
Re: Someone is testing my firewall



On Tue, 16 Oct 2001 10:02:37 +0900 "Karen Ellrick"
<k-ellrick sctech co jp> imparted to us:
> > Your IP address can be gathered via a page whether you click a link or
> > not. Someone like doubleclick can follow you around without you ever
> > clicking one of their ads. So, you go to site Z and don't even touch the
> > ad. A cookie gets added. You go to another site, the cookie gets found.
> > You get followed without ever knowing it.
> 
> Are you saying that everybody who allows a doubleclick ad on their page
> agrees to more than an image and an <a> entry to go to doubleclick site,
> but also code in their page that I can't see (i.e. server-side or maybe
> JavaScript) that sets and receives cookies on behalf of doubleclick? I
> want to know more than just what they can do - I want to know *how* they
> do it, because otherwise I don't really know how to defend against it. If
> what you're saying is true, and I don't have any more information about
> what code they are using to do this and why there is a conspiracy between
> doubleclick and all the people who allow the ads on their pages, then if I
> don't want to be followed I would need to avoid all sites that have
> doubleclick ads (which seems to be practically everybody), not just avoid
> the ads themselves - that's just a tad impractical.

First off, I don't know first hand HOW they do it. I used to have a link
to a page that said how to defeat it, but it required creating a
read-only file to keep them from inserting a new cookie from other
sites. And being read-only, they had a harder time tracking surfers,
especially if more than one is using the same ploy on their PCs.

Secondly, I've written to several places I've found serving their ads.
They say, and I can't prove otherwise, almost unanimously that they only
have superficial control over who serves what through their banner ads
(I specifically recall appwatch [now extinct] and freshmeat giving this
reply, but there were others) and they were essentially renting the
space where the ads appear. I tend to believe that may be the case,
though, again, I can't state anything factual in this case. My
presumption is (and that's all it is) that they do business with someone
who then turns and sells it to others doing business with doubleclick.

Doubleclick has an opt-out policy. I doubt they seriously follow it,
sorta like a collection agency promising never to bother you at
dinnertime again. 

http://www.doubleclick.net/us/corporate/privacy/privacy/default.asp?asp_object_1=&;

(sorry if that wraps). I'd say that based on what I still run across,
there's nothing to the policy they state under the opt-out provision. Or
if there is substance, it's to begin a new round of info-gathering when
you have the gonads to actually tell them to stop it.

> > Netscape and IE both store certain information in files. Things like the
> > history of sites you've typed in manually, a cache of places visited,
> > info from search engines, etc. With netscape you can usually delete
> > everything in a netscape folder and get it all. There might be the odd
> > bit of information stored in various areas, but those are fairly rare.
> > M$ files are even worse and just emptying the favorites/history folders
> > won't get all of it. I'm not sure how to fix it up in 'Doze or any other
> > Gate$ware product because it's been a few years since I had to do it. I
> > know it can be done.
> 
> Hmm, maybe the third-party book on 'Doze was not overreacting when they
> recommended a "scorched-earth" reinstall of the whole OS every year or so.
> (:-o)

I'd go one further. Using MS-anything invites intrusion of this sort. I
have NT server installed here. It's a joke! (That's why I only use it to
toy with and to help straighten out some problems the IT "EXPERTS" are
having.) Security only means anything ON the machine, and then very
little.

NT is more secure than 95, 98 or ME, and likely XP. I don't vouch for
2K, but I'd bet it's still a long way off. Unfortunately, most people
have assumed virus checkers were all they needed. Now it's moved up to
firewalls. But, they still have no idea what the things do or what
should be opened or closed. Talking the majority here: some know more
and still can't get it quite right.

Most of these things can be run via java or javascript. Lots of people
like dancing little do-nothings all over their screens, animations,
sounds and lots and lots of eye-candy. The price they pay is the opening
of holes in the system.

> > Anyway, all that site did was read the information stored on your hard
> > drive. That's why friends should never let friends use microsoft: it
> > doesn't have security holes, it has security canyons. By default, every
> > Win98 and before was wide open. They can look at password files,
> > checking account info, addressbooks, dirty pictures, diaries, anything
> > stored. No matter what they try to claim, it has improved

That should have read HASN'T, not has

> > considerably with NT, ME or 2K, and I won't buy the claims on XP until
> > they're proven.
> 
> I understand security canyons in OS's - what I don't understand is how the
> HTTP protocol allows this to happen. How can, for example, a CGI program,
> request files from a client's hard drive? Hmm, while writing this, it
> occurred to me that maybe it's not using HTTP to get the files but
> temporarily trying some port that Windoze typically leaves open for some
> other service - I know there are some - and hacking that. The case I know
> about (the search engine that knew everything we had ever searched on on
> any site) happened on our laptop, which doesn't yet have firewall
> software. I didn't try it on our desktop, which has firewall software that
> disallows any SYN packets to come in (I have no need for anything to run
> as a server on it). Unless what you are saying is somehow possible through
> HTTP itself, I would assume that refusing all new connections from the
> outside would plug this particular hole. Of course, most ordinary people
> running M$ have never heard of firewalls...

I can't explain the "how" of a lot of this. I can say I've seen it in
action (similar to places you mentioned about reading the history) where
they read the hard drive and displayed all of the contents. Again, if
they can see 'em, they can get 'em from an M$ machine.

Refusing all connections from outside is about the best way. One can
protect from most of these things by closing the system off. But, some
sites require you to have cookies on and the ability to write/read them
or you can't do business. Others are needed for convenience (I use ebay,
paypal, my credit union and some others that require cookies). Some
refuse to work unless you have the right plugins in place, inviting
forms of mischief if you install them. If you can manage to avoid any of
that, you're in business. I think. I can't guarantee since I don't know
every little trick they come up with to get around the fixes people put
in place for the last intrusion.

I use junkbuster. I used to be able to put

ads.doubleclick.net
connect.247media.ads.link4ads.com

and that would block things from both of them. It would also kill the
cookies. Now I find it several times in the same document with numerous
variations. I find out how to block them again by finding the secret
link in the page and adding it to the blockfile and cookie file. A
couple of weeks later I find out I'm getting banner ads from them again.
I search around the page source and find the new secret. That works for
another week or two. Now, those links are still spelled out explicitly
in the new trick links, but junkbuster is only able (why, I don't know)
to block the first instance. If hit immediately with another or a slight
variation, it passes it on. Ok, I add squidguard. Same thing. Add
dansguardian (note, this is adding them in series, not separately) and
that works a little. Still not enough. Add squid_redirect. Ditto. Before
long I'm sending every link through 8 proxies and slowing things to a
crawl, only to have these things slip through again.

That's just banner ads. Cookies are still getting through separately and
need to be handled in other ways.

> > Security is a particular M$ weakness. Someday people will learn that.
> > Many businesses already are learning it. Firewalls help, virus checkers
> > help, patching everything every day (ala NT and 2K) can help. But, they
> > aren't secure enough and can never be made secure enough IMHO.
> 
> Unfortunately even some of us who know the dangers have no choice yet -
> I'm waiting on software for Linux that does the various things I need,
> and it looks like it may be awhile. :-(

Such as? They might exist and you haven't been treated to them just yet.

Just make sure you close off everything you can, maybe network the 'Doze
box through a linux firewall with various other security measures
installed and in use (procmail to disable or remove executables, for
instance, maybe a virus checker as well).

-- 
99% of lawyers give the rest a bad name.
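The quoted question above asks *how* an ad host can follow a visitor across unrelated sites with one cookie. The following is an added illustration, not code from this thread or from any product it names, of that mechanism in miniature and of the two defences the thread discusses: a junkbuster-style domain block file and refusing the ad host's cookies. All host names and pages are constructed.

```python
import itertools
from urllib.parse import urlsplit

TRACKER = "ads.tracker.example"           # constructed stand-in for an ad host
BLOCKLIST = {TRACKER}                     # junkbuster-style block file entry

# Constructed pages: two unrelated sites embed the same ad image from TRACKER.
SITES = {
    "www.site-a.example": [f"http://{TRACKER}/ad.gif?ref=site-a"],
    "www.site-b.example": [f"http://{TRACKER}/ad.gif?ref=site-b"],
}

class Tracker:
    """Ad server: assigns an id cookie on first sight, logs each embedding page."""
    def __init__(self):
        self._ids = itertools.count(1)
        self.log = {}                     # visitor id -> pages it was seen on

    def serve(self, cookies, referer):
        vid = cookies.get("id")
        set_cookie = None
        if vid is None:                   # no cookie yet: mint one (Set-Cookie)
            vid = str(next(self._ids))
            set_cookie = ("id", vid)
        self.log.setdefault(vid, []).append(referer)
        return set_cookie

class Browser:
    """Client: per-host cookie jar plus the two defences discussed above."""
    def __init__(self, tracker, block_domains=False, third_party_cookies=True):
        self.tracker = tracker
        self.jar = {}                     # host -> {cookie name: value}
        self.block_domains = block_domains
        self.third_party_cookies = third_party_cookies

    def visit(self, site):
        for img in SITES[site]:
            host = urlsplit(img).hostname
            if self.block_domains and host in BLOCKLIST:
                continue                  # block file: the ad is never fetched
            third_party = host != site
            allow = self.third_party_cookies or not third_party
            sent = self.jar.get(host, {}) if allow else {}
            set_cookie = self.tracker.serve(sent, site)   # Referer = the page
            if set_cookie and allow:
                self.jar.setdefault(host, {})[set_cookie[0]] = set_cookie[1]

def linked_visitors(tracker):
    """Visitor ids the tracker could tie to more than one site."""
    return [v for v, pages in tracker.log.items() if len(set(pages)) > 1]
```

With defaults the ad host ties both visits to one id; with the block file it sees nothing, and with its cookies refused every visit looks like a new visitor.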
