Date: Tue, 17 Mar 2009 11:59:51 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Google to base ads on surfing behaviour

Bipin Gautam wrote:

> google is evil : http://news.zdnet.co.uk/internet/0,1000000097,39625962,00.htm

That's news?    8-)

> "These ads will associate categories of interest -- say sports,
> gardening, cars, pets -- with your browser, based on the types of sites
> you visit and the pages you view,"
> ...
> As with any other cookie, this tracking file can be cleared by the
> user at any time. By visiting Google's ad-preferences page, the user
> can opt out of having their surfing habits tracked, or input their own
> preferences for the subject matter of ads they would like to see.
> 
> However, as clearing the browser's cookies would effectively remove
> the opt-out cookie itself, Google has also released a plug-in for
> browsers that provides a permanent opt-out from the service.
> ...

Whatever happened to "default deny"?

Oh, that's right -- it wouldn't be in _Google's_ interest to require 
surfers to opt into Google breaching their privacy.

As the US government doesn't seem to care much, if at all, about 
protecting the privacy rights of its citizens (in fact, do US citizens 
actually have any legally-protected privacy rights worth talking about?), 
perhaps the EU should step up here and fine the crap out of Google until 
it "fixes" this latest egregious assault on our privacy...

...

And would it be churlish to point out that Google is breaking its own 
principles with this move?

Bipin has already alluded to the much-vaunted "do no evil" doctrine 
(actually, it is "You can make money without doing evil" -- point six at:

   http://www.google.com/corporate/tenthings.html

and arguably does not preclude "but you can make more money by doing 
evil" if you read the whole thing), but there are others, perhaps most 
pertinent here are in:

   http://www.google.com/corporate/software_principles.html

   Software Principles

   At Google, we put a lot of thought into improving your online
   experience.  We're alarmed by what we believe is a growing disregard
   for your rights as computer users. We've seen increasing reports of
   spyware and other applications that trick you in order to serve you
   pop-up ads, connect your modem to expensive toll numbers or hijack
   your browser from the site you're trying to visit.

Yet it seems that it is acceptable for Google to breach reasonable 
expectations of privacy "behind the scenes" (these principles seem aimed 
at client-side, rather than server-side, shenanigans -- hmmmm...).

   We do not see this trend reversing itself. In fact, it is getting
   worse. As a provider of services and monetization for users,
   advertisers and publishers on the Internet, we feel a responsibility

...to ensure those trends continue?

No -- actually, it continues:

   to be proactive about these issues. So, we have decided to take
   action. As a first step, we have outlined a set of principles we
   believe our industry should adopt and we're sharing them to foster
   discussion and help solve the problem. We intend to follow these
   guidelines ourselves with the applications we distribute (such as the
   Google Toolbar and Google Desktop). And because we strongly believe
   these principles are good for the industry and users worldwide, we
   will encourage our current and prospective business partners to adopt
   them as well.

...but again, we won't apply these principles to the service side of our 
industry and actions.

How gloriously myopic, or is that two-faced?

The second of these proposed software principles is described thus:

   UPFRONT DISCLOSURE

   When an application is installed or enabled, it should inform you of
   its principal and significant functions. And if the application makes
   money by showing you advertising, it should clearly and conspicuously
   explain this.  This information should be presented in a way that a
   typical user will see and understand -- not buried in small print that
   requires you to scroll. For example, if the application is paid for by
   serving pop-up ads or sending your personal data to a third party,
   that should be made clear to you.

But, again, not if it's Google, DoubleClick, et al. twiddling bits on the 
back-end...

And a few sections later:

   SNOOPING

   If an application collects or transmits your personal information such
   as your address, you should know. We believe you should be asked
   explicitly for your permission in a manner that is obvious and clearly
   states what information will be collected or transmitted. For more
   detail, it should be easy to find a privacy policy that discloses how
   the information will be used and whether it will be shared with third
   parties.

But, again, not if it's Google, DoubleClick, et al. twiddling bits on the 
back-end...  

...

And to add another security-related issue to this thread, I'd rather that 
Google and DoubleClick spent some time and effort on fixing a couple of 
DoubleClick's biggest problems rather than on adding AdSense tracking 
integration to DoubleClick's cookie mechanisms.

First is that DoubleClick really needs to work on not accepting "dodgy" 
ads such as the "fake AV" ads and such they've been serving increasingly 
often of late.

Second, and much bigger, DoubleClick also needs to fix a huge security 
flaw across the whole of doubleclick.com.  doubleclick.com is an open 
redirector farm.  Depending on your school of thought, that might be 
considered what is known in web app security circles as a form of cross-
site scripting (or XSS) flaw.  This has been abused by spammers, phishers 
and malware spreaders in the past and fixing it won't be trivial as the 
whole DoubleClick business model is based on this behaviour and the 
common, Q&D fix for this type of problem (referer-checking based 
solutions) is unviable when the expected referrers are virtually any 
domain on the planet (as required by DoubleClick's distributed ad serving 
business model).  It took Google the best part of a decade to (mostly) 
fix its own open redirector problems, but that should mean it can provide 
some valuable input to its new stablemate...


Regards,

Nick FitzGerald
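As an added defensive illustration that is not part of Nick's message: the open-redirector pattern he describes, beside one hardening approach that does not depend on referer checking (the redirector follows only destinations it signed itself when the ad was served, so the referring domain is irrelevant). The secret, hostnames and function names are constructed for this example; it does not describe how DoubleClick's redirectors actually worked.

```python
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed secret for this example only; a real deployment loads it from a secret store.
SERVER_SECRET = b"example-only-secret"
FALLBACK = "https://ads.example.test/"  # constructed hostname used when a redirect is refused


def vulnerable_redirect_target(query: str) -> str:
    """'Before': an open redirector that forwards to whatever ?url= says.
    Any site may legitimately link here, so a referer check cannot tell abuse apart."""
    return parse_qs(query).get("url", [""])[0]


def sign_destination(dest: str) -> str:
    """Ad-serving side: MAC the destination when the click-through URL is built."""
    return hmac.new(SERVER_SECRET, dest.encode("utf-8"), hashlib.sha256).hexdigest()


def build_click_url_query(dest: str) -> str:
    """Query string embedded in the served ad: the destination plus its signature."""
    return urlencode({"url": dest, "sig": sign_destination(dest)})


def hardened_redirect_target(query: str) -> str:
    """'After': follow only destinations this server signed, whatever the referer is."""
    params = parse_qs(query)
    dest = params.get("url", [""])[0]
    sig = params.get("sig", [""])[0]
    expected = sign_destination(dest)
    # Constant-time comparison on bytes, so odd characters in ?sig= cannot raise.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return FALLBACK  # unsigned or tampered destination: do not forward
    parts = urlsplit(dest)
    # Defence in depth: absolute http(s) URLs only, even when correctly signed.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return FALLBACK
    return dest
```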

