing the inference that this argument is made because the
final paragraph defines scenarios under which the privacy policy may not be
deemed enforceable.

Claim Four:
Google does not need to honor the privacy policy because there are terms
under which the policy is deemed unenforceable, and therefore qualifies as
both a trojan horse and spyware as it misleads the user.

> I suggest that Google comes clean and replaces their privacy policy with a
> shorter, less confusing version:
>
> *Here's some candy, go play!*
> Btw. All your base are belong to us.

> Cheers,
> SkyLined

The conclusion that Beren draws is that Google's privacy policy is intended
merely to distract people from the actual intention of Google. Since the
original statement that Google Secure Access Client is a trojan horse, and
spyware, we can infer that Beren intends to draw the following conclusion:

Google's privacy policy is an attempt to distract the user from the fact
that Google can use the Secure Client Application to gather information
surreptitiously while users employ its service. Once users have agreed to use
this service, the information collected is the property of Google, and no
longer subject to the promises made in the Privacy Policy.
Basis:
'*Here's some candy, go play!*' - This is inferred to the idea that by
offering an incentive the users can be convinced to ignore the situation.
'Btw. All your base are belong to us' - Cultural reference indicating that
the end result is domination over the subject, in this case, the information
collected by Google.

The entirety of Beren's argument as I have interpreted it is as follows:

Statement: Google Secure Access is a Trojan Horse, and in particular, the
application functions as spyware to gather information that is transmitted
by the user.

Claim One: Google is collecting personal information because the final
paragraph of the previously cited Google Secure Access Privacy Policy states
that there are circumstances under which sale or sharing of information
would be permitted.

Claim Two: Because Claim One is accepted, and the material described as
being collected in the second last paragraph is not of a personal nature, the
information in the 3rd last paragraph of the cited policy must be of a
personally identifiable nature.

Claim Three: Google shares non-personally identifiable information because
they do not state that they will not share this information.

Claim Four: Google does not need to honor the privacy policy because there
are terms under which the policy is deemed unenforceable.

Conclusion: Google does not need to honor the privacy policy because there
are terms under which the policy is deemed unenforceable, and therefore
qualifies as both a trojan horse and spyware as it misleads the user.

I take significant issue with this argument as the claims used to support it
are not sound; to clarify this I submit the following challenges:

Claim one asserts that Google *must* be collecting personal information
because the possibility of sharing this information is documented in the
policy. The issue here is that with the exception of the second last
paragraph, Google never specifically claims that they will collect
information, simply that they might. Stretching from "might collect
potentially identifiable information" (best effort is described as 'not log
cookies and strips potentially sensitive query data from the end of requests
to help better protect your privacy') to "is collecting personal
information" is a stretch. In fact, it would be considered an inductive
fallacy; it requires the inference of behaviour due to a lack of clarity to
make this leap, without any good reason to believe they will. (Google might
be collecting personal information, so you must accept that they are
collecting personal information, because they are a big evil corporation!)

Claim two asserts that since claim one indicates that personal information
is being collected, and that the routing and session duration information
is being collected is not personal information, then the web page requests
must be personally identifiable. This is an untenable position because it is
a deductive fallacy; since it is not stated that it is not personally
identifiable, the information must be personally identifiable.

Claim three states that they will sell non-personally
identifiable information; this is actually a fair inference, but only
because Google's business model is based on this. That said, this argument
does not support the argument because Google clearly states that they may
share this information in the resources cited as references.

Claim four states that Google does not need to honor the privacy policy (i.e.,
that it undoes the previously binding actions), however the cited references
dictate that should there be a reason for collecting additional information
that they can collect additional information. This statement is not there as
a blanket statement, and in fact, only covers circumstances where there may
be a suspected or identified threat to any of the actors within the
environment (Google, users, network servers, etc). Since Beren claims
that all restrictions on collection and sharing of data are relieved, this
is clearly a hasty generalization.

Because the only claim left valid is that Google will share non-identifiable
information, and that this behaviour is disclosed rather than concealed, I
assert that the conclusion Beren draws is unfounded, and the product of an
over-arching appeal to fear to encourage people to be more skeptical of the
service. The nature of the argument is such that Beren attempts to use the
appearance of legitimate concerns to build a basis for an invalid conclusion
is a classic case of rhetoric. In other words, the Google Client is neither
a trojan horse, nor is it spyware as all functionality is clearly disclosed.

I further submit that Google Secure Client does in fact offer more security
as it initially claims when used with a wireless connection as it reduces the
likelihood of an attacker collecting wireless traffic. In exchange for this
protection, Google introduces a smaller risk that Google will collect
personally identifiable information. The trade off of an unknown attacker
possibly stealing any available information against a known service provider
with a corporate image to defend, and a range of liabilities introduced
through service provision collecting fairly clearly delineated information
is a fairly acceptable scenario.

These security trade-offs become more reasonable when one considers the
following possibilities:

1) The verbiage about collection of information in the case of perceived
threat likely relates to the retention of packet capture information in the
case of an IDS or IPS being triggered.

2) The majority of sites which actually contain user identifiable
information transmit such information in HTTP headers, do so via POST or PUT
requests to store larger amounts of information; as a result these would be
part of the 'potentially sensitive query data from the end of requests'. The
combination of disclosure and thoughtful selection of visited sites while
using a logged connection would yield much higher security in conjunction
with increased privacy.

3) The use of tools such as ssh to forward local connections across
encrypted tunnels make it possible to securely access sites regardless of
the monitoring mechanisms (think local port redirection to a pre-installed
squid proxy at a trusted host). Users incapable of this type of setup would
likely receive a significant improvement in security through the gained
encryption given their (probable) lack of understanding.

4) Aside from the potentially personal information contained in GET HTTP
requests that would not be filtered, the next most significant potential
issue raised by the Google information that might be shared would be a
statistical attack that may allow a remote site that acquires a great deal
of information about Google about session duration and routing to identify
local session and account information. This is highly improbable so bears a
low risk.

As a result, I believe that the Google Secure Client will in most cases
represent an improvement in security, especially when one considers that the
intended deployment of the application is for hosts which do not have the
option of connecting using a secure wireless technology.

Basically, I stand by my initial assertion. Berend-Jan Wever has presented
an opinion designed to turn the security community away from a tool that
they can use to alleviate a serious concern in exchange for an issue of
information leakage. Like any security technology it has trade-offs, and
like many vendor tools, these trade-offs are of a nature the vendor can
profit from.

Since there are few other tools or services available for free that offer
such a solution that are easy to use (something that Google has done well in
many cases), there is no real justification for Berend-Jan Wever's attack on
the product and the service provider. The prevailing idea that because
Google is getting larger and more proprietary/monopolistic, it must be evil
is negated by the consistent disclosure of how information collected is
used.

Wever's opinion is a piece of fear-mongering garbage, fairly typical of the
sensationalist reviews and reports used by the media to paint minor issues
as The End of Civilization, and convince the world that unaffiliated
security researchers are Bad People; this is something that I think most
people on this list should like to avoid.

On 9/21/05, str0ke@...w0rm.com <str0ke@...w0rm.com> wrote:
>
> Dear Mr. Ass-Hat (aka, Yvan Boily):
>
> Nice job shitting on someone's email with name calling and childish
> remarks.
>
> Remember to clean your Pot it's getting Black:
>
> "Before you go off FREAKING out you might want to consider a few things,
> first:"
>
> You seemed to be the one FREAKING out. Let me state a few steps that
> can help you in life when you read other people's emails in the future.
>
> 1) Breathe deeply, from your diaphragm; breathing from your chest won't
> relax you. Picture your breath coming up from your "gut."
>
> 2) Slowly repeat a calm word or phrase such as "relax", "take it easy".
> Repeat it to yourself while breathing deeply.
>
> 3) Use imagery; visualize a relaxing experience, from either your memory
> or your imagination.
>
> 4) Non-strenuous, slow yoga-like exercises can relax your muscles and make
> you feel much calmer.
>
> Remember if these 4 steps don't help you with your EMAIL RAGE. Please be
> sure to seek help at an EMAIL RAGE clinic.
>
> /str0ke
>