List:       kopete-devel
Subject:    Re: [kopete-devel] Fwd: Kopete shows user name in chat
From:       Matt Rogers <mattr () kde ! org>
Date:       2009-10-02 3:49:34
Message-ID: 200910012249.39531.mattr () kde ! org

Hi,

I agree. This is not a security issue. I don't even agree that this is a 
privacy issue. If a user doesn't like the fact that their real name is shown 
in our chat client, then they should not enter a real name when using IRC. If 
your argument would apply to other IM protocols, our use of a user's real name 
that they provided to the IM service would also be an issue. However, it is 
not an issue for other IM services (we've received no complaints at least), so 
I see no reason to treat IRC any differently. Also note that we don't ship an 
IRC plugin in the KDE4 version of Kopete, so I would imagine that a great deal 
of people have quit using Kopete for IRC anyways.

Your privacy concerns are appreciated. However, the Kopete development team 
will not likely make any changes to address this complaint.

Thanks
--
Matt

On Thursday 01 October 2009 11:58:30 David Faure wrote:
> Hello,
> 
> I don't think this is a "security" issue, rather a privacy issue,
> so there's no reason to keep it undisclosed; all IRC users know about whois
> already. For this reason I'm forwarding your email to the Kopete
> development mailing-list, for the Kopete developers to answer it and/or
> fix Kopete if necessary.
> 
> David.
> 
> ----------  Forwarded Message  ----------
> 
> Subject: Kopete shows user name in chat
> Date: Wednesday 18 March 2009
> From: T P D <tp@diffenbach.org>
> To: security@kde.org
> Cc:
> 
> Kopete by default shows the user's account name in IRC chat as the
> user's "Full Name".
> 
> No warning is given to users that their account names will be shown to
> anyone performing an IRC /whois command.
> 
> While it appears possible to override this behavior, it's not intuitive,
> as the value labeled "Full Name" is modified by changing a setting
> labeled "Real Name".
> 
> Even worse, Kopete presumably has added code to access the account name
> when no "Real Name" is given; that is, someone actually affirmatively
> thought this behavior was a "Good Thing". This too is counter-intuitive:
> a setting left blank should not, without warning, result in transmitting
> display sensitive user information. Blank implies "show nothing", not
> "show my actual name".
> 
> This is, quite simply, a security hole, as much as any buffer overrun.
> Worse, a security hole someone purposely added.
> 
> Did no one, during requirements gathering, code writing, or code review
> think that the reason people use nicks in IRC is because they don't wish
> to show their real names? Or that those wishing to reveal their real
> name should have to explicitly do so?
> 
> 
> For me, knowing that someone knowingly and affirmatively coded this
> calls into question the judgment of the entire KDE team.
> 
> 
> -------------------------------------------------------
> 

-- 
Matt
