From: "Bryan Phinney" <[EMAIL PROTECTED]>
> On Tuesday 05 April 2005 06:26, Anne Wilson wrote:
>
> > > An app that knows the difference between these two things?  That's not
> > > asking for much now, is it?  If I could build such a thing, nobody on
> > > this group could afford it, Cisco and the other router manufacturers
> > > would be in a bidding war to buy it for themselves.
> >
> > No, a user that knows the difference.
>
> Should have been more clear here.  Two scenarios, first a user that has
> access which I covered below, second, an app that can do it at root level
> without user access which I was pointing out is quite a stretch.
>
> > > If you have a single personal firewall-like app for Linux, that problem
> > > is solved.  If you install such an app and count on it to protect you
> > > from insecure software, you are living in a fool's paradise.
> > >
> > > Again, I don't have any problem with someone coding this, nor with
> > > running it, I simply don't see the point.  It is "Windows" dressing,
> > > nothing more.
> >
> > I don't think so.  I accept that it is not good control, but the
> > alternative seems to be complete absence of control.  If an application
> > needs to reach out to get data, as Acrobat Reader does, then it has to have
> > that ability, and I see no reason why it could not equally well send out
> > packets.  Perhaps that's because I don't understand firewalling deeply
> > enough, but the discussions on both lists are not explaining the things we
> > need to understand, like this point.
>
> Well, let's cover that really quickly.  If Acroread is only being used to
> access local data, it needs no Internet access at all.  Thus, you could
> firewall it off and still use it.  However, as I understand things, it
> integrates into a browser and may actually pull the pdf file itself.
> Assuming that is the functionality you want, there is an outgoing request to
> pull the data from the web, and then incoming packets that contain the pdf
> file.  You could probably block posts which is what is being suggested, but
> this implies an intimate knowledge of the workings of the app, knowing what
> to block versus accept.  Given the audience for this, I think that assumes
> entirely too much.
>
> Also, if Acroread is really using embedded javascript/java for this type of
> thing, it is possible that someone can code the web bug such that
> communication is sent on a port other than port 80 and well above what would
> be considered a security area that fits within the first 1024 ports.  Again,
> this requires some type of intimate knowledge of what is being done and thus
> what needs to be blocked.

So you simply block all ports for AcroRead. That's as easy as only
blocking port 80.


The cute problem is when you want to read a pdf file in your browser.
It is probably better to save the pdf file and only allow AcroRead to
access local files. So watch, the Acrobat people will include a little
app that AcroRead talks to and that little app accesses the net. It has
a different name so it can still communicate. You get into an arms race
quite literally.

It may be that the way to handle this is in the court of public opinion.
Spray this information around to all your friends. If they stop using
AcroRead and use other tools instead maybe Adobe will get the message.
(For that matter - why use AcroRead on Linux, anyway?)

{^_^}    Joanne
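
One way to block every outbound port for a single application on Linux, as discussed in this thread, is the iptables owner match keyed on a dedicated group. This is an added example, not part of the original messages; the group name `noinet`, the function names and the `sg` launch line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: a group named "noinet"
# exists and the PDF reader is started under it, for instance with
#   sg noinet -c 'acroread file.pdf'

# Print the rules for one group so they can be reviewed before use.
noinet_rules() {
    grp=$1
    for ipt in iptables ip6tables; do
        # Loopback stays open so local IPC over TCP keeps working.
        printf '%s -A OUTPUT -o lo -m owner --gid-owner %s -j ACCEPT\n' "$ipt" "$grp"
        # Log each attempt first: this shows what the app tried to reach.
        printf "%s -A OUTPUT -m owner --gid-owner %s -j LOG --log-prefix 'noinet: '\n" "$ipt" "$grp"
        # Then refuse every other outbound packet, on every port.
        printf '%s -A OUTPUT -m owner --gid-owner %s -j REJECT\n' "$ipt" "$grp"
    done
}

# Apply the rules (needs root); refuse if the group does not exist here.
noinet_apply() {
    grp=$1
    getent group "$grp" >/dev/null || { echo "no such group: $grp" >&2; return 1; }
    noinet_rules "$grp" | sh
}
```

The match is on the group of the process that owns the socket, not on the program's name, so a helper program the reader launches inherits the same restriction. Processes already running under another group are not covered.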


