| Author |
Message |
T. Sean Weintz
Guest
|
 Posted:
Tue Jun 14, 2005 12:20 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Robert Redelmeier wrote:
| Quote: | T. Sean Weintz <strap@hanh-ct.org> wrote:
No harm. But that does not seem to be what the original
poster was looking for. he/she seemed to want something
more along the lines of what sockschain does, but without
the need to do an install. The OP specifically said they
were looking for something that other applications will
plug into. I took that to mean something "sockscap" like.
Well, humph! I'm not entirely sure what this `sockschain`
does but why would it need an install if the system can read
removable media and run executables from there.
|
You *nix folks seem to forget a little thing we have in the windoze
world called the registry. Oftentimes installs set up default values in
the registry that thge program needs to have in place to run. Also DLL
registration can be important. Need that for many programs to run.
That's also usually handled by the install.
| Quote: | A "locked-down"
system might easily be configured this way. Or not, at the
administrators discretion.
|
Or, you can of course disbale the windows installer via group polocy, or
restrict executables (in effect create a list of files the user can
execute - all else is verboten and will gernerate an error dialog)
| Quote: |
Without a "no outside executables" clause in the TOS, I'd
assume a system configured to execute from removable media
also allowed such execution. And a no-exec TOS clause is
unenforceable: What about Javascript that many sites use?
I'm pretty sure a `putty.exe` limited clone could be written
in JS and dropped on some website. Maybe even `sockschain`
|
Sure. And similar things have been done. That is EXACTLY why hipcrime
wrote newsagent in Java.
That's also why I have seen java filtered at the firewall in many
places, and no JRE installed on the desktops.
| Quote: |
There really is nothing special about "Installs" beyond loading
executables and mapping libs & other files.
|
Depends on the OS. Most have some sort of an "execute" flag for file
priveleges. WIth some (windoze, fer instance) there is a bit more
needed than just the ability to read the executable and any libraries in
some cases.
| Quote: | With CoW VM systems,
the media cannot be removed until the process is done.
Of course proxying opens up a whole can of worms. I would
hope no MS-WindowsNT+ system would allow non-Administrator
processes to listen on priviliged ports (<1000). And anyone
hitting non-priviliged ports cannot count on security.
sockschain seems to use 1080 or maybe 8080.
|
For the outgoing connection. Also plain old port 80 is quite common for
http tunneling in addition to the more commmon port 8080 and 3172.
However, it'll use whatever port the proxy is set up on - could be ANY
port. Depends on what the bonehead who set up the open proxy in the
first place did.
| Quote: | There might be some
nefarious ways a black-hat cybercafe user might [further] corrupt
MS-IE to get all users HTTP traffic relayed through their machine.
Nasty, but the crime is not in what their [rented] machine is doing,
but in their sending instructions that accessed others machines.
Not that law enforcement is likely to understand the distinction.
They'd probably say "Spying is RONG unless we're doing it".
-- Robert
|
|
|
| Back to top |
|
 |
T. Sean Weintz
Guest
|
| Posted:
Tue Jun 14, 2005 12:20 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Robert Redelmeier wrote:
| Quote: |
Well, for full installs, usually you need to do `make install`
as root. But Unix software makes do not assume that you can
or want to be root. MS Windows still has the philosophy of
the user being "Administrator" when this is provably dangerous.
|
Not true. these days the default on windows XP machines in a domain is
to have users have no write access to the c:\windows dir, as well as the
machine hive of the registry.
Unfortunately most lower end and niche market software vendors can't
seem to understand this concept. They act amazed when their install
crash on a default setup. |
|
| Back to top |
|
|
Robert Redelmeier
Guest
|
| Posted:
Tue Jun 14, 2005 12:20 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
| Quote: | Well, actually the usual reason is to keep users from
writing into the system area.
|
Yes, that is a good reason to lock-down. It reduces maintenance.
| Quote: | This effectively prevents software installation because
software developers insist on writing to the system areas
even when they have no legitimate need to do so.
|
Yes, and I do not understand why. I consider it the mark of
good commercial MS-Windows software that it be fully installable
by a user account unless system control is needed. When I have
the misfortune of setting up an MS-WinXP box, I always set up
multiple users without Administrator priviliges.
| Quote: | If you are installing an application on a default-configured
XP or Server 2K3 system from a nonprivileged account, and
it won't install, think very hard about whether you want to
let that developer make changes to the system files before
you log in as administrator to install.
|
A good point. I presume it is usually because the install
wants to write to \WINDOWS\ somewhere, not necessarily trash
files. Yet the MS-DOS/Windows install model has always been
under /opt/progname and not the Unix scattering of files to
/usr/bin, /usr/lib, and ~/.progname There is no reason to
write to C:\WINDOWS.
| Quote: | Unix systems are locked down in the same manner for the same
reason, however Unix has had that security model from the start
and so the developers have learned the hard way that there are
things that their user applications will not be allowed to do,
and so application installation is not a problem.
|
Well, for full installs, usually you need to do `make install`
as root. But Unix software makes do not assume that you can
or want to be root. MS Windows still has the philosophy of
the user being "Administrator" when this is provably dangerous.
| Quote: | I'm not disputing you, I would just like to read the
legislation.
|
Among other Google hits, see:
http://www.wrf.com/publication_newsletters.cfm?sp=newsletter&year=2002&ID=10&publication_id=10254&keyword=
-- Robert |
|
| Back to top |
|
|
Walter Roberson
Guest
|
| Posted:
Tue Jun 14, 2005 5:28 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
In article <11as5as8dhoroce@news.supernews.com>,
T. Sean Weintz <strap@hanh-ct.org> wrote:
:You *nix folks seem to forget a little thing we have in the windoze
:world called the registry.
Oh, we don't forget it, you can be sure ;-)
:Oftentimes installs set up default values in
:the registry that thge program needs to have in place to run.
Hmmm, what's this .ini file doing in my folder?
:Also DLL
:registration can be important. Need that for many programs to run.
The 'D' in 'DLL' standa for 'Dynamic'. Without knowing the details
of Windows, it seems to me rather likely that the search path
to find DLL's is one of the things under the control of the
program.
Or at least in Unix, "dynamic" linking implies dynamic paths.
If the pathes aren't dynamic, then one speaks of "shared" libraries
rather than of "dynamic" libraries.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest |
|
| Back to top |
|
|
J. Clarke
Guest
|
| Posted:
Tue Jun 14, 2005 8:20 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Robert Redelmeier wrote:
| Quote: | T. Sean Weintz <strap@hanh-ct.org> wrote:
MS Windows still has the philosophy of the user being
"Administrator" when this is provably dangerous.
Not true.
Sure it is.
these days the default on windows XP machines in a domain
is to have users have no write access to the c:\windows dir,
as well as the machine hive of the registry.
Ah, but that only applies when machines are setup as multi-user.
Most consumer machines are set up with one user "Owner"
who also has Administrator access. As usual, MS has chosen
technically inferior but economically superior [for them] defaults.
They reduce tech support calls from "can't do this" at a cost in
"my system has a virus" which they don't handle.
|
Actually, Microsoft has been tightening the defaults over time. XP doesn't
force one to create a user account but it "encourages" it. They seem to be
trying to herd the developers rather than bludgeon them, but it's easier to
herd cats.
| Quote: | Unfortunately most lower end and niche market software
vendors can't seem to understand this concept. They act
amazed when their install crash on a default setup.
Yes. But the increase in unwriteable c:\windows might
cause them to fix their bugfests.
-- Robert
|
--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net) |
|
| Back to top |
|
|
J. Clarke
Guest
|
| Posted:
Tue Jun 14, 2005 8:20 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Robert Redelmeier wrote:
| Quote: | J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
Well, actually the usual reason is to keep users from
writing into the system area.
Yes, that is a good reason to lock-down. It reduces maintenance.
This effectively prevents software installation because
software developers insist on writing to the system areas
even when they have no legitimate need to do so.
Yes, and I do not understand why. I consider it the mark of
good commercial MS-Windows software that it be fully installable
by a user account unless system control is needed. When I have
the misfortune of setting up an MS-WinXP box, I always set up
multiple users without Administrator priviliges.
If you are installing an application on a default-configured
XP or Server 2K3 system from a nonprivileged account, and
it won't install, think very hard about whether you want to
let that developer make changes to the system files before
you log in as administrator to install.
A good point. I presume it is usually because the install
wants to write to \WINDOWS\ somewhere, not necessarily trash
files. Yet the MS-DOS/Windows install model has always been
under /opt/progname and not the Unix scattering of files to
/usr/bin, /usr/lib, and ~/.progname There is no reason to
write to C:\WINDOWS.
Unix systems are locked down in the same manner for the same
reason, however Unix has had that security model from the start
and so the developers have learned the hard way that there are
things that their user applications will not be allowed to do,
and so application installation is not a problem.
Well, for full installs, usually you need to do `make install`
as root. But Unix software makes do not assume that you can
or want to be root. MS Windows still has the philosophy of
the user being "Administrator" when this is provably dangerous.
I'm not disputing you, I would just like to read the
legislation.
Among other Google hits, see:
http://www.wrf.com/publication_newsletters.cfm?sp=newsletter&year=2002&ID=10&publication_id=10254&keyword= |
I've found numerous similar--they all discuss the transfer of data from
personnel files, not the monitoring of email. That one mentions it in
passing but doesn't say anything about what is or is not allowed.
--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net) |
|
| Back to top |
|
|
Robert Redelmeier
Guest
|
| Posted:
Tue Jun 14, 2005 4:20 pm Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
| Quote: | http://www.wrf.com/publication_newsletters.cfm?sp=newsletter&year=2002&ID=10&publication_id=10254&keyword=
I've found numerous similar--they all discuss the transfer of data from
personnel files, not the monitoring of email. That one mentions it in
passing but doesn't say anything about what is or is not allowed.
|
Actually the para under "EU subs handling HR data"
s very general and includes more than just email.
Unfortunately, it does not include references.
A more general problem is the the European Data Protection
Directive is just that, a directive that is not law until
it is implemented in the various countries. Each will do it
slightly differently. And most are civil code, not common law,
so precedents don't have the same force. Also, employment
is not "at will" but a protected contract.
Unfortunately, nothing is clear in this evolving area.
An employer is probably safe if they monitor for legal compliance
(vicarious liability) or as a result of statutory obligation (SOx).
But they'd better enforce uniformly, even in the US. A clever
US lawyer can allege wrongful dismissal (age or religious
discrimination): [deposition] "You fired Mr Jones for downloading
123 MB of pr0n" "Yes" "How did you know?" "We checked logs"
[discovers logs] "These show Ms Smith dowloaded 4 GB.
What happened to her?"
-- Robert |
|
| Back to top |
|
|
Robert Redelmeier
Guest
|
| Posted:
Tue Jun 14, 2005 4:20 pm Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Rich Seifert <usenet@richseifert.com.invalid> wrote:
| Quote: | Most American criminal law is *state* law, not federal.
What constitutes theft is generally determined
from a state-by-state statutory definition.
|
Quite true. A simplification on my part. In some
states, theft-by-fraud is fraud/embezzlement, not theft.
| Quote: | For example, the common-law definition of theft is the
unlawful taking of personal property *with the intent
to permanently deprive* its rightful owner
|
In our "drive to Virginia" example, it might be difficult
to show that "intent to permanently deprive", especially
if he came back.
| Quote: | (I am not a lawyer; I *am* a law student in my last year
of study.)
|
Congrats!
-- Robert |
|
| Back to top |
|
|
Robert Redelmeier
Guest
|
| Posted:
Tue Jun 14, 2005 4:20 pm Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
T. Sean Weintz <strap@hanh-ct.org> wrote:
| Quote: | You *nix folks seem to forget a little thing we
have in the windoze world called the registry.
|
Uhm, err ... don't you try to forget Nightmares? :)
| Quote: | Oftentimes installs set up default values in the registry
that thge program needs to have in place to run.
|
It can, if it wants to live in the Nightmare :)
But nothing _forces_ a pgm to write to the Registry.
AFAIK, the Registry is a handy place (can you say /etc?) to
put pointers to data files in such intuitively obvious places
as: HKEY\LocalMachine\Software\CompanyName\AppName\DataLoc
More seriously, this is a thorny problem that unix hasn't
solved either (or MS would've cloned it, badly). Perhaps
because it has no univeral solution. The unix way usually
is to search a datapath.
| Quote: | Also DLL registration can be important. Need that for many
programs to run. That's also usually handled by the install.
|
This should _not_ be necessary. The loader should be able to
find libs! If not, failure is a good option.
| Quote: | That's also why I have seen java filtered at the firewall
in many places, and no JRE installed on the desktops.
|
Ouch! That's work. How do you filter Java from HTTPS?
-- Robert |
|
| Back to top |
|
|
J. Clarke
Guest
|
| Posted:
Tue Jun 14, 2005 8:47 pm Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Robert Redelmeier wrote:
But "HR data" is not email generated by the employee, it is personnel files
containing information _about_ the employee generated by the Human
Resources department.
| Quote: | A more general problem is the the European Data Protection
Directive is just that, a directive that is not law until
it is implemented in the various countries. Each will do it
slightly differently. And most are civil code, not common law,
so precedents don't have the same force. Also, employment
is not "at will" but a protected contract.
Unfortunately, nothing is clear in this evolving area.
An employer is probably safe if they monitor for legal compliance
(vicarious liability) or as a result of statutory obligation (SOx).
But they'd better enforce uniformly, even in the US. A clever
US lawyer can allege wrongful dismissal (age or religious
discrimination): [deposition] "You fired Mr Jones for downloading
123 MB of pr0n" "Yes" "How did you know?" "We checked logs"
[discovers logs] "These show Ms Smith dowloaded 4 GB.
What happened to her?"
-- Robert
|
--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net) |
|
| Back to top |
|
|
glen herrmannsfeldt
Guest
|
| Posted:
Wed Jun 15, 2005 12:20 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Robert Redelmeier wrote:
(snip regarding the ability, or lack thereof, to run programs
under windows without installing them.)
| Quote: | Without a "no outside executables" clause in the TOS, I'd
assume a system configured to execute from removable media
also allowed such execution. And a no-exec TOS clause is
unenforceable: What about Javascript that many sites use?
I'm pretty sure a `putty.exe` limited clone could be written
in JS and dropped on some website. Maybe even `sockschain`
There really is nothing special about "Installs" beyond loading
executables and mapping libs & other files. With CoW VM systems,
the media cannot be removed until the process is done.
Of course proxying opens up a whole can of worms. I would
hope no MS-WindowsNT+ system would allow non-Administrator
processes to listen on priviliged ports (<1000). And anyone
hitting non-priviliged ports cannot count on security.
|
While some versions of windows may provide that restriction,
I don't believe that DOS did, and likely not MacTCP either.
I am not sure now about Win3.1 or Win95.
(The DOS networking programs I used to know provided their
own TCP stack, writing directly to the hardware.)
If you allow machines on the net that can run DOS you have
almost no protection against unprivileged users on low
numbered ports.
-- glen |
|
| Back to top |
|
|
Hansang Bae
Guest
|
| Posted:
Thu Jun 16, 2005 12:20 am Post subject:
Re: Secure Tunnelling software from a usb drive? |
|
|
Rich Seifert wrote:
[snip]
| Quote: | (I am not a lawyer; I am a law student in my last year of study.)
|
Damn...and I used to respect you too! ;)
--
hsb
"Somehow I imagined this experience would be more rewarding" Calvin
**************************ROT13 MY ADDRESS*************************
Due to the volume of email that I receive, I may not not be able to
reply to emails sent to my account. Please post a followup instead.
******************************************************************** |
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in