Security
Brief items
The value of privacy policies
Most serious web sites post a privacy policy describing what the site's owners will do with data collected from and about the site's users. For users who are concerned about the spread of their personal information, a strongly-written privacy policy can be a reassuring feature. A recent court ruling, however, suggests that web privacy policies may not be worth the paper they aren't printed on, at least some of the time.

Northwest Airlines was recently faced with a class-action lawsuit headed by some of its customers, who were upset that the airline had provided passenger name record (PNR) data to the U.S. government after the September 11 attacks. The plaintiffs made several allegations, including the violation of various laws and, crucially, breach of contract as a result of Northwest's failure to live up to its privacy policy.
The policy reads, in part:
There is nothing here about giving PNR data (which includes hotel and car information, along with credit card numbers) to interested governmental agencies. One might well conclude that the privacy policy has been breached.
The court struck down the breach of contract claim, however. The reasoning was:
The implications are clear: weasel words in a privacy statement can be used against you. If you ever think you may want to take a site operator to court for the violation of a privacy statement, you will, at a minimum, have to be able to show that you read that statement before the violation occurred. It seems unlikely that many potential plaintiffs in privacy policy cases will be able to make that demonstration. Privacy policies, thus, may not be worth a whole lot - at least, not in countries which lack more general restrictions on the use of personal data.
(For the curious, the full ruling is available in PDF format).
Evans Data on Linux security
Evans Data has sent out a press release about a Linux security survey done by the company. "Ninety two percent of survey respondents indicated that their Linux systems have never been infected with a virus, according to Evans Data's new Summer 2004 Linux Development Survey." The PR lacks an answer for the most interesting question, however: what, exactly, happened to the other 8%?
New vulnerabilities
courier: cross-site scripting vulnerability
Package(s): courier
CVE #(s): CAN-2004-0591
Created: July 23, 2004
Updated: August 4, 2004
Description: The sqwebmail application has a cross-site scripting vulnerability. An attacker can inject and execute a web mail script via an email message.
mailreader: directory traversal vulnerability
Package(s): mailreader
CVE #(s): CAN-2002-1581
Created: July 23, 2004
Updated: July 28, 2004
Description: Mailreader has a directory traversal vulnerability. A remote attacker can view arbitrary files with the privileges of the nph-mr.cgi process.
Pavuk: Digest authentication helper buffer overflow
Package(s): pavuk
CVE #(s): (none)
Created: July 26, 2004
Updated: July 28, 2004
Description: Pavuk contains several buffer overflow vulnerabilities in the code handling digest authentication. An attacker could cause a buffer overflow, leading to arbitrary code execution with the rights of the user running Pavuk. These vulnerabilities have been fixed in pavuk-0.9.28-r3.
samba: potential buffer overruns
Package(s): samba
CVE #(s): CAN-2004-0600, CAN-2004-0686
Created: July 22, 2004
Updated: September 2, 2004
Description: According to this Samba advisory, Evgeny Demidov discovered that the Samba SMB/CIFS server has a buffer overflow bug in the Samba Web Administration Tool (SWAT) when decoding Base64 data during HTTP Basic Authentication. Samba versions 3.0.2 through 3.0.4 are affected. (CAN-2004-0600)

Another buffer overflow bug has been located in the Samba code used to support the "mangling method = hash" functionality. The default setting for this parameter is "mangling method = hash2", so Samba is not vulnerable by default. Samba versions 2.2.0 through 2.2.9 and 3.0.0 through 3.0.4 are affected. (CAN-2004-0686)
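The SWAT bug above is an overflow while decoding the Base64 credential of an HTTP Basic Authentication header. The following added example, which is not Samba's code, shows the defensive shape of such a decoder: the decoded size is derived from the input length and checked against the destination buffer before anything is written, and oversized or malformed headers are rejected. CRED_MAX, the header-parsing helper and the check_* functions are assumptions made for illustration.

```c
/* Added example, not Samba's code: decode the credential part of an HTTP
 * "Authorization: Basic <base64>" header into a fixed-size buffer, refusing
 * input whose decoded size would exceed it; checking the bound before the
 * write loop prevents the overflow class described above. CRED_MAX and the
 * check_* functions are assumptions for illustration. */
#include <stddef.h>
#include <string.h>
#define CRED_MAX 256   /* assumed capacity of the decoded credential buffer */

static int b64val(char c) {                 /* one Base64 char -> 0..63 */
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode Base64 into out (capacity outcap): returns the decoded length, or
 * -1 for malformed input or a result that would not fit (checked before writing). */
int safe_b64_decode(const char *in, unsigned char *out, size_t outcap) {
    size_t len = strlen(in), n = 0;
    unsigned int acc = 0; int bits = 0;
    while (len > 0 && in[len - 1] == '=') len--;   /* ignore '=' padding */
    if (len % 4 == 1) return -1;                     /* no valid encoding */
    if ((len * 6) / 8 > outcap) return -1;           /* would overflow out */
    for (size_t i = 0; i < len; i++) {
        int v = b64val(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (unsigned char)(acc >> bits); }
    }
    return (int)n;
}

/* Extract and decode the credentials from a Basic auth header value. */
int basic_auth_credentials(const char *value, unsigned char creds[CRED_MAX]) {
    if (strncmp(value, "Basic ", 6) != 0) return -1;
    return safe_b64_decode(value + 6, creds, CRED_MAX);
}

/* Constructed inputs: each returns 1 when the decoder behaves as intended. */
int check_valid_header(void) {
    unsigned char creds[CRED_MAX];
    int n = basic_auth_credentials("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==", creds);
    return n == 19 && memcmp(creds, "Aladdin:open sesame", 19) == 0;
}
int check_oversized_header(void) {      /* 400 'A's would decode to 300 bytes */
    char hdr[407] = "Basic "; unsigned char creds[CRED_MAX];
    memset(hdr + 6, 'A', 400);
    return basic_auth_credentials(hdr, creds) == -1;
}
```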
sox: buffer overflow
Package(s): sox
CVE #(s): CAN-2004-0557
Created: July 28, 2004
Updated: February 21, 2005
Description: Sox suffers from buffer overflows in its WAV file handling; these overflows could conceivably be exploited by way of a malicious sound file.
subversion: access control bypass
Package(s): subversion
CVE #(s): (none)
Created: July 23, 2004
Updated: July 28, 2004
Description: Subversion has a vulnerability in the mod_authz_svn Apache authentication module that can allow a local user to bypass read restrictions in the repository.
Page editor: Rebecca Sobol