[LINK] Federal police asked to probe Google

Craig Sanders cas at taz.net.au
Sun Jun 6 22:35:10 AEST 2010


On Sun, Jun 06, 2010 at 10:05:09PM +1000, Jan Whitaker wrote:
> At 09:39 PM 6/06/2010, Richard Chirgwin wrote:
> > A "payload" frame, however, has the destination address set. An
> > interface with the wrong address, upon receiving that frame, is
> > supposed to drop it (a behaviour that's been in Ethernet forever -
> > the old coax networks behaved like this). Sniffer software ignores
> > what is an explicit part of the standard - "drop frames not addressed
> > to you". So it's at least tenable to argue that anyone who captures
> > frames not addressed to them *is* breaching the TIA, irrespective of
> > whether or not the payload is encrypted.
>
> Could this be a case of the programmer not paying attention to the
> standard?

possibly. but it's certainly a case of Richard only understanding
a small part of the standard and ignoring everything in it that
contradicts the point he wants to make (which is that it's somehow
unusual or "standards-breaking" to not drop packets "not addressed to
you" - and identifying which packets are "not addr..." is far from as
clear-cut and well-defined as he's stating)

> Google said whoever wrote it was 'experimenting' or something
> similar, part of their 'innovation' thing. If there were whiz kids
> writing code for them without proper training, that could happen. It
> could be a case of wow, neat, I wonder if I can bypass this or get
> that data without the sender knowing?

it's not a matter of "bypassing" anything. it's more a matter of not
bothering to put in a lot of extra work to filter out stuff (possibly
because no-one had bothered telling him/her that it would be a good
idea).

capturing packets is easy. filtering out the noise is hard.

and programmers are lazy. without detailed specifications they'll focus
on the "interesting" bits of the program and ignore the boring bits.


> If the coder had no sense of compliance requirements, it could easily
> happen out of pure ignorance. Doesn't excuse google from knowing what
> their code does, but I can see how it could happen.

AFAICT, it was when somebody higher up reviewed the code that the
requirements were established.

craig

-- 
craig sanders <cas at taz.net.au>


