[browsershots-factories] A few ideas
Paulius Gedrikas
pauliusg at gmail.com
Sun Dec 23 05:33:22 CET 2007
Hey everyone,
This is the first time that I'm emailing a mailing list, and I really
hope that I don't get on anyone's nerves. I've thought of a few
important suggestions that could improve the BrowserShots experience
for all of us. I'll try making the most of this email, so here it
goes:
First and foremost, I think that a ban against screenshotting popular
and/or pointless sites should be considered. I've seen MANY (at least
more than a few a day) times where sites such as google.com,
myspace.com, apple.com and microsoft.com are being submitted to the
factories. This is taking valuable factory time away from legit sites.
I can surely understand someone wanting to screenshot their MySpace
profile to make sure that it looks okay on all browsers. However,
wanting to screenshot the frontpage of a site such as google.com is
just pointless and is obviously a user just testing the system and
wanting to see if it really works.
I put forth the proposition to implement a system to ban popular sites
that are taking up valuable factory crunching time. If a user enters a
link to one of these sites, he should be taken to a page saying "Yes,
don't worry... Browsershots works" showing a few screenshot examples
and a nice paragraph of text asking the user not to submit false or
"just testing" requests. If Johan likes this idea, we should also get a
thread going for which sites should be banned.
Secondly, I as a factory owner, would really like the ability to
remove (and not just disable) browsers and/or factories. I have about
4 factories under my account (and only one active) because I wasn't
happy with the names that I came up with at first. The same should go for the
browsers for a certain factory. New versions are always released, and
it would look more esthetically pleasing if I wouldn't have to see a
page full of grayed out browsers.
Thirdly, I propose some sort of detection algorithm against rooting or
malicious activity. Just today, my VM running Windows XP was rooted
with a trojan backdoor. I was running BrowserShots as a non-privileged
user, but it seems that some site using an IE exploit got through. The
good news is that it's a VM, and with the VM features such as
snapshots, it's easy to restore a machine back. I would recommend an
option in the BrowserShots factory to be able to detect that something
went wrong and to shut down the machine. How could malicious activity
be detected? Three things usually happen:
1) A process is spawned which has nothing to do with the web browser.
BrowserShots could scan the process list between each screenshot take
and make sure that no other processes have spawned. It should have a
learning period where it would report which processes are being
spawned to the factory owner. This way, normal processes such as an
Anti-Virus scanner or just some tray tool wouldn't trigger an alarm.
However, if malware.exe would be spawned, it would know right away
that something has gone wrong.
2) A process starts taking the maximum number of CPU cycles.
Most trojans or spyware use the machine to send out spam email or send
out DOS attacks. Both of these activities drive up the CPU usage. In
most cases, when a machine is compromised, it will have a process
running at maximum CPU. BrowserShots could scan the CPU usage of all
processes and detect a problem if a certain process has been using
more than 90% of CPU for more than 10 minutes (or so).
3) A rogue file appears on the desktop.
The desktop, being the default download folder, is a great dumping
ground for malware downloads. In my case, I found an executable file
on my desktop named file.exe. BrowserShots could scan the Desktop and
see if anything new appeared between screenshot takes.
The whole goal of this feature would be to isolate the damage. I run
my factory inside a virtual machine on a server which is in a
datacenter. This means that any piece of spyware that got in would
have about 1gbps of bandwidth to use at its leisure to send spam or
attack, and I'd be responsible for the damages caused by it. If
anything at all would be fishy, I'd love my VM to shut down and be
investigated by me whenever I have time.
That's all for now. I would really hope that feature one would be
implemented. Two and three are not extremely important, but would be
great additions. I've sent this out to the whole mailing list to see
if there are any other not so hard to implement ideas that could help
out everyone.
Any thoughts?
Cheers,
Paulius
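
The three checks proposed in the message above, as an added sketch that is not part of the original post or of the Browsershots factory code. It works on snapshots taken between screenshots; the `Snapshot` and `FactoryMonitor` names, the snapshot format and the sample values (other than `malware.exe` and `file.exe`, which the post mentions) are constructed for illustration.

```python
from dataclasses import dataclass, field

CPU_LIMIT = 90.0   # percent; threshold suggested in the post
CPU_WINDOW = 600   # seconds; the post's "10 minutes (or so)"

@dataclass
class Snapshot:
    time: int       # seconds since the factory started
    procs: dict     # process name -> CPU percent
    desktop: set    # file names on the desktop

@dataclass
class FactoryMonitor:
    known_procs: set = field(default_factory=set)
    known_files: set = field(default_factory=set)
    hot_since: dict = field(default_factory=dict)  # name -> first time over CPU_LIMIT

    def learn(self, snap):
        """Learning period: record what is normal, return what was new for owner review."""
        new = (set(snap.procs) - self.known_procs) | (snap.desktop - self.known_files)
        self.known_procs |= set(snap.procs)
        self.known_files |= snap.desktop
        return sorted(new)

    def check(self, snap):
        """Enforcement: return alerts; any alert is a reason to shut the VM down."""
        alerts = [f"new process: {n}" for n in sorted(set(snap.procs) - self.known_procs)]
        alerts += [f"new desktop file: {n}" for n in sorted(snap.desktop - self.known_files)]
        # Drop CPU timers for processes that exited or fell back under the limit.
        self.hot_since = {n: t for n, t in self.hot_since.items()
                          if snap.procs.get(n, 0.0) > CPU_LIMIT}
        for name, cpu in sorted(snap.procs.items()):
            if cpu > CPU_LIMIT:
                start = self.hot_since.setdefault(name, snap.time)
                if snap.time - start > CPU_WINDOW:
                    alerts.append(f"sustained CPU: {name}")
        return alerts

def run_sample():
    """Constructed snapshots: a learning pass, a clean pass, then a compromise."""
    mon = FactoryMonitor()
    mon.learn(Snapshot(0, {"iexplore.exe": 40.0, "avscan.exe": 5.0}, {"shotfactory.lnk"}))
    results = [mon.check(Snapshot(300, {"iexplore.exe": 95.0, "avscan.exe": 2.0}, {"shotfactory.lnk"}))]
    results.append(mon.check(Snapshot(600, {"iexplore.exe": 97.0, "malware.exe": 10.0},
                                      {"shotfactory.lnk", "file.exe"})))
    results.append(mon.check(Snapshot(1000, {"iexplore.exe": 99.0}, {"shotfactory.lnk"})))
    return results
```

In a real factory the snapshots would come from the operating system's process list and a directory listing of the desktop, and a non-empty result from `check` would trigger the shutdown.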