Stefan
Sun Jul 31 16:32:09 CDT 2005
"Karl Levinson, mvp" <levinson_k@despammed.com> wrote:
>
> "Stefan Kanthak" <postmaster@1.0.0.127.in-addr.arpa> wrote in message
> news:OukBfcblFHA.2608@TK2MSFTNGP14.phx.gbl...
> > "Karl Levinson, mvp" <levinson_k@despammed.com> schrieb:
> >
> > Karl, your line breaks suck!
>
> Well, I'm just using Outlook Express 6 with the default settings. The only
> relevant setting I see is "wrap at 76 characters."
Yes, that's one of the problems when using OLEXP with the braindead default
settings: it will break ANY line at the set margin. The only workaround is:
set "wrap at 132 characters" (that's the max) and insert the returns by hand.
The other problem is that OLEXP doesn't use MIME, neither in the body nor in
the header. If I used one single umlaut or 8bit char, your reply would break
that.
Take a look at
http://home.arcor.de/skanthak/presetoe.html
> > > probably block this stuff from hitting your computer from the Internet, if
> > > you have a high-speed internet connection. www.kerio.com, www.sygate.com
> > > and www.zonealarm.com are three free firewall software programs.
> >
> > And each of these other toys won't cry "wolf" too and bother the user with
> > useless alarms?
>
> They won't if the user will RTFM and configure it correctly.
Correct. But will Joe Average RTFM and configure it? In most cases (as can
be read here): no. The OP is simply confused: s/he believes the "attack
warnings" will be fought with the patches s/he mentions. This lack of
knowledge, paired with the ability to modify the "firewall" rules will
lead to damage some day.
> Besides, I never said you need a hostbased software firewall. It's just that
> those are free, so most people are more likely to get a firewall if they have
> a free option.
Hmmm... why should any XP user install a third party "firewall" and deactivate
the "Windows Firewall"? The latter does its job W/O disturbing dialog boxes
which Joe Average is normally unable to decipher and understand. Since the
"Windows Firewall" won't open any dialog boxes and thus can't be tampered with
by malware running under the non-privileged user account, it's safer too!
> My original statement that you generally want some kind of firewall to
> control who can access what port remains true. Especially when talking
> about low server ports inbound from the Internet to a home PC.
You know that a firewall or packet filter ain't necessary if one configures
Windows 2000/XP carefully: uninstall all unwanted/unused applications and
Windows components, then deactivate all unwanted/unused services and drivers
or configure them to listen on the "intranet" only, not the dialup connection.
If the PC is stand alone, not connected to a LAN, then disable all the
Windows networking including RPC and DCOM!
The script available from http://www.ntsvcfg.de/ performs the latter, as well
as my HARDEN2K.INF from http://home.arcor.de/skanthak/harden.html (which works
for XP too).
All this minimizes the attack surface, which savvy people from Microsoft also
propose to do!
> > Get serious: all these personal^Wpseudo firewalls are more of a lightshow
> > than a firewall. They'll fool the user with: hey, look how good I am, I've
> > just blocked another attack.
>
> Then use a hardware firewall. I don't care which one you or the OP uses.
I don't use one at all. I never used one. I configured my NT4 in 1997 properly,
and I configure W2K and XP nowadays properly.
I won't mind if Joe Average uses the "Windows Firewall", which is automatically
activated when SP2 is installed. That is ONE step in the right direction and
completely sufficient against inbound "attacks".
> > And each of these toys adds significant code paths to critical parts of
> > Windows and thus make the system more vulnerable.
> > Remember Witty?
>
> Witty is one example of a worm that attacked a particular firewall.
> However, you know I could give you several dozen other examples of worms
> [Blaster, SQL Slammer, etc.] that would have been prevented had the person
> had some kind of firewall in place.
ARGH! Blaster, Slammer and Sasser would all have been prevented if those
idi^Wpeople running Windows installed the patches in time. Automatic Updates
was "invented" for Joe Average, the patches were available for months/weeks
before the fact. Still no need for a "firewall".
> One example alone doesn't prove the point that firewalls are bad.
Witty is ONE example. There are more!
> > Most of them are vulnerable to a self-DoS: send enough IP packets with an
> > IP source address of the DNS server or the default gateway and the pseudo
> > firewall will block traffic to/from the suspected attacker.
>
> Pretty much every PC on the Internet is vulnerable to multiple different DoS
> attacks. Such DoS attacks against software firewalls on home PCs are rare.
Yes, these classic DoS attacks are rare, since the attacker must have more
bandwidth than his victim. With asymmetric DSL lines this is difficult.
> The DoS attack you mention only works if active blocking is turned on. I
> don't believe it's true that "most" of these software firewalls have this
> enabled by default. Many hardware firewalls have this feature as well, so
> this is not a problem unique to software firewalls.
Correct, both hardware and software firewalls are susceptible to this kind
of attack. But these attacks can be carried out with just a handful of
faked IP packets! The attacker doesn't need to have "the big pipe" any more!
> > And to invalidate the other "arguments" pro personal firewalls beforehand:
>
> I'm familiar with these arguments. Security isn't about choosing the most
> secure solution, but the one that fits the particular needs for that
> situation. Most home users don't like spending money and have trouble
> installing and configuring hardware firewalls, so they choose a software
> firewall, and for most home users, that's good enough. If you have a 56K
> dialup, a hardware firewall probably isn't an option.
The same Joe Average who has problems installing and configuring a hardware
firewall has no problems with a software firewall?
This posting here tells but another story.
Unfortunately Joe Average ain't able to judge whether the marketroids
selling either with slogans like "perfect and complete protection" are right.
When the consumers are told "you need a firewall" over and over again, but
almost never the proper system setup, a risk analysis or a change in
behaviour is mentioned, that's truly sad.
Well, it's an industry which earns money because the consumers won't learn,
ain't able or are unwilling to learn, but want to use the internet.
Almost all compromised PCs I come to see are "protected" by anti virus and
firewall. The anti virus ain't but updated (or the subscription or signatures
expired), and the firewall was (partially) turned off, because a game or
"the internet" didn't work any more.
Navigare necesse est!
> > 2a. if it's malware:
> > How was that able to execute on my PC?
> > All of my protection was useless then, including brain.
> >
> > You can see personal firewalls with "outbound" control like an IDS and
> > almost like virus scanners: they can't guarantee that your PC is NOT
> > infected, they will only kick in AFTER the fact.
>
> So? You don't like knowing when you've been compromised? Why?
The null hypothesis is: I configure my system properly, I don't execute
suspicious software, so my PC won't get compromised.
If I get my hands on a compromised system I won't run any software from its
harddisk, because this system ain't trustworthy any more. All that I can
do is to boot from a WinPE or Knoppix CD and perform forensics on the
other PC, or attach the harddisk to my PC and analyze it there.
Root kits exist, as does malware which turns off common anti-virus or
"firewalls" or poisons the /etc/hosts with 127.0.0.1 for the update
servers of these programs.
> If you're running antivirus or firewall, you're acknowledging that your
> security countermeasures, including brain, may fail to protect you from time
> to time, and you want to add a "reactive" countermeasure to detect
> compromises after the fact, for defense in depth.
Partially correct. As said above, I don't run antivirus or firewall
software. I have an on-demand virus scanner here to be able to identify
malware, either coming attached to emails or on harddisks of infected PCs.
> > Just read the articles titled "bouncing malware" (or so) from Tom
> > Liston of the http://www.isc.org/
>
> Yes, I'm familiar with those.
I expected that :-)
> > > The other possible solution would then be to disable alerts on your
> > > antivirus, although this may or may not be desirable.
> >
> > Nope.
> > The BEST thing to do: get rid of ANY third party "firewall" and activate
> > the builtin "Windows Firewall": this won't disturb the user with ridiculous
> > alert boxes while protecting him to the extent possible.
>
> I disagree.
You have the right to.
> WF has fewer features.
I disagree. The additional features of the "other" firewalls ain't reliable.
See
http://www.ulm.ccc.de/chaos-seminar/personal-firewalls/ and
http://copton.net/vortraege/pfw/ and
http://www.dingens.org/pf-bericht/
When Joe Average trusts in these tools and /believes/ to be protected but
(for example) hasn't turned off ActiveX in the internet zone of Internet
Explorer, he /definitely/ will get caught sooner or later: all browsers
download contents first, "open" it and write it to their cache in parallel.
An on-access virus scanner might detect the malware when it's written to the
cache, but the damage has already been done then!
> The OP already paid for a tool that has more features. The OP can throw that
> tool away, sure, or s/he can read the manual and figure out how to checkmark
> a box to fix the problem and keep the additional features. Either one is a
> possible option, depending on what the OP prefers to do.
Yes, but tertium datur: the OP can configure her/his Windows properly and use
the net with caution and brain. It needs learning, but brain performs in the
long run better than (outbound) personal firewalls and anti virus.
Stefan
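Stefan mentions malware that poisons the hosts file so the update servers of anti-virus and firewall products resolve to 127.0.0.1. The following Python script is an added example (not part of the thread, and not anyone's product) of the check a forensic examiner would run against a hosts file copied off a suspect disk: it parses the file and reports every non-local hostname that is sinkholed to a loopback or unspecified address, marking hits against a watch-list of update-server names. The hosts content and the watched hostnames are constructed sample data.

```python
import ipaddress
import re

# Constructed sample hosts file: the stock localhost line, one legitimate
# lab alias, and two entries of the kind the post describes (hypothetical
# update-server names of security products pointed at loopback / 0.0.0.0).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    build-server.lab.example
127.0.0.1       update.example-av.invalid
0.0.0.0         liveupdate.example-firewall.invalid  # added by malware
"""

# Hypothetical watch-list: names that must never be sinkholed on this host.
# A real check would hold the update hostnames of the products actually used.
WATCHED_HOSTS = {
    "update.example-av.invalid",
    "liveupdate.example-firewall.invalid",
    "windowsupdate.example.invalid",
}

# Names that legitimately map to loopback and are never reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank lines and aliases handled."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing/inline comment
        if not line:
            continue
        fields = re.split(r"\s+", line)
        for name in fields[1:]:               # one IP may carry several names
            yield fields[0], name.lower()


def find_poisoned(text, watched=WATCHED_HOSTS):
    """Return (ip, hostname, on_watchlist) for each sinkholed non-local name."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:                    # malformed line, skip it
            continue
        if (addr.is_loopback or addr.is_unspecified) and name not in LOCAL_NAMES:
            hits.append((ip, name, name in watched))
    return hits


if __name__ == "__main__":
    for ip, name, critical in find_poisoned(SAMPLE_HOSTS):
        print(("CRITICAL" if critical else "review  "), ip, name)
```

Entries flagged as `review` may be deliberate ad-blocking aliases; entries on the watch-list are the ones that disable a product's updates silently, so they deserve the first look.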