[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1f1991610509220004548541db@mail.gmail.com>
Date: Thu Sep 22 08:04:29 2005
From: yboily at gmail.com (Yvan Boily)
Subject: Google Secure Access or "How to have people
download a trojan."
Very well then, since the prevailing argument seems to be that mine is an
argument of sophistry and rhetoric, I have decided to restate my argument.
I am identifying the individual claims inline, and placing my arguments at
the end.
>Berend-Jan Wever wrote:
>
> This is a quite pathetic attempt to install a trojan, let me explain:
Wever makes the statement that the Google Secure Access VPN client is a
Trojan Horse. This is naturally an inference, which is a shaky foundation
for interpreting. I don't think this is a serious concern, but just to
clarify, I am drawing this inference from the context of the mailing list
and discussion, and the balance of the argument leads me to beleive that the
claimant is not arguing that the subject is a condomn or an ancient enemy of
Greece.
Statement:
Google Secure Access is a Trojan Horse, and in particular, the application
functions as spyware to gather information that is transmitted by the user.
I dispute this statement as the generally accepted description of a Trojan
Horse is as follows:
A Trojan horse program is a malicious program that pretends to be a benign
application; a Trojan horse program purposefully does something the user
does not expect.
Although there are variations on the verbiage, I beleive that this is a fair
general description, and cite the following resources:
http://www.symantec.com/avcenter/expanded_threats/virus_worm_trojan_horse.html
http://us.mcafee.com/virusInfo/
http://www.trendmicro.com/en/security/general/virus/overview.htm
> <snippets href="http://wifi.google.com/faq.html">
> 1. "Google Secure Access is a downloadable client application that
> allows users to establish a more secure WiFi connection."
> 2. "...your internet traffic will be encrypted, preventing others from
> viewing the information you transmit."
> </snippets>
>
> So, by "more secure" Google means using encryption to prevent "others"
from
> sniffing your packets. That's nice! What else does it do? Here's some
> information from the privacy policy:
>
> <snippets href="http://wifi.google.com/privacy-policy.html">
> 1. "Google may log some information from your web page requests ..."
> 2. "Google also logs a small set of non-personally identifiable
> information ..."
> 3. "Google will not sell or provide personally identifiable
> information to any third parties except ..."
> 4. "... we may for a limited period of time preserve additional
> internet traffic or other information."
> </snippets>
>
> Aha! What we have here is trojan spyware! It does exactly what it is
> supposed to protect you from.
Wever argues that the software exploits exactly the threat the application
proposes to shield the user from. At the same time he repeats Googles
assertion that there is an improvement in security; since the user now has
the benefit of encryption, there is the added benefit that the user has
increased privacy.
Wever goes on to assert that the software is trojan spyware; from this a
reasonable inference can be drawn that Wever is claiming that the
application is a malicious application that surreptitiously gathers
information about the user.
> The second snippet clearly states that this concerns NON-personally
> identifiable information... what about the information mentioned in the
> first snippet, is that personally identifiable? I guess so; the third
> snippet mentions Google selling or providing personally identifiable
> information, this must have come from somewhere!
This argument is based on the relationship between between the first two
references, and the third reference. Beren is infering that because Google
includes verbiage in reference 3 to address the possibility of sale or
provision of personally identifiable information, that Google must in fact
be collecting personal information.
Claim One:
Google is collecting personal information because the final paragraph of the
previously cited Google Secure Access Privacy Policy states that there are
circumstances under which sale or sharing of information would be permitted.
Basis for my inference of this claim:
'the third snippet mentions Google selling or providing personally
identifiable information, this must have come from somewhere!'
Claim Two:
Because Claim One is accepted, and the material described as being collected
in the second last paragraph is not ofa personal nature, the information in
the 3rd last paragraph of the cited policy must be of a personally
identifiable nature.
Basis for my inference of this claim:
'what about the information mentioned in the first snippet, is that
personally identifiable? I guess so;", leads to Claim One.
'The second snippet clearly states that this concerns NON-personally
identifiable information'
> In the third snippet, Google neglects to mention non-personally
> identifiable information. What about selling that? I guess they do!
This argument is based on the idea that because Google does not specifically
state they will not sell non-personally identifiable information this must
prove that they do.
Claim Three:
Google shares non-personally identifiable information because they do not
state that they will not share this information.
> The best thing about the whole policy is the last snippet, which undoes
> _everything_ stated before it. Nice one Google!! ;)
This argument claims that the final paragraph frees Google from any
responsibility to honor the original statements and privacy considerations
made. I am drawing the inference that this argument is made because the
final paragraph defines scenarios under which the privacy policy may not be
deemed enforceable.
Claim Four:
Google does not need to honor the privacy policy because there are terms
under which the policy is deemed unenforceable, and therefore qualifies as
both a trojan horse and spyware as it misleads the user.
> I suggest that Google comes clean and replaces their privacy policy with a
> shorter, less confusing version:
>
> *Here's some candy, go play!*
> Btw. All your base are belong to us.
> Cheers,
> SkyLined
The conclusion that Beren draws is that Google's privacy policy is intended
merely to distract people from the actual intention of Google. Since the
original statement that Google Secure Access Client is a trojan horse, and
spyware, we can infer that Beren intends to draw the following conclusion:
Google's privacy policy is an attempt to distract the user from the fact
that Google can use the Secure Client Application to gather information
surreptiously while users employ its service. Once users have agreed to use
this service, the information collected is the property of Google, and no
longer subject to the promises made in the Privacy Policy.
Basis:
'*Here's some candy, go play!*' - This is inferred to the idea that by
offering an incentive the users can be convinced to ignore the situation.
'Btw. All your base are belong to us' - Cultural reference indicating that
the end result is domination over the subject, in this case, the information
collected by Google.
The entirety of Beren's argument as I have interpreted it is as follows:
Statement: Google Secure Access is a Trojan Horse, and in particular, the
application functions as spyware to gather information that is transmitted
by the user.
Claim One: Google is collecting personal information because the final
paragraph of the previously cited Google Secure Access Privacy Policy states
that there are circumstances under which sale or sharing of information
would be permitted.
Claim Two: Because Claim One is accepted, and the material described as
being collected in the second last paragraph is not ofa personal nature, the
information in the 3rd last paragraph of the cited policy must be of a
personally identifiable nature.
Claim Three: Google shares non-personally identifiable information because
they do not state that they will not share this information.
Claim Four: Google does not need to honor the privacy policy because there
are terms under which the policy is deemed unenforceable.
Conclusion: Google does not need to honor the privacy policy because there
are terms under which the policy is deemed unenforceable, and therefore
qualifies as both a trojan horse and spyware as it misleads the user.
I take significant issue with this argument as the claims used to support it
are not sound; to clarify this I submit the following challenges:
Claim one asserts that Google *must* be collecting personal information
because the possibility of sharing this information is documented in the
policy. The issue here is that with the exception of the second last
paragraph, Google never specifically claims that they will collect
information, simply that they might. Stretching from "might collect
potentially identifiable information" (best effort is described as 'not log
cookies and strips potentially sensitive query data from the end of requests
to help better protect your privacy') to "is collecting personal
information" is a stretch. In fact, it would be considered an inductive
fallacy; it requires the inference of behaviour due to a lack of clarity to
make this leap, without any good reason to beleive they will. (Google might
be collecting personal information, so you must accept that they are
collecting personal information, because they are a big evil corporation!)
Claim two asserts that since claim one indicates that personal information
is being collected, and that the routing and sesssion duration information
is being collected is not personal information, then the web page requests
must be personally identifiable. This is an untenable position because it is
an deductive fallacy; since it is not stated that it is not personally
identifiable, the information must be personally identifiable.
Claim three states that they will sell information non-personally
identifiable information; this is actually a fair inference, but only
because Google's business model is based on this. That said, this argument
does not support the argument because Google clearly states that they may
share this information in the resources sited as references.
Claim four states that Google does not need to honor the privacy policy (i.e.,
that it undoes the previously binding actions), however the cited references
dictate that should there be a reason for collecting additional information
that they can collect additional information. This statement is not there as
a blanket statement, and in fact, only covers circumstances where there may
be a suspected or identified threat to any of the actors within the
environment (Google, users, network servers, etc). Since the Beren claims
that all restrictions on collection and sharing of data are relieved, this
is clearly a hasty generalization.
Because the only claim left valid is that Google will share non-identifiable
information, and that this behaviour is disclosed rather than concealed, I
assert that the conclusion Beren draws is unfounded, and the product of an
over-arching appeal to fear to encourage people to be more skeptical of the
service. The nature of the argument is such that Beren attempts to use the
appearance of legitimate concerns to build a basis for an invalid conclusion
is a classis case of rhetoric. In other words, the Google Client is neither
a trojan horse, nor is it spyware as all functionality is clearly disclosed.
I further submit that Google Secure Client does in fact offer more security
as it initally claims when used with a wireless connection as it reduces the
likelihood of an attacker collecting wireless traffic. In exchange for this
protection, Google introduces a smaller risk that Google will collect
personally identifiable information. The trade off of an unknown attacker
possibly stealing any available information against a known service provider
with a corporate image to defend, and a range of liabilities introduced
through service provision collecting fairly clearly delineated information
is a fairly acceptable scenario.
These security trade-offs become more reasonable when one considers the
following possibilities:
1) The verbiage about collection of information in the case of percieved
threat likely relates to the retention of packet capture information in the
case of an IDS or IPS being triggered.
2) The majority of sites which actually contain user identifiable
information transmit such information in HTTP headers, do so via POST or PUT
requests to store larger amounts of information; as a result these would be
part of the 'potentially sensitive query data from the end of requests'. The
combination of disclosure and thoughtful selection of visited sites while
using a logged connection would yield much higher security in conjunction
with increased privacy.
3) The use of tools such as ssh to forward local connections across
encrypted tunnels make it possible to securely access sites regardless of
the monitoring mechanisms (think local port redirection to a pre-installed
squid proxy at a trusted host). Users incapable of this type of setup would
likely receive a significant improvement in security through the gained
encryption given their (probable) lack of understanding.
4) Aside from the potentially personal information contained in GET HTTP
requests that would not be filtered, the next most significant potential
issue raised by the Google information that might be shared would be a
statistical attack that may allow a remote site that acquires a great deal
of information about Google about session duration and routing to identify
local session and account information. This is highly improbable so bears a
low risk.
As a result, I beleive that the Google Secure Client will in most cases
represent an improvement in security, especially when one considers that the
intended deployment of the application is for hosts which do not have the
option of connecting using a secure wireless technology.
Basically, I stand by my initial assertion. Berend-Jan Wever has presented
an opinion designed to turn the security community away from a tool that
they can use to alleviate a serious concern in exchange for an issue of
information leakage. Like any security technology it has trade-offs, and
like many vendor tools, these trade-offs are of a nature the vendor can
profit from.
Since there are few other tools or services available for free that offer
such a solution that are easy to use (something that Google has done well in
many cases), there is no real justification for Berend-Jan Wever's attack on
the product and the service provider. The prevailing idea that because
Google is getting larger and more proprietary/monopolistic, it must be evil
is negated by the consistent disclosure of how information collected is
used.
Wevers opinion is a piece of fear-mongering garbage, fairly typical of the
sensationalist reviews and reports used by the media to paint minor issues
as The End of Civilization, and convince the world that unaffiliated
security researchers are a Bad People; this is something that I think most
people on this list should like to avoid.
On 9/21/05, str0ke@...w0rm.com <str0ke@...w0rm.com> wrote:
>
> Dear Mr. Ass-Hat (aka, Yvan Boily):
>
> Nice job shitting on someones email with name calling and childish
> remarks.
>
> Remember to clean your Pot its getting Black:
>
> "Before you go off FREAKING out you might want to consider a few things,
> first:"
>
> You seemed to be the one FREAKEING out. Let me state a few steps that
> can help you in life when you read other peoples emails in the future.
>
> 1) Breathe deeply, from your diaphragm; breathing from your chest won't
> relax you. Picture your breath coming up from your "gut."
>
> 2) Slowly repeat a calm word or phrase such as "relax", "take it easy".
> Repeat it to yourself while breathing deeply.
>
> 3) Use imagery; visualize a relaxing experience, from either your memory
> or your imagination.
>
> 4) Non-strenuous, slow yoga-like exercises can relax your muscles and make
> you feel much calmer.
>
> Remember if these 4 steps dont help you with your EMAIL RAGE. Please be
> sure to seek help at an EMAIL RAGE clinic.
>
> /str0ke
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050922/e45d70c9/attachment.html
Powered by blists - more mailing lists