[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Google Secure Access or "How to have people download a trojan."

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Google Secure Access or "How to have people download a trojan."
From: Berend-Jan Wever <berendjanwever@xxxxxxxxx>
Date: Tue, 20 Sep 2005 15:55:54 -0700

This is a quite pathetic attempt to install a trojan, let me explain:
 <snippets href="http://wifi.google.com/faq.html";>

   1. "Google Secure Access is a downloadable client application that 
   allows users to establish a more secure WiFi connection." 
   2. "...your internet traffic will be encrypted, preventing others from 
   viewing the information you transmit."

</snippets>
 So, by "more secure" Google means using encryption to prevent "others" from 
sniffing your packets. That's nice! What else does it do? Here's some 
information from the privacy policy:

<snippets href="http://wifi.google.com/privacy-policy.html";>

   1. "Google may log some information from your web page requests ..." 
   2. "Google also logs a small set of non-personally identifiable 
   information ..." 
   3. "Google will not sell or provide personally identifiable 
   information to any third parties except ..." 
   4. "... we may for a limited period of time preserve additional 
   internet traffic or other information."

</snippets>
 Aha! What we have here is trojan spyware! It does exactly what it is 
supposed to protect you from.
 The second snippet clearly states that this concerns NON-personally 
identifiable information... what about the information mentioned in the 
first snippet, is that personally identifiable? I guess so; the third 
snippet mentions Google selling or providing personally identifiable 
information, this must have come from somewhere!
 In the third snippet, Google neglects to mention non-personally 
identifiable information. What about selling that? I guess they do!
 The best thing about the whole policy is the last snippet, which undoes 
_everything_ stated before it. Nice one Google!! ;)
 I suggest that Google comes clean and replaces their privacy policy with a 
shorter, less confusing version:

*Here's some candy, go play!*
Btw. All your base are belong to us.

 Cheers,
SkyLined
 -- 
Berend-Jan Wever <berendjanwever@xxxxxxxxx>
http://www.edup.tudelft.nl/~bjwever

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] MDKSA-2005:168 - Updated masqmail packages fix vulnerabilities
Next by Date: re:[Full-disclosure] Google Secure Access or "How to have people download a trojan."
Previous by thread: [Full-disclosure] MDKSA-2005:168 - Updated masqmail packages fix vulnerabilities
Next by thread: re:[Full-disclosure] Google Secure Access or "How to have people download a trojan."
Index(es):
- Date
- Thread