On 12/11/2010 13:59, Roger Marquis wrote:
> Don't know if this is a development feature, security hole, or privacy
This was a debugging aid accidentally left in. It has already been
> The script itself looks fine but its implementation by xss raises a
> couple of issues:
> 1) Do FreeNAS (alpha/beta/release) appliance users have an expectation
> that their usage will not be tracked by google/getfirebug or other
> remote business entities without an opt-in or opt-out dialog?
I think they likely have no expectations either way, to be honest. I'm
unaware of any tracking that's going on with this script.
> xss? If not why not?
You should view this as a 'debugging printf' that was left in by mistake
in a development release.
> 3) Should development features be loaded onto end-user browsers without
> their explicit approval?
The answer is "it depends." Development features are routinely enabled
in development software. FreeBSD enables witness, for example, in its
development releases. In this case, it was nothing more than an honest
> 4) Could IXSystems be held liable if the firebug-lite.js script were
> hacked or otherwise exploited to access a local server or client?
> Clearly firebug is an important development tool, but shouldn't the use
> of XSS by potentially unsuspecting end-users, many of whom are not
> developers, be addressed by policy, privacy-related or other?