Community mailing list archives

community@mail.odoo.com

Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

by Andi Becker - 11/12/2015 06:04:35
Thanks Jason

This also clarifies for us the point of view of our customer. He is very worried after the problem yesterday, which has since been solved.

Things like you describe ...

But fact is someone has collected information about who are Odoo users and who are Odoo resellers. And to sell such data, the records could not be few.

... should actually never happen without the written consent of the customer. Those companies often have very sensitive data and trust the system because it is not Google, not Facebook, not Adobe, not Microsoft, ... but Open Source Software.

Especially if you are a German company located in Germany, you could get into huge problems with such behaviours, which companies actually try to avoid by using Free Open Source Software. Unfortunately developers also trust FLOSS software, perhaps with both eyes closed, and do not check whether some scripts are running in the background sending data from your computer to whoever the receiver might be.

It would be much better to keep all this stuff separate, and then anybody who wants to include it can include it, instead of needing to check with every new release of a module whether it is doing something more than it is supposed to do. By the way, it is not said that only modules which come with the main ODOO package are sending data; it could actually be any other module too!

So IMHO good practice would simply be to NOT include such phone-home mechanisms in any kind of Open Source Software, as this is already the common practice of the Proprietary Software we all know.

Magento was mentioned. Actually this is interesting, as they have a quite similar history to Odoo in licensing and in how they treat the community and what they use it for.

Nevertheless it would be nice if at least somebody from ODOO S.A. could let everyone know what data gets collected and for what reason, as then we can communicate this to the customers and they can decide afterwards what to do. It is actually not the job of a developer or an agency to decide whether or not to collect data. In the end the customer is the one who will be held responsible in most cases, unless the agency or the developer also implements a data collection mechanism without prior consent - best in writing with company stamp - from the owner of the site.

Thanks  


With kind regards,
Mit freundlichen Grüßen,
Con un cordial saludo,
Cordialement,
с сердечным приветом,
เรื่องที่เกี่ยวกับชนิด,
與親切的問候,

ANDI BECKER

CEO/General Manager LisAndi Co., Ltd.

about.me/andibecker
--------------------------------------------------

LisAndi Co. Ltd., Phuket, Thailand (lisandi.com)
15/21 M.2 Viset Road, Rawai, Muang, Phuket, Thailand 83130

Mobile: +66 (0)81 606 3378
VoIP:   +49 (0)711 50 88788 50
Fax:     +49 (0)711 50 88788 50
Skype:          lisandi
Facebook:     andibecker
Google Talk/Facetime/eMail:  andi@lisandi.com

--------------------------------------------------

This email may contain confidential and/or privileged information. If you are not the intended recipient (or have received this email by mistake), please notify the sender immediately and destroy this email. Any unauthorized copying, disclosure or distribution of the material in this email is strictly prohibited. Email transmission security and error-free status cannot be guaranteed as information could be intercepted, corrupted, destroyed, delayed, incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which may arise as a result of email transmission

On Thu, Nov 12, 2015 at 4:42 PM, Jason / 崔建平 <jason@qdodoo.com> wrote:

Hi Luke,

Thanks for the update and you could be right about this topic. But those people may go beyond the mailing list – they claim to have data including industry, geography, job title, etc. Moreover, they sent English emails to my boss, who never responds to foreign-language (like English) mailing lists like this community.

I cannot conclude where that data was leaked from and I am not implying any source. But the fact is someone has collected information about who the Odoo users are and who the Odoo resellers are. And to sell such data, the records could not be few.

From: bounce-4149216-mail.group-59@mail.odoo.com [mailto:bounce-4149216-mail.group-59@mail.odoo.com] On Behalf Of Luke Branch
Sent: Thursday, November 12, 2015 3:57 PM
To: Community <community@mail.odoo.com>
Subject: Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

Hi Jason,

The issue you've described is restricted to these Odoo.com community mailing lists.

Some companies seem to monitor the email addresses on this list and collect them so they can cold call / email market their Odoo services.

The problem is that when you reply to the community mailing lists on Odoo, your email address is visible to recipients of the list. You can take a look at the email headers in this reply as an example to see my email address.

From what I understand of it, Odoo collects some anonymised instance usage statistics among other things, however nothing related to your customer's private data, as some seem to be suggesting.

Hi Andreas,

Magento does exactly the same thing, and includes Magento branding and links all over its software, like transactional emails, static blocks, etc. Look at the default theme and transactional emails and you'll see what I mean.

Custom extensions and themes can be used to override these defaults. Just like any other open source project (SugarCRM, WordPress, etc.; there are loads of examples), Odoo of course includes branding in key places. It's your job to override these defaults if you don't want them there.

OAuth should be switched off if you're not using it, to resolve your problem.

Switch your Odoo user into debug/developer mode and you should find what you need in the technical settings that appear.

I suggest checking out some of the great books on Odoo development and Odoo functional operations on the packtpub website, as well as the many MOOC training courses available online. They have been an invaluable resource for me, along with the Odoo official documentation and the many users in the Odoo community forum help.odoo.com that are often happy to provide insight or advice based on their own experience with the platform.

I am still very much only scratching the surface in terms of my own understanding of Odoo, however I suggest picking apart the code to learn how different things work, and if you can't figure it out, ask humbly for help in the mailing lists and help forum. People are often happy to help out if they can, and I have learnt a huge amount just from the advice of others in these two forums.

Sent from my iPhone


On 12 Nov 2015, at 2:27 PM, Jason / 崔建平 <jason@qdodoo.com> wrote:

Privacy IS an issue. We have been approached by emails marketing Odoo user information or potential customers. It is wondered how many more Odoo partners have received such emails. We did not respond, so we are not sure where that info was leaked from, and what details were in their hands. Also we do not know what details have been exposed from our own implementations.

From: bounce-4148214-mail.group-59@mail.odoo.com [mailto:bounce-4148214-mail.group-59@mail.odoo.com] On Behalf Of Gunnar Wagner
Sent: Thursday, November 12, 2015 1:27 PM
To: Community <community@mail.odoo.com>
Subject: Re: MAJOR SECURITY PROBLEM! PRIVACY VIOLATED!

On 11/12/2015 10:57 AM, Andreas Becker wrote:


>> ... Where can we find a no phone home module - could you recommend one

https://bitbucket.org/BizzAppDev/oerp_no_phoning_home should be what he is referring to

--
Gunnar Wagner | Iris Germanica Co., Ltd. | Jin Qian Gong Lu 385, 8-201, Feng Xian District, 201404 Shanghai, P.R. CHINA
+86.159.0094.1702 | skype: professorgunrad | wechat: 15900941702

_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe
