Recurrent question

Leythos
Guest
Posted: Tue Dec 13, 2005 5:21 pm    Post subject: Re: Recurrent question

In article <pan.2005.12.13.14.56.36.512710@shconnect.de>,
wolfgang@shconnect.de says...
Quote:
Leythos wrote:

Funny, I've seen a PFW stop a virus with its own SMTP engine as the
virus was not permitted outbound access.

The particular malware was not sufficiently evil enough.

Guess that proves you wrong again.

No.

I would not call a virus with its own SMTP engine harmless.

The particular malware was not evil enough to try to attack or circumvent
the PFW. Some malware does this (sometimes successfully, sometimes not),
some does not, Bugbear was quite successful in attacking or shutting down
Personal Firewalls.

Then we agree - it's a "Maybe" type situation. Some PFW software DOES
work against most everything, some doesn't, and some depends strongly on
the user to know what they are doing when they set it up and create
rules.

I've not seen a properly configured PFW solution, on a properly
configured machine, with a user that has been explained the rules, be
compromised inbound or outbound yet - but I can sure say that I've seen
many a Windows XP Firewall user compromised, as well as many people that
don't run PFW products.

--

spam999free@rrohio.com
remove 999 in order to email me

E.
Guest
Posted: Wed Dec 14, 2005 1:05 am    Post subject: Re: Recurrent question

Wolfgang Kueter wrote:
Quote:
E. wrote:


Ansgar -59cobalt- Wiechers wrote:


/me detects: Quaestor is in dire need of dried frog pills.


Catching the dried frog is the hard part.


Nope, getting the formula for the frog pills from nurse Johanna is.

Wolfgang

I guess we read different authors. My quote was a direct pilferage of
Terry Pratchett.
Cheers,
E.

Somebody.
Guest
Posted: Wed Dec 14, 2005 1:30 am    Post subject: Re: Recurrent question

"Leythos" <void@nowhere.lan> wrote in message
news:mfAnf.187164$tD4.34505@tornado.ohiordc.rr.com...
Quote:
In article <439ece1e@news.uni-ulm.de>, bumens@dingens.org says...
Kerodo <loopback@localhost.com> wrote:
Let's be *practical* though. I would say that in 95% of the cases, the
personal firewall would prevent the outbound attempt. Well, might be
99%, I don't know.

In 100% of the cases, where an outbound connection is harmless, the
"Personal Firewall" will prevent it, because it can control applications,
which don't prevent being controlled.

In exact 0% of the cases, where data is being transmitted by a dangerous
malware, whose programmer does want to do harmful things, and the
programmer is not an idiot and knows, that there are "Personal Firewalls"
in the wild now, the "Personal Firewall" can prevent this communication.

Funny, I've seen a PFW stop a virus with its own SMTP engine as the
virus was not permitted outbound access. Guess that proves you wrong
again. I would not call a virus with its own SMTP engine harmless.

There are some cases left in between, where the programmers are dumb (and
therefore mostly harmless) or where the malware is from times, when no
"Personal Firewalls" were known.

I believe your example falls into the "programmers are dumb" category. Or,
more likely, just lazy. They know that they will still get by most
firewalls, because the users have already configured them to let smtp
through so that they can send/receive mail. The ones that didn't, they just
don't care.

Just because you can find an example where the PFW works, doesn't mean there
are lots of times when it won't. Counting on the PFW because it works
sometimes, leaves you in a very precarious position.

-Russ.

Leythos
Guest
Posted: Wed Dec 14, 2005 1:38 am    Post subject: Re: Recurrent question

In article <RjFnf.4999$43.650@nnrp.ca.mci.com!nnrp1.uunet.ca>, somebody.
@spamout.russdoucet.com says...
Quote:
Just because you can find an example where the PFW works, doesn't mean there
are lots of times when it won't. Counting on the PFW because it works
sometimes, leaves you in a very precarious position.

There are many examples in both cases, got through, didn't get through.
I disagree with the blanket statement that PFW do not stop outbound. If
the statement had been conditioned with Some Outbound, or with
improperly configured system, etc... then I would not have taken
exception with it.

I personally never trust a single source solution, and never trust a
Microsoft solution for security.

--

spam999free@rrohio.com
remove 999 in order to email me

Kerodo
Guest
Posted: Wed Dec 14, 2005 1:52 am    Post subject: Re: Recurrent question

Leythos wrote:
Quote:


There are many examples in both cases, got through, didn't get through.
I disagree with the blanket statement that PFW do not stop outbound. If
the statement had been conditioned with Some Outbound, or with
improperly configured system, etc... then I would not have taken
exception with it.

This is how I feel also. The stance that Volker and friends take is one
that is much too black and white. They are saying that since 1 evil
malware can get thru a personal firewall, then we should dump ALL
personal firewalls and that they are completely useless. This is
obviously silly and not true. Not to mention irresponsible.

--
Kerodo

Volker Birk
Guest
Posted: Wed Dec 14, 2005 3:24 am    Post subject: Re: Recurrent question

Kerodo <loopback@localhost.com> wrote:
Quote:
The stance that Volker and friends take is one
that is much too black and white. They are saying that since 1 evil
malware can get thru a personal firewall, then we should dump ALL
personal firewalls and that they are completely useless. This is
obviously silly and not true. Not to mention irresponsible.

Silly and irresponsible is to tell the opposite.

I heard for months and years on d.c.s.* (the German sister groups of this
news-group), that "Personal Firewalls" are preventing from "outbound
connections" and "phoning home".

Of course, I told people, that this cannot be true. It cannot be true
because of the existence of tunnelling as a concept. It cannot be true
because of the architecture of Windows. Choose one of the both.

I never saw a "Personal Firewall" in action before. But this was obvious,
it is obvious for every person, who is understanding security concepts in
networking and/ or is knowing how Windows works.

And I heard: "if you never saw a Personal Firewall, you just don't have a
clue of this topic - there is no proof that they're useless!!!1!!!111"

So I took a few minutes of my time and hacked http://breakout.c
This code just ignores any "Personal Firewall".

I publicized it. And: exactly _NONE_ of the "Personal Firewalls" in the
market at this point of time managed to prevent this communication.

I _never_ _saw_ a "Personal Firewall" in action before, I didn't own one
or had one for writing this code or even for testing it, and it takes me
a _few_ _minutes_ to take _every_ "Personal Firewall" for a ride with 27
lines of code?!

WTF you're thinking, a security system has to achieve?
WTF you're thinking, _is_ a security system?

Perhaps you should think about it.

Yours,
VB.
--
"I am a free person and will now make use of my civil liberties -
and extensively so - of course only within the limits that
Otto Schily still leaves me."
Wolfgang Clement on 10.10.05, as still-acting super-minister

Leythos
Guest
Posted: Wed Dec 14, 2005 3:30 am    Post subject: Re: Recurrent question

In article <439f3c27@news.uni-ulm.de>, bumens@dingens.org says...
Quote:
So I took a few minutes of my time and hacked http://breakout.c
This code just ignores any "Personal Firewall".

Your breakout application is something that makes use of an OPEN
Internet Explorer handle (the last time I looked) and is not a proof of
concept for anything serious. As a matter of fact, it didn't work on my
Windows XP system with the firewalls disabled even.

--

spam999free@rrohio.com
remove 999 in order to email me

Volker Birk
Guest
Posted: Wed Dec 14, 2005 3:32 am    Post subject: Re: Recurrent question

Kerodo <loopback@localhost.com> wrote:
Quote:
The stance that Volker and friends take is one
that is much too black and white. They are saying that since 1 evil
malware can get thru a personal firewall, then we should dump ALL
personal firewalls and that they are completely useless. This is
obviously silly and not true. Not to mention irresponsible.

Silly and irresponsible is to tell the opposite.

I heard for months and years on d.c.s.* (the German sister groups of this
news-group), that "Personal Firewalls" are preventing from "outbound
connections" and "phoning home".

Of course, I told people, that this cannot be true. It cannot be true
because of the existence of tunnelling as a concept. It cannot be true
because of the architecture of Windows. Choose one of the both.

I never saw a "Personal Firewall" in action before. But this was obvious,
it is obvious for every person, who is understanding security concepts in
networking and/ or is knowing how Windows works.

And I heard: "if you never saw a Personal Firewall, you just don't have a
clue of this topic - there is no proof that they're useless!!!1!!!111"

So I took a few minutes of my time and hacked
http://www.dingens.org/breakout.c

This code just ignores any "Personal Firewall".

I publicized it. And: exactly _NONE_ of the "Personal Firewalls" in the
market at this point of time managed to prevent this communication.

I _never_ _saw_ a "Personal Firewall" in action before, I didn't own one
or had one for writing this code or even for testing it, and it takes me
a _few_ _minutes_ to take _every_ "Personal Firewall" for a ride with 27
lines of code?!

WTF you're thinking, a security system has to achieve?
WTF you're thinking, _is_ a security system?

Perhaps you should think about it.

Yours,
VB.
--
"I am a free person and will now make use of my civil liberties -
and extensively so - of course only within the limits that
Otto Schily still leaves me."
Wolfgang Clement on 10.10.05, as still-acting super-minister

Somebody.
Guest
Posted: Wed Dec 14, 2005 5:21 pm    Post subject: Re: Recurrent question

"Leythos" <void@nowhere.lan> wrote in message
news:QqFnf.187221$tD4.46854@tornado.ohiordc.rr.com...
Quote:
In article <RjFnf.4999$43.650@nnrp.ca.mci.com!nnrp1.uunet.ca>, somebody.
@spamout.russdoucet.com says...
Just because you can find an example where the PFW works, doesn't mean
there
are lots of times when it won't. Counting on the PFW because it works
sometimes, leaves you in a very precarious position.

There are many examples in both cases, got through, didn't get through.
I disagree with the blanket statement that PFW do not stop outbound. If
the statement had been conditioned with Some Outbound, or with
improperly configured system, etc... then I would not have taken
exception with it.

I personally never trust a single source solution, and never trust a
Microsoft solution for security.

The thing is, every time you use a PFW product, you *are* in fact trusting a
Microsoft solution for security. Such products can do *nothing* without
riding on top of Microsoft code. Break the MS code (easy, frequent), and
you have broken the PFW. You should really look at running linux instead if
this is how you feel.

PFW's can stop *some* outbound activity in my opinion. So, even granting
that's true, you simply must understand that when you're using them, you can
*easily* be victimized by code that does unauthorized outbound connections,
even if it does stop some of them.

Simply locking your car doors in Harlem, might keep some of the thieves out
if you leave your car there for a week. It really might. It stopped a guy
from opening my car doors last week in a parking lot.

-Russ.

Ric
Guest
Posted: Thu Dec 15, 2005 6:34 am    Post subject: Re: Recurrent question

On 11 Dec 2005 09:55:03 +0100, Volker Birk <bumens@dingens.org> wrote:

Quote:
Sla#s <phil@knotslatts.fsworld.co.uk> wrote:
Just use the Windows-Firewall, and that's it.
Windows Firewall only blocks incoming, it does not block outgoing.

Yes, and it's completely useless to try to block "outgoing", as you
can read here in my postings, together with the reasons for this and
some proofs.

Yours,
VB.

By this reasoning an anti-virus program would be completely useless
because it can't stop all viral infections.

I can see your point though. There is a lot of code out there for
defeating personal firewalls. But I think people use them for what
they can do rather than what they can't do, because most of the time
they do the job in hand. They are useful on laptops for example.

I think one of the best uses for a rules based personal firewall is to
interactively teach users what is happening on their computers, and
tell them when it is happening. If you delete all the default rules
and start from scratch, you soon build up a picture of the ports in
use on your system, and the processes that use them. I know this
information can be gathered in other ways, but personal firewalls
bring it all together and allow detailed logging.

Personal firewalls are popular. I think people will continue to use
them no matter how insecure they are, or how many insecurities they
add to the system, purely because they like them. Kerio 2.1.5 is a
good example of that. It's easily bypassed using fragrouter, but some
people don't seem to mind because it's unlikely to happen to them.

Ric

WARNING: Prolonged use of personal firewalls can lead to use of harder
tools like Ethereal.
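
The port-and-process picture Ric describes above, as an added example that is not part of any post in this thread: it reads connection-log lines in a constructed, hypothetical format (not any real product's), builds a per-process inventory, and lists what is new against a baseline. All paths, addresses and log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log format (hypothetical, not taken from any real product):
# <date> <time> <ALLOW|BLOCK> <IN|OUT> <TCP|UDP> local=<ip:port> remote=<ip:port> <process path>
LINE_RE = re.compile(
    r"^\S+ \S+ (?P<action>ALLOW|BLOCK) (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"local=[\d.]+:(?P<lport>\d+) remote=[\d.]+:(?P<rport>\d+) (?P<proc>.+)$"
)

# Constructed sample data: a baseline day and a later day.
BASELINE_LOG = r"""
2005-12-14 09:00:01 ALLOW OUT UDP local=192.168.1.10:1030 remote=192.0.2.53:53 C:\WINDOWS\system32\svchost.exe
2005-12-14 09:00:05 ALLOW OUT TCP local=192.168.1.10:1041 remote=198.51.100.7:80 C:\Program Files\Browser\browser.exe
2005-12-14 09:01:10 ALLOW OUT TCP local=192.168.1.10:1042 remote=198.51.100.25:25 C:\Program Files\Mail\mailer.exe
"""
LATER_LOG = r"""
2005-12-15 06:30:00 ALLOW OUT UDP local=192.168.1.10:1033 remote=192.0.2.53:53 C:\WINDOWS\system32\svchost.exe
2005-12-15 06:30:02 BLOCK OUT TCP local=192.168.1.10:1050 remote=203.0.113.9:25 C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
2005-12-15 06:31:00 BLOCK IN TCP local=192.168.1.10:135 remote=203.0.113.77:4312 System
garbage line
2005-12-15 06:32:10 ALLOW OUT TCP local=192.168.1.10:1051 remote=198.51.100.7:443 C:\Program Files\Browser\browser.exe
"""

def parse_line(line):
    """Return (process_path, (direction, proto, service_port, action)) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The port that names the service: remote for outbound, local for inbound.
    port = int(m["rport"] if m["dir"] == "OUT" else m["lport"])
    if not 0 < port <= 65535:
        return None
    # Key on the full lower-cased path: the same image name in another
    # directory (e.g. a Temp folder) is a different program.
    return m["proc"].lower(), (m["dir"], m["proto"], port, m["action"])

def build_inventory(log_text):
    """Map process path -> set of entries; also count lines that did not parse."""
    inventory, skipped = defaultdict(set), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # keep a count so silent parser gaps are visible
            continue
        inventory[parsed[0]].add(parsed[1])
    return dict(inventory), skipped

def new_since(baseline, current):
    """Entries seen now that the baseline never recorded: the ones to review."""
    return sorted(
        (proc, *entry)
        for proc, entries in current.items()
        for entry in entries - baseline.get(proc, set())
    )

if __name__ == "__main__":
    base, _ = build_inventory(BASELINE_LOG)
    later, skipped = build_inventory(LATER_LOG)
    for row in new_since(base, later):
        print(row)
    print("unparsed lines:", skipped)
```

Each entry is attributed to the process that owned the socket, so the inventory shows what the firewall logged for that process, not which code asked it to connect.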

Kerodo
Guest
Posted: Thu Dec 15, 2005 6:57 am    Post subject: Re: Recurrent question

In article <j5d1q1dv81ncccp11ebpqfcofnotonnehl@4ax.com>, me@privacy.net
says...
Quote:
On 11 Dec 2005 09:55:03 +0100, Volker Birk <bumens@dingens.org> wrote:

Sla#s <phil@knotslatts.fsworld.co.uk> wrote:
Just use the Windows-Firewall, and that's it.
Windows Firewall only blocks incoming, it does not block outgoing.

Yes, and it's completely useless to try to block "outgoing", as you
can read here in my postings, together with the reasons for this and
some proofs.

Yours,
VB.

By this reasoning an anti-virus program would be completely useless
because it can't stop all viral infections.

I can see your point though. There is a lot of code out there for
defeating personal firewalls. But I think people use them for what
they can do rather than what they can't do, because most of the time
they do the job in hand. They are useful on laptops for example.

I think one of the best uses for a rules based personal firewall is to
interactively teach users what is happening on their computers, and
tell them when it is happening. If you delete all the default rules
and start from scratch, you soon build up a picture of the ports in
use on your system, and the processes that use them. I know this
information can be gathered in other ways, but personal firewalls
bring it all together and allow detailed logging.

Personal firewalls are popular. I think people will continue to use
them no matter how insecure they are, or how many insecurities they
add to the system, purely because they like them. Kerio 2.1.5 is a
good example of that. It's easily bypassed using fragrouter, but some
people don't seem to mind because it's unlikely to happen to them.


Yep, just because something isn't perfect 100% of the time doesn't mean
it's useless. And true, personal firewalls are used by millions, and I
doubt that will ever change..

--
Kerodo

Quaestor
Guest
Posted: Thu Dec 15, 2005 8:50 am    Post subject: Re: Recurrent question

Ric wrote:

Quote:
On 11 Dec 2005 09:55:03 +0100, Volker Birk <bumens@dingens.org> wrote:


Yours,
VB.



By this reasoning an anti-virus program would be completely useless
because it can't stop all viral infections.



Consider the source. I plonked that guy a long time ago. So have a lot
of others.

--
Godwin is a net-nazi

Volker Birk
Guest
Posted: Thu Dec 15, 2005 5:21 pm    Post subject: Re: Recurrent question

Ric <me@privacy.net> wrote:
Quote:
By this reasoning an anti-virus program would be completely useless
because it can't stop all viral infections.

No. An Anti-Virus program is useful exactly the same way a SPAM filter
is.

An Anti-Virus program DOES NOT PROTECT FROM EVERY VIRUS infection. But it
does help to filter out the annoying trials of so many malwares, which are
in the wild.

Protection against viruses only is achieved by wise behaviour of PEBKAC
(and not using Windows, but OSes, which have much fewer problems in this
field).

So Anti-Virus programs can _help_ to prevent malware from running on your
PC. So can firewalls.

But it's completely useless to try to prevent malware, which already is
running, from doing what it wants to do, with the exception of concepts
like capability based systems (which are designed to do this) and
virtualization techniques (which are designed to do this) or at least
techniques like BSD's jail or Linux' seccomp (which are designed to do
this).

The latter techniques (or something like that) are impossible with Windows,
because of the fact, that Windows messages are a pushing IPC without any
security system, and that all Windows applications are relying upon this.

Quote:
I can see your point though. There is a lot of code out there for
defeating personal firewalls.

Yes. And it's trivial to write it.

Quote:
I think one of the best uses for a rules based personal firewall is to
interactively teach users what is happening on their computers

The opposite is true.

It is completely useless to teach somebody about technical aspects of
what's going on, who is not able to understand even the basics.

A security system for end users has to do its job _invisible_ for the
user, it has to _secure_ the user whatever he does, and the worst mistake
is to depend on user's decisions.

All what I can (or must) read on c.s.* and d.c.s.* documents this: users
even don't understand, that a "port" is not a "door" or a "harbour", but
just a maintenance number. They don't understand, what a process is -
of course they don't, because how should they? Without hearing about
operating systems and the concepts of userland and kernelspace, and why
implementing protection, and what is meant with "protection" here, how
should they at all?

Without knowing about the TCP/IP protocol family, and knowledge about
the BSD sockets API, how should anybody understand what's going on here?

Teaching users by alerting "The process svchost.exe tries to open port 53,
do you want to allow this?" - IBTD.

Even an IT professional cannot answer this question correctly, and
%USERNAME% cannot understand what's going on here at all.

Quote:
Personal firewalls are popular.

Yes. This is the problem Microsoft brought to us by being so stupid to
open sockets and even offer DCE RPC to the Internet with every home user's
Windows box _before_ Windows XP SP2.

And since then, there is the Windows-Firewall. It is only the second best
concept, because it's ridiculous and dumb from Microsoft not just to stop
offering TCP servers and RPC to the complete world, but at least they're
filtering away this afterwards.

So now "Personal Firewalls" are completely useless, even if one does not
stop those TCP servers and DCE RPC manually.

And: they often are dangerous, too, because many of them open additional
security leaks, you don't have with just stopping TCP servers and RPC or
by using the Windows-Firewall.

Quote:
I think people will continue to use
them no matter how insecure they are

I fear, you're right here.

Yours,
VB.
--
"I am a free person and will now make use of my civil liberties -
and extensively so - of course only within the limits that
Otto Schily still leaves me."
Wolfgang Clement on 10.10.05, as still-acting super-minister

Volker Birk
Guest
Posted: Thu Dec 15, 2005 5:21 pm    Post subject: Re: Recurrent question

Kerodo <loopback@localhost.com> wrote:
Quote:
Yep, just because something isn't perfect 100% of the time doesn't mean
it's useless.

"Personal Firewalls" aren't "not 100% perfect". They're completely useless
because of being superseded by the Windows-Firewall, but many of them are
dangerous because of their security breaches, especially Symantec Norton,
Outpost and Sygate. And they're very dangerous, because their "security"
relies on user's decisions, which is a b0rken concept and a security
breach itself, as with Zone Alarm, for example.

Yours,
VB.
--
"I am a free person and will now make use of my civil liberties -
and extensively so - of course only within the limits that
Otto Schily still leaves me."
Wolfgang Clement on 10.10.05, as still-acting super-minister

Volker Birk
Guest
Posted: Thu Dec 15, 2005 5:21 pm    Post subject: Re: Recurrent question

Quaestor <no-spam@my.place> wrote:
Quote:
Consider the source. I plonked that guy a long time ago. So have a lot
of others.

Hm... Again, Quaestor is soliloquizing.

VB.
--
"I am a free person and will now make use of my civil liberties -
and extensively so - of course only within the limits that
Otto Schily still leaves me."
Wolfgang Clement on 10.10.05, as still-acting super-minister

All times are GMT