RE: PCFriendly DVD Backchannel

[garberoa () WellsFargo COM]

Tiny Personal Firewall will perform, to some extent, as you've described
when set in learning mode, and will remember which apps you've allowed to
send/receive TCP/UDP on which ports. 

To the best of my knowledge, TPF will not perform the following items on
your wish list:

                        Connection options:
                  Just for the next hour
                  Just for today
                  Until XYZ.EXE terminates

                        Action:
                        Refuse the connection*
                Pretend to connect, return no data
                Allow the connection, log first 512 bytes

*TPF sends no RST, so the connection will be refused by omission.

TPF also has rather granular support for ICMP traffic, so that you can
allow/disallow specific message types. 

Best Regards,

Andrew Garberoglio, CISSP
Wells Fargo Services, Internet Technology Services

"Let us prepare to grapple with the ineffable itself, and see if we may not
eff it after all"
-Douglas Adams


-----Original Message-----
From: Olin Sibert [mailto:wos () oxford com]
Sent: Friday, March 01, 2002 9:38 PM
To: cmcurtin () interhack net
Cc: bugtraq () securityfocus com
Subject: Re: PCFriendly DVD Backchannel


  > From: Matt Curtin <cmcurtin () interhack net>
  > Date: Thu, 28 Feb 2002 17:26:58 -0500
  > To: <bugtraq () securityfocus com>
  > Subject: PCFriendly DVD Backchannel
  ...
  >   Numerous DVD titles from major movie producers between 1996 and 2000
  >   come enabled with ``PCFriendly,'' an application developed by
  >   InterActual Technologies that tracks DVD usage.  The system is
  >   designed to identify users persistently, without using an HTTP
  >   cookie, thus bypassing any privacy-enhancing technologies like
  >   cookie management software or browser configurations.  The
  >   identifying token is persistent through product registration and
  >   PCFriendly use.

It's always seemed to me that one good way to deal with this sort of
problem would be a personal firewall that sat around in the background
and popped up with questions like this:

  Greetings.  It may surprise you to learn that the program XYZ.EXE
  which you are running is attempting to connect to port 80 (http) at
  web3.wespyonyouallthetime.com (198.61.143.20).  Do you want to let it
  do that?  Last time I asked (3 days ago), you selected "Today only".
    Pick one of:  Never
                  Not this time
                  Always
                  Just this Once
                  Just for the next hour
                  Just for today
                  Until XYZ.EXE terminates
    Answer is for:  This host only
                    Any host in wespyonyouallthetime.com
    Action:  Refuse the connection
             Time out
             Pretend to connect, return no data
             Allow the connection, log first 512 bytes

Programs like BlackIce get almost all the way there, except they seem to
be only port-based, not address-based.  To avoid each user having to
make all the choices, one might distribute configuration files with
known unresirable locations already listed.  It might also be possible
for the warning to "score" the warning in some way (e.g., if the program
is not a known browser, it's somewhat more suspicious for it to be
talking to a web server).

Have I missed sme great piece of software that does this already (Linux
or Windows), or is this an unmet need?  

Thanks -- Olin Sibert <wos () oxford com>