Re: [Littlesnitch-talk] curl

2006-02-01 Thread Jeremy Weathers
 Does anyone know who's behind curl and what it's about? Which  
 software is it associated with? Is it spyware, legit, something in  
 between or what?

curl is a command-line retrieval utility. Several developers use
curl to send and retrieve data so they don't have to add networking
code into their own program.

The key is to find out which application you are running is
associated with easymediasolutions.com.

Also, if you are going to allow curl or other command line utilities
(like smtp) to connect, make sure you allow once or until quit only,
or specify server and port.

-- 

Jeremy Weathers


Political history is far too criminal and pathological to be
a fit subject of study for the young. Children should acquire
their heroes and villains from fiction.
- Wystan Hugh Auden
___
Littlesnitch-talk mailing list
Littlesnitch-talk@obdev.at
http://at.obdev.at/mailman/listinfo/littlesnitch-talk


Re: [Littlesnitch-talk] curl

2006-02-01 Thread Martin Kissner
curl is a command-line tool for retrieving or sending files over a
network connection.

It usually works with the ftp or http protocol.
It is also sometimes used by Shell/Perl/Apple scripts and so on, but
it might also be misused by trojans.


Type 'man curl' in Terminal if you want to know how curl works.


On 01.02.2006 at 18:07, Alexander Arnett wrote:

Does anyone know who's behind curl and what it's about? Which  
software is it associated with? Is it spyware, legit, something in  
between or what?


Littlesnitch comes back with a message saying curl wants to talk to:

hs47.easymediasolutions.com
TCP port 80 http


In a like vein, it's nice that Littlesnitch intercepts all these  
phone home requests but how can we reference the good/legit  
requests white hat software from the bad/nefarious black hat  
software requests?


Is there an online directory that we can check against or are we  
just left to trial-and-error?



--
postfix version 2.1.5



Re: [Littlesnitch-talk] curl

2006-02-01 Thread Arno S Hautala
On Wednesday, February 01, 2006, at 12:10PM, Alexander Arnett [EMAIL PROTECTED] wrote:

Does anyone know who's behind curl and what it's about? Which  
software is it associated with? Is it spyware, legit, something in  
between or what?

What, is Google down?  ;)

Curl is a utility much like wget.  It's a set of libraries and a command-line 
tool used for requesting and accessing data on the Internet.  Enter curl 
google.com in the Terminal and you'll see the source for the Google homepage 
displayed on your screen.

Littlesnitch comes back with a message saying curl wants to talk to:

hs47.easymediasolutions.com
TCP port 80 http

Some application is attempting to use curl to download something from that 
address.  If you had the full path you could see exactly what was being 
accessed in a web browser.

Were you running an application that was trying to auto-update?  What was 
running at the time?

My guess is that if you block the connection and don't find any undesired 
consequence (i.e. blocking a Safari connection results in no displayed web page) 
it's fine to permanently block.
I'd not recommend permanently blocking curl as it's probably used by plenty of 
software for many valid tasks.

I thought LS would display the parent application that spawned the curl task, 
but maybe curl was launched in a way which doesn't keep that link.

In a like vein, it's nice that Littlesnitch intercepts all these  
phone home requests but how can we reference the good/legit requests  
white hat software from the bad/nefarious black hat software  
requests?

Generally you should be able to match the app name or the address to figure out 
what is going on.  In general just think about it.  Does TextWrangler need to 
phone home?  Only if it's checking for updates.  If you disable that check and 
you still see connection attempts, something is wrong and can be blocked.

Does softwareupdated need to connect to apple.com?  Yep, so let it go through.

My list is full of Allow All rules that I think make sense.  There are also 
plenty of Block All rules for apps that I thought were suspicious and haven't 
caused me any problems so far.

Is there an online directory that we can check against or are we just  
left to trial-and-error?

Good idea, there should be a place to post connections that apps attempt.
A database to post, in a standard format, things like:
TextWrangler attempts to connect to bbsoft.com port 80
With space to add comments and explanations like:
Version checking which can be disabled
or
Unknown phoning home


I hope this helped.

-- --
arno  s  hautala /-\   [EMAIL PROTECTED]
-- --


Re: [Littlesnitch-talk] curl

2006-02-01 Thread Martin Kissner


PS:
Since there is no useful information on the website
hs47.easymediasolutions.com (you can open it in Safari) it is most
likely that this is some sort of user tracking or something like that.



On 01.02.2006 at 18:07, Alexander Arnett wrote:

Does anyone know who's behind curl and what it's about? Which  
software is it associated with? Is it spyware, legit, something in  
between or what?


Littlesnitch comes back with a message saying curl wants to talk to:

hs47.easymediasolutions.com
TCP port 80 http


In a like vein, it's nice that Littlesnitch intercepts all these  
phone home requests but how can we reference the good/legit  
requests white hat software from the bad/nefarious black hat  
software requests?


Is there an online directory that we can check against or are we  
just left to trial-and-error?



--
postfix version 2.1.5



Re: [Littlesnitch-talk] curl

2006-02-01 Thread Martin Kissner
On 01.02.2006 at 18:31, Arno S Hautala wrote:

Is there an online directory that we can check against or are we just
left to trial-and-error?

Good idea, there should be a place to post connections that apps attempt.
A database to post, in a standard format, things like:
TextWrangler attempts to connect to bbsoft.com port 80
With space to add comments and explanations like:
Version checking which can be disabled
or
Unknown phoning home

Good idea - Full ACK.

Re: [Littlesnitch-talk] curl

2006-02-01 Thread Tom R. no spam
Something on your computer wants to download something
else onto your computer, or send something from your
computer to someplace else.  Very risky unless you know
exactly what has called curl and what it is trying to
download.  This is the kind of thing a trojan scout
might do, to get the true trojan. Or maybe it's
something sending off your address book and credit
card numbers.  Or maybe it's something entirely
benign.  Read the curl manpage, too.

One thing to try, when the LS alert comes up, is to
(i) click on some LS button, like the once button
(but don't click the Allow Once button yet), which I
believe will keep the LS alert from timing out, (ii)
move the LS window out of the way, (iii) start up
Activity Monitor, showing processes threaded, to see
what the curl process is a child of, i.e. what program
wants to use curl.

Re requesting good vs bad, be clear that what you're
asking for is opinions from people who might not be
trustworthy, so then what you have to do is try to get
enough opinions for you to be able to make up your own
mind.

On Wed, 1 Feb 2006, Alexander Arnett wrote:

 Does anyone know who's behind curl and what it's about? Which
 software is it associated with? Is it spyware, legit, something in
 between or what?

 Littlesnitch comes back with a message saying curl wants to talk to:

 hs47.easymediasolutions.com
 TCP port 80 http

 In a like vein, it's nice that Littlesnitch intercepts all these
 phone home requests but how can we reference the good/legit requests
 white hat software from the bad/nefarious black hat software
 requests?
 . . .
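
The parent lookup suggested in the message above can also be done from the Terminal. This is an added example, not part of the original thread: it walks the parent chain of every running curl process using `ps`. The `PS_TABLE` variable, the `sample_table` rows and the "Example Updater" application name are constructed for illustration.

```shell
#!/bin/sh
# Added example. sample_table is CONSTRUCTED data ("pid ppid command" rows);
# "Example Updater" is a made-up application name.
sample_table() {
    cat <<'EOF'
1 0 /sbin/launchd
120 1 /System/Library/CoreServices/Dock.app/Contents/MacOS/Dock
290 1 /Applications/Example Updater.app/Contents/MacOS/Example Updater
305 290 /bin/sh
312 305 /usr/bin/curl
EOF
}

# Rows come from the live system, or from the file named in PS_TABLE
# (an assumed variable, used to analyse a saved snapshot).
ps_table() {
    if [ -n "${PS_TABLE:-}" ]; then cat "$PS_TABLE"
    else ps -axo pid=,ppid=,comm=
    fi
}

# ancestry PID: print "cmd(pid) <- parent(pid) <- ..." up to launchd.
ancestry() {
    pid=$1 chain="" hops=0
    table=$(ps_table)
    while [ -n "$pid" ] && [ "$pid" -gt 0 ] && [ "$hops" -lt 64 ]; do
        row=$(printf '%s\n' "$table" | awk -v p="$pid" '$1 == p { print; exit }')
        [ -n "$row" ] || break   # process has already exited
        ppid=$(printf '%s\n' "$row" | awk '{ print $2 }')
        # Command paths may contain spaces, so drop only the two numeric fields.
        cmd=$(printf '%s\n' "$row" | awk '{ $1 = ""; $2 = ""; sub(/^ +/, ""); print }')
        chain="${chain:+$chain <- }${cmd##*/}($pid)"
        pid=$ppid
        hops=$((hops + 1))
    done
    printf '%s\n' "$chain"
}

# curl_callers: one ancestry line per process whose executable is named curl.
curl_callers() {
    ps_table | awk '{ p = $1; $1 = ""; $2 = ""; sub(/^ +/, "")
                      n = split($0, a, "/"); if (a[n] == "curl") print p }' |
    while read -r p; do ancestry "$p"; done
}
```

Run `curl_callers` while the alert is still on screen, since curl exits soon after its connection is allowed or denied and then no longer appears in the process table.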


Re: [Littlesnitch-talk] curl

2006-02-01 Thread Arno Hautala

On 01 Feb 2006, at 17:59, Martin Kissner wrote:


Still I wouldn't encourage anyone to uninstall brain 1.0 ;-)


Absolutely.

It'd be interesting to see this integrated with LS.  An extra  
button in the LS dialog to Report the connection attempt to the  
ObDev database.


Also reporting wouldn't be sufficient if users wouldn't be able
to check the database.
And of course you can wait for people who would get suspicious  
about the connection to obdev.


Absolutely, I envisioned a system where this just made reporting  
easier.  It would really only be useful if available to the public  
(submitted anonymously of course ;) ).


-- --
arno  s.  hautala/-\[EMAIL PROTECTED]
-- --




Re: [Littlesnitch-talk] Does LS filter widget access to the Internet?

2005-11-01 Thread Ole Alferink


derek fong wrote:


Ole wrote:

I cannot confirm this. I installed widget update today and LS detected
its connection attempts correctly.

Ole

On 30.10.2005 at 16:06, Saad Kadhi wrote:


Hi there,

I downloaded Widget Update [1], a widget that checks if there are any
updates for the other widgets installed on the Dashboard. Widget
Update was able to access the Internet [2] and I am 100% sure I didn't
see any alert from LS regarding this access.


Hi,

It all depends on how the widgets communicate with the Internet and how
you've set up your rules.  Since Little Snitch works on the basis of
allowing or blocking network access to specific applications, it's
possible to inadvertently grant full access to more applications than
you bargained for by using the Always allow connection rule on a
trusted application.

For example, many applications (not just widgets) use a program called
cURL, which is an open source application that helps alleviate from
developers most of the heavy lifting associated with talking to web and
FTP servers, among others.  (cURL is included in the default Mac OS X
installation - open a Terminal window and type man curl or curl --help.)

Now, let's say Application A uses cURL to perform an up-to-date
software check.  You trust Application A and are annoyed at always
having to confirm that you want to allow network access to it whenever
it performs a software update check, so you decide to always allow
outgoing web traffic.

However, along comes Application B which also uses cURL, but uses it
instead to phone home to its developers to let them know details of your
machine, IP address, passwords, etc.  Since you previously granted
always allow to cURL, you would never see Application B's connection
attempt.

Incidentally, this is not theoretical -- I have a number of shareware
and even commercial applications and system preference panels installed
on my system that rely on cURL to talk to the Internet, and you probably
do, too.

Maybe this is obvious to the more tech-savvy among us, but I think it's
an important point to make if it hasn't already been made elsewhere.
What would be nice in a future version of Little Snitch is for it to be
able to differentiate between what applications call these helper
applications (such as cURL) so that granting an application full access
to cURL won't necessarily give unfettered access to another application
that uses cURL behind the scenes.  In the meantime, remember that Little
Snitch is just another tool in your security arsenal and that it can't
prevent all mishaps from occurring.

Thanks,

-f


Thanks for clarifying that. I indeed had curl to allow all network  
traffic and wasn't aware of this potential issue. So thanks. Are  
there any other usual subjects like curl?


Ole


Re: [Littlesnitch-talk] Mounting iDisk - Solution Found

2005-06-29 Thread Little Snitch Support

Hi,

Please have a look at our online documentation at:
http://www.obdev.at/products/littlesnitch/docu/rules.html

Except for 'python' and 'curl' your list contains only necessary
system daemons.
For more information about 'python' and 'curl' please do a Google
search.


regards,
Karl Schwarzott
--
Objective Development Software GmbH
http://www.obdev.at/


On Jun 29, 2005, at 5:54 , A J Dimaculangan wrote:

I was able to get it working after receiving advice from Karl at
ObDev.


I reset the rules and started over. The iDisk now mounts correctly.  
I must have had a Deny rule that stopped the mounting.


But now I have the same quandary over certain requests that come  
through. Is there a list of what certain apps are that consistently  
ask for access?


Such as

configd
curl
dmnotifyd
nmblookup
nslookup
ntpd
ntpdate
python
slpd

(especially slpd, if you deny that one the requests are virtually  
constant at times.)


Thanks,

A J


Re: [Littlesnitch-talk] ftp is trying to connect to...

2005-01-06 Thread lahdyfreekindah @hotmail.com
Always on port 80.
I am also getting a warning about curl trying to use port 80 as well.
Isn't 80 the web sharing port? Will I be able to close this port, but still 
be able to use my computer's localhost websharing?

thank you.

From: Tom R. no spam [EMAIL PROTECTED]
Reply-To: littlesnitch-talk@obdev.at
To: littlesnitch-talk@obdev.at
Subject: Re: [Littlesnitch-talk] ftp is trying to connect to...
Date: Thu, 6 Jan 2005 03:55:01 -0500 (EST)
What port(s)?
On Wed, 5 Jan 2005, lahdyfreekindah @hotmail.com wrote:
 yes, I am getting 2 regular addresses, and every once and a while a random
 one thrown in there. Both seems to be ISPs. One is just a plain domain, and
 another is a rather long h202.n179.cust.domain.net type address.
 . . .
 I am curious, though. I wonder if you tried to resolve any of the addresses
 that ftp wanted?
 . . .
 lahdyfreekindah @hotmail.com said the following on 05/01/2005 03:25 am:
 I just wiped my hard drive and re-installed everything yesterday. Ever
 since I have been getting a little snitch alert about 'ftp' trying to
 connect to random IP addresses and websites. I'm used to seeing alerts
 from stuff I expect, but this happens right after start up, and not a
 result from any clicking around that I am doing. what's going on?
 . . .