December 18th, 2001, 03:58 PM
SpiDynamics WebInspect - Keeping Track of its Users?
I'm posting this here because for some strange, mysterious reason, the fine people at bugtraq won't publish my response on their list... I've tried for 2 days now and decided that it's being rejected... Why, I have no idea, and they have not sent me any rejection confirmation; however, other posts keep coming, and mine is nowhere to be found...
So alas I have to spread the word myself... Here is the original bugtraq post... The full story, SpiDynamics' somewhat weak reply, and my as-of-yet unanswered reply are all at the URL at the bottom... Thank you for your time.
------Cut and paste from SpiDynamics Website------
WebInspect, S.P.I. Dynamics' premier product, is the most comprehensive network-based web application security solution ever designed. It dynamically uncovers well-known static security holes, as well as security vulnerabilities specific to your own custom web applications, working with your existing security software to reinforce and strengthen functionality. Using patent-pending logic, WebInspect hones in on a new class of vulnerabilities undetected by any other scanner currently on the market.
------End cut and paste from SpiDynamics Website------
Basically it's a vulnerability scanner that you use to remotely test your website for potential security holes. A demo of it is available for download from the SpiDynamics website (http://www.spidynamics.com) for the cost of filling out an information form (and seemingly signing away your privacy).
I've come to the conclusion that SpiDynamics is keeping track of at least what sites you are scanning with their software, and possibly much more. What's worse is that there's NO mention of this "reporting" activity on the part of the software in the EULA (End User License Agreement) that you must agree to before you install their demo of WebInspect. I'm no legal expert, or master hacker... But anyone can see that something strange is going on here. And a lead developer from their company even admitted to me on the telephone that "I had found a Bug". The thing is, I personally think it's intentional, and not just some accidental oversight on their part. It seems to me that this is highly illegal, almost to the point of eavesdropping... but like I said, I'm no legal expert, you be the judge... http://www.globalapathy.com/news/default.asp (Read full article here)
P.S. I've included SpiDynamics' evasive reply and my reply to them on my site... I think they should change their policy, or face some sort of legal action... Any legal experts out there? What action could be taken?
December 18th, 2001, 05:03 PM
Whether it's illegal or not depends on what information actually is collected. At least in my country.
If your personal details are saved together with information about your website's vulnerabilities without your permission, it's definitely illegal. If you're told, it's not, but then you probably wouldn't use the software.
If the software only logs different vulnerabilities with no link to either website, IP address or person, it's probably not illegal. The information couldn't be exploited, and would only be interesting for statistics (very interesting indeed!)
In the US, however, the rules in this field are not as strict as in my country. I don't know about this specific case, but logging of information as done by many American websites is illegal in my country.
I'm gonna check this with a friend who studies law, because it's an interesting question in these days of surveillance.
December 18th, 2001, 07:54 PM
Hey, thanks a lot... They've confirmed that it keeps track of when you scan the site and what IP address you're scanning... They claim that it doesn't log the vulnerabilities; however, the connection does stay open during the scan, so I tend to NOT believe them... However, I'm not sure.
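The observation in the last post (a connection to somewhere other than the scan target staying open for the whole scan) is something anyone evaluating a scanner can verify for themselves. The following is an added example, not code from the thread or from SpiDynamics: it parses netstat-style connection-table snapshots taken before and during a scan and flags remote endpoints that are neither the scan target nor on an allow list (for instance the local DNS resolver). All addresses and connection lines are constructed (RFC 5737 documentation ranges); the snapshot format and the function names are assumptions for the sake of illustration.

```python
"""Flag a scanner's connections to hosts other than its scan target.

Constructed example: the connection-table lines below are made up
(RFC 5737 documentation addresses) and are not WebInspect output.
"""
import ipaddress
import re

# Constructed snapshots of the scanning machine's connection table,
# one at the start of a scan and one mid-scan.  A tool that reports
# nothing home should only show the scan target (203.0.113.5) as a
# remote endpoint; 198.51.100.7 stands in for an undisclosed collector.
SNAPSHOT_START = """\
TCP    192.0.2.10:1041   203.0.113.5:80      ESTABLISHED
TCP    192.0.2.10:1042   203.0.113.5:443     ESTABLISHED
TCP    192.0.2.10:1043   198.51.100.7:80     ESTABLISHED
"""
SNAPSHOT_MID = """\
TCP    192.0.2.10:1057   203.0.113.5:80      ESTABLISHED
TCP    192.0.2.10:1043   198.51.100.7:80     ESTABLISHED
UDP    192.0.2.10:53312  192.0.2.1:53        *
"""

# One connection-table row: proto, local ip:port, remote ip:port, state.
LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)\s*$"
)


def parse_snapshot(text):
    """Parse snapshot text into (proto, lip, lport, rip, rport, state) tuples.

    Lines that do not match the expected layout (headers, blanks) are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["proto"], m["laddr"], int(m["lport"]),
                         m["raddr"], int(m["rport"]), m["state"]))
    return rows


def unexpected_remotes(rows, target, allow=()):
    """Return sorted (proto, remote_ip, remote_port) for endpoints that are
    neither inside the scan target (address or CIDR) nor in the allow list."""
    target_net = ipaddress.ip_network(target, strict=False)
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow]
    found = set()
    for proto, _lip, _lport, rip, rport, _state in rows:
        ip = ipaddress.ip_address(rip)
        if ip in target_net or any(ip in net for net in allowed):
            continue
        found.add((proto, rip, rport))
    return sorted(found)


def persistent_remotes(snapshots, target, allow=()):
    """Unexpected endpoints present in every snapshot: a connection that is
    held open for the duration of the scan, as the post above describes."""
    per_snapshot = [set(unexpected_remotes(parse_snapshot(s), target, allow))
                    for s in snapshots]
    if not per_snapshot:
        return []
    return sorted(set.intersection(*per_snapshot))


if __name__ == "__main__":
    target = "203.0.113.5"
    resolver = ("192.0.2.1",)  # local DNS server, legitimately contacted
    for name, snap in (("start", SNAPSHOT_START), ("mid-scan", SNAPSHOT_MID)):
        print(name, unexpected_remotes(parse_snapshot(snap), target, resolver))
    print("held open for the whole scan:",
          persistent_remotes([SNAPSHOT_START, SNAPSHOT_MID], target, resolver))
```

In practice the snapshots would come from `netstat -an` (or an equivalent) run repeatedly while the scanner works; anything that survives in `persistent_remotes` and is not the target deserves a packet capture to see what is actually being sent, and a firewall rule if the vendor's documentation does not account for it.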