[Note: this is a re-send of my post describing why I'd asked
about quarantining. It's been called to my attention that the
footnote I put in at "(*)" in the original was subject to
misinterpretation. I apologize; my remark was meant to be 
ironic, meant to be perceived by a Linux audience as wryly
humorous. It did have the merit of being brief.

I've replaced it. 

Please, everyone, allow this version of my post to represent
what I meant, and to replace the earlier version. Nothing has
been changed other than the footnote.  (Too bad it's not brief
anymore. Sorry.)      -Bill]

__________________________________________________________
On 17 Aug 2010 08:43:35 -0400
kevin_d_cl...@comcast.net (Kevin D. Clark) wrote:

> Suggestion: suppose you have setup your system with a uid that is
> protected by some iptables rules (call this UNTRUSTED), and furthermore
> also suppose that the binary that you really want to protect against
> is called "DOCREADER".  

Exactly! You've got it! This much is already done.  I just didn't put
details in the original post; I won't do *all* the details here either,
but here's a synopsis. (Like everything I write, it starts out as
only a few lines, but grows. Sorry; I hope you find it's worth it.)

_____________
Over the past couple of years, I've been, gradually, developing my
personal machine as a kind of feasibility proof that it's possible
to visit the Internet without submitting to Moglen's "spying, all
the time, for free".
                http://www.isoc-ny.org/?p=1338
                     ^ highly recommended
                           
It's most of the way there. Essentially, the rubric is to provide
a Linux account for each of several classes of activity, e.g.,

  o General browsing (no scripts, no Flash)
  o Special browsing (e.g., each site where I post data [e.g.,
         subscription sites], or single-site browsers [e.g.,
         a single-purpose account to inspect charge-card history])
  o Poisoned browsing
     o Browsing where cookies are required
     o Browsing where Javascript is required
     o Browsing where [gack] Flash is required
         [BTW, it's surprising how much of the Internet works just
         fine without having to turn on any of the poisoned stuff.]
     
  o PDF viewing (to be implemented; the reason for this thread)
  o Mail-client quarantining (to be implemented)
  o and more

Each of the browsing classes above is handled by running it
under a discrete Linux account(*). Each such account is nonprivileged
(duh!) and the standard Linux permissions mechanisms are indispensable
in preventing, say, your browser account from knowing anything about
your e-mail account. I've set up each browsing account to typically 
run on a specific X desktop(*), to help me remember where things are,
and to enable having more than one kind of browsing go on at a time.
I often have three or four kinds of browsing going on.

For the poisonous accounts: once you allow Javascript to run
you pretty much have to assume that you've run arbitrary/malicious
binary code from the 'net. You should assume that "you" has done the
worst things that the current account has permissions to do. Writing
cookies, "resurrecting" zombie cookies, writing Flash cookies,
writing and reading arbitrary files to and from disk (oh, wait,
I already mentioned Flash cookies), doing whatever else Flash
does (no one knows!). Even doing installs, etc.  OK, accept it:
any place on your machine that was writable by "you" while "you"
was browsing must now be treated as poisoned.

After any poisonous account has been used I erase its home
directory; a clean home directory is reloaded for the next use.
Each poisonous account can write stuff to the disk (Flash will
certainly do so), but I can make it go away, and prove that
it's gone away. And sleep at night. It's my computer(*).

All of that's working and has been working for some time. (Although
of course it was something of a pain to get it working. :)  It was only
a question of pulling together tools that are already there(*). 
But it's certainly not a technique which helps anyone else (yet?); 
this is just a feasibility proof(**). Nor is it a technique for
grandma's use case. Ever.  :(

My original post in this thread came from observing that programs
*other than browsers* can be, and are, designed to phone home.
Adobe Reader(tm), for instance. But not just Adobe, nor just
proprietary blobs. Any program whose source code you don't see,
especially any program which offers "services" such as displaying
hyperlinks. But any program can be exploitable, whether or not it's
complicit by design in spying. To put it another way, I'd like
for any program I run to be subject to proof by me that it hasn't
been able to spy.

For instance, thinking beyond PDF readers, my e-mail client. It
displays hyperlinks. It offers to display HTML. (HTML is turned off,
of course, but it bothers me that an e-mail client contains code
which knows anything about HTML.) It would be nice if the account in 
which my e-mail client runs were restricted so that it could open
sockets only to my POP/IMAP provider. That's a more exquisite
granularity than I was asking for (the ability to drop all packets).
Sounds good - a bonus!  Thanks, guys.
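The two mechanisms Bill describes above (a per-account iptables quarantine
keyed on the uid, with the mail-client account allowed to reach only its
POP/IMAP provider, and wiping a poisoned account's home directory before
reloading a clean copy) can be expressed in a few shell functions. This is an
added example, not code from Bill or from this list; the account names
`webjs` and `mailclient`, the mail-server address 192.0.2.10 and the template
directory are placeholders. The rules are printed rather than applied so they
can be reviewed and then run as root.

```shell
#!/bin/sh
# Added example: per-uid network quarantine rules and a clean-home reset.
# Account names, server address and template path are assumptions.

# Print iptables commands confining one Linux account's outbound traffic.
#   mode "drop"       : the account may not send any packet at all
#   mode "allow-host" : only TCP to $host on $ports (default IMAPS/POP3S),
#                       everything else from that uid is dropped
# The owner match works only in the OUTPUT chain, which is exactly what
# is wanted: it ties the rule to the uid the program runs as.
quarantine_rules() {
    user="$1"; mode="$2"; host="$3"; ports="${4:-993,995}"
    case "$mode" in
        drop)
            printf 'iptables -A OUTPUT -m owner --uid-owner %s -j DROP\n' "$user"
            ;;
        allow-host)
            [ -n "$host" ] || return 1
            printf 'iptables -A OUTPUT -m owner --uid-owner %s -d %s -p tcp -m multiport --dports %s -j ACCEPT\n' \
                "$user" "$host" "$ports"
            printf 'iptables -A OUTPUT -m owner --uid-owner %s -j DROP\n' "$user"
            ;;
        *)
            return 1
            ;;
    esac
}

# Discard a poisoned account's home directory and reload it from a clean
# template (a "deepfrozen" browser profile, for instance).  Refuses to
# operate on an empty path or on "/".  Run as root, then chown to the
# account; returns non-zero if the template is missing.
reset_home() {
    home="$1"; template="$2"
    [ -n "$home" ] && [ "$home" != "/" ] || return 1
    [ -d "$template" ] || return 1
    rm -rf "$home" && mkdir -p "$home" && cp -a "$template/." "$home/"
}

# Usage (placeholders): review the output, then apply it with sudo.
quarantine_rules webjs drop
quarantine_rules mailclient allow-host 192.0.2.10
```

Use the "drop" form for the poisoned browsing accounts and the "allow-host"
form for the mail client; because the match is on the uid, every process that
account starts, including anything Flash or JavaScript manages to spawn, is
covered by the same rule.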

Stay tuned for the paper.  :)

In_2013_or_so'ly yrs,

Bill


__________________________________________________________
(*)  I admit that I've been frustrated to the point of tears at
     the worst of the difficulties I've encountered thus far 
     (such as reverse engineering Firefox's directory structure
     so as to be able to deepfreeze it - ouch!) But none of the
     obstacles has been insurmountable.
     
     Because I use Linux. 
     
     With Linux I have the tools to tear apart the directory
     structure used by Firefox and analyze it, to customize browser
     personalities so that each instantiation does what I want. There
     is no "Registry". I have bash. I have filesystems with permission
     controls that are easy to use and easy to script. I have user
     and group structures that are easy to use; it's easy to script
     creating and managing them. I have rsync. I have a system whose
     administration isn't constrained by GUIs. I have a lot more;
     I have a system that does what *I* tell it to do.
     
     I'm delighted that I've been able to demonstrate that it's possible 
     to NOT acquiesce in being screwed by every website that places
     a tracking cookie, or uses CSS+JS to phone home with my browsing
     history, or counts on me to give the Flash binary access to the
     private data I've entrusted to my computer. 
     
     And not just my data, but also data belonging to others:
     YOUR e-mail address; customers' financial data; other people's
     personal records far more sensitive than any of these. Any data
     readable by "me" on any shared network drive I map to on my
     client's LAN. More.)
     
     The things on my computer are not there for Warner Brothers or
     Facebook or Google to siphon off. 
     
     Nor is it my prerogative to *allow* them to be siphoned off.
     This is true whether or not it's extra work or "difficult" for
     me to prevent it. In my case it even has to be true whether or
     not anyone told me about the exposure: it's my responsibility
     to know; it's what I do. It's true whether or not browsers leak.
     It's true whether or not it's "likely" Warner Brothers or
     Facebook or Google would find the data.
     
     It's simply not permissible that I allow them to be in a state
     where they can be found from the 'net. (It's the VA that might
     do that. I'm not the VA.) *I* take responsibility to ensure that
     these data, my own as well as other people's, are not exposed.
     Period.
     
     The record is clear:
       o that Flash exists as a commercial spying tool, not by
         accident or by being hacked, but by Adobe's design. 
       o that commercial entities exist precisely to assist
         corporations in using Flash to spy on you.
       o that because it's worth money, a lot of professional,
         measured-by-performance effort goes into it.
       o that almost all the world's personal computers,
         including almost all those in business, including those 
         inside "firewalls", have Flash installed.
       o that there is (heavens!) such a thing as industrial
         espionage.
       o (and that other components, although less dangerous than
         Flash, carry similar threats and need to be dealt with,
         for example PDF viewers.)
     This spying is not some teenager playing with bots or 
     accidentally stumbling across your computer with a port scan.
     This spying is purposeful and actively seeking *your* data.
     It is reprehensible, and facilitated by browser manufacturers
     and by (certain) OS makers. Nevertheless I'm delighted to
     be able to say, "people CAN be free of this spying."  (If they
     use Linux, at least. But please keep reading.)

     It does turn out to be a *little* bit inconvenient to be free
     in this (and a noticeable hassle to set up, unfortunately), but 
     it's completely convenient *enough* to be used. Every time.
     Every day. If distros included the setup it could be made almost
     perfectly transparent.
     
     For the present: I'm now able to say to my clients, and to myself
     on their behalf if they don't think to ask, that due diligence and
     good engineering have been applied to the portable computer I
     bring in to their sites and attach to their networks, and that
     my portable computer does not expose them to these vulnerabilities,
     either while I'm on site or after I leave.

     This was not always the case. I have to admit that I, like
     many others, *used* to connect to my clients' networks with a 
     machine on which an unquarantined browser had been used. I
     have to admit that I knew better at the time. I knew that using 
     a browser, especially if it uses plugins, exposes everything on the
     disk which is readable by "me" to the 'net. I knew about file 
     permissions. I knew how browsers work. I knew better.

     (Even back then I knew enough to not install Flash, though.
     And of course I never used IE, or Windows.)
     
     Linux has made the difference.
     
     (Fair disclosure: the work isn't done -- next stop, sanitizing
     the reading of PDFs. And after that there are other exposures.
     But they too can be dealt with, and none of them will be as
     difficult as the case of browsers and quarantining Flash.)
          
     I am delighted that the tools which made this work possible
     have been made available to individuals like me: by the free
     software community, by Linux itself, and (not least) by the
     generously-shared expertise on this list. To say that I'm 
     grateful to Linux is an understatement. I certainly couldn't
     have done it on Windows. As far as I know, on Windows you're
     screwed.
          
     But as you know, my level of knowledge of other operating
     systems is less (even less? :) than of Linux. I'm not, in
     fact, qualified to say whether expert users of other operating
     systems might be able to prevent this spying, as we can with
     Linux. I know that many of the necessary tools are there 
     (although no Windows shop I've ever seen uses more than a few
     of them), and that the OSs themselves have indeed gotten better.
     I *suspect* that all of the tools are not there, especially if
     my design constraint is accepted that "it has to be easy enough to
     use that it actually gets used, all the time". This suspicion
     may be due to my ignorance, in which case I welcome enlightenment.
     (Please see below.)

     Wherever "(*)" appears in this post it was intended as a flag
     that, as I wrote, I noticed an area where to my knowledge a tool 
     is likely to be missing, or would prove so inconvenient to use 
     that it wouldn't help real people. It may have appeared that I
     was being snide about a particular vendor's software, but if so,
     I only intended to be humorous. (I was writing for a Linux
     audience, and we often make certain kinds of snide remarks.)
     
     If anyone was, or is, offended I apologize.

     Finally, and not least:
     
     A large number of the world's personal-computer users aren't
     using Linux. If this ever does get written up into a presentation,
     it would be nice to be able to say "people do have a choice to
     not be spied upon" and not just "Linux people". If anyone is
     interested in porting these protections to Windows (or OSX!), 
     or demonstrating any equivalent protections on Windows
     (or OSX), thereby helping create a far better presentation,
     I'm eager to help; please contact me.
     
     "You don't have to acquiesce in being screwed."(tm)


(**) "Feasibility proof".

     Few computer owners are likely to want to go to this much
     trouble. Heck, *I* don't want to go to this much trouble.

     But I'm damned if I have to accept "Javascript is
     required for a rich experience". It isn't.
     
     I'm damned if I have to accept "only click on links
     you trust".
     
     I'm damned if I have to give up a little freedom for
     a little convenience.
     
     I'm a curmudgeon, OK. But there's more. My personal laptop has
     to perform a number of functions, not just "my" browsing. Among
     other things, my laptop has access to client data, some of
     which are sensitive, some of which are protected by Federal law.
     In any case, some data on my machine belong to others, and I'm
     responsible for them. Those data are protected on disk by strong
     encryption (of course!), but when those partitions have been
     opened and made readable (by "me") I mustn't run a browser
     (or any program!):
         o which is capable of running arbitrary/unknown code
           (always the case for a browser! Also a PDF viewer, or...)
         o running as "me"
         o or running as any user having read permissions to that data.
     (The same goes for data of lesser sensitivity. For instance,
     I don't want unknown code reading my e-mail, or siphoning my
     address book -- not that anyone would do *that*...)
    
     It should be IMPOSSIBLE for ANY browser to read data which
     "me" has accepted responsibility for.
     
     It should be not just improbable, but IMPOSSIBLE, for "me"
     to leak confidential information back to the Web. (I should
     say: I need to be able to DEMONSTRATE that it's impossible
     to leak confidential data to the Web--even if I've been tricked
     into running the most poisonous binary code imaginable. With
     Javascript you never know/you can't know; the best anyone can
     do is argue over levels of improbability, and keep patching.)
     
     Because I run Linux I can indeed demonstrate that(*), even if
     it has proven to be a little trouble.
     
     So I guess this hasn't been just a feasibility proof. It's
     what anyone *must* do who needs to tell clients "I accept
     my responsibility for your data".
_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/