RE: [Full-disclosure] blocking Google Desktop

["Charles Heselton" <charles.heselton@xxxxxxxxx>]

> -----Original Message-----
> From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
> [mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf 
> Of Michael Holstein
> Sent: Friday, February 10, 2006 11:37 AM
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Re: [Full-disclosure] blocking Google Desktop
> 
> > I would also venture to say that they should be publicizing
> > information for corporations to be able to block this wholesale
> > (google desktop and gmail chat), since we all know there 
> are financial
> > institutions where people work, and think nothing of saving customer
> > data onto laptops.
> 
> Agreed. I'm actually working on testing it now, to figure out how to 
> write snort sigs to (detect) and/or (block) it -- assuming I 
> can't just 
> blackhole *desktop.google.com on DNS.

This may work.  However it's easily subverted.  I would imagine that it
would become a chore to maintain the block-list.

> 
> I might just block their ads as well (/pagead/iclk? in URLs) out of 
> spite for them doing this stupid trick with their desktop product.
> 
> FWIW, we're sending out notices that this is NOT to be 
> installed on any 
> University-owned PC, violators get their machine re-imaged.
> 
> Cheers,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University

Based on some very basic analysis, it looks like the Google Desktop Search
(GDS) uses a custom User-Agent string.  This can be detected in proxy and/or
IDS logs/signatures.  The string is:

User-Agent: Mozilla/4.0 (compatible; Google Desktop)

This should make it trivial to track systems with it installed.

--
- Charlie
 
5A27 58D2 C791 8769 D4A4  F316 7BF8 D1F6 4829 EDCF
 
 In memoriam:  http://www.militarycity.com/valor/1029976.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/