Re: Google Desktop Search

[Dave King <davefd () davewking com>]

<snip>
Admittedly, that first quote sounds scary, and it certainly doesn't hurt 
to test and see what information, if any, is being sent out, but really. 
You people are security professionals. . . do you honestly think that it 
"magically" came up with the password to your email account from a 
cached web page?
</snip>

I completely agree and possibly by use of the word automagically was 
confusing (sorry). 
Just in case I was misunderstood, like I said I tested this with Hotmail 
and was unable to replicate the results because I didn't have the little 
box marked "Sign me in automatically" on the Hotmail Login page.  So, I 
tried this again after logging into Hotmail and asking it to "Sign me in 
automatically" and it allowed me to view the message automagically, just 
as I expected.  After logging out of Hotmail and trying again, it again 
brought up the sign in prompt before it let me view my message, again as 
expected.   So, once again, I was unable to replicate the automagic sign 
in without having explicitly enabled it on a previous sign in, looks 
like Google's not pulling any crazy hacker tricks after all.

Dave King
http://www.thesecure.net


mike () ampeisch com wrote:

> Hello All;
>
> At the risk of being flamed, I would submit that you didn't know it
> indexed web history at all, because you didn't read the part of the info
> page where it says:
>
> "It's a desktop search application that provides full text search over
> your email, computer files, chats, and the web pages you've viewed."
>
> This can be found at:  http://desktop.google.com/about.html
>
> Where it also says:
>
> "The Google Desktop Search program does not make your computer's content
> accessible to Google or anyone else. You can learn more by reading the
> Desktop Search privacy policy."
>
> And, whether security pro or good consumer you should READ the privacy
> policy, before using the product.  What if it said "by downloading this
> software, you agree that we can access all contents of your hard disk
> whenever we want to, and share the information with all of the vendors on
> the planet"?
>
> Admittedly, that first quote sounds scary, and it certainly doesn't hurt
> to test and see what information, if any, is being sent out, but really. 
> You people are security professionals. . . do you honestly think that it
> "magically" came up with the password to your email account from a cached
> web page?  Read the javascript in the headers of Yahoo's login page:
>
> <-- Begin javascript comments from Yahoo -->
> /*
> * A JavaScript implementation of the RSA Data Security, Inc. MD5 Message
> * Digest Algorithm, as defined in RFC 1321.
> * Copyright (C) Paul Johnston 1999 - 2000.
> * Updated by Greg Holt 2000 - 2001.
> * See http://pajhome.org.uk/site/legal.html for details.
> */
>
> <-- End Javascript comments from Yahoo -->
>
> THEY don't even cache, or pass, your password. Like all secure programs,
> they store, and transmit, an MD5 Sum. Besides, why would you keep
> confidential information in a Yahoo email account anyway?  I don't mean to
> chastise anyone, and it certainly isn't my place, but we should all try to
> avoid generating FUD when we can.
>
> M.
>
>
>
>
>  
>
> > If you noticed during the install, it gives you the opportunity to
> > include https pages in web history caching.  When it said this it made
> > me curious since I didn't know it indexed web history at all, but
> > apparently it does and this option can be disabled on the preferences
> > page if you don't want it.
> >
> > I tried to reproduce what you said happened with Hotmail and it did
> > index the messages I have viewed and brought them up in the search
> > results, and it did let me view a cached copy without a
> > username/password, but it did not allow me to access the real message in
> > my account without my username/password.  Are you set to login
> > automagically?
> >
> > Dave King
> > http://www.thesecure.net
> >
> > DogoBrazil wrote:
> >
> >    


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html