
Study: Microsoft's Phishing Filter Protects User Privacy (*paid for by Microsoft)

  • Manip

    Microsoft pays for an audit of its anti-phishing filter and gets just the result that they wanted.

    But in all fairness even the people who carried out the audit admit that they were looking to prove a positive (a far easier task than disproving a negative).

    Audit wrote:
    The following assertions were used by Jefferson Wells in conducting the privacy assessment:

    1) The Phishing Filter client does not transmit any personally identifiable information without explicit user consent.
    2) URL information transmitted for rating by the Phishing Filter client cannot be traced back to the user’s personal information.
    3) HTTP and HTTPS URLs transmitted for rating by the Phishing Filter client are limited to the domain and path only. All other information in the URL is stripped.
    4) The Phishing Filter client only transmits URLs in the following scenarios.
    (a) When the user wants to manually provide feedback on a URL.
    (b) When the URL is not found in the Phishing Filter local data files.
    (c) When the Phishing Filter client heuristics determine a site as suspicious.
    5) Transmission of any and all URL information by the Phishing Filter client is over SSL on the Internet.


    What were the results?

    Audit wrote:
    OVERALL CONCLUSION
    As of April 13, 2006 and based on the assertions identified and the testing performed Jefferson Wells found that all assertions were valid. Based on Jefferson Wells testing, the assertions noted have been validated for the versions noted in the “Scope” section of this report. A matrix with the assertions and results by assertion is provided in the “Audit Results” section of the report.


    Unsurprisingly, everything Microsoft asked them to 'prove' has been, and a nice middle-management-friendly report was produced about it.

    I am unhappy with the conclusions so I am going to pick apart the original assertions and try and disprove some of them.

    Audit wrote:
    1) The Phishing Filter client does not transmit any personally identifiable information without explicit user consent.


    I wasn't sure what their definition of "personally identifiable information" was so I decided to look inside the report... But couldn't find it there... Which leaves me perplexed... How can they prove or disprove an assertion if they haven't defined the assertion?

    So I looked for a more extensive conclusion further down in the report that I hoped would explain to me how this assertion was validated... But this nine page report doesn't contain any of that information; instead they have opted for nice little check boxes reading "Validated" and "Not Validated" in a very short table.

    So I am left asking what level of information is required for someone to be "personally identified" by the anti-phishing filter?

    Are they personally identified if their web access history can be read like a book? Or is it when Microsoft knows that their first name is Bob and they live in New York?

    Because of this report's loose definitions it is impossible to conclusively prove or disprove the above assertion.

    Audit wrote:
    2) URL information transmitted for rating by the Phishing Filter client cannot be traced back to the user’s personal information.


    Yet again we come back to this undefined but important definition of what someone's personal information is.

    If you can define personal information as an IP address and a web-history then this assertion is false. If you define it as their name and star sign then it is true.

    Audit wrote:
    4) The Phishing Filter client only transmits URLs in the following scenarios.
    (a) When the user wants to manually provide feedback on a URL.
    (b) When the URL is not found in the Phishing Filter local data files.
    (c) When the Phishing Filter client heuristics determine a site as suspicious.
    5) Transmission of any and all URL information by the Phishing Filter client is over SSL on the Internet.


    I find this a slightly bizarre assertion... It is essentially asking, "Does the program work the way it was built?" The answer is of course 'yes'...

    The fact that URLs are transmitted using SSL is irrelevant. It is the destination, not the journey. It is also likely that if a third party could read the packets being sent by IE7's anti-phishing filter, they could also read the raw HTTP traffic.

    Conclusion: This audit / report might as well have been produced within Microsoft's PR department. It does not accurately define its assertions, and even if it had, the questions raised by the report are of little interest and don't strengthen the case for security and/or privacy within Microsoft's anti-phishing filter.

    This is a rubber-stamp report paid for by a large corporation to make its users feel better about the technology.
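An added example, not from the thread or from the Jefferson Wells report: a sketch of the "domain and path only" rule in assertion 3, followed by a check showing that identifiers embedded in the path itself survive that stripping, which is why the report's undefined notion of "personal information" matters. The sample URLs are constructed, and the exact stripping rule (scheme, hostname and path kept; userinfo, port, query and fragment dropped) is an assumption about what the report means.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample URLs (not taken from the report). The third one shows
# that "domain and path only" still keeps an identifier living in the path.
SAMPLE_URLS = [
    "https://bank.example.com/login?user=bob&session=abc123#top",
    "http://shop.example.org:8080/cart/items?id=42",
    "https://mail.example.net/inbox/bob.smith@example.net/msg/17",
    "https://user:secret@ftp.example.com/files?x=1",
]


def strip_to_domain_and_path(url: str) -> str:
    """Reduce a URL to scheme://host/path as assertion 3 describes.

    Assumption: "domain and path" means scheme, hostname and path only, so
    userinfo, port, query string and fragment are all discarded.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("only HTTP and HTTPS URLs are rated")
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return urlunsplit((parts.scheme, host, path, "", ""))


def path_looks_identifying(stripped_url: str) -> bool:
    """Heuristic check for identifiers the stripping never touched:
    an e-mail address or a long opaque alphanumeric token in a path segment."""
    for segment in urlsplit(stripped_url).path.split("/"):
        if "@" in segment:
            return True
        if len(segment) >= 16 and segment.isalnum() and any(c.isdigit() for c in segment):
            return True
    return False


def audit_samples(urls=SAMPLE_URLS):
    """Apply the stripping rule to each sample and flag what still identifies."""
    results = []
    for url in urls:
        stripped = strip_to_domain_and_path(url)
        results.append((stripped, path_looks_identifying(stripped)))
    return results
```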

  • Dr Herbie

    Never believe ANY of these things, from any company, or from any 'research' group, unless you know where the funding comes from.

    If you ever have anything to do with statistics, read this

    Ha, and they said I was paranoid ... Smiley

    Herbie

  • Red5

    There are three types of liars:
    1. Liars
    2. Damn Liars
    3. Statisticians

  • rjdohnert

    Research companies have to make money too. They wouldn't perform the studies unless they are paid. That goes with any research company. If you happen to find one that does do the study for free they already have an established bias.

  • Manip

    rjdohnert wrote:
    Research companies have to make money too. They wouldn't perform the studies unless they are paid. That goes with any research company. If you happen to find one that does do the study for free they already have an established bias.


    But these guys didn't even do a quality biased study. This 'study' is not worth the paper it's not printed on.

  • rjdohnert

    I haven't read it yet, so what's the link?

    Manip wrote:
    rjdohnert wrote:
    Research companies have to make money too. They wouldn't perform the studies unless they are paid. That goes with any research company. If you happen to find one that does do the study for free they already have an established bias.

    But these guys didn't even do a quality biased study. This 'study' is not worth the paper it's not printed on.

  • eagle

    The anti-phishing team is phishing for results? Where is your source for this startling revelation?

  • Maurits

    rjdohnert wrote:
    what's the link?

    http://blogs.msdn.com/ie/archive/2006/05/08/592677.aspx

    EDIT: Snap!

  • Manip

    There is a link on the IE blog post here: http://blogs.msdn.com/ie/archive/2006/05/08/592677.aspx

    [Direct Link Here PDF]


    edit: Sorry Maurits Smiley
