[Full-disclosure] Google Secure Access or "How to have people download a trojan."

• Previous message: Mandriva Security Team: "[Full-disclosure] MDKSA-2005:168 - Updated masqmail packages fix vulnerabilities"
• Next in thread: Yvan Boily: "re:[Full-disclosure] Google Secure Access or "How to have people download a trojan.""
• Maybe reply: Yvan Boily: "re:[Full-disclosure] Google Secure Access or "How to have people download a trojan.""
• Maybe reply: str0ke_at_milw0rm.com: "re:[Full-disclosure] Google Secure Access or "How to have people download a trojan.""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 20 Sep 2005 15:55:54 -0700
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com

This is a quite pathetic attempt to install a trojan, let me explain:
 <snippets href="http://wifi.google.com/faq.html">

   1. "Google Secure Access is a downloadable client application that
   allows users to establish a more secure WiFi connection."
   2. "...your internet traffic will be encrypted, preventing others from
   viewing the information you transmit."

</snippets>
 So, by "more secure" Google means using encryption to prevent "others" from
sniffing your packets. That's nice! What else does it do? Here's some
information from the privacy policy:

<snippets href="http://wifi.google.com/privacy-policy.html">

   1. "Google may log some information from your web page requests ..."
   2. "Google also logs a small set of non-personally identifiable
   information ..."
   3. "Google will not sell or provide personally identifiable
   information to any third parties except ..."
   4. "... we may for a limited period of time preserve additional
   internet traffic or other information."

</snippets>
 Aha! What we have here is trojan spyware! It does exactly what it is
supposed to protect you from.
 The second snippet clearly states that this concerns NON-personally
identifiable information... what about the information mentioned in the
first snippet, is that personally identifiable? I guess so; the third
snippet mentions Google selling or providing personally identifiable
information, this must have come from somewhere!
 In the third snippet, Google neglects to mention non-personally
identifiable information. What about selling that? I guess they do!
 The best thing about the whole policy is the last snippet, which undoes
_everything_ stated before it. Nice one Google!! ;)
 I suggest that Google comes clean and replaces their privacy policy with a
shorter, less confusing version:

*Here's some candy, go play!*
Btw. All your base are belong to us.

 Cheers,
SkyLined
 --
Berend-Jan Wever <berendjanwever@gmail.com>
http://www.edup.tudelft.nl/~bjwever

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Previous message: Mandriva Security Team: "[Full-disclosure] MDKSA-2005:168 - Updated masqmail packages fix vulnerabilities"
• Next in thread: Yvan Boily: "re:[Full-disclosure] Google Secure Access or "How to have people download a trojan.""
• Maybe reply: Yvan Boily: "re:[Full-disclosure] Google Secure Access or "How to have people download a trojan.""
• Maybe reply: str0ke_at_milw0rm.com: "re:[Full-disclosure] Google Secure Access or "How to have people download a trojan.""
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]