On Friday 29 August 2003 11:34 am, rikona wrote:
> Hello Bryan,
>
> Thursday, August 28, 2003, 3:46:20 PM, you wrote:
>
> BP> Requires some hardware but this is doable.  Simply run a proxy
> BP> server on a dedicated machine, in the router or ipchains using
> BP> netfilter, allow only that  machine's IP to initiate http traffic
> BP> on port 80 and then all the local  machines have to be configured
> BP> to use the proxy server.  Now, local machines  can't surf at will,
> BP> they must go through the proxy server and you can make  the port
> BP> of that whatever you want.
>
> If I understand you, each local machine would have to use a non-80
> port to surf, with the translation done by the proxy. I'm then
> assuming, say, Mozilla would have to be set up to use a non-80 port to
> get to the proxy. Otherwise any app on the machine could use port 80.
> You are, in effect, blocking port 80 from any local machine. Is this
> correct?

Yes, pretty much exactly the way that a corporate proxy server works.  You 
can't get any traffic out on port 80 with any application.  You have to 
specify a proxy server, say port 8080 or 8118.  The proxy server sits on that 
port and accepts traffic, sends it out to the Internet and routes the packets 
back to you when they come back.  The only applications that can get out are 
ones that use the proxy server.

On the proxy server, or with a router, you basically run a firewall and 
disallow all traffic on port 80 from all IP addresses except the proxy 
server.  So, no one else can send anything out or get anything in on port 80 
unless they go through the proxy server.  You can even set it up and install 
it from a CD only distribution, so no changes, no rootkits or anything else 
is possible because a reboot restores the system right back.

Benefits include being able to restrict some sites for everyone, being able to 
filter out harmful traffic like java, banner ads, etc., and finally caching.  
Because the proxy server serves all requests, if you have already requested 
something and five minutes later someone else requests the same thing, it 
gets pulled from the proxy cache, speeding up surfing for some people in some 
cases.


> Windows users are giving us a glimpse of the future, should linux be
> used by the masses. I'm just trying to get ready. :-))) Also, much of
> the functionality is for privacy, not just security.

Well, you can pretty much make your own browser as private as you want, so I 
am not sure that the proxy adds that much.  Admittedly, I run a proxy server 
on my own computer but it is a local one called privoxy.  It filters out the 
worst of the garbage on the web, including pop-ups, pop-unders, redirects, 
some banner ads, known scumvertiser cookies, etc.  So, I do understand the 
desire to increase privacy and security, I just think that a dedicated proxy 
and cutting off port 80 access is overkill for that.

> BP> Open Source apps make it very difficult to create little one off
> BP> scumware applications, trojans too.
>
> As linux gets more popular, some deviant will take an app, add some
> malware, and create easy-to-get-and-use or otherwise attractive lures
> to get people to load it. Apparently this has already been done for
> some 'reputable' distribution apps in linux. Some folks are inherently
> evil.

I haven't heard of any, however, penetration is still going to be difficult 
given the requirement for almost all Linux apps to release the source code.  
People DO look at the source code.  Granted, I am not a developer myself, but 
I am very active in the community (forums, message boards, etc.) and am 
likely to see something.  I constantly see people hashing apart code within 
the community, discussing it, pointing people to improvements, etc.  

Just a for instance.  An anonymous proxy service in Germany was recently 
contacted by Federal Police there and asked to monitor traffic from a 
suspected criminal.  They served a subpoena, etc.  The group running the 
service released a patch that included code to monitor this one specific 
connection.   Within 24 hours, someone had dissected the patch and noticed 
the suspect code and Usenet was all abuzz about how the service had been 
compromised and they were installing monitors in the software.  This all 
happened within the last week or two weeks.  It is a lot easier to sneak 
stuff in with proprietary closed source.  Open source, even the lack of 
actual posted open source when it is expected, automatically raises the red 
flags and is likely to hamper any suspect apps from being distributed.  For 
those that pay attention.

There was a highly recognized ftp site that was compromised and they matched 
all the code back to the original contributors to make sure that there were 
no compromised pieces of code floating around.  From what I heard, nothing 
was touched.  Again, if someone is going to install software without being 
fairly sure, including checking md5 sums, etc., then they are bound to 
attract some dirt eventually.

> BP> It  won't be a standalone application because it needs to monitor
> BP> http traffic so  that it can track usage for delivering ads.  That
> BP> is its sole value.
>
> Not necessarily. There is money to be made in selling information
> about people. Even if logged on as just a user, I'd guess all your
> personal is there - email, contact lists, on-line banking info,
> history files of where you surfed, tax info, calendars, cookie files,
> perhaps even some info about account names and passwords. Snoopware
> might like to collect this and send it 'back home'. There's more than
> just ads. Just putting a name and address onto an extensive cookie
> history is worth a lot.

Doubtful that there is much of use.  SSL sessions are encrypted, so no cookies 
or other info can contain info of any use to an intruder.  What the 
encryption means is that all info is also encrypted.  128-bit is nothing to 
sneeze at, by the time you crack the code, most of it will be worthless.  
Assuming that the bit that you crack is worth something.  Online banking is 
pretty much guaranteed to be SSL encrypted so they will get nothing from 
that.  I don't use a browser for email, so no contact lists, and even if they 
were there, my understanding is that the email in Mozilla and the like is 
actually a separate app, it is not included in the browser so getting that 
info might be more difficult than you think.  Granted that history files and 
the like are there, but without being able to personally identify you when 
you come a browsin' to a customer's site, the demographic info is pretty much 
worthless.

And, if you were really paranoid about this type of thing, you could run an 
encrypted file system, or better yet, just set the browser to erase all 
history, cookies, and other session data each time you exit the program.  
Opera has that feature, I am pretty sure that the other browsers do too.

No, most of the scumware apps need to stay active and track trends and 
constantly report back.  Single shot apps would be a lot of work for very low 
returns, if any at all, and are not likely to attract the kind of guys you 
are worried about.  All the scumware things that I know of for Windows, like 
Gator, etc. are all active and running apps that tie into the browser.  
Trojans, viruses and the like are a different story and can be countered with 
other means.

> BP> So, if I were going to create something of this nature, I can't do it
> BP> open source because someone would rat me out almost immediately,
> BP> provided I could even get someone to install it, for even good
> BP> applications it takes time to build recognition in the Linux community.
>
> Perhaps the scenario is to take the open source code and add some more
> open source code for snooping, etc, and distribute the package. And,
> no, the author of this malware is not likely to publish the code, open
> source or not.

That's the point.  If they publish, someone will rat them out and if they 
refuse, some software author is going to ask for the source, and when they 
refuse to publish, will raise hell to GNU and FSF and almost immediately, 
there will be a massive amount of distrust of the package.  

I guess I just disagree, I don't see this scenario as being very likely and I 
see major responses as soon as they do try it.  Given the absolute difficulty 
in getting the Linux community to accept new apps and software right now, I 
just don't think that it is easy enough for someone who is not legitimate to 
be willing to invest the time needed to get any kind of penetration for his 
package.

> One of the most attractive ways to distribute malware is to package
> supposedly known code for all these versions. "See how much trouble
> I've saved you - it's ready to go in YOUR rpm." Looks attractive to
> many, and they'll get it.

Kpackage will display all of the files in an RPM before you install it.  
diffcheck will show the services that are running, or you can simply do a ps 
and see them.  I still don't think that it is as easy as you make it out to 
be to include something like this.  Not only that, but since you are taking 
someone else's code and modifying it, you are probably breaking several laws, 
violating copyrights, etc.  May be okay if you are a virus writer and way 
outside the law but scumware guys need to be able to cash the checks and 
getting thrown into jail doesn't help that process.

In the end, there is no way to protect someone against themselves.  That is 
true whether we are talking about Linux, Windows, or even a closed box behind 
a locked door with no power and simply a hammer that monkey-boy can use to 
hit the pretty, metal thing.  Stupid people will stay stupid and will do 
stupid things and they will always be able to figure out a way to destroy a 
machine.  The only consolation is that they probably do the same thing to 
everything that they buy which helps us all keep jobs, I suppose.

As smart as you try to make the software, they will still figure out how to 
stupidly get past your safety features.  For myself, I would much rather 
provide common sense controls and leave my users feeling insecure and 
uncertain.  Forewarned is forearmed.

> Easy or not, I'll bet they have tried. Probably successful too, but
> linux does not have critical mass to make these things wildly
> successful.

I have no doubt that it has been tried.  For many of the reasons that I have 
already pointed out, I suspect that each time it has been a dismal failure.  
I used to be a law enforcement officer and someone asked me once if it was 
worth it to get better locks and an alarm system.  I told him, the point of 
security is not to keep someone out who really wants to get in.  If they want 
in, they WILL get in.  The point of security is to make your house just a bit 
more tough to get in than your neighbor's house.  Criminals, being inherently 
lazy, always go for the easier target.

As long as companies keep making software, including operating systems for 
people too lazy to learn the simplest rules about computers, there will 
always be an easier target.

> I'm imagining that linux is successful and that the competence of
> these users is similar to the masses using M$ - low. This is a good
> part of the problem. Smart Win users have very few problems, too. To
> accurately compare the two, you should assume similar conditions.

I think that it is much more likely for Linux to create more of a service type 
of arrangement than to mimic Windows.  For instance, MS is currently trying 
to move customers from a "purchase a product" mentality to a "subscribe to a 
service" mentality regarding their operating systems.  If they are 
successful, they will inadvertently be helping Linux.  If I had a choice of 
paying for a subscription, I would much rather subscribe to a service that 
gets a Linux admin to administer my system than to pay MS to roll out buggy 
code and then give me regular patches.  Eventually, we may see something of 
this nature begin to take off with Linux, remote administration already makes 
it possible.

Some distributors may go the Lindows route and try to replicate the windows 
experience with Linux.  Personally, I think that they are likely to fail.  If 
I want Windows, what's wrong with buying Windows?  Why would I buy Linux if 
what I really want is Windows?  Some people will take the plunge and learn 
something in order to be able to use Linux, others will remain fodder for the 
script kiddies.  I think that there will always be different levels of 
computer markets and companies to target them.

> BP> because they are trying to protect stupid users  against their own
> BP> stupidity
>
> Agreed - this is a good part of the problem, but very necessary if
> the masses use your software. Perhaps the secret is to give a short
> exam in order to log on. :-))) Oops - then relatively few would use
> Win. Good security idea, bad marketing idea.

Again, I don't see anything wrong with Windows if that is what you want.  If 
you want Linux, you are simply going to need to learn something to get it.  
Price of admission, no such thing as "free beer," and all that.  Every time 
that I see an article suggesting that we need to dumb Linux down in order to 
attract Windows users, I always ask myself, Why???  Who cares if someone 
stays with Windows, it is definitely not hurting me.  I don't care if MS 
makes money, I don't mind if they suck some guy in because he would rather 
pay someone than learn how to do something himself.  And, in the end, if MS 
and Uncle Bill bend him over and give him a jolly good one, whose fault is it 
really?  You can't blame a dog for barking, a cat for meowing, or a scummy 
monopolist for taking advantage of the sheep. 

-- 
Bryan Phinney
Software Test Engineer
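The port-80 scheme discussed in this thread, written out as an added example (not code from the original thread or from either poster): a netfilter/iptables rule set for the router, plus a small log check. All addresses, interface names and the 8118 proxy port are constructed assumptions; the rule set also goes a step beyond the thread by closing the other outbound ports and adding HTTPS, since blocking port 80 alone still leaves any other port open.

```shell
#!/bin/sh
# Added example, not code from the original thread. It writes out the netfilter
# (iptables) rule set for the scheme described above: only the proxy host may
# open web connections to the Internet, everyone else must use the proxy.
# Constructed, assumed values: LAN 192.168.1.0/24 on eth0, Internet on eth1,
# proxy host 192.168.1.10 listening on 8118 (the privoxy port mentioned above).
PROXY_IP="${PROXY_IP:-192.168.1.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Print the rules instead of running them: review the output, then pipe it
# into sh as root on the router. (This also lets the script run without root.)
gen_egress_rules() {
  cat <<EOF
# Web ports: accept the proxy host, log and reject anyone else (port 443 is
# added to the thread's port 80 so HTTPS cannot be used to skip the proxy).
iptables -N WEB_EGRESS
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 80,443 -j WEB_EGRESS
iptables -A WEB_EGRESS -s $PROXY_IP -j ACCEPT
iptables -A WEB_EGRESS -s $LAN_NET -m limit --limit 6/min -j LOG --log-prefix "web-bypass: "
iptables -A WEB_EGRESS -j REJECT --reject-with tcp-reset
# Blocking port 80 alone still lets an application talk to the Internet on any
# other port, so allow only replies and the proxy host's own connections.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PROXY_IP -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j REJECT
EOF
}

# Detection side: which LAN hosts tried to go around the proxy? Reads the
# kernel LOG lines produced by the rule above from stdin and prints one
# address per line; a host that keeps showing up here is misconfigured or
# runs an application that does not honour the proxy setting.
bypass_hosts() {
  grep 'web-bypass: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u
}

# Stand-alone run: print the rule set for review.
gen_egress_rules
```

Feed the router's kernel log through `bypass_hosts` (for example `grep kernel /var/log/messages | sh -c '. ./rules.sh; bypass_hosts'`) to see which machines still need their browser pointed at the proxy.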

