Interesting sandbox hypothetical

[deadly7]

Let's say you have a binary that "phones home". The machine on which it resides you have SSH access to, but cannot log in via root [or sudo]. How would you sandbox it so that all outgoing network traffic from the executable gets blocked?

[iago]

on windows, I wrote a loader that would start a process suspended and modify some of the calls (send/recv/etc) to go through my code before going out. It would probably work without admin access, and the same type of thing should be possible on Linux. It's function hooking or writing a loader.

I've never done it on Linux, sadly. I mostly do this type of thing from Windows.

[nslay]

I've never seen a Unix firewall that can block based on process. Although, I'm mostly a pf user myself.

[Joe]

I can't say without more details, but is unplugging the Ethernet a possible fix? It'll stop the program from phoning home, at least.

[Blaze]

If he has to ssh in, and he doesn't have root, it's likely that he does not have physical access to the box.

[Joe]

Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?

[iago]

Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?

Sure, but it might have a large false positive rate.

[Blaze]

Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?

Sure, but it might have a large false positive rate.

Hahaha.

[Sidoh]

HOLD ON, HOLD ON. WAIT A MINUTE

did someone just get told?