Slashdot Mirror

Would it be really hard to throw together a 1TB file store with the latest patches, demos, ISOs and the like?

If only there were some sort of way to intelligently cache the content that users really wanted to access...

My Linksys WRT54G (not GS) is a transparent Squid proxy already. I don't see why this ASUS machine can't do the same.

It points to a secondary FreeBSD machine for that, because I have a 5GiB cache on the Squid side. Everything is anonymized through Privoxy + Tor, with no configuration changes on the client side.

Users don't even know (or care) that their traffic is being proxied or anonymized at all.

For user data stored on the FreeBSD machine, I also use rsnapshot to do backups of another disk slice that is GELI encrypted as well, which works out very nicely for the overall solution.

Everything that goes out port 80 (or comes back in on the response) through the Linksys is redirected through the Squid server on the FreeBSD machine. iptables(1) on the Linksys does all the magic for me, as follows:

iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.6 -p tcp --dport 80 -j DNAT --to 10.0.1.6:3128
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.6 -j SNAT --to 10.0.1.2
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.1.6 -i br0 -o br0 -p tcp --dport 3128 -j ACCEPT

There's more to it, but that should get you started. Its really easy to implement, and I'd trust my FreeBSD machine to process those packets faster than the processor on the Linksys ever could (not even considering the storage requirements for such a caching mechanism).

The Squid cache on the FreeBSD side resides on a partition that is GELI encrypted. Do I have anything to hide? No, but I do have a right to protect the identity of my users, their browsing habits and their data.

Everyone else should do the same (or similar).

My Linksys WRT54G (not GS) is a transparent Squid proxy already. I don't see why this ASUS machine can't do the same.

It points to a secondary FreeBSD machine for that, because I have a 5GiB cache on the Squid side. Everything is anonymized through Privoxy + Tor, with no configuration changes on the client side.

Users don't even know (or care) that their traffic is being proxied or anonymized at all.

For user data stored on the FreeBSD machine, I also use rsnapshot to do backups of another disk slice that is GELI encrypted as well, which works out very nicely for the overall solution.

Everything that goes out port 80 (or comes back in on the response) through the Linksys is redirected through the Squid server on the FreeBSD machine. iptables(1) on the Linksys does all the magic for me, as follows:

iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.6 -p tcp --dport 80 -j DNAT --to 10.0.1.6:3128
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.6 -j SNAT --to 10.0.1.2
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.1.6 -i br0 -o br0 -p tcp --dport 3128 -j ACCEPT

There's more to it, but that should get you started. Its really easy to implement, and I'd trust my FreeBSD machine to process those packets faster than the processor on the Linksys ever could (not even considering the storage requirements for such a caching mechanism).

The Squid cache on the FreeBSD side resides on a partition that is GELI encrypted. Do I have anything to hide? No, but I do have a right to protect the identity of my users, their browsing habits and their data.

Everyone else should do the same (or similar).

My Linksys WRT54G (not GS) is a transparent Squid proxy already. I don't see why this ASUS machine can't do the same.

It points to a secondary FreeBSD machine for that, because I have a 5GiB cache on the Squid side. Everything is anonymized through Privoxy + Tor, with no configuration changes on the client side.

Users don't even know (or care) that their traffic is being proxied or anonymized at all.

For user data stored on the FreeBSD machine, I also use rsnapshot to do backups of another disk slice that is GELI encrypted as well, which works out very nicely for the overall solution.

Everything that goes out port 80 (or comes back in on the response) through the Linksys is redirected through the Squid server on the FreeBSD machine. iptables(1) on the Linksys does all the magic for me, as follows:

iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.6 -p tcp --dport 80 -j DNAT --to 10.0.1.6:3128
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.6 -j SNAT --to 10.0.1.2
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.1.6 -i br0 -o br0 -p tcp --dport 3128 -j ACCEPT

There's more to it, but that should get you started. Its really easy to implement, and I'd trust my FreeBSD machine to process those packets faster than the processor on the Linksys ever could (not even considering the storage requirements for such a caching mechanism).

The Squid cache on the FreeBSD side resides on a partition that is GELI encrypted. Do I have anything to hide? No, but I do have a right to protect the identity of my users, their browsing habits and their data.

Everyone else should do the same (or similar).

My Linksys WRT54G (not GS) is a transparent Squid proxy already. I don't see why this ASUS machine can't do the same.

It points to a secondary FreeBSD machine for that, because I have a 5GiB cache on the Squid side. Everything is anonymized through Privoxy + Tor, with no configuration changes on the client side.

Users don't even know (or care) that their traffic is being proxied or anonymized at all.

For user data stored on the FreeBSD machine, I also use rsnapshot to do backups of another disk slice that is GELI encrypted as well, which works out very nicely for the overall solution.

Everything that goes out port 80 (or comes back in on the response) through the Linksys is redirected through the Squid server on the FreeBSD machine. iptables(1) on the Linksys does all the magic for me, as follows:

iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.6 -p tcp --dport 80 -j DNAT --to 10.0.1.6:3128
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.6 -j SNAT --to 10.0.1.2
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.1.6 -i br0 -o br0 -p tcp --dport 3128 -j ACCEPT

There's more to it, but that should get you started. Its really easy to implement, and I'd trust my FreeBSD machine to process those packets faster than the processor on the Linksys ever could (not even considering the storage requirements for such a caching mechanism).

The Squid cache on the FreeBSD side resides on a partition that is GELI encrypted. Do I have anything to hide? No, but I do have a right to protect the identity of my users, their browsing habits and their data.

Everyone else should do the same (or similar).

Of course now with all the right tunnels, I can use FireFox on my Linux box

Are you trying to make your network administrators hate you? Here's what you do instead:

1. Install Squid at home. Configure it to only accept connections from localhost and make sure your firewall blocks its port (3128 by default) anyway - which any default-deny firewall that hasn't been explicitly opened will.
2. Add this section to your ~/.ssh/config file:

   Host myhouse
   . Hostname whatever.example.com
   . LocalForward 3128 127.0.0.1:3128
   . Compression yes

3. Run "ssh myhouse"
4. Configure your browser to use "localhost:3128" as its proxy server.
5. Surf at will.

The huge difference is that you're only pulling a page's contents across the network, not an image of those contents. They'll even be compressed on their way to you, so your work computer will actually be downloading less data than if requested those pages directly.

For those that are struggling to understand how the author of this article is accomplishing his approach, here is some further information.

The author obviously has a Linux server in his house, that is running DHCPD

To selectively send some clients to some locations, and others to the normal internet, he assigns an IP address on a different network to clients that don't have MAC Addresses that he knows about.

Forwarding on to sites of his choice is done by using IPTables, which is a utility that allows you to configure the packet filtering components of the Linux TCP/IP Stack. In this instance, the Linux box is just functioning as a firewall, and he is selectively sending requests from certain IP addresses to different hosts of his chosing.

Finally, the Up-side-down and blurry-image conversions is accomplished by sending page requests from those before-mentioned IP addresses to a proxy server, which in this case is Squid - and then allowing the proxy server to run a script which calls an ImageMagick command called mogrify which allows you to resize an image, blur, crop, despeckle, dither, draw on, flip, join, re-sample, and much more.

And that folks, is the rest of the story.

You make the relatively large assumption that every person using OSS software is using Linux or *BSD. I try to use OSS in almost every aspect of my life except the OS. (Just to head off any questions as to why: I'm a gamer. I play games that *I* enjoy. These games are *only* found on Windows. I'm not going to not play these games just because someone else thinks they have better alternatives. If I thought as they did, I wouldn't be using Windows. But I don't. So I do. Okay? Good.)

OSS projects don't exactly have to kill themselves giving this information, you know. Take squid, for example. It says what it is, it tells you what it supports. Straight up, in your face, nice and easy. The main page is not a simple HTML list of appended patch notes for the last 3 years. It's not too hard to make your main page be a very brief, but telling synopsis of what your software does, while still maintaining your precious bug fixes and other release notes on another page. If your goal is to make the 5 people already using your software happy, then sure, continue with what you've been doing. If you're trying to get another 5000 people to use your software, you're probably going about it all wrong.

This would help a bit with your patch issue, but helps with all web traffic.

If you have a box to spare, install a web proxy (I like squid myself) and configure it with a large (multi-gig) disk cache. This would speed up everybody's web browsing & downloads, since people tend to visit the same sites (cnn, hotmail, espn, etc) often. It also acts as a chokepoint (all web browsing has to go through the proxy) where you can apply security rules & filters if you wanted.

I think Squid is better prior art. A key feature is that the "firewall" implements a full TCP/IP stack and the decisions are made the application level.

We have worked with Astaro support, and they have narrowed down the problem and sent the information to Amazon, but there has been no response yet.

In researching the issues, I have found posts all the way back to 1999 regarding incompatibilities with Squid and Amazon. Both ends have worked on the problem, but there has not been a 100% successful fix.

The issue only seems to affect far less than 5% of squid users, and even then it's sometimes inconsistent. So, it's almost impossible to fix because it's so hard to demonstrate. We can repeat the problem consistently, but it is the first case Astaro has had, and their systems are pretty much identical across the board, so it might even be a hardware compatibility issue with specific NICs. Who knows.

Problem description
Amazon employee post

If anybody has had problems in the past and was successful in resolving them, please reply!

Thanks,
Brian

We have worked with Astaro support, and they have narrowed down the problem and sent the information to Amazon, but there has been no response yet.

In researching the issues, I have found posts all the way back to 1999 regarding incompatibilities with Squid and Amazon. Both ends have worked on the problem, but there has not been a 100% successful fix.

The issue only seems to affect far less than 5% of squid users, and even then it's sometimes inconsistent. So, it's almost impossible to fix because it's so hard to demonstrate. We can repeat the problem consistently, but it is the first case Astaro has had, and their systems are pretty much identical across the board, so it might even be a hardware compatibility issue with specific NICs. Who knows.

Problem description
Amazon employee post

If anybody has had problems in the past and was successful in resolving them, please reply!

Thanks,
Brian

So DNS doesn't help at all. This means we should probably use content based filtering. And I mean probably, I propose: bayesian spam filtering for websites! I havn't got the time to write the plugin for Firefox, but I would be willing to run it. Or, maybe it would be better to write an extension to the squid proxy?

sorry for making the links right here they are again...:(
Too Quick on the Trigger...
http://www.squid-cache.org/
http://vlsi.cornell.edu/~rajit/fbsd/bridge.htm1

Sorry, but you have no idea what you're talking about.

Second method is too expensive to implement by ISPs, ie, check all packets pass thru the ISP for known IP addresses of sites they want to block.

Many ISPs use caching proxy servers such as Squid because it makes things CHEAPER for the ISP. Squid cuts down on bandwidth usage, while improving speed - I even use it on my LAN at home. Some ISPs silently redirect all traffic on port 80 through a proxy server transparently, so customers don't have to set anything up; WPAD is a better alternative.

I wrote a redirect script for Squid called BannerFilter, which blocks advertisements. Several ISPs are using it.

Tomahawk Desktop is probably the first desktop Operating System comes with its own DNS server. Therefore, Tomahawk Desktop, does not use your ISP's DNS server. It does its own DNS resolution. Its too expensive to block the Tomahawk Desktop :)

Just because it happens to be the first one you've encountered, doesn't mean it's the first one. Most Linux distributions ship with BIND, although it's not usually enabled by default because it's not normally a good idea on a desktop system (DNS resolution will be faster if you use your ISP's DNS servers, unless your ISP sucks ass).

>Say...you don't have the name of the IE ad-blocking tool handy, do you?

I'm not aware of an IE ad-blocking plugin, but you can use a proxy for this purpose, and it will work with all the browsers configured to use it. JunkBusters maintains a page that offers two products, both free: Guidescope ("easy"), and the Internet JunkBuster.

If you're interested in an even more powerful solution, you could leverage the free Squid Caching Proxy to block offenders.

Two words for you... rsync and squid. Not error proof, but with checksums and redundancy, pretty close so long as errors are not introduced at the root server.

But wouldn't it be fun to hack the root server and make sure all your old enemies are listed as currently under treatment for syphilis and Dick Chafing (not to be confused with Dick Cheney, which is much worse). ;-)

- Greg

for reference (and those too lazy to google):
http://www.squid-cache.org/

Can anyone point to a recent study that would support my theory, and help me convince my management that we just plain need more bandwidth?

Using DansGuardian with Squid is not a difficult to set up. The default blocks are quite comprehensive, and completely customizable. There are even gateway/firewall distros like Smoothwall and IPCop that have drop-in support for DansGuardian.

Now, if more people would just learn the need for a real firewall, and how to configure the darn thing...

Shit we will just change / to \ ... and ifconfig to ipconfig, and leave just about everything else the same. Sorry my mistake, someone else already did, along with some concepts from Digital, 'cept they left the friggin' barn door open! All we have to do is rename the variables in the function statements and bingo we can create Squindows, a secure operating system that uses squid like secure internet functionality! What a concept.

We set up a list of about 20 acl url_regex deny lines for the largest ad hosting sites (doubleclick.net, etc). Make the error file white text on a white background. Only VERY rarely does this become a problem for users, and we treat those as one-offs, and we load that page/site for them on a different PC. This way users get EXTREMELY faster browsing, from the cache, and sans ads!

Given the ability of squid to join together with other "squids" the potential for the size of these groups (or "caches" as I prefer to call them) of squid is almost limitless! For maximum effeciancy in these groups the squid talk to each other and help each other out. The communication between each squid relies primarily on each squids role in the "cache" and can be anything from a "parent" or "child" squid to "siblings" (please note these relationships no not denote the lineage of family groups, but simply the authoritive role each squid plays). From what I have seen you could be quite close to one of these "caches" right now and not even be aware of it!

For API, how about Google? I know, I know, the API is 0wn3d, but it is cross-platform.

Something interesting could be built from using a browser plug-in or proxy (say, squid) to collect every searched keyword, time, hit-frequency, pathgraph of URLs clicked taken whenever I do a
http://www.google.com/search?q=YourTermHere
so that dynamic graphs could be built up as alternatives to static filesystems.

Then, instead of coming up with a crappy static set of folders/subdirectories, I'd let this application build up
~/YourTermHere
~/YourPreviousTermHere
all cached up.

Kind of combining my Google Search history with my Bookmarks(indicate I think something is important), with my History (with the longest connected graphs in the URL click history showing the most interesting lines to pursue).

And, to decrease dependence on Google, one could simply create a GoogleIntercept proxy that normally refers out to Google, but can do other things should the need arise.

I've also set up sshd on port 443 so that I can punch through the corporate firewall where I work, and port forward the http proxy - hence browsing without being monitored...

Anyway, you can use the content filter to strip Dvorak drivel.

Yeah, it's impossible to add extra database servers.

It's also unlikely that one could find a database server that can cache the results of identical queries when the data hasn't changed, significantly speeding up access to nearly-static data.

It's downright insane to consider using proper cache-control headers and a caching proxy in front of a web server farm.

It's sure too bad that these solutions can't be solved by merely hiring a competent sysadmin who's willing to relocate, 'cause that's be far too convenient. :)

It'd probably be easier to teach everyone in the company good HTML.

One $40k mistake is not a reason to not invest in a bank. Seriously. Banks have million dollar rounding errors and that's ok; the year after I joined (and I stayed 5 years), the bank had like a $1.4 billion dollar profit, then proceeded to trim 10,000 jobs because they weren't making enough money. :) As important as the proxy debate was to me, it didn't have any material effect on the bank's financials one way or the other.

OMG, someone who can admit that their job don't rule a $507 billion, 94,000-employee organization!

Anyways, the decisionmaker involved has since left the bank. We went with something from CacheFlow (now BlueCoat), something similar to this, because they were appliances, not subject to the OS limitation.

Not bad equipment, but guess what those things actually run inside? Linux and squid. LOL..

Looking at tethereal capture while using the GWA showed that it doesn't compress HTTP request headers, and no encryption is used to talk to the GWA servers. It does send the X-Forwarded-For header so no real anonymizing is done.

I'll still prefer running encrypted OpenVPN tunnel over switched Ethernet to to a router that is connected to a Squid server that uses ISP proxy as cache_peer.

Also ping RTT to GWA European servers is ~73 ms (11 hops) while to ISP proxy ~19 ms (3 hops) that could count for something too.

We use Net Squid to do that. Essentially it's a PC acting as a transparent bridge sitting in the middle of the fiber uplink from each dorm. It uses a combination of Snort, Squid , and IPTables. If a computer starts misbehaving, it'll get added to a block list for 15 minutes, which will allow access only to a web page that downloads our site-liscensed copy of Sophos Antivirus.

Speculation runs rife. I guess security through well... not very obscurity's bound to get someone chatting in the end.

The deal in the short to medium term with wikipedia is expected to be the provision of about a dozen caching servers. No actual database work would be done by google. There is already a small (3) squid cluster in Paris that does this for users in the UK and France saving on some transatlantic bandwidth.

Is it just me ?

I really think slackware linux should include some BASIC server apps like PostgreSQL, Squid, Socks5, UnrealIRCd, etc.

do you ?

Or here. I just ran the test from work. All of my http traffic goes through a transparent squid proxy. When you click on the link, all I receive is an error. Seems to me that if you go through a transparent proxy, the vulnerability does not effect you. I'm running the fully patched IE 6 on a W2K pro workstation. My IE security settings are medium, and I have java and active x enabled. I'm running squid 2.5 stable. Has anyone eles seen this, or is it just me? Kind of cool that I can use an open source product transparently to protect my users at work.

If you're worried that owners of the linked sites won't get usage statistics, the cache could be set up to count how many times it was accessed, and the statistics could be emailed to the site owner. The email would look something like this:

To: webmaster@slashdotted.site.com
From: CmdrTaco@slashdot.org
Subject: You were /.ed!
Date: Today

From the because-your-site-rocks-and-we-cached-the-damn-thi ng department:

Guess what? Your site was /.ed! But don't worry, our cache prevented millions of users from bringing your servers to their knees. Here are your usage statistics:

.
.
.
.

PS - why the _HELL_ is Slashdot having an applet in the ads? It freezes up my browser in Windows for a while. It's getting to be a pain. At the very least, provide some way of turning off Applet ads.

One word for you: squid... Never seen ads again since the installation of squid together with a nice redirector script effectively replacing all picture and applet ads with something less distractive.

You may try to filter/block with squid. Try this sites:

http://www.squid-cache.org/related-software.html

http://sites.inka.de/sites/bigred/devel/squid-filt er.html

There is a proxy called Privoxy with some advanced filtering capabilities.

Superglue + Ethernet port = No shit happens

But to be completely honest, I am a student myself, and I get completely pissed off by all the security measures at my school. Sure, it stopped/made it harder to do things such as what your trying to stop, but ultimately if you try hard enough, anythings possible. Ever heard of Mandrake Move?

At my school they disabled right clicking. It seriously impares one of my classes (digital design), which slows down the class because the teacher has to explain how to copy and paste without right click (yeah, we have got some retards in my class).

Anyway, ultimately, its your problem. You can try whatever you want, but there are so many proxies and there are many other ways to get around it anyway. One day, your students will find a way around it.

Good luck anyway, and I hope you decide to just more closely watch your students.

The only fool proof way to stop the internet is to disconnect....

Or if you have a proxy, and you want everybody who connects to it to benefit from it you can use bannerfilter. It works with squid. Alot of rules are automaticly created and you can set your own rules as well ofcourse. Works as a filter for banners as well as popups (it replaces the popup with a self-closing javascript page). I'm using it for quite some time now and haven't been able to detect any flaws.

What is to stop someone from using a proxy from the UK?

I guess you've answered your own question... sorta.

Nothing is there to stop someone from using a proxy - but there's plenty in place to keep people from using proxies. If you spend 6 hours at it, you *might* find an anonymous proxy that doesn't include headers that the great folks at the BBC could recognize to find that you are in the good old "bastion of freedom" US of A.

But is that going to happen en masse?

Definitely not.

So, what will stop SOMEBODY? Nothing. Will it stop most people?

Yep.

For example, most proxies add additional headers to indicate who they're proxying for. For example, X-forwarded-for

So, in most cases, it's not too difficult to tell that: 1) You are using a proxy, and 2) You aren't in Great Britain.

As Scott McNealy said, so eloquently: You already have zero privacy. Get over it.

I don't have any kids, but if I did, I wouldn't filter a thing. I would install squid, write a perl script to parse out the domain names and report to me a count of each domainname reached.

I would tell the child that I had records of every site they visit, and step on them if they kept "making mistakes".

Take a good hard look at the default settings, I found them to be way too locked down. You will want to tweak them. This way the users can work with Safari and you can make sure what is and isn't (likely) to show up.

The kids never seem to mind but the parents are gonna freak. "You're letting my precious on tha innernet? What are you some [insert long string of epithets] freak!" You can wave the filter at them and the parents will settle down.

Whoops, that should be squid cache faq.

Squid homepage

It might be a bit excessive, but it will get the job done.

• Abiword - Word processor, supports .doc, .rtf, GPL.
• Open Office - Whole Office suite, including a database frontend and BASIC macro language.
• Perl - Scripting language
• Python - Scripting language
• Cygwin - UNIX emulator. Can create Windows programs, reliant on a cygwin1.dll.
• MinGW - Port of some of the UNIX utilities (BASH, gcc, vi...) to Windows.
• djgpp - UNIX emulator for DOS.
• Mozilla, Firefox, Thunderbird - Web browser, e-mail client, IRC client, lots more.
• Filezilla - FTP client.
• xchat - IRC client.
• putty, pscp, psftp and others - Telnet/SSH clients.
• Gaim - Client for IRC/Yahoo/MSN/ICQ/AIM and more.
• gzip - Compression (usually better than .zip).
• tar - Extracts/Makes tar archives.
• bzip2 - Totally ace compression (usually better than gzip).
• Info-ZIP - Support for .zip. Good free substitute for Winzip.
• 7-zip - Support for multiple compression formats.
• frhed - Hex editor
• Ext2fs - Several programs for doing Ext2 under Windows.
• Antiword - Converts documents out of the proprietary .doc format.
• MySQL - RDBMS.
• Apache - Web/Proxy server
• sendmail - Mail server
• squid - Proxy server
• freeamp - Audio player
• winlame - MP3 encoder
• cd-ex - MP3/OGG encoder?
• gimp - Very detailed graphics program.
• imagemagick - Graphic manipulation. Provides the 'convert' utility under UNIX.
• freeciv - Civilisation clone.
• gnuplot - Plotting package.
• TightVNC - A fork of VNC, with enhancements.
• RealVNC - The original VNC.
• rdesktop - Access Windows Terminal Services and Remote Desktops.
• Nmap - Well known port scanner.
• John the Ripper - Password cracker. Does NT and MD5.

dont forget using a proxy server in conjunction with a redirector if you have multiple browsers and/or users and like the idea of just updating new regexps via cron.

echo -e 'GET / HTTP/1.1\nHost: slashdot.org\n' |
nc slashdot.org 80

Check out this analysis of the slashdot effect:
http://www.geology.smu.edu/~dpa-www/attention_span /
You've just described caching. Everyone caches.

Squid caches trivially.http://www.squid-cache.org/

That won't save you from being slashdotted. Look into such topics as load balancing and high availability linux.

Privoxy makes it pretty easy to boycott ads...

Now, if it was easy/cheap to set up a transparent proxy (so that your grandma could do it) then ad/commercial boycotting could be so effective that you'd have to start swiping your credit card to surf a site (pay-per-page).

Like many others, I use Privoxy along with Squid so that I cache everything that is static non-ads.

On the flip site, my wife and I have a different setup. Squid can base permissions on user login. I have a list of banned sites (no you may not have a copy). It comes from the web activities of a child molester at one of our clients (collecting evidence for the police). I add any annoying obscene crap that pops up occasionally. For instance, the last entry occured while googling for info on some history project for school and clicking a link for nero-online.org.

Supported Software: Explorer, Netscape, Kazaa, Morpheus, Freenet, Emule, Gnutella, Imesh, Shareaza, BitTorrent, Limewire, Trillian, AIM, MSN Messenger, Yahoo Messenger, IRC, WSFTP, CuteFTP, Windows Media Player and Real Player

Cheap Windows shots aside, there are many ways to get crap on your non-Windows machines. Cookies, web-bugs cross-site banners etc etc are ways to track a user. My OpenBSD boxes are secure from known hacks but I still surf with a Privoxy filter and a Squid cache at the head of my home LAN..

Security and privacy are like an onion, no need to repeat the whole analogy here.