[Note: this is a re-send of my post describing why I'd asked about quarantining. It's been called to my attention that the footnote I put in at "(*)" in the original was subject to misinterpretation. I apologize; my remark was meant to be ironic, meant to be perceived by a Linux audience as wryly humorous. It did have the merit of being brief.

I've replaced it. Please, everyone, allow this version of my post to represent what I meant, and to replace the earlier version. Nothing has been changed other than the footnote. (Too bad it's not brief anymore. Sorry.) -Bill]

__________________________________________________________

On 17 Aug 2010 08:43:35 -0400 kevin_d_cl...@comcast.net (Kevin D. Clark) wrote:

> Suggestion: suppose you have set up your system with a uid that is
> protected by some iptables rules (call this UNTRUSTED), and furthermore
> also suppose that the binary that you really want to protect against
> is called "DOCREADER".

Exactly! You've got it! This much is already done. I just didn't put details in the original post; I won't do *all* the details here either, but here's a synopsis. (Like everything I write, it starts out as only a few lines, but grows. Sorry; I hope you find it's worth it.)

_____________

Over the past couple of years, I've been, gradually, developing my personal machine as a kind of feasibility proof that it's possible to visit the Internet without submitting to Moglen's "spying, all the time, for free".

http://www.isoc-ny.org/?p=1338
^ highly recommended

It's most of the way there. Essentially, the rubric is to provide a Linux account for each of several classes of activity, e.g.,

o General browsing (no scripts, no Flash)
o Special browsing (e.g., each site where I post data [e.g., subscription sites], or single-site browsers [e.g., a single-purpose account to inspect charge-card history])
o Poisoned browsing
o Browsing where cookies are required
o Browsing where Javascript is required
o Browsing where [gack] Flash is required
  [BTW, it's surprising how much of the Internet works just fine without having to turn on any of the poisoned stuff.]
o PDF viewing (to be implemented; the reason for this thread)
o Mail-client quarantining (to be implemented)
o and more

Each of the browsing classes above is handled by running it under a discrete Linux account(*).
Each such account is nonprivileged (duh!) and the standard Linux permissions mechanisms are indispensable in preventing, say, your browser account from knowing anything about your e-mail account. I've set up each browsing account to typically run on a specific X desktop(*), to help me remember where things are, and to enable having more than one kind of browsing go on at a time. I often have three or four kinds of browsing going on.

For the poisonous accounts: once you allow Javascript to run you pretty much have to assume that you've run arbitrary/malicious binary code from the 'net. You should assume that "you" has done the worst things that the current account has permissions to do. Writing cookies, "resurrecting" zombie cookies, writing Flash cookies, writing and reading arbitrary files to and from disk (oh, wait, I already mentioned Flash cookies), doing whatever else Flash does (no one knows!). Even doing installs, etc. OK, accept it: any place on your machine that was writable by "you" while "you" was browsing must now be treated as poisoned.

After any poisonous account has been used I erase its home directory; a clean home directory is reloaded for the next use. Each poisonous account can write stuff to the disk (Flash will certainly do so), but I can make it go away, and prove that it's gone away. And sleep at night. It's my computer(*).

All of that's working and has been working for some time. (Although of course it was something of a pain to get it working. :) It was only a question of pulling together tools that are already there(*). But it's certainly not a technique which helps anyone else (yet?); this is just a feasibility proof(**). Nor is it a technique for grandma's use case. Ever. :(

My original post in this thread came from observing that programs *other than browsers* can be, and are, designed to phone home. Adobe Reader(tm), for instance. But not just Adobe, nor just proprietary blobs.
Any program whose source code you don't see, especially any program which offers "services" such as displaying hyperlinks. But any program can be exploitable, whether or not it's complicit by design in spying. To put it another way, I'd like for any program I run to be subject to proof by me that it hasn't been able to spy.

For instance, thinking beyond PDF readers, my e-mail client. It displays hyperlinks. It offers to display HTML. (HTML is turned off, of course, but it bothers me that an e-mail client contains code which knows anything about HTML.) It would be nice if the account in which my e-mail client runs were restricted so that it could open sockets only to my POP/IMAP provider. That's a more exquisite granularity than I was asking for (the ability to drop all packets). Sounds good - a bonus! Thanks, guys.

Stay tuned for the paper. :)

In_2013_or_so'ly yrs,
Bill

__________________________________________________________

(*) I admit that I've been frustrated to the point of tears at the worst of the difficulties I've encountered thus far (such as reverse engineering Firefox's directory structure so as to be able to deepfreeze it - ouch!) But none of the obstacles has been insurmountable. Because I use Linux.

With Linux I have the tools to tear apart the directory structure used by Firefox and analyze it, to customize browser personalities so that each instantiation does what I want. There is no "Registry". I have bash. I have filesystems with permission controls that are easy to use and easy to script. I have user and group structures that are easy to use; it's easy to script creating and managing them. I have rsync. I have a system whose administration isn't constrained by GUIs. I have a lot more; I have a system that does what *I* tell it to do.
I'm delighted that I've been able to demonstrate that it's possible to NOT acquiesce in being screwed by every website that places a tracking cookie, or uses CSS+JS to phone home with my browsing history, or counts on me to give the Flash binary access to the private data I've entrusted to my computer. (And not just my data, but also data belonging to others: YOUR e-mail address; customers' financial data; other people's personal records far more sensitive than any of these. Any data readable by "me" on any shared network drive I map to on my client's LAN. More.)

The things on my computer are not there for Warner Brothers or Facebook or Google to siphon off. Nor is it my prerogative to *allow* them to be siphoned off. This is true whether or not it's extra work or "difficult" for me to prevent it. In my case it even has to be true whether or not anyone told me about the exposure: it's my responsibility to know; it's what I do. It's true whether or not browsers leak. It's true whether or not it's "likely" Warner Brothers or Facebook or Google would find the data. It's simply not permissible that I allow them to be in a state where they can be found from the 'net. (It's the VA that might do that. I'm not the VA.) *I* take responsibility to ensure that these data, my own as well as other people's, are not exposed. Period.

The record is clear:

o that Flash exists as a commercial spying tool, not by accident or by being hacked, but by Adobe's design.
o that commercial entities exist precisely to assist corporations in using Flash to spy on you.
o that because it's worth money, a lot of professional, measured-by-performance effort goes into it.
o that almost all the world's personal computers, including almost all those in business, including those inside "firewalls", have Flash installed.
o that there is (heavens!) such a thing as industrial espionage.
o (and that other components, although less dangerous than Flash, carry similar threats and need to be dealt with, for example PDF viewers.)

This spying is not some teenager playing with bots or accidentally stumbling across your computer with a port scan. This spying is purposeful and actively seeking *your* data. It is reprehensible, and facilitated by browser manufacturers and by (certain) OS makers.

Nevertheless I'm delighted to be able to say, "people CAN be free of this spying." (If they use Linux, at least. But please keep reading.) It does turn out to be a *little* bit inconvenient to be free in this way (and a noticeable hassle to set up, unfortunately), but it's completely convenient *enough* to be used. Every time. Every day. If distros included the setup it could be made almost perfectly transparent.

For the present: I'm now able to say to my clients, and to myself on their behalf if they don't think to ask, that due diligence and good engineering have been applied to the portable computer I bring in to their sites and attach to their networks, and that my portable computer does not expose them to these vulnerabilities, either while I'm on site or after I leave.

This was not always the case. I have to admit that I, like many others, *used* to connect to my clients' networks with a machine on which an unquarantined browser had been used. I have to admit that I knew better at the time. I knew that using a browser, especially if it uses plugins, exposes everything on the disk which is readable by "me" to the 'net. I knew about file permissions. I knew how browsers work. I knew better. (Even back then I knew enough to not install Flash, though. And of course I never used IE, or Windows.) Linux has made the difference.

(Fair disclosure: the work isn't done -- next stop, sanitizing the reading of PDFs. And after that there are other exposures. But they too can be dealt with, and none of them will be as difficult as the case of browsers and quarantining Flash.)
I am delighted that the tools which made this work possible have been made available to individuals like me: by the free software community, by Linux itself, and (not least) by the generously-shared expertise on this list. To say that I'm grateful to Linux is an understatement.

I certainly couldn't have done it on Windows. As far as I know, on Windows you're screwed. But as you know, my level of knowledge of other operating systems is less (even less? :) than of Linux. I'm not, in fact, qualified to say whether expert users of other operating systems might be able to prevent this spying, as we can with Linux. I know that many of the necessary tools are there (although no Windows shop I've ever seen uses more than a few of them), and that the OSs themselves have indeed gotten better. I *suspect* that all of the tools are not there, especially if my design constraint is accepted that "it has to be easy enough to use that it actually gets used, all the time". This suspicion may be due to my ignorance, in which case I welcome enlightenment. (Please see below.)

Wherever "(*)" appears in this post it was intended as a flag that, as I wrote, I noticed an area where to my knowledge a tool is likely to be missing, or would prove so inconvenient to use that it wouldn't help real people. It may have appeared that I was being snide about a particular vendor's software, but if so, I only intended to be humorous. (I was writing for a Linux audience, and we often make certain kinds of snide remarks.) If anyone was, or is, offended I apologize.

Finally, and not least: A large number of the world's personal-computer users aren't using Linux. If this ever does get written up into a presentation, it would be nice to be able to say "people do have a choice to not be spied upon" and not just "Linux people". If anyone is interested in porting these protections to Windows (or OSX!), or demonstrating any equivalent protections on Windows (or OSX), thereby helping create a far better presentation, I'm eager to help; please contact me.

"You don't have to acquiesce in being screwed."(tm)

(**) "Feasibility proof". Few computer owners are likely to want to go to this much trouble. Heck, *I* don't want to go to this much trouble. But I'm damned if I have to accept "Javascript is required for a rich experience". It isn't. I'm damned if I have to accept "only click on links you trust". I'm damned if I have to give up a little freedom for a little convenience. I'm a curmudgeon, OK.

But there's more. My personal laptop has to perform a number of functions, not just "my" browsing. Among other things, my laptop has access to client data, some of which are sensitive, some of which are protected by Federal law. In any case, some data on my machine belong to others, and I'm responsible for them. Those data are protected on disk by strong encryption (of course!), but when those partitions have been opened and made readable (by "me") I mustn't run a browser (or any program!):

o which is capable of running arbitrary/unknown code (always the case for a browser! Also a PDF viewer, or...)
o running as "me"
o or running as any user having read permissions to that data.

(The same goes for data of lesser sensitivity. For instance, I don't want unknown code reading my e-mail, or siphoning my address book -- not that anyone would do *that*...)

It should be IMPOSSIBLE for ANY browser to read data which "me" has accepted responsibility for. It should be not just improbable, but IMPOSSIBLE, for "me" to leak confidential information back to the Web. (I should say: I need to be able to DEMONSTRATE that it's impossible to leak confidential data to the Web--even if I've been tricked into running the most poisonous binary code imaginable.
With Javascript you never know/you can't know; the best anyone can do is argue over levels of improbability, and keep patching. Because I run Linux I can indeed demonstrate that(*), even if it has proven to be a little trouble.)

So I guess this hasn't been just a feasibility proof. It's what anyone *must* do who needs to tell clients "I accept my responsibility for your data".

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
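The two mechanical pieces of the scheme described in the post, the per-uid iptables quarantine Kevin suggested (drop everything, or allow only the POP/IMAP provider) and the erase-and-reload of a poisoned account's home directory, as an added shell example that is not part of the original post. The uid 1502 and the host imap.example.net are assumptions; substitute your own accounts and provider.

```shell
#!/bin/sh
# Added example, not from the original post: two building blocks of the
# per-account quarantine described above. The uid 1502 and the mail host
# imap.example.net mentioned in the comments are assumptions.

# quarantine_rules UID [MAILHOST]
# Print the iptables OUTPUT rules for one unprivileged account. Without
# MAILHOST the account gets no network at all (the "drop all packets"
# case, e.g. a PDF viewer); with MAILHOST it may reach only that host on
# IMAPS/POP3S (the e-mail client case). Rules are printed rather than
# applied so they can be reviewed; as root, pipe the output to sh.
quarantine_rules() {
    uid=$1
    mailhost=$2
    # Loopback stays open so the X server and local IPC keep working.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -o lo -j ACCEPT"
    if [ -n "$mailhost" ]; then
        # No DNS is opened for this uid, so give the client the provider's
        # IP address rather than a name; iptables resolves MAILHOST only
        # once, when the rule is loaded.
        for port in 993 995; do
            echo "iptables -A OUTPUT -m owner --uid-owner $uid -p tcp -d $mailhost --dport $port -j ACCEPT"
        done
    fi
    # Anything else this uid sends is logged, then refused.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j LOG --log-prefix \"quarantine uid=$uid \""
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -j REJECT"
}

# reset_home HOME TEMPLATE
# Put a poisoned account's home directory back to a clean template (the
# "erase it and reload a clean copy" step after a session with scripts or
# Flash enabled). Kill the account's processes first: pkill -u <account>.
reset_home() {
    home=$1
    template=$2
    # Delete everything the session wrote, dotfiles included, then copy the
    # template back preserving ownership and modes so the account still works.
    # (rsync -a --delete "$template/" "$home/" does both steps where installed.)
    find "$home" -mindepth 1 -delete
    cp -pR "$template/." "$home/"
}

# Command-line use:  rules UID [MAILHOST]   or   reset HOME TEMPLATE
case "$1" in
    rules) shift; quarantine_rules "$@" ;;
    reset) shift; reset_home "$@" ;;
esac
```

Load the rules before the first login of the quarantined account, and run the reset between sessions while no process of that account is alive; the LOG rule gives you the record that "it's gone away" and that nothing else tried to leave.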