This is a discussion on Internet Explorer, again within the Linux Security forums, part of the System Security and Security Related category.

Hi:

A while ago I asked about how to secure a LAN with one client running IE to access a site using Active X controls. In the past we ran Windows in VMware on Linux, so most of the time my wife used Linux.

The solution I came to was this:

My wife's computer now has a hardware switch to allow her to select hard drives. One for Linux, and one for Windows.

The way the switch works is it switches the power to either the Linux hard drive, or the Windows one. The intention was that if she wants to use the Thai TV web site, she boots Windows, and the Linux hard drive is unpowered. Also, the other Linux box on the LAN would not be running when she uses Windows/IE.

So Windows with IE would only ever run in a completely isolated environment, while when she runs Linux, then the other hard drive would be used, and the LAN would be in "trusted" mode. In that mode, only very limited Windows access to the internet (MSN messenger only) and none with IE would be permitted.

Problem: Now that the switch is installed she only uses Windows, and it is impossible to have her use of her computer not coincide with my use of my computer. Thus the problem is now worse in terms of security, and worse in that my wife's usage patterns have now drifted almost entirely to Windows.

I think the following might be the only way to save the situation:

1. Let her use IE in VMware again to access the Thai TV web site (only) and to use MSN chat.

2. Disable the VMware host-only network that allows it access to her Linux filesystem. File transfer would only be allowed by a USB cigar drive or something like that.

3. Firewall the Linux boxes (including the host Linux for the VMware machine) from all accesses from the IP of the Windows machine.

4. Continue to run NFS on the LAN, but disallow ftp and telnet since a snooper on the VMware Windows could see traffic. Use only ssh to gain remote access to the other Linux box.

Things have further deteriorated since my wife bought a webcam, which doesn't appear to work with VMware (even the latest version) because it uses isochronous USB transfers. Thus she must use the real Windows for this. But she doesn't plan to use it all the time.

She actually prefers Linux for its spaciousness, mainly, the extra virtual desktops. But she wants to do things that Linux just cannot do, thanks to Microsoft's disgusting anticompetitive acts. She wants to chat in Thai with her sister. Her sister uses MSN and won't be persuaded to change, since "all their friends use MSN."

Last time I killed many hours trying to get any Linux chat client to work in Thai, I failed. I will try again, and maybe it can work now (I doubt it), but then again MSN allows webcam and sound functionality, all with the effort of...well just about no effort at all. And that is the sad fact that is making me lose a Linux convert back to Windows. I just cannot get Linux to compete with the functionality of Windows.

Note: There is no alternative to using Windows and IE to access the web site, so don't even suggest just "dumping Windows". I know IE and Windows suck, but I want my wife to have the only access to Thai TV that she can get, which is through IE and that web site. Digital cable is expensive and has only one channel which she doesn't want. The Thai TV web site uses Active X controls, and will not work with Mozilla. She is also uninterested in contacting the site developers to complain because she is convinced that they don't care and won't care. They have no shortage of customers. Their customers don't care about Windows viruses and such, since they are totally conditioned to accept all that bullshit. In general I think it is true that for 95% of people, they are perfectly willing to put up with the insecurity of Windows and IE. They just don't care. They just want it to be *easy and fun*. They aren't interested in making sacrifices for matters of principle. That is the reality. My job is to find a reasonably secure solution to protect my LAN and Linux boxes from Windows.

Bummed out.

--
_____________________
Christopher R. Carlen
crobc@earthlink.net
SuSE 9.1 Linux 2.6.5
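
The host-firewall part of the plan above (steps 3 and 4), as an added example that is not part of the original post: a shell function that emits an `iptables-restore` ruleset to load on each Linux box. The function names, the log prefix and the two addresses passed in are assumptions; the sample addresses in the comments are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Emits a default-deny INPUT policy that
#   - drops and logs everything sourced from the Windows machine (step 3)
#   - admits ssh and NFS only from the other Linux box; ftp/telnet stay closed (step 4)

# is_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad with octets 0..255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; safe, input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_rules WINDOWS_IP TRUSTED_IP -> ruleset on stdout, exit status 2 on bad input
gen_rules() {
    win_ip=$1
    peer_ip=$2
    is_ipv4 "$win_ip" && is_ipv4 "$peer_ip" || { echo "bad address" >&2; return 2; }
    [ "$win_ip" != "$peer_ip" ] || { echo "addresses must differ" >&2; return 2; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Step 3: matched before any ACCEPT rule, so not even reply packets get in.
# The match is by source address, so it only holds while that IP stays fixed.
-A INPUT -s $win_ip -m limit --limit 6/min -j LOG --log-prefix "WINBOX-DROP: "
-A INPUT -s $win_ip -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Step 4: ssh plus portmapper/nfsd, from the trusted Linux box only.
# NFSv3 mountd/statd/lockd use dynamic ports unless pinned; add the pinned
# ports to the two multiport lists.
-A INPUT -s $peer_ip -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -s $peer_ip -p tcp -m multiport --dports 111,2049 -m state --state NEW -j ACCEPT
-A INPUT -s $peer_ip -p udp -m multiport --dports 111,2049 -j ACCEPT
COMMIT
EOF
}

# Usage, as root, with constructed addresses:
#   gen_rules 192.168.1.50 192.168.1.10 | iptables-restore
```

Logging the dropped packets gives a record of any attempt by the Windows machine to reach the Linux boxes, which is the signal worth watching in this setup.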

Chris Carlen <crobc@BOGUS_FIELD.earthlink.net> wrote:
> Hi:
>
> A while ago I asked about how to secure a LAN with one client running IE
> to access a site using Active X controls. In the past we ran Windows in
> VMware on Linux, so most of the time my wife used Linux.
>
> The solution I came to was this:
>
> My wife's computer now has a hardware switch to allow her to select hard
> drives. One for Linux, and one for Windows.
>
> The way the switch works is it switches the power to either the Linux
> hard drive, or the Windows one. The intention was that if she wants to
> use the Thai TV web site, she boots Windows, and the Linux hard drive is
> unpowered. Also, the other Linux box on the LAN would not be running
> when she uses Windows/IE.
>
> So Windows with IE would only ever run in a completely isolated
> environment, while when she runs Linux, then the other hard drive would
> be used, and the LAN would be in "trusted" mode. In that mode, only
> very limited Windows access to the internet (MSN messenger only) and
> none with IE would be permitted.
>
> Problem: Now that the switch is installed she only uses Windows, and it
> is impossible to have her use of her computer not coincide with my use
> of my computer. Thus the problem is now worse in terms of security, and
> worse in that my wife's usage patterns have now drifted almost entirely
> to Windows.

IMHO your solution was a bit fussy both socially and technically. Technically so because it depends on mutual exclusion. Socially so because you shouldn't be trying to keep a convert when she doesn't care. Oh, I forgot about multiple desktops. If a user points out virtual desktops as an important feature in selecting a working environment, then it's better to let her do whatever she likes.

What I would suggest is this, FWIW:

Forget VMware and two-way power switch, even dual hard disks. Just install her a dual boot system and configure the Linux part as user friendly as you can do (don't know what distro you use, but I suggest Mandrake for her).

For the security, you appear to connect through NAT (ADSL/Cable router?), so you are not exposed to direct outside attack. And I wouldn't be worrying that a spyware or agent running on her box would be able to get at your box. However a spyware could wreak havoc on her side (no problem, see below) and sniff the LAN and report home whatever it deems valuable. I would be worried though, for my passwords used on *internet* (not local passwords), so use https whenever applicable, don't let her access an important bank account from her Windows box, optionally set up your firewall and you're done.

As for her, I would only advocate on the merits of Linux, help on Linux matters whenever called for, but don't touch her Windows partition no matter what happens. Better yet, never use Windows at home and gradually give the impression that you are a complete Windows-illiterate, but a Linux-genius. Let her hire a technician to deal with her Windows woes. Help her in carrying the PC to the local computer repair shop, but don't be able to help her in dealing with the problem in the first place. Try hard, if you must, pathetically hard, but unfortunately without success. Well, maybe your dignity gets a scratch or two down the road, but it's better than trying to pull someone to your side without success.

Let her get infected as much as she likes. If her machine grinds to a crawl, if she loses her months of work, if she cannot run a couple of apps concurrently anymore, c'est la vie. Your Linux, which you have set up and customized for her, sits there all brilliant, fully functional and woe-free.

Then she would have strong motivations to use Linux, if only that Thai TV, and her sister and friends et cetera didn't insist on Microsoft-only technologies. Then it would be her, not you, who complains about these and fights (even if feebly) against them. And she would pay attention to Linux compatibility next time she buys a peripheral.

There you are, instead of you trying to pull her into Linux, now she is trying to push her correspondences out of Microsoft-only world. You have not only won a user, but also won an indirect advocate.

Be a helpful Linux-genius but a hopeless Windows-illiterate. This is how my sister switched to Linux. ;)

--8<--
--
Abdullah        | aramazan@ |
Ramazanoglu     | myrealbox |
________________| D-O-T cöm |
Chris Carlen (crobc@BOGUS_FIELD.earthlink.net) wrote:
: Hi:

: My wife's computer now has a hardware switch to allow her to select hard
: drives. One for Linux, and one for Windows.

Overkill IMO

: Problem: Now that the switch is installed she only uses Windows, and it
: is impossible to have her use of her computer not coincide with my use
: of my computer. Thus the problem is now worse in terms of security, and
: worse in that my wife's usage patterns have now drifted almost entirely
: to Windows.

It sounds like you shut down your whole network when windows is running. Most viruses (commonly written for the most popular OS) won't know what to do with linux. As well, a virus should need to obtain executable permissions before being able to run.

: 4. Continue to run NFS on the LAN, but disallow ftp and telnet since a
: snooper on the VMware Windows could see traffic. Use only ssh to gain
: remote access to the other Linux box.

Prudent, if you are really worried about it.

: Things have further deteriorated since my wife bought a webcam, which
: doesn't appear to work with VMware (even the latest version) because it
: uses isochronous USB transfers. Thus she must use the real Windows for
: this. But she doesn't plan to use it all the time.

I disagree with the other poster on this point: you should make every effort to make windows as secure and as functional as possible.

Enable firewall included in XP. Possibly install Zone Alarm (firewall that screens outgoing programs). Install an anti-virus (AVG (grisoft) is free for 1 computer). Make her a "user" instead of "administrator" (disallow users from installing programs). Try to find a program or video driver that will allow her to use multiple desktops under windows.

The point is you will eventually run into a brick wall of artificial restrictions imposed on the OS by Microsoft; they cripple their own software so they can charge more for the "professional" or "server" versions. Many linux distros try to emulate windows. This is stupid. Linux has to do things Windows can't. (personally, I find the ability to run from read-only media promising)

It also takes a lot of effort to make windows secure, meaning that it is NOT easy to use. IMO menu based interfaces are easy to learn, but hard to use: they get in your way once you learn where everything is.

: She actually prefers Linux for its spaciousness, mainly, the extra
: virtual desktops. But she wants to do things that Linux just cannot do,
: thanks to Microsoft's disgusting anticompetitive acts. She wants to
: chat in Thai with her sister. Her sister uses MSN and won't be
: persuaded to change, since "all their friends use MSN."

: Last time I killed many hours trying to get any Linux chat client to
: work in Thai, I failed. I will try again, and maybe it can work now (I
: doubt it), but then again MSN allows webcam and sound functionality, all
: with the effort of...well just about no effort at all. And that is the
: sad fact that is making me lose a Linux convert back to Windows. I
: just cannot get Linux to compete with the functionality of Windows.

Do you have a Thai keyboard/keymap set up?

If you want specific functionality in the near future, you have to pay for it. Volunteers take time. Part of the problem is large companies (with money) implementing either proprietary or patented standards. IMO, it is too easy to get a patent.

: Windows suck, but I want my wife to have the only access to Thai TV that
: she can get, which is through IE and that web site. Digital cable is
: expensive and has only one channel which she doesn't want. The Thai TV
: web site uses Active X controls, and will not work with Mozilla. She is
: also uninterested in contacting the site developers to complain because
: she is convinced that they don't care and won't care. They have no
: shortage of customers. Their customers don't care about Windows viruses

I have been planning to write a "browser abuse demonstration page" for about a year now. Unfortunately, I have been bogged down in other things. I am thinking of pairing this with a petition to all web developers to avoid requiring client-side scripting (simply gives too much power to untrusted web-site operators). Initially the abuse would be restricted to strict HTML4.01 and JavaScript. Then I would tackle JScript, ActiveX, Simulate a Trojan Virus (cross-platform!), allow people to request script-laden e-mail, Flash, Exploit Software bugs, etc.

The problem is naive users are being conditioned into risky behavior. It is common to see web-sites request that you install "free" software to view a site. When a malicious site tells people to do the same thing, most users don't question it.

: Bummed out.

Regards,

James Phillips

: --
: _____________________
: Christopher R. Carlen
: crobc@earthlink.net
: SuSE 9.1 Linux 2.6.5
Hi there. As far as MSN clients, a good version is Centericq. This works both on Linux as well as Linux, as it's a POSIX-based application. I use it every day and I have no problems. Your wife will be able to communicate just fine with her existing contacts. Another client is AMSN, which is a GUI-based client and runs within KDE and I think Gnome also. GAIM is another client, but as its name suggests, it supports AIM exclusively through its Toc protocol, which is widely documented. A note on centericq, it supports multiple protocols, as well as an integrated RSS reader, as well as an integrated LJ client, if your wife is into that sort of thing.

--
Erik Heil <eheil@va3duk.serveftp.com>
Phone: (865) 673-0542
nephill@ecn.ab.ca wrote:
> It sounds like you shut down your whole network when windows is running.
> Most viruses (commonly written for the most popular OS) won't know what to
> do with linux. As well, a virus should need to obtain executable
> permissions before being able to run.

Mainly it's not that viruses are written for the most popular OS, but for the easiest target, which happens to be Windows. Windows is in need of some redesigning to make it more resistant to viruses in the first place.

> I disagree with the other poster on this point: you should make every
> effort to make windows as secure and as functional as possible.

Exactly. I also agree: if you use an OS, make it as secure as you possibly can.

> Enable firewall included in XP. Possibly install Zone Alarm (firewall that
> screens outgoing programs). Install an anti-virus (AVG (grisoft) is free
> for 1 computer). Make her a "user" instead of "administrator" (disallow
> users from installing programs). Try to find a program or video driver
> that will allow her to use multiple desktops under windows.
>
> The point is you will eventually run into a brick wall of artificial
> restrictions imposed on the OS by Microsoft; they cripple their own
> software so they can charge more for the "professional" or "server"
> versions. Many linux distros try to emulate windows. This is stupid. Linux
> has to do things Windows can't. (personally, I find the ability to run
> from read-only media promising)

I agree. Linux tries to imitate Windows too much, and to imitate something is to eventually become it. Linux does need to capitalize on its strengths.

> It also takes a lot of effort to make windows secure, meaning that it is
> NOT easy to use. IMO menu based interfaces are easy to learn, but hard to
> use: they get in your way once you learn where everything is.

Well Linux can be a pain to secure as well, unless the Distribution you are using did the work for you :D

> If you want specific functionality in the near future, you have to pay
> for it. Volunteers take time. Part of the problem is large companies (with
> money) implementing either proprietary or patented standards. IMO, it is
> too easy to get a patent.

Also true. Supposedly, Microsoft patented home entertainment.

> The problem is naive users are being conditioned into risky behavior. It
> is common to see web-sites request that you install "free" software to
> view a site. When a malicious site tells people to do the same thing, most
> users don't question it.

Yeah, I'd think most of Microsoft's bad rap would be ignorant users and/or users that have been conditioned into thinking and doing wrong. The rest of the "blame" goes to Microsoft for failing to protect the ignorant that they like to earn money from.

--
BOFH excuse #236: Fanout dropping voltage too much, try cutting some of those little traces
Erik Heil wrote:
> Hi there. As far as MSN clients, a good version is Centericq. This works
> both on Linux as well as Linux, as it's a POSIX-based application. I use
> it every day and I have no problems. Your wife will be able to
> communicate just fine with her existing contacts. Another client is AMSN,
> which is a GUI-based client and runs within KDE and I think Gnome also.
> GAIM is another client, but as its name suggests, it supports AIM
> exclusively through its Toc protocol, which is widely documented.

Hmmm, is this why on GAIM I'm logged into Yahoo, ICQ, AOL, and MSN simultaneously? It doesn't support AIM "exclusively". It is not even affiliated with AIM.

> A note
> on centericq, it supports multiple protocols, as well as an integrated RSS
> reader, as well as an integrated LJ client, if your wife is into that sort
> of thing.

--
BOFH excuse #334: 50% of the manual is in .pdf readme files
You will find game-vv Which is Game with video and voice works real well ( a little complex to get working but well worth it since on MSN you can do voice or video chat via linux desktop )

Kaffeine will do what Windows Media Player

Chris Carlen wrote:
> Hi:
>
> A while ago I asked about how to secure a LAN with one client running IE
> to access a site using Active X controls. In the past we ran Windows in
> VMware on Linux, so most of the time my wife used Linux.
>
> The solution I came to was this:
>
> My wife's computer now has a hardware switch to allow her to select hard
> drives. One for Linux, and one for Windows.
>
> The way the switch works is it switches the power to either the Linux
> hard drive, or the Windows one. The intention was that if she wants to
> use the Thai TV web site, she boots Windows, and the Linux hard drive is
> unpowered. Also, the other Linux box on the LAN would not be running
> when she uses Windows/IE.
>
> So Windows with IE would only ever run in a completely isolated
> environment, while when she runs Linux, then the other hard drive would
> be used, and the LAN would be in "trusted" mode. In that mode, only
> very limited Windows access to the internet (MSN messenger only) and
> none with IE would be permitted.
>
> Problem: Now that the switch is installed she only uses Windows, and it
> is impossible to have her use of her computer not coincide with my use
> of my computer. Thus the problem is now worse in terms of security, and
> worse in that my wife's usage patterns have now drifted almost entirely
> to Windows.
>
> I think the following might be the only way to save the situation:
>
> 1. Let her use IE in VMware again to access the Thai TV web site (only)
> and to use MSN chat.
>
> 2. Disable the VMware host-only network that allows it access to her
> Linux filesystem. File transfer would only be allowed by a USB cigar
> drive or something like that.
>
> 3. Firewall the Linux boxes (including the host Linux for the VMware
> machine) from all accesses from the IP of the Windows machine.
>
> 4. Continue to run NFS on the LAN, but disallow ftp and telnet since a
> snooper on the VMware Windows could see traffic. Use only ssh to gain
> remote access to the other Linux box.
>
> Things have further deteriorated since my wife bought a webcam, which
> doesn't appear to work with VMware (even the latest version) because it
> uses isochronous USB transfers. Thus she must use the real Windows for
> this. But she doesn't plan to use it all the time.
>
> She actually prefers Linux for its spaciousness, mainly, the extra
> virtual desktops. But she wants to do things that Linux just cannot do,
> thanks to Microsoft's disgusting anticompetitive acts. She wants to
> chat in Thai with her sister. Her sister uses MSN and won't be
> persuaded to change, since "all their friends use MSN."
>
> Last time I killed many hours trying to get any Linux chat client to
> work in Thai, I failed. I will try again, and maybe it can work now (I
> doubt it), but then again MSN allows webcam and sound functionality, all
> with the effort of...well just about no effort at all. And that is the
> sad fact that is making me lose a Linux convert back to Windows. I
> just cannot get Linux to compete with the functionality of Windows.
>
> Note: There is no alternative to using Windows and IE to access the web
> site, so don't even suggest just "dumping Windows". I know IE and
> Windows suck, but I want my wife to have the only access to Thai TV that
> she can get, which is through IE and that web site. Digital cable is
> expensive and has only one channel which she doesn't want. The Thai TV
> web site uses Active X controls, and will not work with Mozilla. She is
> also uninterested in contacting the site developers to complain because
> she is convinced that they don't care and won't care. They have no
> shortage of customers. Their customers don't care about Windows viruses
> and such, since they are totally conditioned to accept all that
> bullshit. In general I think it is true that for 95% of people, they
> are perfectly willing to put up with the insecurity of Windows and IE.
> They just don't care. They just want it to be *easy and fun*. They
> aren't interested in making sacrifices for matters of principle. That
> is the reality. My job is to find a reasonably secure solution to
> protect my LAN and Linux boxes from Windows.
>
> Bummed out.