Condition where LooknStop fails Firehole leak test

Discussion in 'other firewalls' started by Soul_Flame, Apr 23, 2002.

Thread Status:
Not open for further replies.
  1. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    I've found a scenario where, at least on my computer, LooknStop fails the Firehole leak test. The conditions are:

    1. Opera 6.x is the default browser, AND
    2. An Opera window is already open and active when the Firehole test is launched.

    If no Opera window is open, LnS stops Firehole from establishing communication. If an Opera window is open, Firehole is able to establish communications.

    I can't verify these results on any system except mine. Other Opera/LnS users may have no problem. If there are any LnS users who use Opera as their default browser, I'd love to know if you see the same thing I'm seeing. You can download Firehole here: http://keir.net/firehole.html
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Re: Condition where LooknStop fails Firehole leak

    Soul Flame,

    No Opera v6x installed over here, so I can't check for myself.

    Mickey (MTM) does have both LnS and Opera v6x installed if my memory serves me well. Shoot him a PM; he does drop by frequently.

    regards.

    paul
     
  3. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Re: Condition where LooknStop fails Firehole leak

    I've now been able to replicate this problem on my work laptop, which is a Win98SE computer, as opposed to my home machine which runs XP Home.  This tells me two things:

    1.  the problem is not XP specific
    2.  the problem is not a result of some unique configuration issue with my home machine

    I did email Frederic about this problem and here is his reply:


    Hi Rick,

    Thanks for the information.
    We didn't test Opera.

    Look 'n' Stop just detects applications that have been started by not known or not allowed applications.
    If Opera is not started by firehole, and firehole is using an already loaded instance of Opera, Look 'n' Stop will not detect Opera because it was probably started by Explorer.exe.
    I'm not sure there is a simple way to handle that. And discussion is open to know exactly who is responsible for the security hole: Opera, Windows, Look 'n' Stop?


    Now, I find this both troubling and confusing. Obviously program launch is an important variable of this problem, but if that is so (and it indeed appears to be so), then why does IE not suffer from the same problem? What is it about attempting to use an already-open IE window that is fundamentally different than attempting to use an already-open Opera window? I'm not smart enough about this stuff to be able to even speculate, and I hope someone else can provide additional information.

    I find this troubling because, obviously, I'm not protected from this type of exploit.  Now I realize we've yet to see any 'in the wild' direct applications of Firehole or a Firehole-based variant, but that's of little comfort.  I have a security hole I don't know how to plug.  I would really like to see this remedied in some fashion, but if Frederic can't easily ascertain which program has 'ownership' of this defect, I certainly can't.  That said, I would've expected my firewall to protect me from this type of exploit and I find it disturbing that it does not.  I had been planning on purchasing LnS when the trial period expires, and I may well still do so.  However, I do feel compelled to test other firewall applications to see if any of them are successfully able to pass this scenario.  If I find one that does, and if that vendor quickly releases a new version that passes TooLeaky (the one that seems to give most firewalls other than LnS trouble), then I may well go with that package.  

    I hope this security hole doesn't sit without attention, I hope SOMEONE does something about it. I just wish I knew who that someone should be.
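
Added example (not part of the original thread, and not Look 'n' Stop's code): a simplified Python model of the launch-parent check that Frederic's reply describes, replayed over the two conditions from the first post. Process IDs, the policy sets and the `on_behalf_of` field are constructed for illustration; the thread does not say how Firehole drives the browser, so the model encodes only "started by" versus "already loaded".

```python
# Simplified model of a launch-parent check. All names and events are constructed.
ALLOWED_NET_APPS = {"opera.exe", "iexplore.exe"}   # may reach the network
TRUSTED_LAUNCHERS = {"explorer.exe"}               # may start those apps

def evaluate(events):
    """Replay launch/connect events; return (image, on_behalf_of, decision) per connect."""
    procs, verdicts = {}, []
    for ev in events:
        if ev["type"] == "launch":
            # The only moment this model records who is responsible for a process.
            procs[ev["pid"]] = (ev["image"], ev["parent"])
        elif ev["type"] == "connect":
            image, parent = procs[ev["pid"]]
            if image not in ALLOWED_NET_APPS:
                decision = "block: application not allowed"
            elif parent not in TRUSTED_LAUNCHERS:
                decision = "block: started by " + parent
            else:
                decision = "allow"
            # on_behalf_of is ground truth for the reader; the check never sees it.
            verdicts.append((image, ev["on_behalf_of"], decision))
    return verdicts

# Case 1: no browser window open, so the test program has to start the browser.
FRESH_LAUNCH = [
    {"type": "launch", "pid": 200, "image": "opera.exe", "parent": "firehole.exe"},
    {"type": "connect", "pid": 200, "on_behalf_of": "firehole.exe"},
]

# Case 2: the user opened the browser earlier; the test reuses that instance.
REUSED_INSTANCE = [
    {"type": "launch", "pid": 100, "image": "opera.exe", "parent": "explorer.exe"},
    {"type": "connect", "pid": 100, "on_behalf_of": "user"},
    {"type": "connect", "pid": 100, "on_behalf_of": "firehole.exe"},
]

def missed(events):
    """Connections the check allowed although a non-allowed program requested them."""
    return [v for v in evaluate(events)
            if v[2] == "allow" and v[1] not in ALLOWED_NET_APPS | {"user"}]

if __name__ == "__main__":
    for name, case in (("fresh launch", FRESH_LAUNCH), ("reused instance", REUSED_INSTANCE)):
        print(name, evaluate(case), "missed:", missed(case))
```

In the reused-instance case the decision depends only on data captured at launch, so the model cannot tell the user's own request from the test program's.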
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Re: Condition where LooknStop fails Firehole leak

    Interesting to say the least. Since I do not use LNS, it is of no personal concern to me.
    I have to wonder though, how many others are going to make the same kind of mistake, if it is that? I can sympathise with Frederic, for the difficulty in dealing with the problems of leaking.
    At this point in time, I am more inclined to see some pressure put on M$ to help deal with some of these leak test issues.
    I hope it all gets sorted out soon.
     
  5. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    Re: Condition where LooknStop fails Firehole leak

    Sorry Paul, no Opera here! Won't install it either until they come up with a spyware-free version that I can try without having to buy before I try.

    All my tests were done with IE and LNS will pass those.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Re: Condition where LooknStop fails Firehole leak

    Mickey,

    Apologies!

    regards.

    paul
     
  7. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Re: Condition where LooknStop fails Firehole leak

    What spyware is in the free Opera version? I run the paid Opera version, but I'm almost certain I ran AdAware while I was demoing the free version and it came up clean.
     
  8. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    Re: Condition where LooknStop fails Firehole leak

    http://yahoo-sucks.hypermart.net/cgi-bin/forums/ikonboard.cgi?s=3cc82ea01685ffff;act=ST;f=4;t=124
     
  9. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    Re: Condition where LooknStop fails Firehole leak

    Phantom has reported at Becky's having tried Opera with LNS and tests were successful.
     
  10. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Re: Condition where LooknStop fails Firehole leak

    Yeah, I saw that Phantom had that result.  Can't explain why his experience differs from mine.  I would think it was machine specific if I hadn't replicated it on two different computers.

    I've emailed Robin Keir asking about it.  Maybe I'm getting a 'false negative' for some reason.  I hope he responds.
     
  11. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Re: Condition where LooknStop fails Firehole leak

    Also, I gotta say, I think it's stretching the bounds of definition to call Opera's free version 'spyware'. It's well stated that it periodically connects and downloads a new block of ads, and then rotates those during surfing so it's not taking up bandwidth. One may not like this behavior, but it's well publicized and there's no 'spying' involved. If this is 'spyware', the term has been stretched so far as to be essentially meaningless.
     
  12. MickeyTheMan

    MickeyTheMan Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    1,017
    Re: Condition where LooknStop fails Firehole leak

    SpyBlocker is Reporting CORRECTLY. Look at the log file. It's not a "GET" which would be used to retrieve a simple ad, it's a POST! Which means it's CALLING HOME.
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Re: Condition where LooknStop fails Firehole leak

    Yes, Mick, it's calling home. They tell you that, here:
    http://www.opera.com/docs/ads/ (if you bother to click on the 'Privacy' link, read it, and click on and read the links therefrom, that is)
    "Activity reports:

    In order to gain revenue, Opera needs to send a report back on what banners have been shown when and for whom (for which advertisers). Also, clicks on the banners must be reported. The Service Transaction Provider Cydoor decides when it wants these activity reports and Opera stores this time information in the system registry as the number of seconds until the next time Opera should connect to the report server.
    The information that will be transmitted is activity-related data only, which has, up to this time, been stored in each of the ACPO files in binary form, and contains the following data (for each ACPO):

    The banner number (ACPO number), and the date, but no time stamp
    The number of exposures
    The date when the banner was clicked, if it was clicked

    The above information is generated as the activity report and sent out at the specified time as requested."


    If there's any more either of you want to discuss about Opera's 'privacy' aspects, please take it to one of the 'Privacy' forums or TenForward, okay? You're getting way OT here in the "Firewalls" forum. Thanks. Pete
     