HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: January 2007

Xbox Live: The "Roach Motel" of Personal Information

Now I know I'm a bit behind the curve, but I finally got around to
purchasing an Xbox Live Gold membership so I could see how bad I really
am at Gears of War.  For a brief moment, I felt like Private Pyle from
"Full Metal Jacket" cleaning my rifle - "Everything is clean...smooth."
Registration was a snap; just enter my credit card number, verification
code, name, and current address - and in no time I'm online getting
fragged to death and spending more time as a spectator than I'm
actually fighting.

Well, once I got tired of watching everyone
else have fun, I decided to revisit my account settings so I could
remove my credit card information (as I commonly do with any online
account that stores my personal information).  Much to my surprise,
there's no "Delete" ability from the console menu. I can add all the
credit cards I want or update any existing information, but I can't
delete ANYTHING.  Thinking that it's just getting late and I'm missing
something obvious, I decided to let it go for the night and look into
it the next morning.

Since being an information security
professional is accompanied by a healthy amount of paranoia, the first
thing I did the next morning is start Googling terms such as
"delete|remove Credit Card Xbox Live" to see if anyone else has
encountered this problem.  Much to my dismay, it is indeed impossible
to remove.  Yes, I used the word "impossible." Some people "think" they
have the solution - but none of them are successful.  This is truly a
case of "You can put your personal information in, but it won't come
out." Getting a bit more concerned, I decided to take my chances and
call support.

Here's a short list of responses I received from calling 1.800.4MY.XBOX:

  • Yes, canceling your subscription will remove your billing information from your account.
  • Well, the only way to remove your billing information from your Xbox console is to completely wipe out your HDD drive and start anew.
  • Sir, I don't understand what you're concerned about. Only you can see your personal information.
  • Ok, I've entered a bogus name and address - so your billing information is now useless and you're all set.
  • I'm sorry sir, you'll have to call Microsoft for that.

Apart from the second response (which is just asinine and, in theory, would
probably work - but it's just a bit "bull in a china shop-ish"), all
proved false, incorrect, inaccurate or just plain wrong.  As for the
last one, well...you got me there.  I'm still trying to figure that one
out.  But customer support isn't the problem - they're just doing their
job, and getting frustrated with them gets you nowhere - there seems
to be something much more sinister at work here.

Next thing I
decided to do was closely re-read the privacy statement, conveniently
located right on the Xbox 360 console.  Sure enough, it explicitly
states I have the ability to "update" or "add" items for billing - but
conveniently leaves out the "delete" ability. I even found a KB article
that eerily ignores "removing" your personal information.

Not only am I at a dead end with customer support,
now I'm suspicious and have only one burning question - why?  What
benefit do I, the consumer, get by not being able to delete my personal
information, and why all the barriers and misinformation?
Unfortunately, I don't know - but rest assured I'm looking into it.

If you've read this far, I'm sure you're probably wondering what I did to
relieve my all-consuming paranoia. Unfortunately, there's not much you
can do, short of canceling your current credit card, that will be effective.

Although I was once fired up about joining the Xbox Live community and
the prepaid membership cards will indeed satisfy my privacy issue, I
still have a bad taste in my mouth from this experience and will have
to let this issue rest before I attempt another subscription request.

Apparently, it's more important to ensure
that I'm absolutely, positively certain that I want to close a Microsoft
Word document without saving changes than it is to alert the user that
their personal information just checked in to the Xbox Live Roach Motel and can't check out.

Labels: Privacy

IE's Bookmarklet limits create privacy risk

Bookmarklets are awesome! They are similar to regular bookmarks, but instead of having a normal URL starting with http:// they use javascript:. This means that when you click on the bookmarklet, JavaScript code runs. Some common examples of bookmarklets include:

  • Take any word that was highlighted on a webpage and open a new window with the Wikipedia entry for that word

  • Strip all the HTML out of a webpage and only render the images

  • Submit the current URL to a bookmarking site like del.icio.us

The popular Firefox extension, GreaseMonkey is basically a collection of bookmarklets. You can read more about Bookmarklets and see examples on Wikipedia.

Since a bookmarklet is just a javascript: URL with some JavaScript code, its size is limited by how long a URL can be. All the browsers differ on this limit, with most allowing several kilobytes. However, IE takes the unusual step of specifically crippling the size of a javascript: URL to 508 characters! This
makes it impossible to have complex bookmarklets without resorting to a trick. To load large bookmarklets in IE, the
bookmarklet has to bootstrap a larger JavaScript file by dynamically
creating a SCRIPT tag and pointing its src attribute at a file containing the rest of the JavaScript for the bookmarklet. This means IE sends an HTTP request to fetch the rest of the script! This is
actually a privacy violation, because the HTTP request for the larger
JavaScript file will have an HTTP referer (sic) header with the URL of the webpage the
person is invoking the bookmarklet on. Depending on the setup, it is possible that a user is telling the bookmarklet creator each and every time they use the bookmark, as well as what website they are using it on.
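To make the trade-off concrete, here is an added example (not code from the original post) that packs a bookmarklet into a javascript: URL, falls back to the SCRIPT-tag bootstrap when the inline form exceeds IE's 508-character limit, and then shows what the host of the bootstrapped script can read out of its own access log. The script URL and the log lines are constructed for the example.

```javascript
// Added example, not code from the original post. IE_LIMIT is the 508-character
// figure the post quotes; the script URL and log lines below are constructed.
const IE_LIMIT = 508;
// Pack JavaScript source into a javascript: URL the way bookmarklet generators do:
// collapse whitespace, wrap in an IIFE so no globals leak, percent-encode.
function toBookmarkletUrl(source) {
  const oneLine = source.replace(/\s*\n\s*/g, " ").trim();
  return "javascript:(function(){" + encodeURI(oneLine) + "})();";
}
function fitsInIe(url) {
  return url.length <= IE_LIMIT;
}

// The workaround the post describes: a tiny bookmarklet that only creates a
// SCRIPT element whose src points at the full code hosted elsewhere.
function bootstrapLoader(scriptUrl) {
  return toBookmarkletUrl(
    "var s=document.createElement('script');" +
    "s.src='" + scriptUrl + "';" +
    "document.getElementsByTagName('head')[0].appendChild(s);"
  );
}

// Inline when it fits; otherwise fall back to the loader, which means every
// click sends an HTTP request (with a Referer header) to scriptUrl.
function buildForIe(source, scriptUrl) {
  const inline = toBookmarkletUrl(source);
  if (fitsInIe(inline)) return { url: inline, remoteFetch: false };
  return { url: bootstrapLoader(scriptUrl), remoteFetch: true };
}

// What the host of the bootstrapped script learns from its access log: each
// fetch carries, as Referer, the page the user invoked the bookmarklet on.
// Parses Combined Log Format lines and returns the distinct referring pages.
function pagesRevealedByLog(logLines, scriptPath) {
  const entry = /"(?:GET|POST) (\S+) [^"]*" \d+ \S+ "([^"]*)"/;
  const pages = new Set();
  for (const l of logLines) {
    const m = entry.exec(l);
    if (m && m[1] === scriptPath && m[2] !== "-") pages.add(m[2]);
  }
  return [...pages];
}

// Constructed sample log from a hypothetical bookmarklet host.
const SAMPLE_LOG = [
  '10.0.0.5 - - [12/Jan/2007:10:01:02 -0500] "GET /bm/full.js HTTP/1.1" 200 4120 "http://mail.example.com/inbox?user=alice"',
  '10.0.0.5 - - [12/Jan/2007:10:07:44 -0500] "GET /bm/full.js HTTP/1.1" 200 4120 "http://bank.example.net/accounts/summary"',
  '10.0.0.9 - - [12/Jan/2007:10:09:10 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-"',
];
```

Running `pagesRevealedByLog(SAMPLE_LOG, "/bm/full.js")` returns the two pages the user was on when clicking, which is exactly the information the inline form never sends anywhere.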

The bottom line is bookmarklets are a very cool and powerful feature. Any security enhancement gained by limiting their length is far outweighed by the privacy violation it creates.


Labels: Bookmark | IE | Privacy