
Privacy / Safety issue with install on Vista (1.8.4)


Serbian


It creates/places all *.dat files under %USERPROFILE%\AppData\Roaming -- a big no-no without even asking the user. Privacy sensitive data is in %USERPROFILE%\AppData\LocalLow, but even that is weak.

This tends to happen to software which was using way too "politically correct" API (as in following %APPDATA%). Note: there is no easy env var for LocalLow (might be a reg key or hardcoded), since it's supposed to be, ahem, private place :-) and %USERPROFILE% can be on a net share as well, %HOMEDRIVE%%HOMEPATH% would be semi-safe (have to check that %HOMEDRIVE% is not mapped), and %LOCALAPPDATA%\..\LocalLow would be safe, but have to check and account for OS version diffs.

I know it's a bit hard to change the mind frame from "I want this app to be as public as MS Word" to "this app is very private and will always be so", but hey, even IE made a recent "I'm private forever" turn (IE 8 has full privacy cleanup like running on Chrome engine :-)))

So, in the spirit of not becoming the next big Privacy / Safety breacher:

1 - Installer needs to ask the user where he wants uTorrent files:

  a - Strictly next to uTorrent.exe (uTorrent is private, on a USB stick)
      - this is the only safe default for the privacy-conscious
      - works with public PCs as well
  b - Folder of his choice (uTorrent is either private or communal on the box)
      - this is the "I know my box and folders" option (usually 1 sole user)
      - also when the user is not admin - people create separate alt-ProgramFiles folder(s)
      - communal install/use with anonymity by virtue of one login for all users
  c - LocalLow area (privacy-sensitive but still "politically correct")
      - this is where MS keeps private stuff, like CryptnetUrlCache
  d - Roaming area - better not (visible to network admin, copied to other boxes)
      - with full warning that this exposes data even if nothing else is exposed
      - this data goes to a net share and/or DC - it is always exposed ! ! !
        => this can expose even a Domain Admin :-)

2 - Installer needs to run under the most privacy-conservative assumptions:

  a - Assume the user doesn't want to "install" at all, he just wants default files unpacked in one place
      - cmd option to just unpack is the only thing with guaranteed safety
      - also no traces left in HKCR, HKLM, ever - HKCU only
  b - If the user does install, he has his own path where he wants files
      - not doable with Word, but perfectly doable with a light app like uTorrent
  c - Assume strict privacy first (USB stick)
  d - Assume local privacy 2nd (LocalLow)
  e - Don't even think about placing anything into the Roaming profile without a rock-solid reason
  f - Always ask before leaving a file in a place that can be on a net share
      - %HOMEDRIVE%, %USERPROFILE%, %APPDATA%
      - and double-check in code where it actually is

Everything so far is pretty easy, almost trivial to fix.

------ Hard Part - communal install / use => all paths are created equally relative :-)

A reasonably general way to handle this is to have some cmd line params. Either one, say -home, to give the root path for everything (meaning that "save path", "temp path", "settings path" would all need to be relative to the root), or one, say -config, to give the path to the config file (for all paths), or separate cmd params for each path.

The key element to remember is that path values in such a config file need to be expandable (REG_EXPAND_SZ equivalents) and relative, but can't use env vars; they can only use what's given on the cmd line and look at default places (path to .exe). In particular all paths on the Directories tab.

So in theory a change to settings.dat (say to use ~\ as "from home path", .\ as "from .exe path" ) plus one or two cmd options would do (say -home to override %USERPROFILE%, -config to override "*.dat path").

A regular defaulting sequence would need to be defined, like:

- if a path is absolute it's cool
- replace ~\ with -torpath if given, default to -home if given
  - 2nd default to %HOMEDRIVE%%HOMEPATH%
    -- check that %HOMEDRIVE% is not network mapped (there are sneaky admins out there)
    -- if so, prompt the user to change it -- on the spot, plus a don't-ask-again option stored in settings.dat
    -- suggest a LOCALAPPDATA derived path (needs some digging to construct LOCAL_HOME_PATH)
       LOCAL_HOME_PATH == LOCALAPPDATA - "App Data suffix" (suffix may change, might be in reg)
    -- LOCAL_HOME_PATH has NTUSER.DAT, ntuser.ini and "Local Settings" (which can be a junction)
- replace .\ with -config if given, default to PATH_TO_EXE if the rel path exists
  - 2nd default to LOCAL_PRIVATE_DATA (as in LocalLow)
  (settings.dat lookup is simply .\settings.dat with this in place and its presence "confirms" the path)

File association (.torrent) needs a cmd option or config flag to make it changeable/reversible on a per-invocation basis (=> save keys on start if different, restore or delete on exit). Oh, and all registry keys strictly under HKCU, no HKCR and HKLM without informed consent from the user. Remember that each invocation might be from a different actual person (sharing the same user account) and with uTorrent.exe in a different folder. Also a strict-USB user also wants associations, but only while he's using the box and uTorrent.

------ Communal use scenario(s)

This is what Word would never do and what every commercial company would consider suicidal and subversive, but it is also part of the charm of free software - free as in freedom of course :-) and a legitimate need / scenario.

Users in this scenario usually have high anonymity-based privacy, so the "I know my box and folders" option (1.b above) usually works just fine - even 5 folders with uTorrent.exe, each having its own *.dat, is no problem.

In communal use people tend to create one or more alt-Program-Files folders and depending on the kinds of users they can be from very disciplined (as in one C:\ProgramFiles instead of "C:\Program Files") to very undisciplined (2,3,5 places for non-admin installs).

Sometimes this gets more structured however - users have / create their own "home" folders and agree not to touch each other's stuff, with some not concerned about privacy at all while others are very much concerned. That's why all paths need to be relative and reg key settings reversible.
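The defaulting sequence sketched in the post (absolute paths pass through; ~\ resolves via -torpath, -home, then %HOMEDRIVE%%HOMEPATH% with a network-mapped home drive redirected to a LOCALAPPDATA-derived local path; .\ resolves via -config, then next to the .exe, then the LocalLow-style private area) is small enough to write down as code. The block below is an added illustration, not uTorrent's code and not from the post's author. It assumes the switch names -home, -torpath and -config from the post, that %LOCALAPPDATA% ends in AppData\Local (the "App Data suffix" the post says may change), and that the host facts (environment, exe folder, drive type, file existence, the user prompt) are injected so the resolver can be exercised on constructed input with no Windows box at hand.

```python
"""Settings-path resolver in the spirit of the defaulting sequence above.
Added example; not uTorrent code. Host facts are injected for testability."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import ntpath  # Windows path rules regardless of the OS this runs on

# Assumed suffix below the profile root on Vista+; kept as one constant
# because the post notes it may change (or live in the registry).
LOCAL_APPDATA_SUFFIX = ntpath.join("AppData", "Local")


@dataclass
class Options:
    """Command-line switches named in the post (argument parsing is assumed)."""
    home: Optional[str] = None       # -home: root for ~\ paths
    torpath: Optional[str] = None    # -torpath: overrides -home for ~\ paths
    config: Optional[str] = None     # -config: folder holding *.dat, for .\ paths


@dataclass
class Host:
    """What the OS would tell us; every field is injected (hypothetical API)."""
    exe_dir: str
    env: Dict[str, str]
    local_private_data: Optional[str]           # LocalLow-equivalent, if known
    is_network_drive: Callable[[str], bool]     # would wrap GetDriveType on Windows
    exists: Callable[[str], bool]
    prompt_for_home: Callable[[str], Optional[str]] = lambda suggested: None


@dataclass
class Resolution:
    path: str
    source: str                      # which rule produced the path
    warnings: List[str] = field(default_factory=list)


def local_home_path(env: Dict[str, str]) -> Optional[str]:
    """LOCAL_HOME_PATH == LOCALAPPDATA minus its AppData suffix (post's formula)."""
    local = env.get("LOCALAPPDATA")
    if not local:
        return None
    norm = ntpath.normpath(local)
    suffix = ntpath.sep + LOCAL_APPDATA_SUFFIX
    return norm[:-len(suffix)] if norm.lower().endswith(suffix.lower()) else None


def resolve_home(opts: Options, host: Host) -> Resolution:
    """Root for ~\\ paths: -torpath, then -home, then %HOMEDRIVE%%HOMEPATH%;
    a network-mapped %HOMEDRIVE% is flagged and redirected to a local path."""
    if opts.torpath:
        return Resolution(opts.torpath, "-torpath")
    if opts.home:
        return Resolution(opts.home, "-home")
    drive, tail = host.env.get("HOMEDRIVE", ""), host.env.get("HOMEPATH", "")
    res = Resolution(drive + tail, "HOMEDRIVE+HOMEPATH")
    if drive and host.is_network_drive(drive):
        res.warnings.append(f"{drive} is network mapped; {res.path} may be a share")
        suggested = local_home_path(host.env)
        chosen = host.prompt_for_home(suggested) if suggested else None
        if chosen:
            res.path, res.source = chosen, "user-chosen"
        elif suggested:
            res.path, res.source = suggested, "LOCALAPPDATA-derived"
    return res


def resolve_config_dir(opts: Options, host: Host, rel: str) -> Resolution:
    """Folder for .\\ paths: -config, then next to the .exe if the relative
    item already exists there, then LOCAL_PRIVATE_DATA (LocalLow)."""
    if opts.config:
        return Resolution(opts.config, "-config")
    if host.exists(ntpath.join(host.exe_dir, rel)):
        return Resolution(host.exe_dir, "PATH_TO_EXE")
    if host.local_private_data:
        return Resolution(host.local_private_data, "LOCAL_PRIVATE_DATA")
    return Resolution(host.exe_dir, "PATH_TO_EXE (nothing better known)")


def expand(value: str, opts: Options, host: Host) -> Resolution:
    """Apply the defaulting sequence to one settings value."""
    if ntpath.isabs(value):
        return Resolution(ntpath.normpath(value), "absolute")
    if value.startswith("~\\"):
        base = resolve_home(opts, host)
        return Resolution(ntpath.normpath(ntpath.join(base.path, value[2:])),
                          base.source, base.warnings)
    if value.startswith(".\\"):
        base = resolve_config_dir(opts, host, value[2:])
        return Resolution(ntpath.normpath(ntpath.join(base.path, value[2:])),
                          base.source, base.warnings)
    # A bare relative value is treated as .\ so nothing silently lands in the CWD.
    return expand(".\\" + value, opts, host)


# Constructed sample: a domain user whose H: home drive is mapped to a share,
# uTorrent.exe run from E:\utorrent where a settings.dat already sits.
SAMPLE_HOST = Host(
    exe_dir="E:\\utorrent",
    env={"HOMEDRIVE": "H:", "HOMEPATH": "\\",
         "LOCALAPPDATA": "C:\\Users\\alice\\AppData\\Local"},
    local_private_data="C:\\Users\\alice\\AppData\\LocalLow\\uTorrent",
    is_network_drive=lambda d: d.upper() == "H:",
    exists=lambda p: p.lower() == "e:\\utorrent\\settings.dat",
)
SAMPLE_SETTINGS = {"save_path": "~\\Downloads", "settings": ".\\settings.dat",
                   "temp": "D:\\Torrents\\incomplete"}


def demo(opts: Options = Options()) -> Dict[str, Resolution]:
    return {k: expand(v, opts, SAMPLE_HOST) for k, v in SAMPLE_SETTINGS.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10} -> {r.path}  [{r.source}] {r.warnings}")
```

With no switches, save_path ends up under C:\Users\alice with a warning that H: is a share, settings.dat is found beside the .exe, and the absolute temp path passes through untouched; passing Options(home="E:\\utorrent\\home") moves save_path under the USB-style root with no warning, which is the "strict privacy first" case from point 2.c.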
