DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY

ADVISORY NOTICE No. 1
October 14, 1996

EMERGING TECHNOLOGY SECURITY ISSUE - POINTCAST NETWORK: VALUABLE INFORMATION TOOL OR VULNERABILITY WAITING TO BE EXPLOITED?


BACKGROUND

The PointCast Network (PCN) is a free commercial software application which provides an interactive multimedia news and information service right on the computer desktop. PCN automatically interfaces with the Internet and provides users with customisable, up-to-the-minute downloads of business and international news headlines, stocks, sports, weather, and financial information, as well as Internet access. PCN makes its money by selling interactive advertisement space on the PCN screen.

This service works via an automated Internet connection, within the Windows environment, to the PCN home server. PCN polls the Net for updated information either on demand, when the user activates the update feature, or on an automatic schedule. When downloaded onto a desktop system, PCN also automatically sets itself as the default screensaver.

Many current users of PCN, which is now in Beta 0.9, believe it to be a valuable source of news and information that helps them perform their jobs more effectively and efficiently.

Currently, PCN is available only for DOS-based platforms, but Macintosh and UNIX versions are under development. For more detailed information, the PCN home page is located at: http://www.pointcast.com.


VULNERABILITIES/OTHER SECURITY ISSUES

One major concern with PCN is that it establishes a periodic connection to send and receive information. This raises the question of what other system or user information is being collected and sent during update transmissions. Could PCN be a Trojan Horse? For those with security and software integrity concerns, this may be an area that is not addressed in administrative procedures.

The PointCast Network application acts as a proxy operator for the user, downloading through your firewall whatever it decides to: data, new executables, etc. As a result, there is at least the potential for information probing and possibly other malicious activities or exploitation of the user.
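A defender-side check for the concern just described, added here as an example and not part of the original advisory: it scans constructed proxy log lines for host/destination pairs that are polled on a regular schedule (the signature of an automatic update pull) and counts how many of those pulls returned executable content. The log format, host names and content types are assumed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (assumed format, not from the advisory):
# seconds since midnight, client host, destination, bytes received, content type.
PROXY_LOG = """\
28800 pc17 news.example-pcn.test 41200 text/html
30600 pc17 news.example-pcn.test 39870 text/html
32400 pc17 news.example-pcn.test 512000 application/octet-stream
34200 pc17 news.example-pcn.test 40110 text/html
36000 pc17 news.example-pcn.test 41900 text/html
29100 pc22 www.example.test 8800 text/html
33250 pc22 www.example.test 7200 text/html
"""

# Content types that indicate code, not news, was pulled through the firewall.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}

def parse(log):
    """Split each log line into (time, host, dest, bytes, content_type)."""
    rows = []
    for line in log.splitlines():
        t, host, dest, size, ctype = line.split()
        rows.append((int(t), host, dest, int(size), ctype))
    return rows

def find_scheduled_pulls(rows, min_hits=4, max_jitter=0.1):
    """Return {(host, dest): (mean interval in seconds, executable downloads)}
    for pairs whose requests recur with low inter-request jitter."""
    by_pair = defaultdict(list)
    for t, host, dest, _size, ctype in rows:
        by_pair[(host, dest)].append((t, ctype))
    flagged = {}
    for pair, hits in by_pair.items():
        hits.sort()
        if len(hits) < min_hits:
            continue  # too few requests to call it a schedule
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            execs = sum(1 for _, c in hits if c in EXECUTABLE_TYPES)
            flagged[pair] = (avg, execs)
    return flagged

if __name__ == "__main__":
    for (host, dest), (avg, execs) in find_scheduled_pulls(parse(PROXY_LOG)).items():
        print(f"{host} -> {dest}: every {avg / 60:.0f} min, {execs} executable download(s)")
```

On the constructed log, pc17 is flagged as polling its news server every 30 minutes with one executable pull, while pc22's two irregular requests are ignored.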

PCN promotional materials state "We do not collect any information regarding software programs, utilities, etc. that reside on individual computers. We respect the privacy of our viewers." The company does indicate that it collects registration numbers and other information that viewers volunteer, and that it takes note of viewers' computer operating systems. Service users are also asked whether this registration information may be made available by PCN to other companies.

Despite the PCN disclaimer, the fact remains that their service provides a pathway which could be used to probe the computers of its users, thereby creating an otherwise nonexistent vulnerability. How much trust should we place in services like this?

What is to prevent a hacker, foreign intelligence service, or other unscrupulous party from offering a similar product which captures individual PC keystrokes, scans hard drives, uploads information, accesses LAN or network connections, or destroys files and data? What if someone breaks into the PCN Web site after it has distributed its product to millions of people?

The proliferation of PCN and similar software products undoubtedly will grow rapidly. Therefore, we must be prepared to proactively address their individual and collective impact on computer security, information protection, and information assurance issues.


FOCI/Perception Management

There may also be FOCI concerns. What if it turns out that PCN's (or another current or future service like it) parent company is a French firm? Or Canadian? Or Russian, etc.? What if a board member is a foreign national? This type of development could raise serious issues relating to Perception Management (e.g., manipulation of information and information sources).


SUMMARY

Having a software application that freely exchanges information with an off-site server creates potentially exploitable vulnerabilities, thereby increasing risk. It is true that we take risks every time we make contact across the Internet (witness the Internet pages which will give you a list of the last 50 users who contacted the site; see: http://www.cs.utexas.edu:80/users/jwetzler/). We must nonetheless be aware of the resulting implications so that we fully understand the extent of the risk being accepted.

Given this situation, several recommendations that merit consideration include the following:

* Perform a detailed evaluation of the PCN application.

* Identify and publicize vulnerabilities that exist in this and similar software packages.

* Educate users as to what they should do when they encounter software packages like this that may pose a vulnerability.

* Modify or establish a Department-wide policy on the use of such software packages.




Last Updated October 2001