Google MediaServer
Google has a MediaServer, which is part of Google Desktop. It is a very simple
MediaServer that does nothing more than make services like YouTube and Picasa
available via a few MediaServer profiles. GNUcitizen claimed that there are
security problems in the Google MediaServer. Time for some
myth debunking:
The GNUcitizen people say: "UPnP does not have any mechanisms for authenticating with your
devices. Therefore, anyone can mess with
your media. Good that Google has implemented some kind of IP/MAC based lockout
features in the Media Server, but I as you understand these checks are
insufficient."
Indeed Google has implemented restrictions on which
devices can access the MediaServer on your PC. In fact, you have to explicitly
add them or allow all devices to be able to browse your data. If you click the
box "allow everyone" and all of a sudden everyone on the network can see your
private Picasa pictures then that is not a fault of UPnP. It would be the same
as sharing your private directory over CIFS with guest access or via anonymous
FTP.
So, they do have a point that it might be better to have something
stronger than just IP/MAC based restrictions. It is a shame that the UPnP
standard for authenticating with your devices (it exists, it is called
DeviceSecurity, and was made in 2003) has never taken off, because this would
solve a lot of these problems.
But if you look at the functionality the
Google MediaServer offers, then you see that the threat is actually quite low.
You can only view and browse things, just as you would be able to do if someone
stayed logged in to his/her Google account. You can't modify (upload,
change, delete) data. You can't open up the data to other people who are not
on your LAN (unless your LAN is broken into of course). So what is the big
fuss, GNUcitizen?
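
Whether a MediaServer really is view-and-browse only can be checked from the action list in its ContentDirectory service description (SCPD). The sketch below is an added example, not code from this post or from Google: the two SCPD documents are constructed samples, `audit_scpd`, `make_scpd` and `X_VendorSync` are hypothetical names, and the action names are those of the UPnP ContentDirectory:1 service.

```python
import xml.etree.ElementTree as ET

NS = {"s": "urn:schemas-upnp-org:service-1-0"}  # UPnP service description namespace

# ContentDirectory:1 actions that only read listings or metadata.
READ_ONLY = {"Browse", "Search", "GetSearchCapabilities",
             "GetSortCapabilities", "GetSystemUpdateID", "GetTransferProgress"}
# ContentDirectory:1 actions that create, change, delete or transfer content.
MODIFYING = {"CreateObject", "DestroyObject", "UpdateObject", "CreateReference",
             "ImportResource", "ExportResource", "DeleteResource",
             "StopTransferResource"}

def audit_scpd(scpd_xml):
    """Sort the advertised actions into read-only, modifying and unknown."""
    root = ET.fromstring(scpd_xml)
    report = {"read_only": [], "modifying": [], "unknown": []}
    for node in root.findall("./s:actionList/s:action/s:name", NS):
        name = (node.text or "").strip()
        if name in READ_ONLY:
            report["read_only"].append(name)
        elif name in MODIFYING:
            report["modifying"].append(name)
        else:
            # Vendor extensions or typos: review by hand, do not assume harmless.
            report["unknown"].append(name)
    report["browse_only"] = not report["modifying"] and not report["unknown"]
    return report

def make_scpd(actions):
    """Build a constructed, minimal SCPD document for the given action names."""
    body = "".join(f"<action><name>{a}</name></action>" for a in actions)
    return ('<scpd xmlns="urn:schemas-upnp-org:service-1-0">'
            f"<actionList>{body}</actionList></scpd>")

# Constructed samples (not taken from Google's or any real server).
BROWSE_ONLY_SCPD = make_scpd(["GetSearchCapabilities", "GetSortCapabilities",
                              "GetSystemUpdateID", "Browse"])
WRITABLE_SCPD = make_scpd(["Browse", "CreateObject", "DestroyObject", "X_VendorSync"])

if __name__ == "__main__":
    for label, doc in (("browse-only", BROWSE_ONLY_SCPD), ("writable", WRITABLE_SCPD)):
        print(label, audit_scpd(doc))
```

A server whose description lists only the read-only actions matches the low-threat picture described above; any modifying or unknown action means the IP/MAC allowlist is guarding more than viewing.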