Internet Explorer, again

From: Chris Carlen (crobc_at_BOGUS_FIELD.earthlink.net)
Date: 08/15/04

  • Next message: beatnik: "Re: Hiding the real ip address"
    Date: Sun, 15 Aug 2004 18:09:56 GMT
    
    

    Hi:

    A while ago I asked about how to secure a LAN with one client running IE
    to access a site using Active X controls. In the past we ran Windows in
    VMware on Linux, so most of the time my wife used Linux.

    The solution I came to was this:

    My wife's computer now has a hardware switch to allow her to select hard
    drives. One for Linux, and one for Windows.

    The way the switch works is it switches the power to either the Linux
    hard drive, or the Windows one. The intention was that if she wants to
    use the Thai TV web site, she boots Windows, and the Linux hard drive is
    unpowered. Also, the other Linux box on the LAN would not be running
    when she uses Windows/IE.

    So Windows with IE would only ever run in a completely isolated
    environment, while when she runs Linux, then the other hard drive would
    be used, and the LAN would be in "trusted" mode. In that mode, only
    very limited Windows access to the internet (MSN messenger only) and
    none with IE would be permitted.

    Problem: Now that the switch is installed she only uses Windows, and it
    is impossible to have her use of her computer not coincide with my use
    of my computer. Thus the problem is now worse in terms of security, and
    worse in that my wife's usage patterns have now drifted almost entirely
    to Windows.

    I think the following might be the only way to save the situation:

    1. Let her use IE in VMware again to access the Thai TV web site (only)
    and to use MSN chat.

    2. Disable the VMware host-only network that allows it access to her
    Linux filesystem. File transfer would only be allowed by a USB cigar
    drive or something like that.

    3. Firewall the Linux boxes (including the host Linux for the VMware
    machine) from all accesses from the IP of the Windows machine.

    4. Continue to run NFS on the LAN, but disallow ftp and telnet since a
    snooper on the VMware Windows could see traffic. Use only ssh to gain
    remote access to the other Linux box.

    Things have further deteriorated since my wife bought a webcam, which
    doesn't appear to work with VMware (even the latest version) because it
    uses isochronous USB transfers. Thus she must use the real Windows for
    this. But she doesn't plan to use it all the time.

    She actually prefers Linux for its spaciousness, mainly, the extra
    virtual desktops. But she wants to do things that Linux just cannot do,
    thanks to Microsoft's disgusting anticompetitive acts. She wants to
    chat in Thai with her sister. Her sister uses MSN and won't be
    persuaded to change, since "all their friends use MSN."

    Last time I killed many hours trying to get any Linux chat client to
    work in Thai, I failed. I will try again, and maybe it can work now (I
    doubt it), but then again MSN allows webcam and sound functionality, all
    with the effort of...well just about no effort at all. And that is the
    sad fact that is making me lose a Linux convert back to Windows. I
    just cannot get Linux to compete with the functionality of Windows.

    Note: There is no alternative to using Windows and IE to access the web
    site, so don't even suggest just "dumping Windows". I know IE and
    Windows suck, but I want my wife to have the only access to Thai TV that
    she can get, which is through IE and that web site. Digital cable is
    expensive and has only one channel which she doesn't want. The Thai TV
    web site uses Active X controls, and will not work with Mozilla. She is
    also uninterested in contacting the site developers to complain because
    she is convinced that they don't care and won't care. They have no
    shortage of customers. Their customers don't care about Windows viruses
    and such, since they are totally conditioned to accept all that
    bull***. In general I think it is true that for 95% of people, they
    are perfectly willing to put up with the insecurity of Windows and IE.
    They just don't care. They just want it to be *easy and fun*. They
    aren't interested in making sacrifices for matters of principle. That
    is the reality. My job is to find a reasonably secure solution to
    protect my LAN and Linux boxes from Windows.

    Bummed out.

    -- 
    _____________________
    Christopher R. Carlen
    crobc@earthlink.net
    SuSE 9.1 Linux 2.6.5
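
Steps 3 and 4 of the plan above, sketched as a host firewall for one of the Linux boxes. This is an added example, not part of the original post: the addresses are constructed sample values, and opening only ports 111 and 2049 for NFS is an assumption (mountd/lockd ports vary per setup and are not covered).

```shell
#!/bin/sh
# Prints an iptables-restore ruleset for one Linux box on the LAN.
# Both arguments are assumptions supplied by the admin, not values from the post.

gen_rules() {
    win_ip=$1    # address of the Windows/IE machine (or its VMware guest)
    lan_net=$2   # trusted LAN subnet, e.g. 192.168.1.0/24

    # Refuse anything that is not a plain dotted address before it reaches the ruleset.
    case $win_ip in
        ''|*[!0-9.]*) echo "bad Windows IP: $win_ip" >&2; return 1 ;;
    esac

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Step 3: drop everything sourced from the Windows machine, ahead of every accept rule.
-A INPUT -s $win_ip -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Step 4: ftp (21) and telnet (23) are refused outright, even from trusted hosts.
-A INPUT -p tcp -m multiport --dports 21,23 -j REJECT --reject-with tcp-reset
# Remote access is ssh only; NFS stays reachable from the rest of the LAN.
-A INPUT -s $lan_net -p tcp --dport 22 -j ACCEPT
-A INPUT -s $lan_net -p tcp -m multiport --dports 111,2049 -j ACCEPT
-A INPUT -s $lan_net -p udp -m multiport --dports 111,2049 -j ACCEPT
COMMIT
EOF
}

# Constructed sample values; print the ruleset so it can be reviewed before use.
gen_rules 192.168.1.50 192.168.1.0/24
```

Pipe the output to `iptables-restore` as root on each Linux box once the addresses match the real LAN. The source-address match only holds while the Windows machine keeps that address, so give it a fixed one.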
    
