Stopping ChatZilla Installs on FireFox Systems?
TonalSpeller asks: "I'm in charge of a language learning computer lab in an Asian university. We have Windows XP on all machines, but I convinced my superior that I needed to hide Internet Explorer on all student machines (can't remove it entirely because some proprietary software might need access to it). I'm counting on security through obscurity -- I know that a minority of savvy people can still access IE via the command line. I am running the latest version of Opera and Firefox 1.0 PR on all machines, but now I am faced with a dilemma -- extending Firefox is so easy that sooner or later, someone will try to install Chatzilla. Is there any easy way to block Javascript while keeping Firefox's superb usability? I will be running TrustNoExe, but that won't catch Mozilla extensions. Any ideas or suggestions?"
"I have also removed all chat clients, games and Outlook Express so that people can concentrate on language learning (I don't want people using all this expensive hardware to goof off). I work hard to create interesting lessons, but I won't get a chance to teach anything if students are immersed in irrelevant conversations."
How about a software firewall like ZoneAlarm that would block ChatZilla from accessing the Internet?
You should try to build / get someone to build you a version without the Tools - Extensions menu item.
Why not firewall the chat services, if that is seen as a problem?
Second option, make whatever directories firefox installs extensions into non-writable.
Third option, refresh that directory from a fresh copy each time firefox is installed (don't all extensions require a restart?)
Why not ask here, or here??
...if you don't want them to use it?
why not just firewall the classroom to hell and back, do they _need_ to get on the internet?
and why not set it up so that they can only run the apps they need and nothing else?
world was created 5 seconds before this post as it is.
Haven't tried this myself, but couldn't you just setup file permissions so the user accounts don't have permission to write to the config file and change the settings?
A regular user account will not have write permissions to the "Program Files" directory by default. Assuming extensions are written to "Program Files\Mozilla FireFox\blah" I don't see how anyone other than a power user or administrator could install an extension.
Note: I could be talking out my ass if Firefox stores extensions in the user profile directory on Windows.
Do you really need to stop ChatZilla physically?
Think of it this way, how do you handle passing of notes in class? By disallowing paper and pens to enter the room? Didn't think so.
I would think that your life might be easier if you weren't so worried about unnecessarily micromanaging every little detail about these workstations.
Another reason to consider this option: If you've got hackers in there, they are more likely to try to hack something that's been locked down, than something that is installed as expected.
No Comment.
How about turning off the ability to install XPIs? Or some of the many other ways to lockdown your browser. You searched first, right? Did you try the forums? Or IRC? Or Google?
You could try adding the address of the plugin download to your hosts file so they literally can't download it. Of course they could still bring it in on cd or something, but most people won't think of that, and you're counting on security through obscurity anyways. By the way, why are you blocking chatzilla?
This goes beyond what you're asking for, but certainly will do the trick. Every time the computer is rebooted, it's set to a known configuration with everything that was done previously erased. This option is more powerful than stopping installation of ChatZilla as it prevents installation of any non-approved software after a reboot. Note that I have never used it personally, just have read a lot of good reviews about it.
Deep Freeze home page
If you can't control the software installations, set your firewall to block destination ports of 6660-6669 so no irc clients can connect from those systems. You should do that anyway. :)
Won't setting xpinstall.enabled to false do the trick? (Type about:config in the url-box-location-bar-whatever-it's-called.) Then lock down the configuration.
"Whatever happened to fair use?"
-- Duff-Man
"I know that a minority of savvy people can still access IE via the command line"
Why are you leaving the command line open as an option to them? Why not kill that [cmd, run] from being accessed as well?
"why don't you just slip into something more comfortable...like a coma!"
If you know how permissions work, you can lock down any resource.
Walkthrough:
These are general guidelines only. Keep in mind that you will probably have to change some settings to get everything to work properly -- such as making some of the resources readable by normal user accounts.
When done, clean up; make sure to remove the local test user account files and Firefox after you have something that works. Chances are, the test systems will have some crud left behind that you think isn't important -- but may prompt another support call.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
Firefox supports a whitelist of sites that you can xpinstall from. This was added in the Preview Release, I believe. If you look in the release notes of that version, there should be more information on the whitelist and how to change its contents. Emptying the whitelist will effectively disable installing extensions.
Good idea! Might be a way to do that in the about:config, though to be honest I haven't looked there.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I think that is pretty easy, I worked through the XUL tutorial on the xulplanet site, and they show you how to manipulate the XML files that are used to generate the menus. So no rebuilding/compiling is necessary, just h4x0r some text files to remove the install entry from the tools menu. http://www.xulplanet.com/tutorials/xulapp/ Although that doesn't take care of the click-to-install tool. But I am sure you can disable that in some config file
Block outgoing connections to ports 6667-7000. This will stop all but the most net-savvy IRC'ers who have BNCs or something.
You don't need a special build. Unzip the browser.jar file. Edit browser.xul. Comment out the lines that apply to "Tools:Extensions". Rezip the files back into browser.jar. Done. I don't think this will actually stop people from installing extensions though... I could be wrong.
You could probably just disable "xpinstall.enabled" or use the whitelist feature, and not allow users to edit it. This allows you to mirror certain extensions that you may actually want to make available while not allowing Chatzilla.
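An added example, not part of any comment in this thread: a Python audit of the `xpinstall.enabled` suggestion made above, reporting per machine whether the preference is off and whether it is locked or only set in a profile the user can edit. It assumes a plain-text autoconfig file using `lockPref` lines and a Firefox default of `true` for the preference; the host names and file contents are constructed for illustration.

```python
import re

# Pref calls as written in prefs.js/user.js (user_pref) and autoconfig (lockPref).
PREF_CALL = re.compile(
    r'^\s*(user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE)

def parse_prefs(text):
    """Return [(call, name, value)], ignoring commented-out lines."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.DOTALL)         # block comments
    text = re.sub(r'^\s*(//|#).*$', '', text, flags=re.MULTILINE)  # line comments
    prefs = []
    for call, name, raw in PREF_CALL.findall(text):
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw.strip('"')
        else:
            value = int(raw) if raw.lstrip("-").isdigit() else raw
        prefs.append((call, name, value))
    return prefs

def effective(name, cfg_text, prefs_text, default):
    """Return (value, locked): lockPref beats user_pref, which beats the default."""
    for source, call, locked in ((cfg_text, "lockPref", True),
                                 (prefs_text, "user_pref", False)):
        hits = [v for c, n, v in parse_prefs(source) if c == call and n == name]
        if hits:
            return hits[-1], locked  # the last assignment in a file wins
    return default, False

def audit(machines, name="xpinstall.enabled", wanted=False, default=True):
    """machines: {host: (autoconfig text, prefs.js text)} -> {host: finding}."""
    findings = {}
    for host, (cfg_text, prefs_text) in machines.items():
        value, locked = effective(name, cfg_text, prefs_text, default)
        ok = "locked" if locked else "user-editable"
        findings[host] = ok if value == wanted else "FAIL"
    return findings

# Constructed sample data: hypothetical lab hosts, not taken from the thread.
LOCKED_CFG = ('// autoconfig file (by convention the first line is a comment)\n'
              'lockPref("xpinstall.enabled", false);\n')
SAMPLE = {
    "lab-01": (LOCKED_CFG, 'user_pref("xpinstall.enabled", true);\n'),
    "lab-02": ("", '# Mozilla User Preferences\nuser_pref("xpinstall.enabled", false);\n'),
    "lab-03": ('//\n// lockPref("xpinstall.enabled", false);\n', ""),
}

if __name__ == "__main__":
    for host, finding in sorted(audit(SAMPLE).items()):
        print(host, finding)
```

A "user-editable" finding means the setting is off today but a student can flip it back in about:config; only a "locked" finding survives that.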
Why is it useless? Well, because regardless of whether people can install ChatZilla or not (BTW, I don't think there are that many people that know about Mozilla XPIs), they'll most probably settle for an easier solution: use a Web gateway to IRC or some other messaging system. Faster and easier. Of course, you can block that, too. IIRC, most of those gateways will use Java so you can just remove the Java plug-in (if you don't use it for something else), firewall everything, and just to be sure, use a transparent proxy with some filter like SquidGuard on it...
As for my opinion, since we're talking about a university setting (hence adult people), I suggest that those guys are mature enough to know not to chat during important lessons. And if they do, well, they'll fail their exams, and that's their problem. They're adults, remember? No need to go out of your way "protecting" them from themselves. IMHO, of course.
Xenu brings order!
...it's not worth worrying about.
How many people out there actually use IRC? Not many. (Compared to AIM, for instance.)
How many of those people are extremely computer literate? Most of them.
How many of them will be able to get around your security if they really want to? Most of them.
How many of them can use a web/java based irc client without even needing to get chatzilla? All of them.
How many of them will be unable to use IRC at all when you block it from the firewall? All of them. (OK, not all. There are still ways around it.)
Don't waste your time by going out of your way to block access to IRC. The people who want to chat on IRC during class will find a way, either by Chatzilla, a java client, or a php/perl html client somewhere. These people aren't children, they're adults. If they want to sit on IRC during class, that's their loss. They're paying for the classes.
This is basically the stance my college takes on computer usage. You can do almost anything you want on the college computers (providing you don't screw 'em up), because if you don't pay attention during class it's your loss.
everyday is another shooter.
What's to stop people from just going to web based chat interfaces? AIM Express etc.
Maybe your best bet is to block site access to chat servers.
Opera's got a kiosk mode that effectively locks-down access to various components. The design for this is built right into the software: it's not some kludge. I think if you were to do a little bit of RTFM, you'd probably find it has what you need moreso than FireFox.
--
Don't like it? Respond with words, not karma.
Use it to set 'xpi.install' = false and force that on everyone.
More info here. In fact, that whole thread may be useful to you.
Would making the Mozilla program folder read-only work?
You want to people to concentrate on your language lessons instead of using language to communicate with each other?
How ironic.
How about you install ChatZilla for them and require they only use whatever language they are supposed to be learning.
Of course, I'm assuming by language you mean a spoken language - you didn't say.
i don't mean to troll but your post left me confused.
you want to hide IE to only the few people too dumb to type iexplore in the start > run dialog...
but you are worried about blocking a potential install of a specific obscure chat program?
so you have 2 unexplained goals, with totally different solutions (easy vs. so hard you need /. advice). i am confused
6667 isn't enough. Freenode, for instance, lets stuff through on port 7000. On the other hand, the 6660 series will certainly discourage casual chatters.
The World Wide Web is dying. Soon, we shall have only the Internet.
There is (almost) always a way around something and if you have a very skilled user then you are in for some trouble, so why not take a different approach entirely. Observe the users. Set up some kind of real time remote access/observe utility and use that to watch what the students are doing and when someone is off task you simply put them on task (I trust you can find a proper way to do this). If real time monitoring is not an option then you could also save screen shots at regular intervals and review them later. Another option would be some kind of logging system. e.g. log every file accessed by the user and the accessing process, then you can simply set up short script to parse those logs for unwanted activity and email you w/ the user account date and time of the activity. Finally, depending of money available for such a project, you could set up another monitor on the desk of the teacher that would show the screen of each user for n seconds each then cycle to the next one. This could be implemented over the network or if you are feeling ambitious or don't want a software component for people to mess with then you could do it physically by splitting the video output from each computer and sending it to a KVM-like device that would scroll through computers automatically and if you want even more control you could also switch a mouse and keyboard too, use a USB KVM or hook the local mouse and keyboard up with USB and use a PS/2 KVM, or use USB for both. My school uses a system involving Divace by Tandberg (http://www.tandberg-us.com/) to do something similar in our language lab. Hope that helps!
Look at the bottom of the list. The XPI Install item should do the trick.
You can install extensions just by clicking an in-browser link. Firefox will open up an install dialog for you.
Does anyone know of any tools that allow administration of Firefox via the Active Directory (ideally, using GPOs) ? Having to configure each user profile manually for things like proxy server settings is a PITA. Even getting the damn thing to use the registry (so a given configuration followed the user around) would be tolerable.
Firefox has an option in the "Web Features" panel to allow/disallow web sites to install software. Uncheck it and remove the Options menu item, and clicking a link to install an XPI extension won't do a thing.
live(free) || die;
Under Windows by default the profiles are stored in C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\.FOO\extensions\ (where FOO is 3 random characters). Just set the entire FireFox profile directory to be archived/read-only, and extensions, cache, bookmarks, history, etc will all be unmodifiable.
Preferential contains documentation of most of the Mozilla and FF preferences, but it's almost a year out of date. And you'd of course want to block about:config, which I have no idea how to do.
You might also want to check out this FF build, which is designed for use on a USB drive. It includes an extension that allows you to install XPIs on the drive, but that could be removed. It nixes cookies, bookmarks etc in much the same way.
I work hard to create interesting lessons, but I won't get a chance to teach anything if students are immersed in irrelevant conversation
:)
Uh, irrelevant conversation? Isn't that one of the main ways of learning a foreign language?
Perhaps you should institute a ban (as our teachers did, way back when I was learning French) on English in the class room, rather than a ban on chat apps. That way, some smart kid will work out they can chat in whatever language you're learning, and actually be practicing their new language skills at the same time
Disconnect your lab from the Internet while lecturing.
I would do what I'm doing now at work, SSH'ing home, and proxying VNC/mozilla/irc/games through the SSH tunnel. Unless you lock down any external device reading, and downloading so I can't get to any ssh client or vnc client. Or I could just take the easy route and boot to knoppix if your network uses an open dhcp server.
If all else fails I could use my laptop to connect via ppp to the internet via my Treo600 phone, thus flipping your lab the bird because it's likely so useless after all that locking down that the computers are only good for night lights.
I've encountered bullshit like this in college, and it is nothing but a hindrance to me getting my work done. If I need a C++ compiler, better editor, schoolwork from home, or to get on IRC to ask a question from a likely more informed audience than in-class then I will, and you won't stop me. Really why would you want to stop me? If I wasn't getting the job done or I was disrupting your class then just grow a pair and kick me out of the class rather than punish the students who are paying for a resource.
The best classes never offered time for me to goof off because they challenged me enough that I was excited to be learning what was in the room rather than messing with stuff outside of it.
Sorry if this post was too flamish, but I think if you were serious about students not doing that sort of stuff you would just put the rules in your syllabus, and install vncserver on each of the windows boxes and tell the students you would be monitoring their desktops with it for unauthorized surfing/use.
gizmo-cellphone-gadget-doeverything-things the size of your index finger
which are very capable of surpassing the need for chatzilla.
Superglue + Ethernet port = No shit happens
But to be completely honest, I am a student myself, and I get completely pissed off by all the security measures at my school. Sure, it stopped/made it harder to do things such as what you're trying to stop, but ultimately if you try hard enough, anything's possible. Ever heard of Mandrake Move?
At my school they disabled right clicking. It seriously impairs one of my classes (digital design), which slows down the class because the teacher has to explain how to copy and paste without right click (yeah, we have got some retards in my class).
Anyway, ultimately, it's your problem. You can try whatever you want, but there are so many proxies and there are many other ways to get around it anyway. One day, your students will find a way around it.
Good luck anyway, and I hope you decide to just more closely watch your students.
The only fool proof way to stop the internet is to disconnect....
Probably by write-protecting chrome/installed-chrome.txt and chrome/chrome.rdf nobody will be able to install extensions. Although the files are downloaded and probably installed, the extensions will not get registered and therefore are not accessible from within moz/FF.
There is one problem: the user might choose to install an extension into his/her personal (home) chrome directory, which will not be protected.
what about places policies computer users... setting them as users, so they won't be able to install software or anything fancy like that... another way would be thru a domain...