How to BLOCK browser toolbars from installing?
May 17, 2012 8:52 PM Subscribe
I need a method to BLOCK browser toolbars from installing.
My dad (elderly widow, lonely, looking for love...) keeps visiting "those sites" and clicking "next" and ending up installing one of "those" toolbars that hijacks your search engine, home page, etc. I'm VERY worried about the possible security consequences of having these toolbars on his computer. I've cleaned off 2 toolbars in the past month (inbox.com, conduit.com). I need a way to BLOCK toolbars from installing on his computer!
He's using Firefox 12 on a MacBook Pro, OS 10.5.8. If necessary we can go with a different browser, but he's really comfortable with the way Firefox works so I'd like to avoid "use this obscure browser because it's security by obscurity" because that only works for so long (as we have seen with his history of using Firefox instead of IE/Safari).
I can't just block him from admin access - he needs to be able to install stuff when appropriate. I don't live near him and can't just go over and help or log in as admin when necessary. He's getting to that age where he forgets instructions, gets mad or frustrated when things don't work as they did before. So I need a way to block "bad" sites (dating sites, p**n sites) from installing these toolbars without messing up the rest of his experience using his computer.
My dad (elderly widow, lonely, looking for love...) keeps visiting "those sites" and clicking "next" and ending up installing one of "those" toolbars that hijacks your search engine, home page, etc. I'm VERY worried about the possible security consequences of having these toolbars on his computer. I've cleaned off 2 toolbars in the past month (inbox.com, conduit.com). I need a way to BLOCK toolbars from installing on his computer!
He's using Firefox 12 on a MacBook Pro, OS 10.5.8. If necessary we can go with a different browser, but he's really comfortable with the way Firefox works so I'd like to avoid "use this obscure browser because it's security by obscurity" because that only works for so long (as we have seen with his history of using Firefox instead of IE/Safari).
I can't just block him from admin access - he needs to be able to install stuff when appropriate. I don't live near him and can't just go over and help or log in as admin when necessary. He's getting to that age where he forgets instructions, gets mad or frustrated when things don't work as they did before. So I need a way to block "bad" sites (dating sites, p**n sites) from installing these toolbars without messing up the rest of his experience using his computer.
Like flabdablet, I don't see an effective way of blocking your dad from installing just toolbars. Here's another option to consider: have you thought about setting up remote access to his computer? I understand that won't do anything about your dad being able to install browser toolbars, but it would give you at least the option of logging in remotely and uninstalling something, without having to make a house visit. LogMeIn has a free membership plan, I believe.
posted by Pontius Pilate at 9:26 PM on May 17, 2012
posted by Pontius Pilate at 9:26 PM on May 17, 2012
Set up two accounts. One has administration rights, and the screen backdrop is brick red. The other has the normal blue, but doesn't have administration rights.
Then tell him how to log into both of them. Tell him to only use the red one when he needs to install something and really knows what he's installing. The rest of the time he uses the blue one, and his lack of administrator privilege keeps him from inadvertantly installing crapware.
posted by Chocolate Pickle at 9:47 PM on May 17, 2012 [4 favorites]
Then tell him how to log into both of them. Tell him to only use the red one when he needs to install something and really knows what he's installing. The rest of the time he uses the blue one, and his lack of administrator privilege keeps him from inadvertantly installing crapware.
posted by Chocolate Pickle at 9:47 PM on May 17, 2012 [4 favorites]
Deep Freeze will allow him to do anything to his computer - delete the library file, install applications, install browser plugins, etc etc. and all you have to do to fix these mistakes is turn the computer off and on again. It's magic.
posted by Brent Parker at 11:27 PM on May 17, 2012
posted by Brent Parker at 11:27 PM on May 17, 2012
Brent, Firefox toolbars are usually packaged as Firefox extensions rather than plugins, and extensions reside in the user's own Firefox profile folder which is a subfolder of the user's own home folder, not in the Firefox application folder. I doubt that Deep Freeze would touch them.
posted by flabdablet at 11:37 PM on May 17, 2012
posted by flabdablet at 11:37 PM on May 17, 2012
Sure it could, you can set any folder as frozen.
posted by Brent Parker at 11:55 PM on May 17, 2012
posted by Brent Parker at 11:55 PM on May 17, 2012
There are two files and a folder inside the Firefox profile associated with extensions: extensions.ini, extensions.sqlite and extensions.
Setting the extensions folder as frozen would help, but unless you can also set individual files as frozen then freezing extensions will cause trouble by causing mismatches between what's in it and what extensions.ini and extensions.sqlite say is supposed to be in it. Freezing the entire Firefox profile folder in order to freeze those two files would screw up history and bookmarks.
But the approach is probably sound. You could write a little bash script called approve-current-extensions and put something like this in it:
and then write a stub launcher for Firefox that did this:
Then every time Firefox was launched via that stub, its extensions would be restored to the set most recently approved using approve-current-extensions.
posted by flabdablet at 12:05 AM on May 18, 2012
Setting the extensions folder as frozen would help, but unless you can also set individual files as frozen then freezing extensions will cause trouble by causing mismatches between what's in it and what extensions.ini and extensions.sqlite say is supposed to be in it. Freezing the entire Firefox profile folder in order to freeze those two files would screw up history and bookmarks.
But the approach is probably sound. You could write a little bash script called approve-current-extensions and put something like this in it:
#!/bin/bash
cd '~/Library/Application Support/Firefox/Profiles/something'
rm -rf approved-extensions
cp -a extensions approved-extensions
cp -af extensions.ini approved-extensions.ini
cp -af extensions.sqlite approved-extensions.sqlite
and then write a stub launcher for Firefox that did this:
#!/bin/bash
cd '~/Library/Application Support/Firefox/Profiles/something'
rm -rf extensions
cp -a approved-extensions extensions
cp -af approved-extensions.ini extensions.ini
cp -af approved-extensions.sqlite extensions.sqlite
/path/to/original/firefox-executable
Then every time Firefox was launched via that stub, its extensions would be restored to the set most recently approved using approve-current-extensions.
posted by flabdablet at 12:05 AM on May 18, 2012
Sorry, those cd commands should be more like
As I originally had them, the single-quotes would prevent expansion of ~ to the actual name of the user's home folder.
posted by flabdablet at 12:07 AM on May 18, 2012
cd ~/'Library/Application Support/Firefox/Profiles/something'
As I originally had them, the single-quotes would prevent expansion of ~ to the actual name of the user's home folder.
posted by flabdablet at 12:07 AM on May 18, 2012
hmm is there a firefox addon to block toolbars? With gpedit.msc you can block toolbars from being installed on IE and with a domain machine you can download a firefox that can be controlled by group policy but locally you might be stuck with a firefox addon.
posted by majortom1981 at 6:10 AM on May 18, 2012
posted by majortom1981 at 6:10 AM on May 18, 2012
What I did for my grandmother was change the admin password to something LONG, with lots of complicated characters, which is written down on a sticky note (I know) for her... Since it's such a pain she doesn't want to have to enter it, so she really thinks whenever it prompts her for the admin password. Of course, you still have to stop him from just logging in as admin every session (maybe make the background not just red, but also put text in the wallpaper reminding him). (Also my grandmother is maybe a little more afraid of her computer breaking.)
posted by anaelith at 6:19 AM on May 18, 2012
posted by anaelith at 6:19 AM on May 18, 2012
There is an extension for this, but it might be old, and I haven't tested it :) https://addons.mozilla.org/en-US/firefox/addon/public-fox/ .
posted by gregglind at 7:31 AM on May 18, 2012
posted by gregglind at 7:31 AM on May 18, 2012
OK, so I've just been fooling around with Firefox on Linux (I don't have a Mac, but I expect the profile handling in the Mac version would be similar) and it looks like it does the right thing if you simply alter the permissions on the extension-related items inside the profile to make them read-only.
In a Terminal,
Press the Tab key where it says [TAB] above should make bash supply the name of the actual profile folder.
After doing that, Firefox will politely fail extension installations, saying that it can't write to some required files. You can make it possible to install extensions again using
posted by flabdablet at 11:34 AM on May 18, 2012
In a Terminal,
cd ~/Library/Application\ Support/Firefox/Profiles/[TAB]
chmod u-w extensions*
Press the Tab key where it says [TAB] above should make bash supply the name of the actual profile folder.
After doing that, Firefox will politely fail extension installations, saying that it can't write to some required files. You can make it possible to install extensions again using
cd ~/Library/Application\ Support/Firefox/Profiles/[TAB]
chmod u+w extensions*
posted by flabdablet at 11:34 AM on May 18, 2012
My typical last resort for the chronically infected is the installation of a hosts file.
posted by TomMelee at 6:29 PM on May 20, 2012
posted by TomMelee at 6:29 PM on May 20, 2012
Response by poster: Tom, the problem with using a hosts file is keeping it updated.
I'm looking for a one-and-done solution that blocks bad sites and tool-bar add-ons. Not something I have to keep updating. I live 1000 miles away from my dad, and can only access his computer by previously-set-up remote login sessions.
The solution can't rely on any cooperation from my dad. He's losing his ability to make good decisions about this sort of thing. He honestly believes he's accessing a legitimate dating site, not a scammer's site. The site supposedly has young foreign women who want to meet older American men. Yeah, right. He has to PAY $7 per email to read or send to these "women". He doesn't believe me when I tell him that he's not talking to real women, he's talking to scripts setup by men. There are no women there. Any real woman from another country who wanted to meet an American man would be able to use okcupid or plentyoffish or dozens of other legitimate dating sites where men can communicate with her for free! These sites are setup to separate lonely old men from their money, and they are doing it to my dad, and in the process they are ALSO infecting his computer with unwanted toolbars.
So, I need a way to block both existing problems and NEW problems. Something I have to keep updating won't work. Something that BLOCKS TOOLBAR INSTALLATIONS is needed.
posted by jcdill at 7:29 AM on May 22, 2012
I'm looking for a one-and-done solution that blocks bad sites and tool-bar add-ons. Not something I have to keep updating. I live 1000 miles away from my dad, and can only access his computer by previously-set-up remote login sessions.
The solution can't rely on any cooperation from my dad. He's losing his ability to make good decisions about this sort of thing. He honestly believes he's accessing a legitimate dating site, not a scammer's site. The site supposedly has young foreign women who want to meet older American men. Yeah, right. He has to PAY $7 per email to read or send to these "women". He doesn't believe me when I tell him that he's not talking to real women, he's talking to scripts setup by men. There are no women there. Any real woman from another country who wanted to meet an American man would be able to use okcupid or plentyoffish or dozens of other legitimate dating sites where men can communicate with her for free! These sites are setup to separate lonely old men from their money, and they are doing it to my dad, and in the process they are ALSO infecting his computer with unwanted toolbars.
So, I need a way to block both existing problems and NEW problems. Something I have to keep updating won't work. Something that BLOCKS TOOLBAR INSTALLATIONS is needed.
posted by jcdill at 7:29 AM on May 22, 2012
Ok, then peerblock with all lists engaged. It can't install if it can't see the remote server to download the software.
Or windows xp/7 Pro with serious group policies engaged.
posted by TomMelee at 10:54 AM on May 22, 2012
Or windows xp/7 Pro with serious group policies engaged.
posted by TomMelee at 10:54 AM on May 22, 2012
What about setting up a cron job that downloads a regularly updated hosts blacklist to /etc/hosts, say once per week? That should be pretty set-and-forget.
posted by flabdablet at 5:31 AM on May 23, 2012
posted by flabdablet at 5:31 AM on May 23, 2012
Response by poster: Tom, he's using a Mac, not Windows.
Flabdablet, I need a one-and-done solution. The hosts page you linked too doesn't seem to have a hosts file - it's a hosts file embedded in an html file. I don't have the ability to code something that will extract the actual hosts file content from that page and then automatically update a hosts file on a computer on a regular basis.
Further, the hosts file doesn't block the sites that added the problematic toolbars! Neither inbox.com nor conduit.com are listed in that hosts file. If I'm going to use a "hosts" solution it needs to be one that proactively blocks sites that are adding the "change your homepage and search engine" toolbars. It doesn't work to just add these sites one-by-one each time AFTER he's already been infected by their toolbars.
I can't be the only person who is dealing with this problem with an aged parent. There HAS to be a better solution.
posted by jcdill at 8:59 AM on May 26, 2012
Flabdablet, I need a one-and-done solution. The hosts page you linked too doesn't seem to have a hosts file - it's a hosts file embedded in an html file. I don't have the ability to code something that will extract the actual hosts file content from that page and then automatically update a hosts file on a computer on a regular basis.
Further, the hosts file doesn't block the sites that added the problematic toolbars! Neither inbox.com nor conduit.com are listed in that hosts file. If I'm going to use a "hosts" solution it needs to be one that proactively blocks sites that are adding the "change your homepage and search engine" toolbars. It doesn't work to just add these sites one-by-one each time AFTER he's already been infected by their toolbars.
I can't be the only person who is dealing with this problem with an aged parent. There HAS to be a better solution.
posted by jcdill at 8:59 AM on May 26, 2012
There's a link on the right hand side of that page (http://someonewhocares.org/hosts/hosts) to a pure hosts file that should work fine on the Mac. The link seems to redirect back to the HTML page when you click on it from a browser, but I've downloaded it using wget and curl and confirmed that what it delivers is straight text, not HTML.
I'm trying all this out on a Linux box because I don't have a Mac, but I believe it should all work the same way. First thing is to make a copy of the original hosts file, like this:
As for conduit.com not showing up in the list: Conduit is a toolbar creation framework rather than one specific toolbar, and it's likely that any sleazeball site offering a Conduit toolbar will be hosting a customized one on its own server. In any case, if there are hosts you think should be blocked that aren't in the someonewhocares hosts file, you can add your own entries for those at the end of /etc/hosts.orig.
posted by flabdablet at 11:03 AM on May 26, 2012
I'm trying all this out on a Linux box because I don't have a Mac, but I believe it should all work the same way. First thing is to make a copy of the original hosts file, like this:
sudo -i #supply your password when prompted, starts root shell cp /etc/hosts /etc/hosts.orig crontab -eand add a line to the crontab that reads
0 18 * * * { cat /etc/hosts.orig; curl http://someonewhocares.org/hosts/hosts; } >/etc/hosts 2>/dev/null
Make sure that this line ends with a newline (stick an extra one in if unsure). Then the machine should automatically acquire an updated hosts file every time it happens to be on at 6pm.As for conduit.com not showing up in the list: Conduit is a toolbar creation framework rather than one specific toolbar, and it's likely that any sleazeball site offering a Conduit toolbar will be hosting a customized one on its own server. In any case, if there are hosts you think should be blocked that aren't in the someonewhocares hosts file, you can add your own entries for those at the end of /etc/hosts.orig.
posted by flabdablet at 11:03 AM on May 26, 2012
Also: for remote controlling his Mac, isn't there some easy way to use iCloud for that? You might need to use your existing remote control process to turn on the required settings, but after that you should be able to click in on him any time you like.
posted by flabdablet at 11:09 AM on May 26, 2012
posted by flabdablet at 11:09 AM on May 26, 2012
Also also: does he need to install Firefox extensions of any sort? Because the simple permissions setting I described earlier will remove his ability to do that, and as far as I know, all Firefox toolbars are Firefox extensions.
posted by flabdablet at 11:15 AM on May 26, 2012
posted by flabdablet at 11:15 AM on May 26, 2012
This thread is closed to new comments.
posted by flabdablet at 8:58 PM on May 17, 2012