Re: Linux and spyware?

After a long battle with technology, Anonymous <nobody@bikikii.ath.cx>, an earthling, wrote:
> "CB" == Christopher Browne <cbbrowne@acm.org>:
> CB> And note that the only thing about this that you can forcibly do
> CB> anything about is to choose not to follow the web links.
>
> Things that might also help:
> - use a different account when browsing "unknown" web sites
> - use an anonymyzing web proxy
> - tell your browser not to store cookies and disable javascript
>
> This way, you don't have to mess with your normal browser's
> cookies/javascript settings. Use your normal account for browsing
> "trusted" sites, and a specially hardened environment for "unknown"
> sites.
>
> Of course, using an anonymizing web proxy is a good thing regardless
> of the site you visit...

But this STILL misses the point.

If you follow the link sent in an email message,
<http://www.hotteens.com/start+1023+stuff/>
then they can know that the email address they tried is a "good" one,
irrespective of what "anonymization" techniques you might try.

Using an anonymizing web proxy doesn't "fix" that. Nor does using a
different user account. Nor does disabling cookies or JavaScript.

Sheesh.

The "log all web requests" technique DOES NOT REQUIRE SPECIAL
PROTOCOLS. It DOES NOT REQUIRE BROWSER EXTENSIONS.

This thread has been demonstrating that there are a lot of people that
have somehow bought into some mystical magical notion that "Linux is
Secure" as a result of having Good Fairy Pixies around, whereas
Windows is insecure due to having Bad Fairy Pixies. Or based on
thoughts similarly fanciful.

Reality, of course, is that there is no magic, fairies, pixies, or
such involved. And reality is that things /aren't/ magically secure.

In fact, reality is that even though you may be browsing from a Linux
box, there may be quite a lot of surveillance the Bad Guys can do on
you. If you don't believe that, then look at the logs collected in
/var/log/apache, and see if you can't imagine creative ways to abuse
that information, particularly if you have ways of injecting URLs of
YOUR choice into the mix.
--
(reverse (concatenate 'string "gro.gultn" "@" "enworbbc"))
http://www.ntlug.org/~cbbrowne/rdbms.html
Rules of the Evil Overlord #129. "Despite the delicious irony, I will
not force two heroes to fight each other in the arena."
<http://www.eviloverlord.com/>

Christopher Browne wrote:

> After a long battle with technology, Anonymous <nobody@bikikii.ath.cx>, an
> earthling, wrote:
>> "CB" == Christopher Browne <cbbrowne@acm.org>:
>> CB> And note that the only thing about this that you can forcibly do
>> CB> anything about is to choose not to follow the web links.
>>
>> Things that might also help:
>> - use a different account when browsing "unknown" web sites
>> - use an anonymyzing web proxy
>> - tell your browser not to store cookies and disable javascript
>>
>> This way, you don't have to mess with your normal browser's
>> cookies/javascript settings. Use your normal account for browsing
>> "trusted" sites, and a specially hardened environment for "unknown"
>> sites.
>>
>> Of course, using an anonymizing web proxy is a good thing regardless
>> of the site you visit...
>
> But this STILL misses the point.
>
> If you follow the link sent in an email message,
> <http://www.hotteens.com/start+1023+stuff/>
> then they can know that the email address they tried is a "good" one,
> irrespective of what "anonymization" techniques you might try.
>
> Using an anonymizing web proxy doesn't "fix" that. Nor does using a
> different user account. Nor does disabling cookies or JavaScript.
>
> Sheesh.
>
> The "log all web requests" technique DOES NOT REQUIRE SPECIAL
> PROTOCOLS. It DOES NOT REQUIRE BROWSER EXTENSIONS.
>
> This thread has been demonstrating that there are a lot of people that
> have somehow bought into some mystical magical notion that "Linux is
> Secure" as a result of having Good Fairy Pixies around, whereas
> Windows is insecure due to having Bad Fairy Pixies. Or based on
> thoughts similarly fanciful.
>
> Reality, of course, is that there is no magic, fairies, pixies, or
> such involved. And reality is that things /aren't/ magically secure.
>
> In fact, reality is that even though you may be browsing from a Linux
> box, there may be quite a lot of surveillance the Bad Guys can do on
> you. If you don't believe that, then look at the logs collected in
> /var/log/apache, and see if you can't imagine creative ways to abuse
> that information, particularly if you have ways of injecting URLs of
> YOUR choice into the mix.


For what it's worth, whenever I get a spam I use the "bounce" facility of
KMail to send it back. It simulates a bad address. My ISP also has a
spam-catching facility that records addresses marked as spammers and blocks
them.

I don't get much spam and then rarely from the same address twice.

Of course, bouncing won't help if the spammer is using brute-force tactics.

--Rod

--
Author of "Linux for Non-Geeks--Clear-eyed Answers for Practical Consumers"
and "Boring Stories from Uncle Rod." Both are available at
http://www.rodwriterpublishing.com/index.html

To reply by e-mail, take the extra "o" out of my e-mail address. It's to
confuse spambots, of course.