The Perils of CRIMPing
Posted by Joshua Cearley
Jul 7, 2015 at 04:42 PM
Dr Andus wrote:
> Regarding the infection, maybe that’s one more argument for using a
> web-based task management tool.
I have to disagree with this if the concern is security. A local binary in isolation only has to be vetted once. A very security conscious person could even use a tool like GPG to sign the binary at home, or have the IT/security department do it for them, with the public key on their USB stick. If the work computer is compromised they wouldn’t get the key to forge a signature, and trojans that modify any exe file they can find would invalidate that signature.
A web service can’t be audited; they could get hacked at any time, and often do[1][2]. Most connections to even secure websites are only vetted by association to organizations that have been caught forging signatures[3]. Even if you trust the (probably small) web service, any number of intermediary attacks[4] can compromise you anyway.
(If you meant possibly losing data if your machine gets hauled off by IT, then I would agree.)
Dr Andus wrote:
> Oops, I didn’t see your message before I posted mine. I didn’t
> realise a portable app would do such a thing (?)
As far as I’m aware, the only real rule for being a “portable” application is that you don’t leave a footprint on the host. mIRC, for example, stores all preferences in an ini file when used from a portable install, yet still performs phone-home activation of your license key on each host you run the program from.
Ken wrote:
> More frustrating is that I am now very gun shy about using any
> portable/no-install apps at work, especially if they “phone home”
> abroad, legitimate or otherwise.
Hmm. This makes a good case for moving the update toggle on to the first-run wizard for a portable application. Maybe even some kind of “roaming” mode where app usage data or update checking only gets sent when using the computer you initially installed the program on (e.g. set your home machine as home, and if it detects a different machine ID then it won’t phone anywhere.)
Footnotes
[1] http://www.cnn.com/2013/03/04/tech/web/evernote-hacked/
[2] https://en.wikipedia.org/wiki/2011_PlayStation_Network_outage
[3] http://techcrunch.com/2015/04/01/google-cnnic/ Additionally, VeriSign will forge SSL certs for law enforcement.
[4] http://www.nationaldefensemagazine.org/blog/lists/posts/post.aspx?ID=249
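The sign-at-home, verify-at-work workflow Joshua describes, as an added example that is not part of the original post. It uses Ed25519 from Go's standard library in place of GPG (the steps are the same: detached signature made on the home machine, public key travels with the binary, verification runs before launch), and the "binary" is a constructed byte string standing in for the portable .exe. Function names and the simulated trojan are assumptions for illustration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed stand-in for a portable .exe; a real deployment signs the file bytes.
var sampleBinary = []byte("MZ\x90\x00 constructed fake portable app image, v1.0")

// NewSigningKeypair runs once, at home. The private key stays there; only the
// public key is copied to the USB stick next to the binary and its signature.
func NewSigningKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignBinary produces a detached signature over the whole file
// (the GPG equivalent is `gpg --detach-sign app.exe`).
func SignBinary(priv ed25519.PrivateKey, binary []byte) []byte {
	return ed25519.Sign(priv, binary)
}

// VerifyBinary is the check run on the work machine before the app is launched.
func VerifyBinary(pub ed25519.PublicKey, binary, sig []byte) bool {
	return ed25519.Verify(pub, binary, sig)
}

// InfectBinary simulates a file-infecting trojan that patches every exe it
// can find; any byte change must invalidate the detached signature.
func InfectBinary(binary []byte) []byte {
	infected := append([]byte{}, binary...)
	return append(infected, []byte("\x00 injected payload stub")...)
}

// DemoResult records whether each copy of the binary passed verification.
type DemoResult struct {
	Original bool // untouched binary, genuine signature
	Infected bool // trojan-modified binary, genuine signature
	Forged   bool // infected binary re-signed with the attacker's own key
}

// Demo walks through home-signing, work-verification, the tamper case, and a
// forgery attempt by an attacker who never obtained the home private key.
func Demo() (DemoResult, error) {
	pub, priv, err := NewSigningKeypair()
	if err != nil {
		return DemoResult{}, err
	}
	sig := SignBinary(priv, sampleBinary)
	infected := InfectBinary(sampleBinary)

	// The attacker on the compromised work machine only has the public key,
	// so the best they can do is sign with a key of their own.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return DemoResult{}, err
	}
	forgedSig := SignBinary(attackerPriv, infected)

	return DemoResult{
		Original: VerifyBinary(pub, sampleBinary, sig),
		Infected: VerifyBinary(pub, infected, sig),
		Forged:   VerifyBinary(pub, infected, forgedSig),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original binary verifies: %v\n", r.Original)
	fmt.Printf("infected binary verifies: %v\n", r.Infected)
	fmt.Printf("attacker-signed binary verifies: %v\n", r.Forged)
}
```

The point the post makes holds only if the public key on the stick is itself trusted (e.g. it was written there at home, not fetched from the compromised work machine); the verification step must also run from something the trojan could not patch, such as a read-only stick or a signed verifier.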