Security and Privacy Concern about Logos4 Phoning Home


Posts 13398
Mark Barnes | Forum Activity | Replied: Mon, Sep 20 2010 3:01 AM

tom collinge:

Jonathan Burke:

It should also be pointed out that your decision to switch off the download feature of Logos does not constitute the program being broken. It means you've chosen not to download books.

No, I did not choose to not download books.  I chose not to have my data sent to Logos' servers, and because I decided not to send my data to Logos' servers, I am being forced not to download books.

That seems to be a bug. I'm going to report it as such and see what Logos say (manual commands such as update now and sync now override the Use Internet setting, but it doesn't work for update resources).

 

Posts 128
Derek | Forum Activity | Replied: Sat, Dec 4 2010 5:07 AM

I would like to add my 2c to this topic.

I do not like having any personal data stored on anyone else's servers.  The reasons are my own and do not require my explanation to you in this thread.

I have been trying to decide whether to update to L4 or not, and I guess this just made the decision for me.  Let me simply say that I was shocked to find that my data was being sent to Logos servers without my knowledge (ok, it was in the EULA, but most never read that document any more... they are so long and verbose... I know I probably should read each eula for each of the 100 programs installed on my machine, but I have work to do...)....

As long as there is no CHOICE to store my notes on the Logos servers or not, I will choose to stay with Libronix 3...

I sincerely hope that they provide an option in the future...

Till then, it's L3 for me..

 

Posts 2964
tom | Forum Activity | Replied: Sat, Dec 4 2010 5:56 AM

Derek:
As long as there is no CHOICE to store my notes on the Logos servers or not, I will choose to stay with Libronix 3...

Derek, there is a uservoice request concerning this.  If this is important for you, please vote for this request: http://logos.uservoice.com/forums/42823-logos-bible-software-4/suggestions/660833-add-an-option-that-allows-a-user-not-to-upload-the?ref=title

Posts 5573
Forum MVP
Rich DeRuiter | Forum Activity | Replied: Sat, Dec 4 2010 9:19 AM

Derek:
As long as there is no CHOICE to store my notes on the Logos servers or not, I will choose to stay with Libronix 3...

That's certainly your choice, and L3 is a great Bible study program.

The other alternative is to do what many others have done, namely, to use a 3rd party note taking program. The reason many use a 3rd party program is that the Logos note taking system has some limitations that some find cumbersome. There's a partial list in an old thread:

 http://community.logos.com/forums/p/3548/35924.aspx#35924

To access your 3rd party notes, you could create a list of them in your favorites, and/or a short note telling you where the external note is located.

 Help links: WIKI;  Logos 6 FAQ. (Phil. 2:14, NIV)

Posts 10952
Denise | Forum Activity | Replied: Sat, Dec 4 2010 10:18 AM

Of course, Derek, you CAN have the best of both worlds. Run L3 AND L4! I use L3 as a reader, including lots of highlighting, notes and more. No slowdown and pretty fancy notes too. Runs like a Turbo-L4. Then I use L4 for all my 'research' tools ...lexicons, interlinears, apparatus and so forth. Then later, if Logos ever decides they don't own everything I write/highlight, I can import them from L3 to L4. Bob can continue being happy with his vision. And I'm happy with my high-speed Bible software.

"I didn't know God made honky tonk angels."

Posts 128
Derek | Forum Activity | Replied: Sat, Dec 4 2010 4:01 PM

Thanks, I am a OneNote junkie, but I love having my notes in my bible program, and the little indications that I have a note attached with a passage...

Logos 3 for me...

Posts 1934
Donnie Hale | Forum Activity | Replied: Sat, Dec 4 2010 9:20 PM

I'm really late to this discussion, so I hope everyone will bear with me. I'm working under the premise that some set of Logos customers have concerns about syncing any of their data to the Logos servers which are sufficiently legitimate to them that they need a way to work "offline" (as far as the Logos application is concerned). Given that, I can think of at least 5 ways of using Logos 4 without syncing their data to Logos. Note that I'm not going to provide step-by-step details for them all - I'll leave that as an exercise for the reader.

1) Make your actual use of L4 on a computer that's never on the internet. Do your program and resource updates on a computer that is on the internet. Use the techniques described on the wiki to move your updated program / resources from the internet PC to the offline PC.

2) As others have well pointed-out, set up a firewall (there are great free ones) to disallow any internet access for Logos specifically.

3) Change your etc/hosts file so that DNS lookups for any of the Logos sync server domain names yield invalid IP addresses. (If you use 127.0.0.1, it will hit your own PC; and that will cause any Logos requests to sync or update to fail.) Note that I don't know what all of the domain names are, but somebody around here probably does.

4) A bit similar to item 3, set up an account with OpenDNS.com and set your DNS settings to use their DNS servers. (Typically your settings would be for DNS servers hosted by your ISP.) Use the OpenDNS web interface to blacklist the Logos sync server domain names. Note that OpenDNS.com is the most effective tool I've found to reasonably filter access to the web - certainly better than any of those "net nanny" programs.

5) Mark Barnes has indicated that all traffic from Logos to its servers is over connections that honor your system's proxy settings. You can leverage that by setting your proxy settings to an invalid IP address just before you run Logos and reset them when you're done running Logos. Make sure you set SSL / HTTPS connections to go through the proxy. ***NOTE*** I have one concern here. An outbound internet connection from your PC does not have to be an HTTP(S) connection or honor proxy settings. It can be made directly to a reachable server on the internet using any arbitrary / proprietary protocol an application chooses to use. Fiddler won't see any traffic like that. So if Logos has any internet traffic that doesn't honor proxy settings or only uses direct connections, item 5 won't stop it. The only real way to see this traffic would be with a full-blown protocol analyzer like WireShark.

If I had to choose from these options and I had to make sure my data *never* got sync'd, I'd use option 1. If it was more about controlling exactly when and how the data got sync'd, I'd use option 3.

Hopefully this helps someone.

Donnie

 

Posts 18876
Rosie Perera | Forum Activity | Replied: Sat, Dec 4 2010 10:08 PM

Donnie Hale:

1) Make your actual use of L4 on a computer that's never on the internet. Do your program and resource updates on a computer that is on the internet. Use the techniques described on the wiki to move your updated program / resources from the internet PC to the offline PC.

That sounds like a really good option, for those who are concerned about such things. Assuming they can afford to have two computers, that is.

Of course, while you're doing sermon prep, there will probably be times when you want to go out to the Web to Google something. In that case, if you want to do it all from the same computer (to be able to easily copy/paste into a Word document that you're working on your sermon in), you'd have to close Logos first to be sure no sync took place while you were connected to the Internet. Then be sure to unplug your Internet connection before starting Logos back up again. This method (if you're going to allow yourself some occasional Internet connection on that computer) is prone to human error, though. It would be easy to forget to shut down Logos sometime.

Posts 13398
Mark Barnes | Forum Activity | Replied: Sat, Dec 4 2010 10:32 PM

Thanks, Donnie, that's a helpful summary. Permit me some comments:

Donnie Hale:
1) Make your actual use of L4 on a computer that's never on the internet. Do your program and resource updates on a computer that is on the internet. Use the techniques described on the wiki to move your updated program / resources from the internet PC to the offline PC.

It's not possible to get all updates that way. Metadata updates certainly would be missed, perhaps some others too. Disconnecting entirely from the internet is overkill if you just want to prevent notes etc. from being synced to Logos' servers. Logos currently only use one address to achieve syncing, and that's sync.logos.com - and you can use any of the other methods you suggest to block access to that one site. Indeed, if you want belt and braces you can use more than one method.

Be aware that (2) could probably be set up per user, whereas (3) and (4) would be system-wide. Personally, I'd be less confident about (4) than the others, because local DNS caching would mean changes wouldn't necessarily take place instantly.

Regarding (5), I've never seen any non-HTTP activity from Logos (not even FTP), although I haven't run WireShark since the early days of Logos 4 because WireShark can't see inside HTTPS packets. But they've got no reason that I could determine to go to the trouble of implementing anything that complex, so I see (5) as a theoretical risk only.

I've been using method (3) for several weeks on one account, and it works great. If I was paranoid, I'd combine it with method (4) and if I was very paranoid I'd also use method (2).
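An added example, not part of the thread or any poster's own code: a Python check for method (3) that parses a hosts file and reports whether sync.logos.com, the sync address named above, is mapped only to loopback or unspecified addresses. The sample hosts text and the second hostname are constructed for illustration; hosts entries match exact names only, so any name without its own entry is reported as absent.

```python
import ipaddress
import os
import sys

# Constructed sample hosts content (not copied from anyone's machine).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       Sync.Logos.com    # block Logos 4 sync (method 3)
#127.0.0.1      commented.example.com
not-an-ip       broken.example.com
"""


def parse_hosts(text):
    """Return {lowercased hostname: [ip addresses]} for every valid entry."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # skip malformed lines
        for name in fields[1:]:                # one line may list aliases
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table


def block_status(text, hostname):
    """'blocked': all entries are loopback/unspecified; 'redirected': some
    entry points elsewhere; 'absent': no entry, so normal DNS is used."""
    addrs = parse_hosts(text).get(hostname.lower().rstrip("."))
    if not addrs:
        return "absent"
    if all(a.is_loopback or a.is_unspecified for a in addrs):
        return "blocked"
    return "redirected"


def audit(text, hostnames):
    return {h: block_status(text, h) for h in hostnames}


if __name__ == "__main__":
    # Standard hosts file locations on Windows and Unix-like systems.
    path = (os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                         "System32", "drivers", "etc", "hosts")
            if sys.platform == "win32" else "/etc/hosts")
    with open(path, encoding="utf-8", errors="replace") as fh:
        # Second name is hypothetical: it stands for any future sync host.
        print(audit(fh.read(), ["sync.logos.com", "hypothetical-sync2.logos.com"]))
```

Run it after editing the hosts file and again after each program update; an "absent" result for a name the application contacts means the hosts-file block does not cover it.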

Posts 128
Derek | Forum Activity | Replied: Sun, Dec 5 2010 12:42 AM

Donnie, thanks for your suggestions, all are great and creative, technically I appreciated the use of the dyndns method... :). However they cripple the rest of the software in the process. The best possible option is still for logos to fix this properly. One of the difficulties is that logos could start using another server at any time and several of these methods would suddenly allow data to be sync'd without the user's knowledge. The safest option for me is to use l3 whilst I wait for a "fix" for L4..

Posts 13398
Mark Barnes | Forum Activity | Replied: Sun, Dec 5 2010 1:00 AM

Derek:
The best possible option is still for logos to fix this properly.

I agree.

Derek:
However they cripple the rest of the software in the process.

Blocking sync.logos.com will only block syncing. It won't stop anything else working.

Derek:
One of the difficulties is that logos could start using another server at any time and several of these methods would suddenly allow data to be sync'd without the user's knowledge.

Not quite true. The likelihood of it happening without a program update is negligible, and even if it did happen, the sync icon gives a visual indicating that syncing is taking place, so it wouldn't happen without your knowledge.

Posts 128
Derek | Forum Activity | Replied: Sun, Dec 5 2010 3:31 AM

Mark Barnes:

Not quite true. The likelihood of it happening without a program update is negligible, and even if it did happen, the sync icon gives a visual indicating that syncing is taking place, so it wouldn't happen without your knowledge.

You assume that I am observant and vigilant enough to pay attention to that detail...  ;)

Posts 128
Derek | Forum Activity | Replied: Sun, Dec 5 2010 3:32 AM

tom collinge:

Derek:
As long as there is no CHOICE to store my notes on the Logos servers or not, I will choose to stay with Libronix 3...

Derek, there is a uservoice request concerning this.  If this is important for you, please vote for this request: http://logos.uservoice.com/forums/42823-logos-bible-software-4/suggestions/660833-add-an-option-that-allows-a-user-not-to-upload-the?ref=title

 

I added a few of my votes to the cause.

Posts 3810
spitzerpl | Forum Activity | Replied: Sun, Dec 5 2010 3:46 AM

If the option is made available to set internet use to NO, it needs to do what it says it's going to do. This seems like a clear honesty/integrity issue to me. I always thought setting internet to no meant it never used the internet for anything, period. If it's other than that it seems misleading. The question mark next to the use internet option in Program Settings says "Yes:Logos will connect to the internet for various features No: Logos will not connect to the internet. Restart Required" That seems clear to me.

<EDIT> Sorry, not sure exactly where this thread currently stands, but when I posted this I was starting to read from the beginning without looking at the dates.

Posts 2964
tom | Forum Activity | Replied: Sun, Dec 5 2010 5:32 AM

Philip Spitzer:
<EDIT> Sorry, not sure exactly where this thread currently stands, but when I posted this I was starting to read from the beginning without looking at the dates.

No problem, I think we all have done this.  This security/privacy issue is becoming a lot like the note issue, every other month it comes back to life.

Posts 2964
tom | Forum Activity | Replied: Sun, Dec 5 2010 5:34 AM

Derek:
I added a few of my votes to the cause.

I don't think you were the only one who has added a couple of votes for this request.  It has moved up one spot to be #7.

Posts 1934
Donnie Hale | Forum Activity | Replied: Sun, Dec 5 2010 10:59 AM

Mark Barnes:

It's not possible to get all updates that way. Metadata updates certainly would be missed, perhaps some others too. Disconnecting entirely from the internet is overkill if you just want to prevent notes etc. from being synced to Logos' servers. Logos currently only use one address to achieve syncing, and that's sync.logos.com - and you can use any of the other methods you suggest to block access to that one site. Indeed, if you want belt and braces you can use more than one method.

Your feedback is always appreciated, Mark. Especially by someone who's tried using some of these methods...

A question for you. Why would someone *not* get metadata updates using one of the "move resource content from one computer to another" wiki methods? If all of those updates end up under one of the folders that's supposed to get copied, and you can do any requisite reindexing on the offline computer, what would they be missing? How are metadata updates different?

Note that I'm not worried about it for myself, necessarily. But I have used the wiki technique with success. I can do big downloads at work where I have a significantly faster internet connection, and then copy the updates to my home PCs (all used just by me).

Thanks,

Donnie

 

Posts 13398
Mark Barnes | Forum Activity | Replied: Sun, Dec 5 2010 1:11 PM

Donnie Hale:
Why would someone *not* get metadata updates using one of the "move resource content from one computer to another" wiki methods?

Metadata updates can be sent separately from resource files (i.e. you can have metadata updated without the resource itself being affected). Surprisingly Logos has delivered hundreds or even thousands of metadata updates.

As far as I'm able to tell, metadata updates are written directly to the library, and one or two other databases. Only wiki suggestion #1 copies those databases. That's fine for a first time installation, but you can't keep copying files between installations to keep them permanently in sync. It just won't work (you'll end up over-writing one or the other). Using scan is fine (and supported). The Wiki method is unsupported, and I'd be very cautious about using it regularly just to keep two installations in sync.

Posts 1934
Donnie Hale | Forum Activity | Replied: Sun, Dec 5 2010 2:04 PM

Mark Barnes:

As far as I'm able to tell, metadata updates are written directly to the library, and one or two other databases. Only wiki suggestion #1 copies those databases. That's fine for a first time installation, but you can't keep copying files between installations to keep them permanently in sync. It just won't work (you'll end up over-writing one or the other). Using scan is fine (and supported). The Wiki method is unsupported, and I'd be very cautious about using it regularly just to keep two installations in sync.

Mark,

Rather than trying to keep them in sync, can you just copy one installation in its entirety anytime the program, resources, and/or metadata are updated? It appears you'd have to leave the "Documents\{random}" folder alone, as it contains all your personal work product.

Given that L4 is a lot less dependent (implicitly or explicitly) on the registry than most Windows apps (primarily because it's a .NET app), it seems like a straight file system copy of the whole thing should have a chance of working?

Donnie

 

Posts 13398
Mark Barnes | Forum Activity | Replied: Sun, Dec 5 2010 2:29 PM

Donnie Hale:
Rather than trying to keep them in sync, can you just copy one installation in its entirety anytime the program, resources, and/or metadata are updated? It appears you'd have to leave the "Documents\{random}" folder alone, as it contains all your personal work product.

In theory, this may work, if you installed via option 1 or 2. But I would worry that there may be unforeseen consequences. You'd certainly have to be careful that the two installations were at the same version before you copied files. I'd also worry that Logos may get confused about the two installations if you ever did try and sync them (would it know they were different?). And I'd worry about the files that had path names as part of the data, ResourceManager/ResourceManager.db as one example of many.

So, I think if you were going to rely on this method, you'd need to do some pretty extensive testing to keep an eye on it.

PS - For these reasons, personally the only method I even use for the initial install is option #3. I worry about #1 and #2, and I'd worry even more if I was copying data folders between two installations frequently.
