2016-05-28 - Re: [GRASE-Hotspot] grase reports page is a breach of security and privacy

Header Data

From: Timothy White <ti***8@gmail.com>
Message Hash: 582e93d6c93c8779d9cba2d1b0e5f27b5c63703a99bdc440097a76a1de5ee7a9
Message ID: <CAESLx0JnXb_G1eGHuk_Yz6K0nWOPNYxjwm03UQdqFU-P+CTiXQ@mail.gmail.com>
Reply To: <CAESLx0KgFnne6r_Snw_LNWZbcVc-Nvzu6xfUhq6e1DVhUFkyvA@mail.gmail.com>
UTC Datetime: 2016-05-28 15:29:08 UTC
Raw Date: Sun, 29 May 2016 08:29:08 +1000

Raw message

Also, when we changed to the Google API charts API, it was clearly in the
changelog.
https://github.com/GraseHotspot/grase-www-portal/blob/master/debian/changelog#L15

The change was made because it worked better than lots of Open Source
charting libraries out there with minimal effort. Reports that can actually
provide useful data are much better than reports that just look pretty but
don't give useful data. Any patches for a better reports page are welcome,
as I know it currently falls way short of where we'd like it to be.

Tim

On Sun, May 29, 2016 at 8:24 AM, Timothy White <ti***8@gmail.com> wrote:

> As already pointed out by others, you can look up the Google APIs being
> used, and see that it's not uploading anything to Google, but using the
> Google charts library locally in your browser to render graphs. Google does
> not get any of your private information; it's not stored in any account.
>
> Being open source, you can also see all the code, so feel free to browse
> it on GitHub. The page in question is
> https://github.com/GraseHotspot/grase-www-portal/blob/master/files/usr/share/grase/www/radmin/templates/reports.tpl
>
> If you have a problem with Google libraries, please stop using the Grase
> Hotspot, or just stop using the Reports page.
>
> I've never hidden any part of the hotspot system, the code is all public
> on GitHub. I welcome security audits as no one is paying for any, so feel
> free to pay for a security audit.
>
> Tim
>
> On Sat, May 28, 2016 at 7:57 PM, 'Christopher Gregory' via Grase Hotspot <
> gr***t@grasehotspot.org> wrote:
>
>> Hello Tim,
>>
>> To say that I am angry is the understatement of the year.
>>
>> You have absolutely NO right using Google to submit people's server stats.
>> That is exactly what you are doing.
>>
>> A reports page is PRIVATE INFORMATION, yet I have clearly found that you
>> call https://google.com in your reports page.
>>
>> What account are you storing people's PRIVATE information on?
>>
>> As you have created this, despite that you have exams at uni, I demand to
>> know ALL the places that you have placed such hidden non-disclosed pieces
>> of code.
>>
>> As a systems administrator of a number of years of PAID employment I
>> DISABLE Google as they are pure SCUM.
>>
>> I want the exact location on Google that you are putting people's private
>> information and I want it PURGED NOW.
>>
>> If needs be I will take personal legal action against you.
>>
>> Yes I am publicly posting this on the list.
>>
>> Christopher.
>>
