Closed Bug 323969 Opened 18 years ago Closed 18 years ago

Collect Sensitive Host info and make it public via Bugzilla

Categories

(Bugzilla :: Administration, task)

task
Not set
normal

RESOLVED INVALID

People

(Reporter: malitzke, Unassigned)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050913 SeaMonkey/1.0a
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050913 SeaMonkey/1.0a

This is not a Bugzilla technical problem per se, but a well-intentioned misuse of Bugzilla and underlying database features.
One major Bugzilla user organization encourages users, when filing bugs or seeking help, to submit a host of info: e.g. `uname -a`, compiler (gcc-4.0.2), glibc (glibc-2.3.5), kde (kde-3.5), ipv6, CFLAGS="....", CXXFLAGS="....", OS-headers="2.6.11.3", graphics-card="Savage4", python-2.x.y, etc, etc.
I am not a security expert (just a 20 year plus UNIX user) but I consider that making such detailed info available on the Internet potentially plays into the hands of criminal elements.
I have exhausted my powers of persuasion (via their Bugzilla) to get a review started. I do not want to embarrass them publicly by disclosing their name here.
I hope the Mozilla (Bugzilla) organization would issue a general security alert to Bugzilla administrators to reconsider their policy on collecting and disseminating sensitive information.

Reproducible: Sometimes

Steps to Reproduce:
1. Not all users fall into the trap.

Actual Results:  
not applicable

Expected Results:  
not applicable

I am at your disposal to help. However I would prefer to do so via direct communication. I have read and agree with your security policy. This is, strictly speaking, not a problem of the Bugzilla Organization. I am just hoping you would look into the problem, as I perceive it.
I looked at the CERT site and did not find anything resembling this as a potential hazard. If you believe that it belongs in a more general category under CERT please advise.

I don't think this is anything we have any power to do anything about.  Organizations each have their own privacy policies, and if you don't like theirs, then don't submit things to them.

If you can't convince an organization to change their privacy policy there's not really much you can do but have a public discussion about it.  I don't think the government will do anything as long as they have a privacy policy posted and they aren't violating their own policy.  And there's nobody else to go to on this sort of thing except the government and the public.  (I'm not sure where we fit in this picture, we're not a government)
Group: webtools-security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
*** Bug 323971 has been marked as a duplicate of this bug. ***