Tiny Personal Firewall will perform, to some extent, as you've described
when set in learning mode, and will remember which apps you've allowed to
send/receive TCP/UDP on which ports.
To the best of my knowledge, TPF will not perform the following items on
your wish list:
Connection options:
Just for the next hour
Just for today
Until XYZ.EXE terminates
Action:
Refuse the connection*
Pretend to connect, return no data
Allow the connection, log first 512 bytes
*TPF sends no RST, so the connection will be refused by omission.
TPF also has rather granular support for ICMP traffic, so that you can
allow/disallow specific message types.
Best Regards,
Andrew Garberoglio, CISSP
Wells Fargo Services, Internet Technology Services
"Let us prepare to grapple with the ineffable itself, and see if we may not
eff it after all"
-Douglas Adams
-----Original Message-----
From: Olin Sibert [mailto:wos@oxford.com]
Sent: Friday, March 01, 2002 9:38 PM
To: cmcurtin@interhack.net
Cc: bugtraq@securityfocus.com
Subject: Re: PCFriendly DVD Backchannel
> From: Matt Curtin <cmcurtin@interhack.net>
> Date: Thu, 28 Feb 2002 17:26:58 -0500
> To: <bugtraq@securityfocus.com>
> Subject: PCFriendly DVD Backchannel
...
> Numerous DVD titles from major movie producers between 1996 and 2000
> come enabled with ``PCFriendly,'' an application developed by
> InterActual Technologies that tracks DVD usage. The system is
> designed to identify users persistently, without using an HTTP
> cookie, thus bypassing any privacy-enhancing technologies like
> cookie management software or browser configurations. The
> identifying token is persistent through product registration and
> PCFriendly use.
It's always seemed to me that one good way to deal with this sort of
problem would be a personal firewall that sat around in the background
and popped up with questions like this:
Greetings. It may surprise you to learn that the program XYZ.EXE
which you are running is attempting to connect to port 80 (http) at
web3.wespyonyouallthetime.com (198.61.143.20). Do you want to let it
do that? Last time I asked (3 days ago), you selected "Today only".
Pick one of: Never
Not this time
Always
Just this Once
Just for the next hour
Just for today
Until XYZ.EXE terminates
Answer is for: This host only
Any host in wespyonyouallthetime.com
Action: Refuse the connection
Time out
Pretend to connect, return no data
Allow the connection, log first 512 bytes
Programs like BlackIce get almost all the way there, except they seem to
be only port-based, not address-based. To avoid each user having to
make all the choices, one might distribute configuration files with
known unresirable locations already listed. It might also be possible
for the warning to "score" the warning in some way (e.g., if the program
is not a known browser, it's somewhat more suspicious for it to be
talking to a web server).
Have I missed sme great piece of software that does this already (Linux
or Windows), or is this an unmet need?
Thanks -- Olin Sibert <wos@oxford.com>
