Secure Tunnelling software from a usb drive?

Anonymous
June 6, 2005 8:37:09 PM

Archived from groups: comp.dcom.lans.ethernet (More info?)

Hi,

I've spent a while looking for this - does anyone know of a program
that can provide ssh and socks5 tunnelling capabilities (for use with a
secure proxy) with port forwarding so that multiple programs can be
directed to it and it will forward these requests on to a set of
specified proxies (depending on whether ssh or socks5)?

Oh, and this software must run without install. :( 

Any help would be fantastic.

Cheers,
ChampagneDP
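The forwarder the question describes (a local listener that any program can be pointed at, each accepted connection wrapped in a SOCKS5 CONNECT to an upstream proxy and relayed both ways), written out as an added example; it is not code from this thread or from any product mentioned in it. The upstream proxy (`fake_proxy`) and the destination (an echo handler) are constructed in-process stand-ins so the whole thing runs offline on 127.0.0.1; the function names and the sample payload are this example's own, and the stand-in proxy does no authentication and handles CONNECT only. The SSH half of the question is not covered here.

```python
import contextlib
import socket
import threading

SOCKS_VER, NO_AUTH, CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 5, 0, 1, 1, 3

def recv_exact(sock, n):
    """SOCKS fields are fixed-width: read exactly n bytes or fail loudly."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-handshake")
        buf += chunk
    return buf

def build_connect_request(host, port):
    """CONNECT request (RFC 1928 s.4). A host name goes out as ATYP 3 so the
    proxy resolves it: no DNS query leaves this machine."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                          # not a dotted quad: send the name
        name = host.encode("idna")           # bytes([len]) rejects names > 255
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0]) + addr + port.to_bytes(2, "big")

def read_address(sock):
    """Parse ATYP + ADDR + PORT, the tail of both requests and replies."""
    atyp = recv_exact(sock, 1)[0]
    if atyp == ATYP_IPV4:
        host = socket.inet_ntoa(recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        host = recv_exact(sock, recv_exact(sock, 1)[0]).decode("idna")
    else:
        raise ConnectionError("unsupported ATYP 0x%02x" % atyp)
    return host, int.from_bytes(recv_exact(sock, 2), "big")

def socks5_connect(proxy_addr, host, port):
    """Client side: greet offering no-auth only, send CONNECT, insist on REP == 0."""
    s = socket.create_connection(proxy_addr, timeout=5)
    s.sendall(bytes([SOCKS_VER, 1, NO_AUTH]))
    rep = "no-auth refused"
    if tuple(recv_exact(s, 2)) == (SOCKS_VER, NO_AUTH):
        s.sendall(build_connect_request(host, port))
        ver, rep, _rsv = recv_exact(s, 3)
        read_address(s)                      # BND.ADDR / BND.PORT, unused here
        if (ver, rep) == (SOCKS_VER, 0):
            s.settimeout(None)               # handshake done; the tunnel may idle
            return s
    s.close()
    raise ConnectionError("SOCKS5 CONNECT to %s:%d failed (REP=%s)" % (host, port, rep))

def pump(src, dst):
    """Copy one direction until EOF or error, then half-close the other side."""
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def relay(a, b):
    for src, dst in ((a, b), (b, a)):
        threading.Thread(target=pump, args=(src, dst), daemon=True).start()

def serve(listener, handler):
    while True:                              # one daemon thread per connection
        c, _ = listener.accept()
        threading.Thread(target=handler, args=(c,), daemon=True).start()

def forward(client, proxy_addr, dest):
    """The piece the question asks for: whatever connects to the local listener
    is tunnelled through the SOCKS5 proxy at proxy_addr to dest = (host, port)."""
    try:
        relay(client, socks5_connect(proxy_addr, *dest))
    except (OSError, ConnectionError):
        client.close()

def fake_proxy(c):
    """Constructed stand-in for the upstream SOCKS5 proxy: no-auth, CONNECT only."""
    ver, nmethods = recv_exact(c, 2)
    if ver != SOCKS_VER or NO_AUTH not in recv_exact(c, nmethods):
        c.sendall(bytes([SOCKS_VER, 0xFF]))
        return c.close()
    c.sendall(bytes([SOCKS_VER, NO_AUTH]))
    _ver, cmd, _rsv = recv_exact(c, 3)
    host, port = read_address(c)
    target = socket.create_connection((host, port)) if cmd == CMD_CONNECT else None
    c.sendall(bytes([SOCKS_VER, 0 if target else 7, 0, ATYP_IPV4]) + b"\0" * 6)
    relay(c, target) if target else c.close()

def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """app -> forward -> fake_proxy -> echo (constructed destination) and back."""
    dest, proxy, fwd = (socket.create_server(("127.0.0.1", 0)) for _ in range(3))
    for lst, h in ((dest, lambda c: pump(c, c)), (proxy, fake_proxy),
                   (fwd, lambda c: forward(c, proxy.getsockname(), dest.getsockname()))):
        threading.Thread(target=serve, args=(lst, h), daemon=True).start()
    with socket.create_connection(fwd.getsockname(), timeout=5) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: app.recv(4096), b""))
```

Calling `demo()` pushes one request through app, forwarder, proxy and echo and returns what came back. The detail worth copying is in `build_connect_request`: a host name is handed to the proxy as ATYP 3 rather than resolved locally, because a forwarder that does its own lookups leaks every destination to the local resolver even though the payload itself goes through the proxy.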
Anonymous
June 9, 2005 6:35:29 PM

champagnedatepack@gmail.com wrote:
> Hi,
>
> I've spent a while looking for this - does anyone know of a program
> that can provide ssh and socks5 tunnelling capabilities (for use with a
> secure proxy) with port forwarding so that multiple programs can be
> directed to it and it will forward these requests on to a set of
> specified proxies (depending on whether ssh or socks5)?
>
> Oh, and this software must run without install. :( 
>
> Any help would be fantastic.
>
> Cheers,
> ChampagneDP
>

So in effect you want a way to do ssh and socks5 tunnelling from a
machine that is locked down and won't allow you to run the windows
installer.

If you can't run install on the machine THERE IS A REASON FOR IT and I
for one ain't gonna help you circumvent it.
Anonymous
June 10, 2005 10:38:29 AM

I understand your point - if a machine has installation restricted,
it's for a reason... but I'm not trying to install anything by force -
if that were the case I'd just be looking for cracks to attain
administrator privilege.

Instead, I'm looking for a program that, as you say, facilitates SSL
and SOCKS v5 tunneling (including port hiding) that runs without
registry read/writes and so needs no installations. Very different
kettle of fish.

Why? Well as you may know, Primedius offer a USB program that runs a
version of linux with firefox etc... installed, so that people on the
move can utilise public boxes without being monitored, for whatever
reason (the desire for privacy isn't always a bad thing). I was just
looking for the equivalent that doesn't require you to boot off a
removable drive, and which also doesn't tie you to primedius.

I hope I've cleared that up - any ideas would be great. Thanks.
Anonymous
June 10, 2005 4:04:54 PM

champagnedatepack@gmail.com wrote:
> I understand your point - if a machine has installation restricted,
> it's for a reason... but i'm not trying to install anything by force -
> if that were the case I'd just be looking for cracks to attain
> administrator privilege.
>
> Instead, I'm looking for a program that, as you say, facilitates SSL
> and SOCKS v5 tunneling (including port hiding) that runs without
> registry read/writes and so needs no installations. Very different
> kettle of fish.
>

Um, no, thats exactly what I thought you meant.

> Why? Well as you may know, Primedius offer a USB program that runs a
> version of linux with firefox etc... installed, so that people on the
> move can utilise public boxes without being monitored, for whatever
> reason (the desire for privacy isn't always a bad thing).

The desire to circumvent authorized monitoring IS always a bad thing. If
someone wants to use anonymous proxies they should do it from their own
machine. This sort of thing should not happen without permission from
the owner of the machine. Period.

> I was just
> looking for the equivalent that doesnt require you to boot off a
> removable drive, and which also doesnt tie you to primedius.
>
> I hope I've cleared that up - any ideas would be great. Thanks.

I don't think such an animal exists. Closest I have seen would be the
later versions of HipCrime's news agent, which would run without install
and supported socks5 (as well as TLS), but only does NNTP. And it's been
mostly purged from the net - you can't get a copy of it easily nowadays.
Anonymous
June 10, 2005 8:33:11 PM

T. Sean Weintz <strap@hanh-ct.org> wrote:
> The desire to circumvent authorized monitoring IS always
> a bad thing.

Perhaps. But what constitutes "authorized"? Email
snooping? And a desire to circumvent UNauthorized
monitoring IS always a good thing.

> If someone wants to use anonymous proxies they should
> do it from their own machine.

Everything not expressly allowed is presumed forbidden?
Perhaps in Germany but not in America. If an owner
doesn't want others to use anonymous proxies, can't
they just route them to 127.0.0.1?

> This sort of thing should not happen without permission
> from the owner of the machine. Period.

Why? What legitimate owner's interest is being protected?
What requires machine-level monitoring rather than
firewall/gateway monitoring?

On one level, a cybercafe owner or employer has certain rights.
But the user also has certain privacy rights [inalienable
in the EU] that the machine owner simply may not be able
to provide. Maybe then the machine should not be used.
But maybe a smart owner would allow non-damaging use?

-- Robert in Houston
Anonymous
June 10, 2005 9:03:28 PM

Robert Redelmeier wrote:
> T. Sean Weintz <strap@hanh-ct.org> wrote:
>
>>The desire to circumvent authorized monitoring IS always
>>a bad thing.
>
>
> Perhaps. But what constitutes "authorized"? Email
> snooping? And a desire to circumvent UNauthorized
> monitoring IS always a good thing.


Yes, of course. But this guy explicitly stated he wants something he can
run on public machines (I assume library or cybercafe, maybe school?)
computers without having to do an install. Either the machine is locked
and doesn't allow installs, or he simply does not want to leave evidence
that he was running the program on the PC - either of which would seem
to indicate he is doing something he should not be doing.

BTW, email snooping is not necessarily a bad thing. And of course on an
employers machine one has no right to expect that it won't be snooped.
And in fact for public companies, Sarbanes-Oxley REQUIRES them to keep
an unaltered archive of every email you send or receive at your job.

>
>
>>If someone wants to use anonymous proxies they should
>>do it from their own machine.
>
>
> Everything not expressly allowed is presumed forbidden?
> Perhaps in Germany but not in America. If an owner
> doesn't want others to use anonymous proxies, can't
> they just route them to 127.0.0.1?
>

With private property, I'd say yes. Even in the USA. If I loan someone
my car to drive to the store, and they drive across country instead,
you can sure as hell bet they will be arrested for car theft. Even if I
didn't specifically tell them not to drive cross country in it.

But it seems that in this case, software installation WAS expressly
forbidden - he wants something that will run without an install. Why?
Either installs are disabled, meaning the owner does not want software
other than what is on the machine run, or this guy wants to hide the
fact he ran the software on the box, which implies he knows the owner
doesn't want him doing it.

>
>>This sort of thing should not happen without permission
>>from the owner of the machine. Period.
>
>
> Why? What legitimate owner's interest is being protected?
> What requires machine-level monitoring rather than
> firewall/gateway monitoring?

The legitimate owner interest being protected is the simple right to
decide what their machine is used for!

>
> On one level, a cybercafe owner or employer has certain rights.
> But the user also has certain privacy rights [inalienable
> in the EU] that the machine owner simply may not be able
> to provide. Maybe then the machine should not be used.
> But maybe a smart owner would allow non-damaging use?
>
> -- Robert in Houston
>
Anonymous
June 11, 2005 1:09:06 AM

On Mon, 06 Jun 2005 16:37:09 -0700, champagnedatepack wrote:

> Hi,
>
> I've spent a while looking for this - does anyone know of a program that
> can provide ssh and socks5 tunnelling capabilities (for use with a secure

ssh: yes
socks5: no

Go to google for "putty ssh", and find a nice little ssh/telnet client. No
problem running it from any machine

> proxy) with port forwarding so that multiple programs can be directed to
> it and it will forward these requests on to a set of specified proxies
> (depending on whether ssh or socks5)?
>
> Oh, and this software must run without install. :( 

No problem - no install. Only the fingerprint of the target server is
saved on the local machine.
Anonymous
June 11, 2005 4:30:19 AM

T. Sean Weintz <strap@hanh-ct.org> wrote:
> Either the machine is locked and doesn't allow installs,
> or he simply does not want to leave evidence that he was
> running the program on the PC - either of which would seem
> to indicate he is doing something he should not be doing.

Ah, but the usual reason for locking machines is to
reduce maintenance on fragile MS-Windows systems. And to
facilitate recovery by data-free reimaging.

To answer part of the OP's question, s/he could put Simon
Tatham's `putty.exe` on a USB stick. I really cannot see
what harm running it (a terminal emulator) would cause.

> BTW, email snooping is not neccessarily a bad thing. And of
> course on an employers machine one has no right to expect
> that it won't be snooped.

I do not believe this is true in the EU, where email
privacy is supposed to be guaranteed.

> And in fact for public companies, Sarbanes-Oxley REQUIRES
> them to keep an unaltered arcvhive of every email you send
> or recieve at your job.

IANAL SOx requires no such thing. It requires that any
public-trading relevant emails be retained for specified
periods. Some lazy companies implement it by archiving
everything. Dangerous for later discovery. My division has
been told that we are not material for SOx purposes, but need
to retain anything that might be ourselves. Some companies
may also run afoul of EU privacy law if they retain/archive
emails of EU residents that are not from US employees.

> Even in the USA. If I loan someone my car to drive to the
> store, and they drive accross country instead, you can sure
> as hell bet they will be arrested for car theft. Even if

Not in the USA. Theft is the taking without authorization.
Keeping it overlong or unauthorized use are very different offenses,
if they exist at all. Some states have recently had to
add laws to cover car renters who kept the cars past due.

-- Robert
Anonymous
June 11, 2005 5:38:34 PM

T. Sean Weintz wrote:

(snip)

> Yes, of course. But this guy explicitly stated he wants something he can
> run on public machines (I assume library or cybercafe, maybe school?)
> computers without having to do an install. Either the machine is locked
> and doesn't allow installs, or he simply does not want to leave evidence
> that he was running the program on the PC - either of which would seem
> to indicate he is doing something he should not be doing.

Most unix software can be installed by a user in the users own
directory without root access. Most windows software, even if it
doesn't do anything that needs privilege, needs Administrator
access to install. There is no reason it needs to be that way
as far as security goes, but that is the way it is.

-- glen
Anonymous
June 13, 2005 4:06:33 PM

Robert Redelmeier wrote:

>
> Not in the USA. Theft is the taking without authorization.
> Keeping it overlong or unauthorized use are very different offenses,
> if they exist at all. Some states have recently had to
> add laws to cover car renters who kept the cars past due.
>
> -- Robert
>

Interesting. However I do know someone who was arrested for car theft
once when doing exactly what I described - borrowing it to go to the
store and deciding to drive to virginia instead.
Anonymous
June 13, 2005 4:06:34 PM

In article <11arbo9rasj5t69@news.supernews.com>,
"T. Sean Weintz" <strap@hanh-ct.org> wrote:

> Robert Redelmeier wrote:
>
> >
> > Not in the USA. Theft is the taking without authorization.

Most American criminal law is *state* law, not federal. What constitutes
theft is generally determined from a state-by-state statutory
definition.

For example, the common-law definition of theft is the unlawful taking
of personal property *with the intent to permanently deprive* its
rightful owner. However, in California, there is no such "specific
intent" requirement, and one can be guilty of theft if they "feloniously
steal, take, carry, lead, or drive away the personal property of another
.... ."
Cal. Penal Code § 484 (West 2005).

(I am not a lawyer; I *am* a law student in my last year of study.)

> > Keeping it overlong or unauthorized use are very different offenses,
> > if they exist at all. Some states have recently had to
> > add laws to cover car renters who kept the cars past due.
> >

California, being a land of cars and car rentals, enacted such a law in
1959 (more than 45 years ago), and it has not been amended since!
"Whenever any person who has leased or rented a vehicle wilfully and
intentionally fails to return the vehicle to its owner within five days
after the lease or rental agreement has expired, that person shall be
presumed to have embezzled the vehicle."
Cal. Veh. Code § 10855 (West 2005).

The presumption affects the burden of evidence. That is, if you keep
your rental car more than five days after you were supposed to return
it, the law presumes that you have embezzled (stolen) it, and the burden
shifts to you to show that you had a legally valid reason to keep
possession beyond the rental contract terms.

>
> Interesting. However I do know someone who was arrested for car theft
> once when doing exactly what I described - borrowing it to go to the
> store and deciding to drive to virginia instead.

The law may be different in that state, or the offense might have
involved a federal statute, having crossed state lines with the car.


--
Rich Seifert Networks and Communications Consulting
21885 Bear Creek Way
(408) 395-5700 Los Gatos, CA 95033
(408) 228-0803 FAX

Send replies to: usenet at richseifert dot com
Anonymous
June 13, 2005 4:09:15 PM

Robert Redelmeier wrote:

> To answer part of the OP's question, s/he could put Simon
> Tatham's `putty.exe` on a USB stick. I really cannot see
> what harm running it (a terminal emulator) would cause.

No harm. But that does not seem to be what the original poster was
looking for. he/she seemed to want something more along the lines of
what sockschain does, but without the need to do an install. The OP
specifically said they were looking for something that other
applications will plug into. I took that to mean something "sockscap" like.
Anonymous
June 13, 2005 6:07:20 PM

Robert Redelmeier wrote:

> T. Sean Weintz <strap@hanh-ct.org> wrote:
>> Either the machine is locked and doesn't allow installs,
>> or he simply does not want to leave evidence that he was
>> running the program on the PC - either of which would seem
>> to indicate he is doing something he should not be doing.
>
> Ah, but the usual reason for locking machines is to
> reduce maintenance on fragile MS-Windows systems.

Well, actually the usual reason is to keep users from writing into the
system area. This effectively prevents software installation because
software developers insist on writing to the system areas even when they
have no legitimate need to do so. If you are installing an application on
a default-configured XP or Server 2K3 system from a nonprivileged account,
and it won't install, think very hard about whether you want to let that
developer make changes to the system files before you log in as
administrator to install.

Unix systems are locked down in the same manner for the same reason; however,
Unix has had that security model from the start and so the developers have
learned the hard way that there are things that their user applications
will not be allowed to do, and so application installation is not a
problem.

> And to
> facilitate recovery by data-free reimaging.
>
> To answer part of the OP's question, s/he could put Simon
> Tatham's `putty.exe` on a USB stick. I really cannot see
> what harm running it (a terminal emulator) would cause.
>
>> BTW, email snooping is not neccessarily a bad thing. And of
>> course on an employers machine one has no right to expect
>> that it won't be snooped.
>
> I do not believe this is true in the EU, where email
> privacy is supposed to be guaranteed.

I'm curious as to the specific legislation--I haven't been able to find
anything that says that employers in the EU cannot monitor their employees
mail--I have found some references to specific legislation in specific
member countries but nothing that would apply to the EU as a whole.

I'm not disputing you, I would just like to read the legislation.

>> And in fact for public companies, Sarbanes-Oxley REQUIRES
>> them to keep an unaltered arcvhive of every email you send
>> or recieve at your job.
>
> IANAL SOx requires no such thing. It requires that any
> public-trading relevant emails be retained for specified
> periods. Some lazy companies implement it by archiving
> everything. Dangerous for later discovery. My divisiion has
> been told that we are not material for SOx purposes, but need
> to retain anything that might be ourselves. Some companies
> may also run afoul of EU privacy law if they retain/archive
> emails of EU residents that are not from US employees.
>
>> Even in the USA. If I loan someone my car to drive to the
>> store, and they drive accross country instead, you can sure
>> as hell bet they will be arrested for car theft. Even if
>
> Not in the USA. Theft is the taking without authorization.
> Keeping it overlong or unauthorized use are very different offenses,
> if they exist at all. Some states have recently had to
> add laws to cover car renters who kept the cars past due.
>
> -- Robert

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Anonymous
June 13, 2005 10:56:25 PM

T. Sean Weintz <strap@hanh-ct.org> wrote:
> No harm. But that does not seem to be what the original
> poster was looking for. he/she seemed to want something
> more along the lines of what sockschain does, but without
> the need to do an install. The OP specifically said they
> were looking for something that other applications will
> plug into. I took that to mean something "sockscap" like.

Well, humph! I'm not entirely sure what this `sockschain`
does but why would it need an install if the system can read
removable media and run executables from there. A "locked-down"
system might easily be configured this way. Or not, at the
administrators discretion.

Without a "no outside executables" clause in the TOS, I'd
assume a system configured to execute from removable media
also allowed such execution. And a no-exec TOS clause is
unenforceable: What about Javascript that many sites use?
I'm pretty sure a `putty.exe` limited clone could be written
in JS and dropped on some website. Maybe even `sockschain`

There really is nothing special about "Installs" beyond loading
executables and mapping libs & other files. With CoW VM systems,
the media cannot be removed until the process is done.

Of course proxying opens up a whole can of worms. I would
hope no MS-WindowsNT+ system would allow non-Administrator
processes to listen on privileged ports (<1000). And anyone
hitting non-privileged ports cannot count on security.

sockschain seems to use 1080 or maybe 8080. There might be some
nefarious ways a black-hat cybercafe user might [further] corrupt
MS-IE to get all users HTTP traffic relayed through their machine.
Nasty, but the crime is not in what their [rented] machine is doing,
but in their sending instructions that accessed others machines.

Not that law enforcement is likely to understand the distinction.
They'd probably say "Spying is RONG unless we're doing it".

-- Robert
Anonymous
June 13, 2005 11:23:07 PM

Robert Redelmeier wrote:
> T. Sean Weintz <strap@hanh-ct.org> wrote:
>
>>No harm. But that does not seem to be what the original
>>poster was looking for. he/she seemed to want something
>>more along the lines of what sockschain does, but without
>>the need to do an install. The OP specifically said they
>>were looking for something that other applications will
>>plug into. I took that to mean something "sockscap" like.
>
>
> Well, humph! I'm not entirely sure what this `sockschain`
> does but why would it need an install if the system can read
> removable media and run executables from there.

You *nix folks seem to forget a little thing we have in the windoze
world called the registry. Oftentimes installs set up default values in
the registry that the program needs to have in place to run. Also DLL
registration can be important. Need that for many programs to run.
That's also usually handled by the install.

> A "locked-down"
> system might easily be configured this way. Or not, at the
> administrators discretion.

Or, you can of course disable the windows installer via group policy, or
restrict executables (in effect create a list of files the user can
execute - all else is verboten and will generate an error dialog)

>
> Without a "no outside executables" clause in the TOS, I'd
> assume a system configured to execute from removable media
> also allowed such execution. And a no-exec TOS clause is
> unenforceable: What about Javascript that many sites use?
> I'm pretty sure a `putty.exe` limited clone could be written
> in JS and dropped on some website. Maybe even `sockschain`

Sure. And similar things have been done. That is EXACTLY why hipcrime
wrote newsagent in Java.

That's also why I have seen java filtered at the firewall in many
places, and no JRE installed on the desktops.


>
> There really is nothing special about "Installs" beyond loading
> executables and mapping libs & other files.

Depends on the OS. Most have some sort of an "execute" flag for file
privileges. With some (windoze, fer instance) there is a bit more
needed than just the ability to read the executable and any libraries in
some cases.

> With CoW VM systems,
> the media cannot be removed until the process is done.
>
> Of course proxying opens up a whole can of worms. I would
> hope no MS-WindowsNT+ system would allow non-Administrator
> processes to listen on privileged ports (<1000). And anyone
> hitting non-privileged ports cannot count on security.
>
> sockschain seems to use 1080 or maybe 8080.

For the outgoing connection. Also plain old port 80 is quite common for
http tunneling in addition to the more common port 8080 and 3172.

However, it'll use whatever port the proxy is set up on - could be ANY
port. Depends on what the bonehead who set up the open proxy in the
first place did.

> There might be some
> nefarious ways a black-hat cybercafe user might [further] corrupt
> MS-IE to get all users HTTP traffic relayed through their machine.
> Nasty, but the crime is not in what their [rented] machine is doing,
> but in their sending instructions that accessed others machines.
>
> Not that law enforcement is likely to understand the distinction.
> They'd probably say "Spying is RONG unless we're doing it".
>
> -- Robert
>
Anonymous
June 14, 2005 1:51:37 AM

J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
> Well, actually the usual reason is to keep users from
> writing into the system area.

Yes, that is a good reason to lock-down. It reduces maintenance.

> This effectively prevents software installation because
> software developers insist on writing to the system areas
> even when they have no legitimate need to do so.

Yes, and I do not understand why. I consider it the mark of
good commercial MS-Windows software that it be fully installable
by a user account unless system control is needed. When I have
the misfortune of setting up an MS-WinXP box, I always set up
multiple users without Administrator privileges.

> If you are installing an application on a default-configured
> XP or Server 2K3 system from a nonprivileged account, and
> it won't install, think very hard about whether you want to
> let that developer make changes to the system files before
> you log in as administrator to install.

A good point. I presume it is usually because the install
wants to write to \WINDOWS\ somewhere, not necessarily trash
files. Yet the MS-DOS/Windows install model has always been
under /opt/progname and not the Unix scattering of files to
/usr/bin, /usr/lib, and ~/.progname There is no reason to
write to C:\WINDOWS.

> Unix systems are locked down in the same manner for the same
> reason, however Unix has had that security model from the start
> and so the developers have learned the hard way that there are
> things that their user applications will not be allowed to do,
> and so application installation is not a problem.

Well, for full installs, usually you need to do `make install`
as root. But Unix software makes do not assume that you can
or want to be root. MS Windows still has the philosophy of
the user being "Administrator" when this is provably dangerous.

> I'm not disputing you, I would just like to read the
> legislation.

Among other Google hits, see:
http://www.wrf.com/publication_newsletters.cfm?sp=newsl...

-- Robert
Anonymous
June 14, 2005 1:51:38 AM

Robert Redelmeier wrote:

>
> Well, for full installs, usually you need to do `make install`
> as root. But Unix software makes do not assume that you can
> or want to be root. MS Windows still has the philosophy of
> the user being "Administrator" when this is provably dangerous.

Not true. these days the default on windows XP machines in a domain is
to have users have no write access to the c:\windows dir, as well as the
machine hive of the registry.

Unfortunately most lower end and niche market software vendors can't
seem to understand this concept. They act amazed when their install
crashes on a default setup.
Anonymous
June 14, 2005 3:29:03 AM

T. Sean Weintz <strap@hanh-ct.org> wrote:
>> MS Windows still has the philosophy of the user being
>> "Administrator" when this is provably dangerous.
>
> Not true.

Sure it is.

> these days the default on windows XP machines in a domain
> is to have users have no write access to the c:\windows dir,
> as well as the machine hive of the registry.

Ah, but that only applies when machines are setup as multi-user.
Most consumer machines are set up with one user "Owner"
who also has Administrator access. As usual, MS has chosen
technically inferior but economically superior [for them] defaults.
They reduce tech support calls from "can't do this" at a cost in
"my system has a virus" which they don't handle.

> Unfortunately most lower end and niche market software
> vendors can't seem to understand this concept. They act
>> amazed when their install crashes on a default setup.

Yes. But the increase in unwriteable c:\windows might
cause them to fix their bugfests.

-- Robert
Anonymous
June 14, 2005 4:28:17 AM

In article <11as5as8dhoroce@news.supernews.com>,
T. Sean Weintz <strap@hanh-ct.org> wrote:
:You *nix folks seem to forget a little thing we have in the windoze
:world called the registry.

Oh, we don't forget it, you can be sure ;-)

:Oftentimes installs set up default values in
:the registry that the program needs to have in place to run.

Hmmm, what's this .ini file doing in my folder?


:Also DLL
:registration can be important. Need that for many programs to run.

The 'D' in 'DLL' stands for 'Dynamic'. Without knowing the details
of Windows, it seems to me rather likely that the search path
to find DLL's is one of the things under the control of the
program.

Or at least in Unix, "dynamic" linking implies dynamic paths.
If the paths aren't dynamic, then one speaks of "shared" libraries
rather than of "dynamic" libraries.
--
I was very young in those days, but I was also rather dim.
-- Christopher Priest
Anonymous
June 14, 2005 5:52:03 AM

Robert Redelmeier wrote:

> J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
>> Well, actually the usual reason is to keep users from
>> writing into the system area.
>
> Yes, that is a good reason to lock-down. It reduces maintenance.
>
>> This effectively prevents software installation because
>> software developers insist on writing to the system areas
>> even when they have no legitimate need to do so.
>
> Yes, and I do not understand why. I consider it the mark of
> good commercial MS-Windows software that it be fully installable
> by a user account unless system control is needed. When I have
> the misfortune of setting up an MS-WinXP box, I always set up
> multiple users without Administrator privileges.
>
>> If you are installing an application on a default-configured
>> XP or Server 2K3 system from a nonprivileged account, and
>> it won't install, think very hard about whether you want to
>> let that developer make changes to the system files before
>> you log in as administrator to install.
>
> A good point. I presume it is usually because the install
> wants to write to \WINDOWS\ somewhere, not necessarily trash
> files. Yet the MS-DOS/Windows install model has always been
> under /opt/progname and not the Unix scattering of files to
> /usr/bin, /usr/lib, and ~/.progname There is no reason to
> write to C:\WINDOWS.
>
>> Unix systems are locked down in the same manner for the same
>> reason, however Unix has had that security model from the start
>> and so the developers have learned the hard way that there are
>> things that their user applications will not be allowed to do,
>> and so application installation is not a problem.
>
> Well, for full installs, usually you need to do `make install`
> as root. But Unix software makes do not assume that you can
> or want to be root. MS Windows still has the philosophy of
> the user being "Administrator" when this is provably dangerous.
>
>> I'm not disputing you, I would just like to read the
>> legislation.
>
> Among other Google hits, see:
>
http://www.wrf.com/publication_newsletters.cfm?sp=newsl...

I've found numerous similar--they all discuss the transfer of data from
personnel files, not the monitoring of email. That one mentions it in
passing but doesn't say anything about what is or is not allowed.
>
> -- Robert

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Anonymous
June 14, 2005 5:54:13 AM

Robert Redelmeier wrote:

> T. Sean Weintz <strap@hanh-ct.org> wrote:
>>> MS Windows still has the philosophy of the user being
>>> "Administrator" when this is provably dangerous.
>>
>> Not true.
>
> Sure it is.
>
>> these days the default on windows XP machines in a domain
>> is to have users have no write access to the c:\windows dir,
>> as well as the machine hive of the registry.
>
> Ah, but that only applies when machines are setup as multi-user.
> Most consumer machines are set up with one user "Owner"
> who also has Administrator access. As usual, MS has chosen
> technically inferior but economically superior [for them] defaults.
> They reduce tech support calls from "can't do this" at a cost in
> "my system has a virus" which they don't handle.

Actually, Microsoft has been tightening the defaults over time. XP doesn't
force one to create a user account but it "encourages" it. They seem to be
trying to herd the developers rather than bludgeon them, but it's easier to
herd cats.

>> Unfortunately most lower end and niche market software
>> vendors can't seem to understand this concept. They act
>> amazed when their installs crash on a default setup.
>
> Yes. But the increase in unwriteable c:\windows might
> cause them to fix their bugfests.
>
> -- Robert

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Anonymous
June 14, 2005 4:25:45 PM

Archived from groups: comp.dcom.lans.ethernet

Robert Redelmeier wrote:

(snip regarding the ability, or lack thereof, to run programs
under windows without installing them.)

> Without a "no outside executables" clause in the TOS, I'd
> assume a system configured to execute from removable media
> also allowed such execution. And a no-exec TOS clause is
> unenforceable: What about Javascript that many sites use?
> I'm pretty sure a `putty.exe` limited clone could be written
> in JS and dropped on some website. Maybe even `sockschain`

> There really is nothing special about "Installs" beyond loading
> executables and mapping libs & other files. With CoW VM systems,
> the media cannot be removed until the process is done.

> Of course proxying opens up a whole can of worms. I would
> hope no MS-WindowsNT+ system would allow non-Administrator
> processes to listen on privileged ports (<1000). And anyone
> hitting non-privileged ports cannot count on security.

While some versions of windows may provide that restriction,
I don't believe that DOS did, and likely not MacTCP either.
I am not sure now about Win3.1 or Win95.

(The DOS networking programs I used to know provided their
own TCP stack, writing directly to the hardware.)

If you allow machines on the net that can run DOS you have
almost no protection against unprivileged users on low
numbered ports.

-- glen
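The restriction Robert hopes for and glen doubts can be checked directly on a given host. The script below is an added example, not code from the thread: it attempts to bind a TCP listener on a privileged port (80 by default) and on an OS-chosen ephemeral port (port 0) as whatever user runs it, then reports whether the kernel refused the low port. It leaves nothing listening; each socket is closed immediately after the bind attempt.

```python
import errno
import socket


def probe_bind(port, host="127.0.0.1"):
    """Try to bind a TCP listener on host:port and report the OS decision.

    Returns "bound", "permission-denied", "in-use" or "error:<ERRNO_NAME>".
    The socket is closed right away, so nothing is left listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "bound"
    except PermissionError:
        # EACCES: the kernel refused because the port is privileged
        # and the caller lacks the right (root / CAP_NET_BIND_SERVICE).
        return "permission-denied"
    except OSError as exc:
        # Windows reports a busy port with WSAEADDRINUSE rather than EADDRINUSE.
        busy = (errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", -1))
        if exc.errno in busy:
            return "in-use"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def privileged_port_enforced(privileged_port=80, ephemeral_port=0):
    """Probe one privileged and one ephemeral port and return a verdict.

    Result is a dict with both probe results and a "verdict" key:
      "enforced"      - low port refused, ephemeral port granted
      "not-enforced"  - both granted (running as root/Administrator,
                        or the OS has no privileged-port concept)
      "inconclusive"  - low port busy, or sockets unavailable
    """
    low = probe_bind(privileged_port)
    high = probe_bind(ephemeral_port)
    if high != "bound":
        verdict = "inconclusive"
    elif low == "permission-denied":
        verdict = "enforced"
    elif low == "bound":
        verdict = "not-enforced"
    else:
        verdict = "inconclusive"
    return {"privileged": low, "ephemeral": high, "verdict": verdict}


if __name__ == "__main__":
    print(privileged_port_enforced())
```

Run it as an ordinary (non-root, non-Administrator) user for the result to mean anything. On Linux the expected verdict is "enforced" unless the process holds CAP_NET_BIND_SERVICE or the administrator has lowered net.ipv4.ip_unprivileged_port_start; on Windows the usual verdict is "not-enforced", because Windows does not reserve ports below 1024 for privileged users at all, which is the opposite of what Robert hopes for.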
Anonymous
June 14, 2005 5:37:58 PM

Archived from groups: comp.dcom.lans.ethernet

J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
>> http://www.wrf.com/publication_newsletters.cfm?sp=newsl...
>
> I've found numerous similar--they all discuss the transfer of data from
> personnel files, not the monitoring of email. That one mentions it in
> passing but doesn't say anything about what is or is not allowed.

Actually the para under "EU subs handling HR data"
is very general and includes more than just email.
Unfortunately, it does not include references.

A more general problem is that the European Data Protection
Directive is just that, a directive that is not law until
it is implemented in the various countries. Each will do it
slightly differently. And most are civil code, not common law,
so precedents don't have the same force. Also, employment
is not "at will" but a protected contract.

Unfortunately, nothing is clear in this evolving area.

An employer is probably safe if they monitor for legal compliance
(vicarious liability) or as a result of statutory obligation (SOx).

But they'd better enforce uniformly, even in the US. A clever
US lawyer can allege wrongful dismissal (age or religious
discrimination): [deposition] "You fired Mr Jones for downloading
123 MB of pr0n" "Yes" "How did you know?" "We checked logs"
[discovers logs] "These show Ms Smith downloaded 4 GB.
What happened to her?"

-- Robert
Anonymous
June 14, 2005 5:37:59 PM

Archived from groups: comp.dcom.lans.ethernet

Robert Redelmeier wrote:

> J. Clarke <jclarke.usenet@snet.net.invalid> wrote:
>>>
http://www.wrf.com/publication_newsletters.cfm?sp=newsl...
>>
>> I've found numerous similar--they all discuss the transfer of data from
>> personnel files, not the monitoring of email. That one mentions it in
>> passing but doesn't say anything about what is or is not allowed.
>
> Actually the para under "EU subs handling HR data"
> is very general and includes more than just email.
> Unfortunately, it does not include references.

But "HR data" is not email generated by the employee, it is personnel files
containing information _about_ the employee generated by the Human
Resources department.

> A more general problem is that the European Data Protection
> Directive is just that, a directive that is not law until
> it is implemented in the various countries. Each will do it
> slightly differently. And most are civil code, not common law,
> so precedents don't have the same force. Also, employment
> is not "at will" but a protected contract.
>
> Unfortunately, nothing is clear in this evolving area.
>
> An employer is probably safe if they monitor for legal compliance
> (vicarious liability) or as a result of statutory obligation (SOx).
>
> But they'd better enforce uniformly, even in the US. A clever
> US lawyer can allege wrongful dismissal (age or religious
> discrimination): [deposition] "You fired Mr Jones for downloading
> 123 MB of pr0n" "Yes" "How did you know?" "We checked logs"
> [discovers logs] "These show Ms Smith downloaded 4 GB.
> What happened to her?"
>
> -- Robert

--
--John
to email, dial "usenet" and validate
(was jclarke at eye bee em dot net)
Anonymous
June 14, 2005 6:01:12 PM

Archived from groups: comp.dcom.lans.ethernet

Rich Seifert <usenet@richseifert.com.invalid> wrote:
> Most American criminal law is *state* law, not federal.
> What constitutes theft is generally determined
> from a state-by-state statutory definition.

Quite true. A simplification on my part. In some
states, theft-by-fraud is fraud/embezzlement, not theft.

> For example, the common-law definition of theft is the
> unlawful taking of personal property *with the intent
> to permanently deprive* its rightful owner

In our "drive to Virginia" example, it might be difficult
to show that "intent to permanently deprive", especially
if he came back.

> (I am not a lawyer; I *am* a law student in my last year
> of study.)

Congrats!

-- Robert
Anonymous
June 16, 2005 4:18:58 AM

Archived from groups: comp.dcom.lans.ethernet

Rich Seifert wrote:
[snip]
> (I am not a lawyer; I am a law student in my last year of study.)

Damn...and I used to respect you too! ;) 

--

hsb


"Somehow I imagined this experience would be more rewarding" Calvin
**************************ROT13 MY ADDRESS*************************
Due to the volume of email that I receive, I may not be able to
reply to emails sent to my account. Please post a followup instead.
********************************************************************
!