Personal Internet Moderation Script - ruby

What approach should I take to develop software to block traffic at the desktop level (Windows) to sites based on their domain name?
Messing with the hosts file was easy, but the browser seems to have too long of a delay before it recognizes changes in the hosts file.
My ideal solution would be a simple Ruby script to disable sites during work hours and then re-enable them later.

I think this is just what you're looking for: The LeechBlock Firefox extension can block domains or even paths on domains (e.g. google.com/reader/) during set hours.

Mousehole is a proxy written in Ruby. You can easily customize it to block pages, and even rewrite page contents while surfing. You run the proxy on your own machine and configure your favorite browser to not connect directly to the internet. More info about that at http://github.com/whymirror/mousehole/tree.

IE does not ignore the hosts file. You should double check that you modified the right one, and added the entry correctly.

Personally, depending on your location you might look at doing this at the router level. You can filter on many of them based on MAC address, and that would be a better way of doing it.
I know that my DLink has abilities to do this, including the on at X and off at Y.
Also, you might ask this over at ServerFault for more answers.
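The hosts-file approach from the question, sketched as a Ruby script. This is an added example, not code from any of the posts: the marker comments, the 9:00 to 17:00 weekday window and the function names are assumptions. It keeps its entries inside a marked block so they can be removed cleanly, and it rejects anything that is not a plain domain name so a crafted list entry cannot inject extra hosts lines.

```ruby
BEGIN_MARK = "# BEGIN site-block (managed)"
END_MARK   = "# END site-block (managed)"

# True on weekdays between start_hour (inclusive) and end_hour (exclusive).
def work_hours?(now, start_hour: 9, end_hour: 17)
  (1..5).cover?(now.wday) && now.hour >= start_hour && now.hour < end_hour
end

# Accept only plain DNS names; spaces or newlines would corrupt the hosts file.
def valid_domain?(name)
  name.match?(/\A([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i)
end

# Return the hosts text with any previously written managed block removed.
def strip_block(text)
  inside = false
  kept = text.each_line.reject do |line|
    marker = line.strip
    if marker == BEGIN_MARK
      inside = true
    elsif marker == END_MARK
      inside = false
      true
    else
      inside
    end
  end
  kept.join
end

# Rebuild the hosts text: the managed block is present only while blocked.
def render_hosts(text, domains, blocked)
  base = strip_block(text)
  return base unless blocked
  base += "\n" unless base.empty? || base.end_with?("\n")
  entries = domains.select { |d| valid_domain?(d) }
                   .flat_map { |d| ["0.0.0.0 #{d}", "0.0.0.0 www.#{d}"] }
  base + ([BEGIN_MARK] + entries + [END_MARK]).join("\n") + "\n"
end

# Usage (elevated prompt, run from a scheduler):
#   ruby block.rb C:\Windows\System32\drivers\etc\hosts example.com
if __FILE__ == $PROGRAM_NAME && ARGV.size >= 2
  path, *domains = ARGV
  File.write(path, render_hosts(File.read(path), domains, work_hours?(Time.now)))
end
```

Running it on a schedule keeps the file in step with the clock; it does not address the delay mentioned in the question before the browser recognizes the change.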

Related

Configure system wide proxy setting

I want to set system-wide proxy settings on my Windows machine. I know about the settings from Internet Explorer but don't want to do it that way. Is there a way to set up a proxy which will be used by all the applications on my machine (especially Firefox; I don't want to have to set Use System Proxy Settings in the Firefox options menu)?
In windows, that is the preferred way to set up the proxy settings.
But you can have a look at this for command line options
https://superuser.com/questions/419696/in-windows-7-how-to-change-proxy-settings-from-command-line
How can this be achieved theoretically
I am going to provide a somewhat unusual answer, because I've noticed that this particular 'way' of solving this problem has (for some reason) not crossed people's minds so far.
If you want to really make all apps without exception send internet traffic through your proxy, you are going to have to use a special technology known as TUN/TAP devices.
In short, these are special drivers, which when installed appear to a system as a network adapter (just like your local Ethernet or Wireless card), but they are in fact built in such a way so as to be easy to control from a software level.
Basically, when you install such a driver on the system, the system now regards that device as a fully functional Network Adapter. Therefore, if you now set this network adapter as the default gateway, all apps (without knowing it or being able to prevent it) will automatically pass through it, the same way as all apps pass through a generic Wireless Adapter / Ethernet.
Practical ways of achieving this / How can I use this with proxies?
Now that you have a basic idea of what redirecting system traffic through a TAP/TUN device means, there are a couple of ways of doing this.
Before I start, I really recommend that even if you stray from the suggested resources here, you stick to using OpenVPN's open source TAP device, since it has been extensively tested and confirmed to work on many systems, and is very widely used now (Some basics are available at https://openvpn.net/tuntap, and I trust you should find it embedded in any latest version of OpenVPN, the only files you need are the compiled drivers (.inf), you don't need to have the entirety of OpenVPN installed to use them).
The project that instantly comes to mind when thinking of using SOCKS proxies as the endpoint of a TAP device is badvpn/tun2socks. The project basically does exactly what is outlined here, so I definitely recommend you read the source code, or use it as a standalone utility (if you need some help with usage, I suggest you check out this wiki page).
What if any are the drawbacks of using this approach?
First of all, speaking of compatibility, performance and bugs, there are no drawbacks of using this approach at all; it is, if anything, more reliable and easier to use than even the ways of doing this provided by the system.
The only two drawbacks I can see at this point would be:
You have to be careful to make sure whatever proxy/intermediate host you are using, it is capable of handling at least the majority of system traffic, because if an app sends incompatible internet traffic, it will still be redirected through the TAP device (that is its purpose).
The code base may be larger than in other cases
An alternative, 'unclean' way of doing this for Firefox in particular
If you are interested in only setting this proxy for Firefox, there are a couple of unclean ways of doing this: For instance, via the command line. It is, however (in my opinion), a very cheap and dirty way of achieving this, as this does not provide any compatibility whatsoever (basically a hack).
Conclusion
While implementing this may take a while, and the code base may be large:
It is not really possible, through any other means, to achieve the same effect as VPNs achieve when they tunnel the entirety of your machine's traffic through the OpenVPN server.
If you want to achieve this kind of behavior, it is recommended that you use the approach outlined above, as it is a lot cleaner than 'alternative' methods of doing so (e.g. socksifying traffic by intercepting it at a software level).

Block website without forcing user to restart browser?

I know blocking a website is a popular question but none of the answers I've seen address my particular situation:
I want to block a website (to be selected by the user, which must also have Admin rights, on Windows XP), without forcing her to restart her browser.
The well known technique of modifying the hosts file requires some browsers to be restarted. I want to accomplish that in a way that is browser-independent (e.g. Content Advisor works in IE but not in FF) and which doesn't require the user to restart his browser.
Please note that I am interested in knowing how to do this programmatically, so http://superuser.com or http://serverfault.com aren't really the right places for this question, as they mostly suggest tools and services, while I am interested in the underlying knowledge so that I can implement it myself.
Ideas?
Thanks.
"Please note that I am interested in knowing how to do this programmatically, so http://superuser.com or http://serverfault.com aren't really the right places for this question, as they mostly suggest tools and services, while I am interested in the underlying knowledge so that I can implement it myself."
Such tools would filter traffic by implementing a NDIS Intermediate Driver. See also this other question.

Can Subversion limit a developer to accessing only certain files?

I need to outsource some programming. I was thinking of setting up a computer the programmers could Remote Desktop into with a full test environment set up on that computer.
I have never used Subversion and was wondering if I could give them access to only certain modules so that they could not even see the code to modules they did not need?
Thanks in Advance,
"... if I could give them access to only certain modules so that they could not even see the code to modules they did not need?"
Sure, at least on directory level when serving Subversion through Apache.
See the http chapter in The Book.
If you're on Windows, Subversion server wrappers like free VisualSVN Server make access control brain-dead easy.
I know that in Windows, the user they use to access the Subversion system can be a normal Windows user, and you can just set up permissions to allow access to folders that way.
Yes, take a look in the conf/authz file.
Plenty of examples in there.
However, if you are giving them full access to the machine with subversion on it then that won't help stop them...

Is a launchd daemon the best route to go for reading/writing to privileged files in Cocoa?

I have an application which needs to be able to write to Any User/Current host preference files (which requires admin privileges per Preferences Utilities Reference) and also to enable/disable a launchd agent via its plist (writable only by root).
I'm using SFAuthorizationView to require users to authenticate as an admin before altering these values.
I'm trying to decide on the best way to do the actual altering of these values.
The cheap hackish option seems to be to use AuthorizationExecuteWithPrivileges() and mv or defaults, either via BLAuthentication or creating something similar myself. The downside to this is not getting the return value of whatever command line app I'm executing, plus some odd esoteric bugs I've encountered (such as getting a -60008 error in certain situations). This is strongly recommended against by Apple, obviously, but people do seem to do it and have some success with it.
The second most hackish option would seem to be the whole create a helper app with the suid bit set and the --self-repair option as discussed in various places. This seems possible, but like it's probably not much less trouble than the third option.
The third option is to create a fully fledged launchd daemon which will run as root and communicate with my application via a socket. This seems like a bit of overkill to read and write some plist files, but it's also possible I may find other uses for it down the road, and it won't be the only daemon for my application, so it doesn't seem unreasonable to just add another.
I'm thinking about modifying this sample code for my purposes.
My two questions are:
Does the launchd daemon option seem like the best route to go for this, or is there a much easier route I'm missing?
Has anybody else successfully used that code as a basis for something similar, and does anybody see any glaring issues with it I'm missing? I've used it successfully in a test app, but I'd be curious to hear you guys' opinion on it.
launchd is definitely the best and safest way to go: you’ll need an installer package to get your helper into place. Do be sure that your helper does and can do absolutely nothing except edit the files you wish to target.
No experience w/the code, but it’s based off of BetterAuthorizationSample, so that’s a nice start.
There's also the openauth API, which allows you to open files that require root privileges.

How do I make Remote Assistance as painless as possible?

I need to provide remote assistance to the users of my app, through the Internet. I need a reference for doing this, and I need to make the whole connecting to remote desktop process as easy as clicking a menu of my app for my users.
I don't want them to get too involved with the procedure. I believe the built-in remote assistance features of Windows XP and Vista are fine, I just need to make it very simple.
Anyone any ideas?
P.S. A comprehensive reference on the whole Windows Remote Assistance would also be appreciated.
I highly recommend Mikogo. It's free, fast to install and set up, works great, and is very simple. I actually prefer it to the more expensive services ($30-$40/month) because of its simplicity. Only thing is, I'm not sure how they make money; they have some advertising when you visit the home page, but it's very minimal.
There are many commercial tools that do make this operation effortless. I won't mention any names because this isn't an advertising forum. A quick search should turn up a handful of possibilities; I've used many of the more popular ones and found them satisfactory.
Our support desk typically uses WebEx which works really well.
There are a large number of tools which will do this. Your best bet is to pick a tool which has a reverse connection from the person who needs help back to the helper. This will make sure that you do not have users try and configure firewalls/open ports etc. WebEx is a good recommendation by Old Nick. Another option is GoToAssist; there is also GoToMeeting, which can have the same remote control functionality and is cheaper, I believe. The main thing is making sure it is as easy as it can be for your users; trying to walk a user through installing an ActiveX control can be hard enough.
I'd suggest trying LogMeIn. It's nice because once you have the user set up the client software, you can arrange with them a time to leave their PC unattended so that you can remote in and take a look (with the option to disable local keyboard/mouse and monitor access). You can also connect such that the local peripherals are enabled and watch "over their shoulder" as they replicate a problem.
There is of course also Copilot by Fog Creek. Have never used it myself, but it looks pretty easy to use, also for non-technical people.
I use CrossLoop for that kind of thing.
