THE HANDSTAND

january 2005

moderator's slog and other internet matters
With respect to this, in the majority of cases, facs have written to offending posters - at times various facs have even bothered to call various of these posters up and spend time with them explaining to them the issues. However, there are a number of complications that have also arisen which is why sometimes these things have to be treated on a case by case basis and not a one process fits all.  I'll give you an *example* of this: someone posts using the email address of another fc member. Whoever is administering the list - ie a facs member or list member - has to get in touch with other facs - try to trace through the email headers, find the server or email forwarding site where the address was set up etc - get back to other facs, wait for them to have read their posts for the day, come to a consensus about what to do, do something.

If people are so interested in what goes on in the facs list, it often consists of the above boring details, interspersed with the occasional message of *happy birthday* or whatever. The above process can take 12-36 hours. In the meantime, whoever has stolen the email address is on a roll and flooding the list with a bunch of crap both from this address and other identities they take on. In order to avoid this situation, whoever is administering the list usually confers with a couple of other facs and puts the list on emergency moderation and perhaps unsubs whoever is flooding the list.  So, there you go - that's about as transparent as it gets. Sure, in a perfect world the unsubbed person gets all kinds of warnings etc. Let me assure you, in the past when there has been someone who has done a similar thing that's exactly the kind of process that has happened. In fact we are therefore discussing one incident in a list that has been 4 years in the running.

Could you just give me and perhaps a few others of the facs (although I'm really not speaking for anyone in particular) a break!! Or perhaps you guys would like a turn at spending every morning for a month or two trawling through spam, checking archive postings and corresponding with the sys op at myspinach when something goes wrong technically....please try to keep in mind that all facs and others who initiate projects through fc and also others who have spent time doing list admin who are list members are doing this voluntarily and sometimes they are just too tired to deal with crabs and other creepy crawlies! And that is why things sometimes get done sporadically - as is the case with any kind of voluntary labor,

Dr. Anna Munster
University of NSW
::posted on ::fibreculture:: mailinglist for australasian::critical internet theory, culture and research


 
Flaw in Google Desktop Search exposed data
21 December 2004
NewScientist.com news service
Will Knight
http://www.newscientist.com/

A flaw in Google's desktop search program was revealed on Monday by a team of computer researchers. They showed it could be used to capture valuable personal information from a remote user's computer.

Google Desktop Search (GDS) lets users quickly hunt for files and documents stored on their computer using a web browser. After installation, the program runs in the background - indexing documents, emails, instant messaging conversations and web browser history - so that searches bring up results almost instantly.

Dan Wallach at Rice University in Texas, US, and two students, Seth Nielson and Seth Fogarty, discovered the flaw shortly after the application was released on 14 October 2004. They developed demonstration code to exploit the flaw and steal search results via a web page.

A query entered into Google on a computer running the desktop search program automatically adds results from the computer itself to results from the web. The researchers suspected that the way GDS integrates these results could prove a potential weak spot.

Fake connections

By analysing packets of information sent across a network, the team realised they could fool the application into handing over desktop search results to a remote user via the internet. They wrote a Java applet - a small program that runs within a browser - to exploit the glitch through a malicious website. The victim would first need to be lured to the website, perhaps through the use of spam email messages. Once there, the applet pretends to make a connection to www.google.com, which in turn lets the remote attacker perform a search of everything on the user's computer that is accessible through GDS. This might include personal or financial information.

Wallach notes that the applet does not need to exploit a software bug in order to work. "The Java program is completely legit," he told New Scientist. The trick simply exploited an oversight in GDS's security.
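The weakness described above is a confused-deputy pattern: a trusted local component (the search integrator) adds private data to a response because the request merely claims to be a Google search, while a sandboxed page-supplied program that can only reach its own origin supplies both the claim and the reply. The following is an added model of that pattern, constructed for this page; it is not Google's code, the article does not say how GDS actually recognised Google traffic, and the Host-header trust decision, the peer addresses, the sample index entries and all function names below are assumptions. It contrasts the vulnerable policy (trust the claimed destination) with a hardened one (trust only the peer the connection actually reached).

```python
"""Model of the trust decision behind the GDS applet attack (added example).

A local integrator watches a sandboxed client's HTTP traffic and injects
private desktop-index hits into any reply that looks like a Google result
page.  Vulnerable policy: decide "this is Google" from the request's claimed
destination (Host header).  Hardened policy: decide from the peer actually
connected.  All names and data are constructed assumptions, not GDS internals.
"""
from dataclasses import dataclass
import re

# Constructed stand-in for the private desktop index (files, mail, history).
DESKTOP_INDEX = {
    "tax": ["C:\\Users\\me\\2004_tax_return.pdf"],
    "password": ["mail: 'your bank password is ...'"],
}

GOOGLE_PEER = "google-ip"      # what a real connection to Google reaches
ATTACKER_PEER = "attacker-ip"  # the applet's own origin (all it may talk to)
RESULT_SLOT = "<!--results-->"  # where a result page receives local hits


@dataclass
class Request:
    peer: str          # address the socket is really connected to
    host_header: str   # destination the request *claims*
    query: str


def desktop_results(query: str) -> list[str]:
    """Look up private hits for a query in the local index."""
    return DESKTOP_INDEX.get(query, [])


def integrate(req: Request, response: str, trust_peer: bool) -> str:
    """Local integrator: if req is judged a Google search, splice local hits
    into the response before the requesting program sees it."""
    looks_like_google = req.host_header == "www.google.com"
    is_really_google = req.peer == GOOGLE_PEER
    trusted = is_really_google if trust_peer else looks_like_google
    if trusted and RESULT_SLOT in response:
        hits = desktop_results(req.query)
        injected = "".join(f"<li class=local>{h}</li>" for h in hits)
        return response.replace(RESULT_SLOT, injected)
    return response


def extract_local_hits(page: str) -> list[str]:
    """What the requesting program (and thus its origin) can read back."""
    return re.findall(r"<li class=local>(.*?)</li>", page)


def attacker_result_page() -> str:
    """The applet's own origin replies with a page shaped like a result page."""
    return f"<html><ol>{RESULT_SLOT}</ol></html>"


def sandboxed_applet_attack(query: str, trust_peer: bool) -> list[str]:
    """Applet may only connect to its origin, but claims Host: www.google.com.
    Returns whatever private hits leak to that origin."""
    req = Request(peer=ATTACKER_PEER, host_header="www.google.com", query=query)
    page = attacker_result_page()
    page = integrate(req, page, trust_peer)   # integrator sees the reply in transit
    return extract_local_hits(page)


def genuine_search(query: str, trust_peer: bool) -> list[str]:
    """A real search: the connection actually reaches Google's address."""
    req = Request(peer=GOOGLE_PEER, host_header="www.google.com", query=query)
    page = f"<html><ol>{RESULT_SLOT}</ol></html>"   # stand-in Google page
    return extract_local_hits(integrate(req, page, trust_peer))


if __name__ == "__main__":
    print("leak, claimed-destination policy:", sandboxed_applet_attack("tax", False))
    print("leak, verified-peer policy:      ", sandboxed_applet_attack("tax", True))
    print("genuine search still integrated: ", genuine_search("tax", True))
```

With the claimed-destination policy the applet reads the private file name back from its own origin's reply; with the verified-peer policy it gets nothing, while a genuine search is still integrated. In a real deployment "verified peer" has to mean an authenticated identity (for example a TLS-validated certificate for the Google host), not just a resolved address, since an attacker who controls the victim's DNS could otherwise still satisfy the check; the article does not state which change Google shipped.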

Remote repair

The trick is now more a proof of concept than a real threat, because Google was notified of the vulnerability in November and began updating installed copies of the program remotely on 10 December. The company said in a statement that it had "since fixed the problem so that all current and future users are secure".

Bruce Schneier, a US computer security expert, said the flaw is potentially serious but no different from those found in many different applications every day. "Like any piece of commercial software, it's huge and complex," he told New Scientist. Schneier adds that the automatic update process used by Google to repair installed applications might itself prove a security weak spot, but is better than relying on users to update software for themselves. "Security is always a trade-off," he says.

But Wallach says the flaw highlights the importance of testing an application thoroughly before releasing it. "Whenever you try to do something new and clever, you run the risk of enabling some sort of security attack," he warns. "The challenge for any organisation is to study carefully their own products for these kinds of issues before they get out of the door."

Concerns have previously been raised over the security implications of Google's powerful desktop search tool. Some pundits were alarmed that previously visited web pages protected by encryption or passwords can be viewed using the search tool, although this feature can be switched off. On 14 December, US research firm Gartner warned customers not to use the tool on computers that might contain valuable business information until it has been tested more thoroughly.

from gratefulthrice