COMMAND

    WebWasher

SYSTEMS AFFECTED

    WebWasher

PROBLEM

    James Nickson found the following.  WebWasher is a proxy server
    for Win/xx systems with 3 million users (users, not downloads,
    according to their web site as of 9 OCT 00).  WebWasher filters
    graphics and defeats "webbugs" and double-click commercials,
    enhancing privacy and bandwidth efficiency.  With the webbug
    publicity, WebWasher's download rate seems to be accelerating.

    The problem is that it establishes a general HTTP proxy server
    that anyone connected may use.  This may present an opportunity
    for anonymous browsing for people with nefarious purposes, and a
    possible problem for the evidentiary credibility of
    Carnivore/Omnivore/NoSuchAnimal records if the target has allowed
    proxy use by mistake or design.

    This is neither a WebWasher design problem nor an implementation
    problem; WebWasher has more than met standards by providing a
    checkbox to allow or disallow server use, and it apparently
    defaults to disallow.

    However, with an increasing number of home networks, many will
    "allow server" to let family members share a high speed line.
    Again, this is not a problem if a firewall has been correctly
    configured.  But home network firewalls are the least likely to be
    configured correctly.

    Ergo: There is likely to be a significant number of SOHO networks
    with wide open proxy servers.  There is likely to be an increase
    in probes on port 8080 and an increase in anonymous browsing.

    Does this work?  Of course it does; it is straightforward TCP/IP
    proxy use.

    Besides, James stripped his firewall off one system, call it
    system A, set WebWasher to serve, and attached it to the net.
    Then he dialed another system, B, into a different ISP, directed
    Netscape to use A's temporary IP address on port 8080 as a proxy,
    and went to Yahoo.  While he was getting Yahoo on B there was
    activity on system A's modem, and when he was not there was no
    activity.

    James did not sniff-log to force the proof, but all the signs are
    that the proxy mechanism worked just as it always does and dual
    ISP connections for anonymous surfing are quite feasible if not
    easy.  It remains an exercise for the reader to use EQL (or is
    it EQU?) to attach to several proxies simultaneously so as to
    avoid detection by multiplexed trickle bandwidth stealing.

    It would be very interesting to have samples from a DSL provider
    testing the percentage of users who were making a proxy server
    available to general use.  Perhaps a cable company or MCI could
    enlighten us on the degree of the problem by sampling their
    employees' home systems.

SOLUTION

    Just a wild guess but maybe because no matter how you slice it
    the program is still a proxy server.  With "use as a server" unset
    it's just no longer accepting connections from anything but
    localhost.
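
    Added example, not part of the original advisory and not
    WebWasher code: a Python check that reads Windows "netstat -an"
    output and reports proxy-port listeners bound to anything other
    than loopback, the state the text associates with "use as a
    server" being set.  The sample output is constructed, and watching
    port 3128 alongside the advisory's 8080 is an assumption.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output (not from the advisory).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9090         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED
  TCP    [::]:8080              [::]:0                 LISTENING
  TCP    [::1]:3128             [::]:0                 LISTENING
"""

# 8080 is the port named in the advisory; 3128 is an added assumption.
PROXY_PORTS = frozenset({8080, 3128})

# Local address and port of a listening TCP socket (optional PID from -o).
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING(?:\s+\d+)?\s*$", re.IGNORECASE)


def exposed_proxy_listeners(netstat_text, ports=PROXY_PORTS):
    """Return [(address, port)] for watched ports bound to a non-loopback
    address, i.e. listeners that other hosts can reach."""
    exposed = []
    for line in netstat_text.splitlines():
        match = LISTEN_RE.match(line)
        if not match:
            continue
        host = match.group(1).strip("[]").split("%")[0]  # drop zone id
        port = int(match.group(2))
        if port not in ports:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # not a literal address; ignore the line
        if not addr.is_loopback:
            exposed.append((str(addr), port))
    return exposed


if __name__ == "__main__":
    for address, port in exposed_proxy_listeners(SAMPLE_NETSTAT):
        print(f"proxy port {port} is listening on {address} (not loopback-only)")
```

    A listener reported here is reachable from other hosts unless a
    firewall in front of the machine blocks the port.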