adblock subscriptions

Discussions about the Application Boundaries Enforcer (ABE) module
beetzing
Posts: 2
Joined: Sun Mar 07, 2010 11:47 pm

adblock subscriptions

Post by beetzing »

Is there a facility to enable one to 'subscribe' to ABE lists in much the same way one can subscribe to filter lists for ADP?
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: adblock subscriptions

Post by therube »

Appears that is coming.
(Don't ask when. Or was that NoScript lists?)
NoScript lists it looks like.
BoerenkoolMetWorst

Re: adblock subscriptions

Post by BoerenkoolMetWorst »

Are there subscription lists for ABE already? Or do you have a rough idea when they might be there?
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: adblock subscriptions

Post by GµårÐïåñ »

No, there are not. This has been previously discussed and the reasons for why it is not pragmatic and practical from a security perspective have been extensively commented on. At the moment you have the ability since .77 to allow the inclusion of your NoScript whitelist/blacklists into the rules, so that's a place to start but I doubt it will ever become available in the form of a managed global list.

Simple recap: 1) everyone's perspective and consideration of security with respect to each site is a personal choice, 2) no two people agree as many are fine whitelisting some of the oddest things while a security oriented individual would not be caught dead allowing it, 3) what is safe to one person is not to another and vice versa, 4^n) etc, etc...
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
BoerenkoolMetWorst

Re: adblock subscriptions

Post by BoerenkoolMetWorst »

Ok, thanks for the explanation.
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: adblock subscriptions

Post by GµårÐïåñ »

You are welcome. I wish I had access to my bookmarks to get you the link to the other thread where it was extensively discussed for more perspective but you should be able to search for it and if not, I will post it as soon as I am able.
needsabath

Re: adblock subscriptions

Post by needsabath »

Make an ABE subscription out of the data from the following site:
http://maliciousnetworks.org/index.php

For example, select a recent day, and here you go:
http://maliciousnetworks.org/ipinfo.php ... 2010-05-21

More info:
http://maliciousnetworks.org/info.php
http://krebsonsecurity.com/2010/03/nami ... -bad-isps/

Especially with an option to allow individually, on the fly, blocked IPs, the above could be very helpful.
pogue
Posts: 6
Joined: Fri Nov 20, 2009 11:06 pm

Re: adblock subscriptions

Post by pogue »

needsabath wrote: Make an ABE subscription out of the data from the following site:
http://maliciousnetworks.org/index.php

Wouldn't it be more ideal to simply block those sites entirely?
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: adblock subscriptions

Post by GµårÐïåñ »

One thing you are overlooking is that you don't need a blacklist when by default NoScript blocks EVERYONE and EVERYTHING. So when you WANT something to run, just white-list it and it's a smaller number of sites to track than to just go the other way and block all of them, being there are more bad sites than good ones. It defeats the purpose as there are false positives, especially anything that is "community" voted, there are performance considerations, and above all why go overkill when you can run more lean and efficient and customize your own black/white lists based on your OWN browsing habits? These kinds of lists, as used by Spybot and many other "malware" and "antispyware" software out there are creating more of a performance issue for many systems and are mostly obsolete and the worst part of it is that it creates a false sense of security and creates complacency, which in security means death, because you won't see it until it's too late.
tiredtoday

Re: adblock subscriptions

Post by tiredtoday »

GµårÐïåñ wrote: So when you WANT something to run, just white-list it


Therein lies the rub: how does a real-world user decide whether to run something? Answer: The user is led to believe the content is something he/she wants.

Count me among those users who would like to have such content blocked if I try to run it, unless and until I manually override such block, IF the active content is being provided by a persistently malicious IP/server that has been reliably and timely identified.

Having read the paper at the following link, http://maliciousnetworks.org/fire.pdf I believe the FIRE, Finding RoguE Networks, project provides actionable intelligence that should be the basis of an ABE subscription, at least on a test basis.

I understand some are strongly attached to opposing opinions. That doesn’t eliminate my desire to be warned if the content I seek to run is being served from an IP address believed to host malicious content, provided the false positive likelihood is reasonably low.

If only the 400 most persistently malicious IPs are included, still the ‘attack surface’ would be substantially reduced.
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: adblock subscriptions

Post by GµårÐïåñ »

You do realize that servers that deliver "bad" content don't always sit on the same IP? So identifying IPs is futile and counterproductive. One day they may belong to a "bad" company, the next it's assigned to another person on that virtual share. Most 99% of the people running servers are using virtual or shared hosting, meaning no static IP (one that doesn't change) and instead get assigned dynamic IP (changes regularly) which means that blocking them could result in actually blocking legitimate content served by another poor sap who happens to be assigned that IP. This is the first failure of your idea and your desire; it has nothing to do with anyone being attached to an opposing opinion, it's fact, it becomes opinion when the other side seemingly argues something they don't understand.

The second problem with your theory is that WHO decided it's bad? I mean think about it, you may love to subscribe and go to sex.com but there might be a majority of those who are ranking it as bad, therefore it would be blocked for those who don't mind the content and wish to be there, hence the problem with WOT, since it's community-based opinion, whoever happens to have the most number of reports wins the argument and gets the site marked as bad, just look around their database and see that many sites that regularly are not a problem are marked as unsafe. It's the flaw of mob mentality and the puritan majority who will always skew the facts. The fact is that a site's safe/unsafe/bad/good status is a purely subjective and personal decision factor. No matter how people argue it, there are no two people on the planet who think alike, it's a fact. What will you do if someone marks xyz.com as a good site and you go there and get screwed, who are you going to blame? them? yourself? I would say you for putting your trust in the hands of others to make that decision for you.

Lastly, if it's something you NEED or are led to believe you need, and you don't know to trust them or not. Try Google. Search for the site name and see what the predominant opinion is. Or better yet, run it in a sandbox and vet it yourself and then you know it's safe for future use. Again, the process is there, people are just lazy to do anything about it and want it hand fed to them.
tiredtoday

Re: adblock subscriptions

Post by tiredtoday »

My contention is that for many there would be a net benefit to being informed in advance of allowing active content to run that the content is originating from an IP address that has been serving exploits within the past 24 hours, as proven by scientific testing.

Here is a link to the full FIRE: FInding RoguE Networks blocklist, should anyone care to do some experimenting http://www.maliciousnetworks.org/fire-blocklist.txt

“A single solution will never catch all spyware and malware. A layered, defense-in-depth approach is needed. This includes antivirus/antispyware protection, proxy servers, domain blocking via blackhole-DNS, and blocking by IP addresses and netblock.
Blocking by IP address or netblock is a complement to any domain or url-based blocklist.”
--dglosser, The DNS-BH project http://www.malwaredomains.com/wordpress/?p=143


@ GµårÐïåñ I'd be happy to discuss more with you, but perhaps it would be better if you showed a bit more knowledge about the FIRE: FInding RoguE Networks project first, as I do not believe several of your comments are accurate with respect to data arising from the FIRE project.
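
Added example (not part of any post in this thread, and not NoScript or FIRE code): one way to experiment with turning an IP blocklist into ABE rules while limiting the stale-address and false-positive problems debated above. The feed format (`<ip> <last-seen timestamp>`), the sample entries, and the function names are constructed for illustration, and the output assumes ABE's `Site ... / Deny` rule form accepts a literal IP address as the resource.

```python
import ipaddress
from datetime import datetime, timedelta

# Never emit rules for LAN/loopback space, whatever the feed claims.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample feed (documentation address ranges, not real FIRE data).
SAMPLE_FEED = """\
# ip last_seen
203.0.113.7 2010-05-21T08:00:00
198.51.100.23 2010-05-20T23:30:00
203.0.113.7 2010-05-21T09:15:00
198.51.100.99 2010-05-12T10:00:00
192.168.1.1 2010-05-21T09:00:00
not-an-ip 2010-05-21T09:00:00
"""

def fresh_addresses(feed, now, max_age=timedelta(hours=24)):
    """Return sorted, de-duplicated non-local IPv4 addresses seen within max_age."""
    latest = {}
    for line in feed.splitlines():
        fields = line.split()
        if line.lstrip().startswith("#") or len(fields) != 2:
            continue
        try:
            ip = ipaddress.IPv4Address(fields[0])
            seen = datetime.fromisoformat(fields[1])
        except ValueError:
            continue  # malformed entry: skip it rather than guess
        if any(ip in net for net in LOCAL_NETS):
            continue  # a feed must not be able to block local resources
        latest[ip] = max(seen, latest.get(ip, seen))
    # Entries not re-confirmed recently age out, since addresses get reassigned.
    return sorted(ip for ip, seen in latest.items() if now - seen <= max_age)

def to_abe_rules(addresses):
    """Render one 'Site <ip>' / 'Deny' rule per address (assumed ABE rule form)."""
    return "\n".join(f"Site {ip}\nDeny\n" for ip in addresses)

if __name__ == "__main__":
    print(to_abe_rules(fresh_addresses(SAMPLE_FEED, datetime(2010, 5, 21, 12, 0))))
```

Because every entry expires unless the feed re-confirms it within the window, a reassigned address drops out of the ruleset on the next refresh instead of staying blocked indefinitely.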
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: adblock subscriptions

Post by GµårÐïåñ »

tiredtoday wrote: My contention is that for many there would be a net benefit to being informed in advance of allowing active content to run that the content is originating from an IP address that has been serving exploits within the past 24 hours, as proven by scientific testing.

There is no scientific process about it, they get reported, they get put on a list, that's all. If there was a scientific method, then it would be canned and used to automate the process on its own, there isn't one. What you are stating is already included in Fx and through Google's search engine already, which sites that have been reported or seen to have committed bad acts are in a list that you are notified about.

tiredtoday wrote: Here is a link to the full FIRE: FInding RoguE Networks blocklist, should anyone care to do some experimenting http://www.maliciousnetworks.org/fire-blocklist.txt

I am aware of it and I have looked at it already a while back. Nothing different or more impressive about it than any other hundreds of "solutions" out there claiming to have figured out how bad things work, but to each their own.

tiredtoday wrote: “A single solution will never catch all spyware and malware. A layered, defense-in-depth approach is needed. This includes antivirus/antispyware protection, proxy servers, domain blocking via blackhole-DNS, and blocking by IP addresses and netblock.
Blocking by IP address or netblock is a complement to any domain or url-based blocklist.”
--dglosser, The DNS-BH project http://www.malwaredomains.com/wordpress/?p=143

It's funny how you quote someone else saying the same thing I am and that's supposed to somehow supersede what I said. :lol: I already told you that security is a multi-pronged approach and cannot be done with any one solution and needs to be vetted by individuals based on their own activity. Where this person fails to make clear is that any blocking by IP is a major mistake and will ALWAYS result in legitimate content being affected.

tiredtoday wrote: @ GµårÐïåñ I'd be happy to discuss more with you, but perhaps it would be better if you showed a bit more knowledge about the FIRE: FInding RoguE Networks project first, as I do not believe several of your comments are accurate with respect to data arising from the FIRE project.

Such as? You claim I am wrong but fail to provide anything concrete. Please break down "several" of my comments and tell me on each step what is wrong with it. Don't make a blanket statement, especially that I understand more about the FIRE project or at least what they are hoping to achieve than you would ever know. In the end, it's up to each person, do what you want, don't do what you want, consensus or agreement is not necessary for things to be true or valid, it just is what it is. You are welcome to believe and put your faith in whatever you wish and I will use my more than 2 decades of experience to do what has worked 100% for me and has never left me vulnerable. EVER.
tiredtoday

Re: adblock subscriptions

Post by tiredtoday »

GµårÐïåñ wrote: Such as? You claim I am wrong but fail to provide anything concrete. Please break down "several" of my comments and tell me on each step what is wrong with it.


Read the paper here http://maliciousnetworks.org/fire.pdf and you will be able to correct your own work.
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: adblock subscriptions

Post by Alan Baxter »

tiredtoday wrote: Count me among those users who would like to have such content blocked if I try to run it, unless and until I manually override such block, IF the active content is being provided by a persistently malicious IP/server that has been reliably and timely identified.

Fortunately, current security products already provide that service. For me, Firefox blocks known attack sites. I believe the list is maintained by stopbadware.org and hosted by Google. Secondly, the Avast realtime Internet Shield blocks access to all sites that Avast knows about.