Re: Quarantining an account from the Internet, or from all networking?
On Tue, Aug 17, 2010 at 1:02 AM, Greg Rundlett (freephile) g...@freephile.com wrote:

> I just want to add for those who may be interested in iptables, but not wanting to get into the intricacies, you can try firestarter [1] or its successor GUI app called ufw [2] (in Ubuntu)
>
> [1] http://www.fs-security.com/
> [2] https://help.ubuntu.com/10.04/serverguide/C/firewall.html

ufw doesn't look very GUI to me. Firestarter looks like a typical firewall GUI. The Events tab, which I presume is an integrated log viewer, is a nice touch. However, a cursory read of the docs finds it doesn't appear to support anything but very basic source/destination address/port rules, which won't help Bill.

-- Ben

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: Quarantining an account from the Internet, or from all networking?
Suggestion: suppose you have set up your system with a uid that is protected by some iptables rules (call this UNTRUSTED), and furthermore also suppose that the binary that you really want to protect against is called DOCREADER. Well, then, you might want to consider replacing every occurrence of the DOCREADER binary on your system's disk with a script that basically does this:

    #!/bin/sh
    exec sudo -u UNTRUSTED DOCREADER-original "${@}"

You might also want to consider locking this package down from a package-management-automatic-updates perspective.

--kevin

--
alumni.unh.edu!kdc / http://kdc-blog.blogspot.com/
GnuPG: D87F DAD6 0291 289C EB1E 781C 9BF8 A7D8 B280 F24E

Wipe him down with gasoline 'til his arms are hard and mean
From now on boys this iron boat's your home
So heave away, boys. -- Tom Waits
Re: Looking for software to display keystrokes as they are typed, for demos
At least on my Debian box there's a logkeys package available that might serve if you can maybe find a way to tail its output in an on-screen window during your presentation. Here's a fragment of example output it captured while I was composing this email with vi as launched from exmh:

    2010-08-17 08:57:46-0400 kkothat might serve if you can find a way to maybe LShfttailLShft its output in a windowEscbhin onscreenEscblli-EscLShft
    2010-08-17 08:58:50-0400 your EscbbLShft
    2010-08-17 08:58:58-0400 LShft
    2010-08-17 08:59:14-0400 ]
    2010-08-17 08:59:15-0400 jjoEsck#+28wLShft
Re: Quarantining an account from the Internet, or from all networking?
Do other users need to be on the same system w/o restrictions? If not, I'd create a VM (or physical system if you have $$) with its own firewall and only that user. Block everything in/out except what's needed. Run only that app in there. If some sites are allowed, add a proxy to restrict that. Choice of VM + firewall left to the user.

On 8/16/10, Bill Sconce sco...@in-spec-inc.com wrote:

> On Mon, 16 Aug 2010 16:56:32 -0400 Bill Sconce sco...@in-spec-inc.com wrote:
>
>> Does anyone know of a way to prevent a Linux account from accessing the Internet?
>
> Wow. Excellent. It looks like iptables may be the ticket. (If my ${very_untrusted_user_UID} is prevented from sending packets out, that does exactly the job needed. E.g., a user account which I set up for reading PDFs can't send anything, no matter how perniciously a PDF file has been crafted (and of course assuming that the account is also nonprivileged etc.); then my objective has been met.
>
> I'll give iptables a try. It's at just the right level of brute-forceness, and of Linuxness.
>
> I love this list. Many thanks! Many more thanks! I'll report back on results of testing.
>
> I'll_report_back_on_results_of_testing'ly yrs,
> Bill

--
Sent from my mobile device
Re: Quarantining an account from the Internet, or from all networking?
On Tue, Aug 17, 2010 at 11:26 AM, Tom Buskey t...@buskey.name wrote:

> Do other users need to be on the same system w/o restrictions?

It sounds like what he really wants to do is sandbox an untrusted application. For example, if you don't trust Adobe Reader, you might want to deny all network I/O to it.

-- Ben
Re: Quarantining an account from the Internet, or from all networking?
On Tue, Aug 17, 2010 at 8:43 AM, Kevin D. Clark kevin_d_cl...@comcast.net wrote:

> Well, then, you might want to consider replacing every occurrence of the DOCREADER binary on your system's disk with a script that basically does this:
>
>     #!/bin/sh
>     exec sudo -u UNTRUSTED DOCREADER-original "${@}"

Just occurred to me: Couldn't you setgid the binary, and make the binary owned by root, group untrusted or whatever, mode 755. Right?

-- Ben
Re: Looking for software to display keystrokes as they are typed, for demos
On 08/17/2010 09:06 AM, Michael ODonnell wrote:

> At least on my Debian box there's a logkeys package available that might serve if you can maybe find a way to tail its output in an on-screen window during your presentation.

I like the idea of tailing a keylogger to display keystrokes. Pretty clever. And thanks for the references. As I had indicated, Googling an issue with "display keys as they are pressed" just doesn't have the kind of keyword discrimination that makes a search worthwhile. The logkeys project is available at http://code.google.com/p/logkeys and the docs point to another few possibilities like PyKeyLogger, too.

Thanks!

-- Ted Roche
Ted Roche Associates, LLC
http://www.tedroche.com
Re: Quarantining an account from the Internet, or from all networking?
Benjamin Scott writes:

> On Tue, Aug 17, 2010 at 8:43 AM, Kevin D. Clark wrote:
>
>> Well, then, you might want to consider replacing every occurrence of the DOCREADER binary on your system's disk with a script that basically does this:
>>
>>     #!/bin/sh
>>     exec sudo -u UNTRUSTED DOCREADER-original "${@}"
>
> Just occurred to me: Couldn't you setgid the binary, and make the binary owned by root, group untrusted or whatever, mode 755. Right?

That's a better suggestion than mine.

Another way to do all of this would be through a SELinux config. I have played with this on occasion, but haven't had as much time as I would like to explore here. It seems to me that this could be a more fine-grained solution.

Regards,

--kevin

--
alumni.unh.edu!kdc / http://kdc-blog.blogspot.com/
GnuPG: D87F DAD6 0291 289C EB1E 781C 9BF8 A7D8 B280 F24E

Wipe him down with gasoline 'til his arms are hard and mean
From now on boys this iron boat's your home
So heave away, boys. -- Tom Waits
Re: Quarantining an account from the Internet, or from all networking?
On 17 Aug 2010 08:43:35 -0400 kevin_d_cl...@comcast.net (Kevin D. Clark) wrote:

> Suggestion: suppose you have set up your system with a uid that is protected by some iptables rules (call this UNTRUSTED), and furthermore also suppose that the binary that you really want to protect against is called DOCREADER.

Exactly! You've got it! This much is already done. I just didn't put details in the original post; I won't do *all* the details here either, but here's a synopsis. (Like everything I write, it starts out as only a few lines, but grows. Sorry; I hope you find it's worth it.)

_

Over the past couple of years, I've been, gradually, developing my personal machine as a kind of feasibility proof that it's possible to visit the Internet without submitting to Moglen's spying, all the time, for free.

    http://www.isoc-ny.org/?p=1338
    ^ highly recommended

It's most of the way there. Essentially, the rubric is to provide a Linux account for each of several classes of activity, e.g.,

  o General browsing (no scripts, no Flash)
  o Special browsing (e.g., each site where I post data [e.g., subscription sites], or single-site browsers [e.g., a single-purpose account to inspect charge-card history])
  o Poisoned browsing
    o Browsing where cookies are required
    o Browsing where Javascript is required
    o Browsing where [gack] Flash is required
    [BTW, it's surprising how much of the Internet works just fine without having to turn on any of the poisoned stuff.]
  o PDF viewing (to be implemented; the reason for this thread)
  o Mail-client quarantining (to be implemented)
  o and more

Each of the browsing classes above is handled by running it under a discrete Linux account(*). Each such account is nonprivileged (duh!) and the standard Linux permissions mechanisms are indispensable in preventing, say, your browser account from knowing anything about your e-mail account.

I've set up each browsing account to typically run on a specific X desktop(*), to help me remember where things are, and to enable having more than one kind of browsing go on at a time. I often have three or four kinds of browsing going on.

For the poisonous accounts: once you allow Javascript to run you pretty much have to assume that you've run arbitrary/malicious binary code from the 'net. You should assume that it has done the worst things that the current account has permissions to do. Writing cookies, resurrecting zombie cookies, writing Flash cookies, writing and reading arbitrary files to and from disk (oh, wait, I already mentioned Flash cookies), doing whatever else Flash does (no one knows!) Even doing installs, etc. OK, accept it: any place on your machine that was writable by you while you were browsing must now be treated as poisoned. After any poisonous account has been used I erase its home directory; a clean home directory is reloaded for the next use. Each poisonous account can write stuff to the disk (Flash will certainly do so), but I can make it go away, and prove that it's gone away. And sleep at night. It's my computer(*).

All of that's working and has been working for some time. (Although of course it was something of a pain to get it working. :) It was only a question of pulling together tools that are already there(*). But it's certainly not a technique which helps anyone else (yet?); this is just a feasibility proof(**). Nor is it a technique for grandma's use case. Ever. :(

My original post in this thread came from observing that programs *other than browsers* can be, and are, designed to phone home. Adobe Reader(tm), for instance. But not just Adobe, nor just proprietary blobs. Any program whose source code you don't see, especially any program which offers services such as displaying hyperlinks. But any program can be exploitable, whether or not it's complicit by design in spying.

To put it another way, I'd like for any program I run to be subject to proof by me that it hasn't been able to spy. For instance, thinking beyond PDF readers, my e-mail client. It displays hyperlinks. It offers to display HTML. (HTML is turned off, of course, but it bothers me that an e-mail client contains code which knows anything about HTML.) It would be nice if the account in which my e-mail client runs were restricted so that it could open sockets only to my POP/IMAP provider. That's a more exquisite granularity than I was asking for (the ability to drop all packets). Sounds good - a bonus!

Thanks, guys. Stay tuned for the paper. :)

In_2013_or_so'ly yrs,
Bill

__
(*) Sorry, Windows users. The tools you need just aren't available on Windows.
(**) Feasibility proof. Few computer owners are likely to want to go to this much trouble. Heck, *I* don't want to go to this much trouble. But I'm damned if I have to accept
Linux vs Windows, obscure security features (was: Quarantining an account...)
On Tue, Aug 17, 2010 at 2:31 PM, Bill Sconce sco...@in-spec-inc.com wrote:

> (*) Sorry, Windows users. The tools you need just aren't available on Windows.

Windows NT certainly has user accounts. Always has, since the first version (Version 3.0). (NT is today called Windows 7, and has also been called Vista, XP, and 2000.) (It's still Microsoft; they love playing name games.)

Vista also introduces a number of features along the lines of privilege isolation. One I find particularly interesting is Integrity Levels (also called Mandatory Integrity Control (again, still Microsoft)). For example, you can assign an ACL to your web browser binary which results in that process having reduced access to other things, such as your user files. So in addition to having user accounts, you can actually get into fine-grained controls below the user level. Vaguely similar to SELinux.

Vista also uses multiple desktops for privilege separation. Those poorly-implemented User Account Control dialogs actually appear on a separate desktop and are overlaid with the user desktop (in theory, to prevent malware from attacking them directly). Vista also supports running simultaneous virtual desktops in support of multiple user sessions (Fast User Switching, in Microsoft parlance).

And unlike your stuff, the above is all in wide use today, even by grandma. (How well it works is another matter, of course. Too many users act like they *want* to install malware. Including grandma, as you note.)

Before you go throwing around FUD, you might want to check your facts. If you go into a vendor-neutral or pro-Microsoft environment saying things like that, you're going to get ripped to shreds by the Microsofties, and rightly so.

-- Ben
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
On Tue, Aug 17, 2010 at 5:22 PM, David Hardy belovedbold...@gmail.com wrote:

> And we all know, I think, that Windows NT was created for Microsoft by Dave Cutler, former developer of RSX and VMS ..

And Cutler moved to Microsoft because DEC just wanted to maintain/extend VMS, while Cutler wanted to write a new OS (MICA) for the new hardware architecture (PRISM) that was being designed. Microsoft needed a better OS (where "better" included "not part-owned by IBM"), Cutler wanted to continue MICA... and thus OS/2 NT was born. It was originally going to be the 3.0 release of OS/2. Then the IBM and MSFT alliance fell apart completely, and it became Windows NT.

(Aside: Significant chunks of the PRISM technology ended up as the Alpha architecture.)

> I remember how there were a number of similarities between the VMS user authorization parameters and the NT ones,

Reportedly, the NT kernel and VMS share a number of architectural similarities. I read a 2-page technical analysis once; most of it was over my head but it sure seemed like there was something to it. I've been told NT was so similar DEC threatened MSFT with legal action, and MSFT settled out-of-court; one consequence was that NT was maintained on the Alpha for longer than MSFT had wanted. Or something like that.

-- Ben
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
Very interesting, and additional information that I was not aware of, naturally. For a short while, maybe nine years ago, I had an office with an Alpha machine that was running OpenVMS 6.something, and then when my managers found out that it could run NT, they made me change it to NT. I wish now that I'd told them it could also run Red Hat. There was even a web site back then concerning running NT on Alphas, with available downloads, and, if memory serves, which it often does not these daze, a pseudo-'for Dummies' book about VMS and NT interoperability; I may still have it around here somewhere. (there is also another 'for Dummies' book on running VMS together with Linux.)

Aha, the web site; here it is: http://www.alphant.com/

I also remember having to install firmware to do the change, and it looks like some of it may still be available at Microsoft. I may even have some floppies around here, too.

Ah, the glory daze...minuscule hard drives, nit-noy RAM...green monitors...9-track reels...and midnight shift operators who looked like they'd escaped from the bar scene in *Star Wars*...

http://www.alphant.com/ant_faq.shtml

On Tue, Aug 17, 2010 at 5:41 PM, Benjamin Scott dragonh...@gmail.com wrote:

> On Tue, Aug 17, 2010 at 5:22 PM, David Hardy belovedbold...@gmail.com wrote:
>
>> And we all know, I think, that Windows NT was created for Microsoft by Dave Cutler, former developer of RSX and VMS ..
>
> And Cutler moved to Microsoft because DEC just wanted to maintain/extend VMS, while Cutler wanted to write a new OS (MICA) for the new hardware architecture (PRISM) that was being designed. Microsoft needed a better OS (where "better" included "not part-owned by IBM"), Cutler wanted to continue MICA... and thus OS/2 NT was born. It was originally going to be the 3.0 release of OS/2. Then the IBM and MSFT alliance fell apart completely, and it became Windows NT.
>
> (Aside: Significant chunks of the PRISM technology ended up as the Alpha architecture.)
>
>> I remember how there were a number of similarities between the VMS user authorization parameters and the NT ones,
>
> Reportedly, the NT kernel and VMS share a number of architectural similarities. I read a 2-page technical analysis once; most of it was over my head but it sure seemed like there was something to it. I've been told NT was so similar DEC threatened MSFT with legal action, and MSFT settled out-of-court; one consequence was that NT was maintained on the Alpha for longer than MSFT had wanted. Or something like that.
>
> -- Ben
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
Ben,

From an admittedly faulty and ever-aging memory of events:

> And Cutler moved to Microsoft because DEC just wanted to maintain/extend VMS, while Cutler wanted to write a new OS (MICA) for the new hardware architecture (PRISM) that was being designed. Microsoft needed a better OS (where "better" included "not part-owned by IBM"), Cutler wanted to continue MICA... and thus OS/2 NT was born. It was originally going to be the 3.0 release of OS/2. Then the IBM and MSFT alliance fell apart completely, and it became Windows NT.

Cutler wanted to leave Massachusetts and live in Washington State a long time before that. KO wanted to keep him on board, so allowed him to set up an advanced development facility in Belleview (overlooking the Olympic Mountains, which Cutler could see perhaps three days a year) funded by Digital. Dave was well on his way to developing an operating system based on Microkernel technology that could run both a VMS personality and a Unix personality at the same time, as well as developing the Prism hardware architecture. However, because this was an extensive and expensive operation, Dave's budget was often reduced, and the project sometimes was threatened with closure, but eventually was refunded and continued on.

The other problem was that Dave was of the opinion that MICA had to be exactly VMS compatible, whereas Dave could change Unix when there were some conflicts between the two OS designs, or where he could make it better. I know this because I interviewed for a job as product manager of the Unix side, and spent a futile twenty minutes trying to convince him he was wrong...not a very good thing to do in a job interview.

Meantime Digital was being pulverized by Sun and Sparc workstations, and an engineer from the east coast, Rob Rodriguez, had the idea (inspired by John Hennessy) of porting Ultrix (a VAX-based Digital extension of BSD 4.1) to a MIPS-based little-endian workstation based on the VAXstation 3100 motherboard (and subsequently called the DECstation 3100), giving a several-times performance improvement over then-current VAX architectures. This idea was seized by Armando Stettner, floated to the west coast workstation manager, Joe DiNucci, who then took it to Ken Olsen, who immediately funded it. This project (called the PMAX project) was done in complete secrecy, with a minimal engineering team. I still have my PMAX T-shirt some place.

On the eve of the announcement of the DecStation 3100, Ken Olsen called a Board of Directors meeting, and invited Dave to fly east and talk about the status of his work. After Dave put all of his charts, drawings, plans and schedules up in front of the Board, KO asked him how fast the new system would be, and would it be any faster than the prototype Decstation that KO rolled out in front of him?

Dave left the meeting, flew back to Belleview, and a short time later (within two weeks, I believe) left DEC and joined Microsoft. Some of his engineers went with him. About six months later Microsoft announced a brand new OS called Windows NT, for "Windows New Technology", that had been developed by Dave Cutler and his staff.

In cleaning up the remains of the advanced development lab, it is rumored that a silicon wafer with some CPU prototypes was found, and when tested they were a very fast RISC processor originally called the E-VAX (for Extended VAX) but later developed into the Alpha series.

> Reportedly, the NT kernel and VMS share a number of architectural similarities. I read a 2-page technical analysis once; most of it was over my head but it sure seemed like there was something to it. I've been told NT was so similar DEC threatened MSFT with legal action, and MSFT settled out-of-court; one consequence was that NT was maintained on the Alpha for longer than MSFT had wanted. Or something like that.

Whether that OS had any Digital Proprietary IP in it is up to the lawyers to determine, but it is interesting to think about someone (even as brilliant as Dave is) who could write an entire OS in such a short time without using some existing IP.

So now you know the rest of the story (or at least as it was remembered by me).

md
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
David,

Unfortunately the site you mention:

    http://www.alphant.com/

has a FAQ that is wrong:

    http://www.alphant.com/ant_faq.shtml#64bits

Alpha NT never supported a 64-bit virtual address space. I seem to remember that Digital offered that code to Microsoft in 1992, but Microsoft turned it down because it was not in their best business interests to accept it. I was also told that Digital also offered (perhaps at a royalty cost) an implementation of their clustering software in the same time period, which Microsoft also turned down. Instead Microsoft came out with Wolfpack, which was the only clustering software I ever saw where two processors ran slower than one.

Finally, that site did have a bitter-sweet memory for me. In the upper right-hand corner of the page is an ad for "Shannon knows DEC", the byline of an old friend of mine, Terry "Charlie Matco" Shannon, may he rest in the peace he deserves.

md
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
On Tue, Aug 17, 2010 at 6:36 PM, Jon 'maddog' Hall mad...@li.org wrote:

> Cutler wanted to leave Massachusetts and live in Washington State a long time before that. KO wanted to keep him on board, so allowed him to set up an advanced development facility in Belleview, overlooking the Olympic Mountains, which Cutler could see perhaps three days a year) funded by Digital.

Minor nit: it's Bellevue, not Belleview. :)

My two oldest kids were both born at Overlake Hospital in Bellevue, WA.

-- Jarod Wilson
ja...@wilsonet.com
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
On 08/17/2010 07:56 PM, Jarod Wilson wrote:

> On Tue, Aug 17, 2010 at 6:36 PM, Jon 'maddog' Hall mad...@li.org wrote:
>
>> Cutler wanted to leave Massachusetts and live in Washington State a long time before that. KO wanted to keep him on board, so allowed him to set up an advanced development facility in Belleview, overlooking the Olympic Mountains, which Cutler could see perhaps three days a year) funded by Digital.
>
> Minor nit: it's Bellevue, not Belleview. :)
>
> My two oldest kids were both born at Overlake Hospital in Bellevue, WA.

Cool, I know Bellevue. I used to live in Olympia :-)

-- Thanks,
Joseph Smith
Set-Top-Linux
www.settoplinux.org
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
maddog, et al.

Thanks much for that additional history. I am filing it as notes for my eventual 'autobiography' accordingly. I also remember reading Terry Shannon's 'Charlie Matco' columns back then and I believe I even corresponded with him once or twice. May he indeed, fellow 'Nam vet (we were there at the same time, albeit with different tasks, one of which I shared with him during my later tour in TLC), rest in peace. His web site exists here: http://www.shannonknowshpc.com/

I would cheerfully kill someone now for a Charlie Matco coffee mug.

Cheers!

On Tue, Aug 17, 2010 at 6:57 PM, Jon 'maddog' Hall mad...@li.org wrote:

> David,
>
> Unfortunately the site you mention: http://www.alphant.com/ has a FAQ that is wrong: http://www.alphant.com/ant_faq.shtml#64bits
>
> Alpha NT never supported a 64-bit virtual address space. I seem to remember that Digital offered that code to Microsoft in 1992, but Microsoft turned it down because it was not in their best business interests to accept it. I was also told that Digital also offered (perhaps at a royalty cost) an implementation of their clustering software in the same time period, which Microsoft also turned down. Instead Microsoft came out with Wolfpack, which was the only clustering software I ever saw where two processors ran slower than one.
>
> Finally, that site did have a bitter-sweet memory for me. In the upper right-hand corner of the page is an ad for "Shannon knows DEC", the byline of an old friend of mine, Terry "Charlie Matco" Shannon, may he rest in the peace he deserves.
>
> md
Re: Quarantining an account from the Internet, or from all networking?
On Tue, 17 Aug 2010 11:35:59 -0400 Benjamin Scott dragonh...@gmail.com wrote:

> It sounds like what he really wants to do is sandbox an untrusted application. For example, if you don't trust Adobe Reader, you might want to deny all network I/O to it.

That's it.

[A virtual machine would also do the job. But just a user account in which to run Adobe Reader, a user account for which the kernel refuses to pass any packets out to the network, is considerably lighter weight. In fact, the machine in question, my laptop, is old enough to not support the virtualization hardware instructions. It does run virtualized machines, but SLOOOWLY.]

I promised to report back on iptables. Success!

I created an account, then did several ad hoc tests. I used whois, before and after setting -j DROP (reproduced below), ran Firefox before and after ditto, and did some trials of SSH on the LAN and on the WAN. In every case the network is there when the -j DROP rule below isn't in effect, and not accessible when -j DROP is in effect. And evince (which is what I usually use to read PDFs) works without complaint, at least on the first few PDFs (local files!) I tried. I suppose I'll try the real Adobe Reader(tm) at some point, but for now, this is exactly what I hoped for.

Test summary: Any program run as the user sconce_nonet, with the iptables rule below in effect, cannot send IP packets to the net, WAN or LAN. Programs running as other users are not affected. Perfect.

Thanks again, guys!

-Bill

__

    $ sudo adduser --force-badname --uid 609 sconce_nonet
    [...]
    $ sudo -H -u sconce_nonet -s
    sconce_no...@laura:~$ ls -l
    total 0
    sconce_no...@laura:~$ # Test that the newly-created account can reach the net
    sconce_no...@laura:~$ whois google.com

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

       Server Name: GOOGLE.COM.Z.GET.ONE.MILLION.DOLLARS.AT.WWW.UNIMUNDI.COM
       IP Address: 209.126.190.70
       Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
       Whois Server: whois.PublicDomainRegistry.com
       Referral URL: http://www.PublicDomainRegistry.com

       Server Name: GOOGLE.COM.ZZ.THE.BEST.WEBHOSTING.AT.WWW.FATUCH.COM
       IP Address: 209.126.190.70
       Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
       Whois Server: whois.PublicDomainRegistry.com
       Referral URL: http://www.PublicDomainRegistry.com

       Server Name: GOOGLE.COM.Z.GET.LAID.AT.WWW.SWINGINGCOMMUNITY.COM
    [...and so on for a while. I am not making this up.]

    sconce_no...@laura:~$ # Test that iptables can shut off access to the net
    sconce_no...@laura:~$ sudo iptables -A OUTPUT -o eth0 -m owner --uid-owner 609 -j DROP
    sconce_no...@laura:~$ whois google.com
    getaddrinfo(whois.crsnic.net): Name or service not known
    [...]
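An added example, not code from the thread, that joins Kevin's wrapper-script idea with Bill's owner-match rule: it generates the rule, checks against `iptables -S OUTPUT` output that the rule is really installed before the wrapper starts the reader, and lists the interfaces a rule pinned to one interface leaves open. The uid 609, user sconce_nonet and eth0 are Bill's values; the function names and the constructed sample output are mine.

```shell
#!/bin/sh
# Added example (not from the thread): helpers around a per-UID egress
# quarantine of the kind Bill tested. Function names are assumptions.

# Rule spec (for `iptables -A ...`) that drops every packet uid $1 sends out.
# With $2 = "any" the -o match is omitted, so one rule covers all interfaces
# (wired, wireless and lo) instead of just the one named.
nonet_rule() {
    uid="$1"; iface="$2"
    if [ "$iface" = any ]; then
        printf 'OUTPUT -m owner --uid-owner %s -j DROP\n' "$uid"
    else
        printf 'OUTPUT -o %s -m owner --uid-owner %s -j DROP\n' "$iface" "$uid"
    fi
}

# Read `iptables -S OUTPUT` output on stdin; succeed only if the DROP rule
# for uid $1 on interface $2 is actually installed (exact line match).
nonet_rule_present() {
    grep -qxF -- "-A $(nonet_rule "$1" "$2")"
}

# Read interface names on stdin (e.g. from `ls /sys/class/net`) and print
# those a rule written for interface $1 does not cover. Bill's eth0-only
# rule still lets the quarantined uid talk over wlan0, or to local services
# over lo, so this is the list to review.
nonet_uncovered_ifaces() {
    grep -vxF -- "$1"
}

# Kevin's wrapper shape with a check in front: refuse to start the reader
# unless the quarantine rule for its uid is live. Needs iptables and sudo,
# so the demo below does not call it.
run_quarantined() {
    user="$1"; uid="$2"; iface="$3"; shift 3
    if ! iptables -S OUTPUT 2>/dev/null | nonet_rule_present "$uid" "$iface"; then
        echo "refusing to start $1: no egress DROP rule for uid $uid on $iface" >&2
        return 1
    fi
    exec sudo -u "$user" -- "$@"
}

# Constructed sample of `iptables -S OUTPUT` after Bill's command ran.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o eth0 -m owner --uid-owner 609 -j DROP'

# Constructed interface list for a laptop with wired, wireless and loopback.
SAMPLE_IFACES='eth0
lo
wlan0'

demo() {
    echo "rule to add:        $(nonet_rule 609 eth0)"
    if printf '%s\n' "$SAMPLE_RULES" | nonet_rule_present 609 eth0; then
        echo "uid 609 on eth0:    quarantined"
    fi
    if ! printf '%s\n' "$SAMPLE_RULES" | nonet_rule_present 610 eth0; then
        echo "uid 610 on eth0:    not quarantined (other users unaffected)"
    fi
    echo "still open for 609: $(printf '%s\n' "$SAMPLE_IFACES" | nonet_uncovered_ifaces eth0 | tr '\n' ' ')"
}
demo
```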
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
David,

> His web site exists here: http://www.shannonknowshpc.com/

It must be residing on a PRO 350 running an early version of V7M-11 (nee Ultrix-11); it took such a long time to load, but was definitely worth the wait.

Thanks again for the memories.

md

P.S. My note about Terry from that site:

    Shannon knows.
    Posted by Jon Saturday July 09 2005 @ 01:35PM EDT

    I, like many other people, had heard of Charlie Matco. The invisible person who was under every desk at Digital Equipment Corporation, and who knew the plans before DEC announced them, and often knew what would happen before DEC did.

    I met Terry during my days in the Digital Unix group, probably at a DECUS. Very sharp technically, and always thinking of the customer. Terry was one of the first analysts to embrace Linux and what it could do for the world.

    I hope they have computers in Heaven...otherwise Terry will not be happy.

    - maddog
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
On Tue, 17 Aug 2010 17:01:50 -0400 Benjamin Scott dragonh...@gmail.com wrote:

> On Tue, Aug 17, 2010 at 2:31 PM, Bill Sconce sco...@in-spec-inc.com wrote:
> > (*) Sorry, Windows users. The tools you need just aren't available on Windows.
>
> Windows NT certainly has user accounts. Always has, since the first version (Version 3.0). (NT is today called "Windows 7", and has also been called "Vista", "XP", and "2000".) (It's still Microsoft; they love playing name games.)
>
> Vista also introduces a number of features along the lines of privilege isolation.

Before you let me get ripped to shreds, let me say: if NT's user accounts can be made to do what's needed, I want (and my clients want) to know how to make it happen. And I'll be happy to eat crow because I didn't know enough about Windows, if that's the case.

I certainly know about NT user accounts. But. By "do what's needed" I don't and can't mean

  o when you want to go to the Web, log out and log back in;
  o when you want to view a PDF document, log out and log back in;
  o when you want to run a program which can't see the files you have open on your desktop, log out and log back in;
  o and so on.

Perhaps I'd have run less risk of shredding if I'd said "The tools to make user-privilege separation usable day to day, e.g., the ability to run programs with/without the net and to switch among working environments/desktops/user accounts with a single keypress, and so on, just aren't available on Windows." Or perhaps Windows users can do these things, in which case I deserve shredding. (I can surely say I'll be *pissed* if someone shows me that what took me three years' part time to get working usably can be done more easily in Windows!)

I can also surely say I've never seen a Windows shop where any of Microsoft's privilege separation was used. The best of them have user accounts set as "restricted" (a good thing), but I've never seen ACLs used, including in the largest/most professional Windows shop I've worked in, 4000+ desktops. Only saying I've never seen it, not that it doesn't happen somewhere.

(Full disclosure: I've never seen a Vista system at all. None of my clients use it. Or Windows 7. [I hope to convert them to Linux before they ever have to!] All Vista shops could be doing security right and I wouldn't know. And if they are all doing it right I hereby volunteer to be shredded, with broken CRT necks.)

(I've never seen a Linux shop using ACLs or implementing SELinux either, but those do exist. Just not at the social strata I move in -- not in one-man-admin shops. Which are what I care about these days.)

> Vista also supports running simultaneous virtual desktops in support of multiple user sessions ("Fast User Switching", in Microsoft parlance).

OK, that might actually help. If that facility is usable, I was wrong. Thanks.

-Bill

P.S. It was worth a threat of shredding to have triggered md's telling of the DecWest/Cutler story. The best! I love this list.
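An added example, not code from Bill's post or anyone else's on the list: one way the "run programs with/without the net" half of the above is done on Linux, using iptables' owner match to cut a dedicated account off from everything but loopback while every other account keeps its connectivity. The chain name QUARANTINE, the demo uid 1001, the script name quarantine.sh and the assumption that both iptables and ip6tables are installed are mine, not the thread's.

```sh
#!/bin/sh
# Added example (not from the gnhlug thread): per-account network quarantine on
# Linux with the iptables owner match. Anything run as the quarantined uid can
# only talk to loopback; every other account keeps normal connectivity.
# Assumptions: iptables and ip6tables are installed, rules are applied as root,
# the chain name QUARANTINE is ours, and uid 1001 in the usage lines is made up.

# Print the iptables/ip6tables commands for one uid. Second argument is
# "add" (default) or "remove". Nothing is executed here, so the output can be
# reviewed or saved before it is applied.
quarantine_rules() {
    uid=$1
    mode=${2:-add}
    for tool in iptables ip6tables; do    # v4 and v6, or the quarantine leaks over IPv6
        if [ "$mode" = add ]; then
            # A dedicated chain holds the policy; (re)creating it is idempotent.
            echo "$tool -N QUARANTINE 2>/dev/null || true"
            echo "$tool -F QUARANTINE"
            # Loopback stays open so the X server, a local DNS cache and the like still work.
            echo "$tool -A QUARANTINE -o lo -j ACCEPT"
            # REJECT rather than DROP: the quarantined program fails fast instead of hanging.
            echo "$tool -A QUARANTINE -j REJECT"
            # The owner match only sees locally generated packets, i.e. the OUTPUT chain.
            # Insert at position 1 so an earlier blanket ACCEPT cannot bypass it.
            echo "$tool -I OUTPUT 1 -m owner --uid-owner $uid -j QUARANTINE"
        else
            echo "$tool -D OUTPUT -m owner --uid-owner $uid -j QUARANTINE"
        fi
    done
}

# True if the running ruleset sends this uid's traffic to QUARANTINE (needs root).
is_quarantined() {
    iptables -S OUTPUT | grep -q -- "--uid-owner $1 -j QUARANTINE"
}

# Usage (saved as, say, quarantine.sh):
#   sh quarantine.sh show 1001     print the rules
#   sh quarantine.sh apply 1001    apply them (as root)
#   sh quarantine.sh remove 1001   take them out again
#   sh quarantine.sh check 1001    exit 0 if the quarantine is in force
case "${1:-}" in
    show)   quarantine_rules "$2" ;;
    apply)  quarantine_rules "$2" add | sh -e ;;
    remove) quarantine_rules "$2" remove | sh -e ;;
    check)  is_quarantined "$2" ;;
esac
```

To see it work, run something under the quarantined account (e.g. `sudo -u untrusted wget http://example.com/`): it fails immediately with a refused connection or unresolvable host, while the same command under your own account succeeds. The owner match classifies by the uid that owns the socket, so it does nothing for forwarded traffic, and a program that can change its own uid (anything running as root) is not confined by it.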
Re: Linux vs Windows, obscure security features (was: Quarantining an account...)
Yep, took a long time to load for me, too. Could be on a VAXstation 3100 or a MicroVAX. In Heaven he will have his choice of computers and a data center to put them in and his own printing press to explain it all to the other denizens.

Only a year older than me and already gone these past five years. A major loss. RIP, Terry. But before you rest up, call in one more air strike on Apple.

On Tue, Aug 17, 2010 at 9:33 PM, Jon 'maddog' Hall mad...@li.org wrote:

> David,
>
> His web site exists here: http://www.shannonknowshpc.com/
>
> It must be residing on a PRO 350 running an early version of V7M-11 (nee Ultrix-11); it took such a long time to load, but was definitely worth the wait.
>
> Thanks again for the memories.
>
> md
>
> P.S. My note about Terry from that site:
>
> Shannon knows.
> Posted by Jon, Saturday July 09 2005 @ 01:35PM EDT
>
> I, like many other people, had heard of "Charlie Matco". The invisible person who was under every desk at Digital Equipment Corporation, and who knew the plans before DEC announced them, and often knew what would happen before DEC did.
>
> I met Terry during my days in the Digital Unix group, probably at a DECUS. Very sharp technically, and always thinking of the customer.
>
> Terry was one of the first analysts to embrace Linux and what it could do for the world.
>
> I hope they have computers in Heaven... otherwise Terry will not be happy.
>
> - maddog
dual pci nic with bridging
Anybody have experience with a PCI-based dual-interface NIC that does hardware bridging? This would be for a traffic monitoring application, so the host CPU must be able to snoop traffic. Software bridging is not feasible.

Thanks for any pointers.

-- Brian St. Pierre
Re: dual pci nic with bridging
The only host-based thing I've seen for something like that are the Endace DAG cards. They tout 100% packet capture since they take all the processing off the host CPU. They are not cheap though... I think it was like $6000 for a dual port.

http://www.endace.com/endace-dag-high-speed-packet-capture-cards.html

-Shawn

On Tue, Aug 17, 2010 at 11:20 PM, Brian St. Pierre br...@bstpierre.org wrote:

> Anybody have experience with a PCI-based dual-interface NIC that does hardware bridging? This would be for a traffic monitoring application, so the host CPU must be able to snoop traffic. Software bridging is not feasible.
>
> Thanks for any pointers.
>
> -- Brian St. Pierre
Re: dual pci nic with bridging
On Tue, Aug 17, 2010 at 11:20 PM, Brian St. Pierre br...@bstpierre.org wrote:

> Anybody have experience with a PCI-based dual-interface NIC that does hardware bridging? This would be for a traffic monitoring application ...

Not what you asked for, but: Would it be feasible to use a small managed switch with a monitor/mirror port? That would give you much greater hardware choice, as you wouldn't need a special network card.

-- Ben