popularity-contest

Jeffrey F. Bloss jbloss at tampabay.rr.com
Fri Mar 30 00:54:49 UTC 2007


Jan Torben Heuer wrote:

> OOzy Pal wrote:
> Hi,
> 
> > Nothing more!!! If it is (K)Ubuntu developers then no problem.
> > 
> > No risk on my private data!!! Right?
> 
> This package is not more dangerous than other packages.  It's on you whom
> you trust....

In fact, it's considerably more dangerous than "other packages" because
it compiles statistics about what software and versions are installed
on your system and how you're using them, then sends that information
in the clear through email... one of the most exploitable ways of moving
information there is on the net. :(

The short version is you don't even *know* who it is you're trusting.

And the information itself is highly valuable to a lot of different
BadGuys(tm). From script kiddie crackers who search for known
vulnerable versions of some software and then "Metasploit" it, to evil
governments perusing mail in bulk and profiling "dissidents".
Broadcasting this sort of information in the clear isn't just a way to
make their life easier, it's potentially the difference in making it
*possible*.

And none of this takes into account the fact that the database could be
attacked directly. I realize identities are hashed, and I'd assume that
to mean a cryptographically strong actual hash, but a "serial number"
is still a serial number. If an attacker found a way to end-run the
mathematics they'd own everyone and/or someone, entirely. :(

-- 
     _?_      Outside of a dog, a book is a man's best friend.
    (o o)         Inside of a dog, it's too dark to read.
-oOO-(_)--OOo------------------------------[ Groucho Marx ]---
                    http://wrench.homelinux.net/~jeff/
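The point about a hashed identity still being a serial number, as an added illustration that is not part of the list post and not popcon's own code: the report layout below ("ID:" and "DATE:" header lines followed by "package version" lines) is a simplification constructed for the example, the three reports are made up, and `hashed_host_id` is a hypothetical naive scheme. It shows that anyone able to read the plaintext mail stream can group reports by their unchanging hashed ID and reconstruct a per-machine upgrade history, which is why hashing an identity pseudonymizes rather than anonymizes.

```python
import hashlib
from collections import defaultdict

# Constructed sample: three reports as a collector (or anyone reading the
# mail stream) would see them. The shape is a simplification invented for
# this example, not popcon's real report format. The first two reports come
# from the same machine on different days.
SAMPLE_REPORTS = [
    "ID: 9f2c\nDATE: 2007-03-01\neditor 2.1\nmailer 0.9\n",
    "ID: 9f2c\nDATE: 2007-03-29\neditor 2.1\nmailer 1.0\n",
    "ID: 51aa\nDATE: 2007-03-29\neditor 2.0\n",
]


def hashed_host_id(serial: str) -> str:
    """Hypothetical naive scheme: derive a report ID by hashing a machine
    serial. Same serial in, same ID out, every time, so the hash is simply
    a new serial number; it hides the original value but not the machine."""
    return hashlib.sha256(serial.encode()).hexdigest()[:16]


def parse_report(text: str):
    """Split one plaintext report into (host_id, date, {package: version})."""
    host_id = date = None
    packages = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("ID:"):
            host_id = line[3:].strip()
        elif line.startswith("DATE:"):
            date = line[5:].strip()
        else:
            name, version = line.split(None, 1)
            packages[name] = version
    return host_id, date, packages


def link_by_host(reports):
    """Group reports by their hashed ID, oldest first. A stable ID turns a
    series of 'anonymous' snapshots into a per-machine history."""
    history = defaultdict(list)
    for text in reports:
        host_id, date, packages = parse_report(text)
        history[host_id].append((date, packages))
    for entries in history.values():
        entries.sort(key=lambda entry: entry[0])
    return dict(history)


def version_changes(history, host_id):
    """Package upgrades visible across one machine's linked reports: the
    profiling that a passive reader of the unencrypted stream can do."""
    entries = history[host_id]
    changes = []
    for (_, before), (_, after) in zip(entries, entries[1:]):
        for name, new_version in after.items():
            old_version = before.get(name)
            if old_version != new_version:
                changes.append((name, old_version, new_version))
    return changes


if __name__ == "__main__":
    assert hashed_host_id("serial-0001") == hashed_host_id("serial-0001")
    history = link_by_host(SAMPLE_REPORTS)
    for host_id, entries in history.items():
        print(host_id, [date for date, _ in entries], version_changes(history, host_id))
```

The mitigation the example implies is the usual one for telemetry: either protect the transport so the stream is not readable in transit, or make the identifier unlinkable across submissions (a fresh random token per report, or one rotated on a schedule) rather than a fixed hash of something stable.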
