Clippool is Cool. But is it Safe?

Bryant Likes posts a pointer to a multi-computer utility that I have been using with great satisfaction on 2-4 of my machines for the last three years. I love clippool. For testing in particular, it is practically invaluable (Outlook or Bug Tracker on primary machine->beta software on test machine->UI text bug in long error message->copy from test machine to primary machine->paste it into a bug or email). It's magic.

But user beware! As I recall, clippool has two big problems:

  1. Reliability -- Clippool has a tendency to get confused, for whatever reason. When it does, you have to kill the cp process on the server and all clients and then restart it from the command line again on each computer.
  2. Security -- I can't believe they don't mention this on the Microsoft Support page for clippool that Bryant cites... Clippool provides about as much security as my cat, Leilu. Meow.

On a domain like Microsoft's, if you have clippool running and another user knows it AND they know the name of your computer, they can capture and paste everything you cut or copy without authentication (I think!).

Let's say that your computers are named useralias1 and useralias2, a common naming convention. You start clippool on useralias1 with:

>clippool /server 

and then you start clippool on the client (useralias2) using the following command.

>clippool /client useralias1

This establishes a two-way link between your "server" and your "client".

Then, unbeknownst to you, your evil boss runs this same command on her computer, stealthily adding one of her spare computers (EvilBoss_Spy1;) as a client to the useralias1 "clippool":

>clippool /client useralias1

Clippool provides no notification to the clippool server (You!) that an untrusted client (Your Evil Boss!) has been added to your pool. Your evil boss then writes a script that pastes non-duplicate clipboard content into a log file at a set interval and syndicates it as an RSS feed. Okay, most evil bosses aren't that technical or imaginative, but don't forget about your evil, mischievous, and/or curious co-workers who are.

No, I am not paranoid and I do not have an evil boss. If I did though, I would take steps to ensure that neither my manager nor my evil co-workers had any knowledge of my clippool usage and/or the names of my machines.