Steve Terry
I use the XP firewall.
Is the XP SP2 firewall getting a raw deal?
http://blogs.zdnet.com/Ou/?p=81
http://www.fefe.de/pffaq/
http://home.comcast.net/~SupportCD/XPMyths.html
Hack lets intruders sneak into home routers
http://news.zdnet.com/2100-1009_22-6159938.html?tag=nl.e540
If you haven't changed the default password on your home router, let this
recent threat serve as a reminder.
Yes. I like this.
> I use the XP firewall.
Trusting that is like trusting the fox to guard the henhouse. That thing is
set up to allow anything through that Microsoft wants allowed through. Its
configuration can also be changed remotely by Microsoft in the guise of an
update.
I have only had the XP firewall alert me twice about anything, and those
were SECURITY programs that I had installed.
Install a real firewall with protection in both directions, and you will learn
just how many processes embedded in Windows are constantly calling
out. None of them really need to be.
The raw deal that is referred to is a "...denial of service
vulnerability involving Windows RDP (Remote Desktop Protocol)" that was
apparently falsely blamed on the XP SP2 Firewall.
This is just a ridiculous reference to quote.
"Do Personal Firewalls improve security?
No.
Why do so many people install them, then?
Because those people are all idiots."
> http://home.comcast.net/~SupportCD/XPMyths.html
> Hack lets intruders sneak into home routers
Couldn't find this reference on the quoted page, but I did find "The
Windows XP Firewall is not good enough because it lacks outbound filtering."
This article makes a good point about "...does something very critical:
it protects the system at boot.".
The article also suggests that outbound protection is unnecessary
because "In an interactive attack the attacker can circumvent outbound
filters at will." This may be true of some skilled people, I just don't
see the need to make it easy for everyone to compromise my computer.
> http://news.zdnet.com/2100-1009_22-6159938.html?tag=nl.e540
> If you haven't changed the default password on your home router, let
> this recent threat serve as a reminder.
This is common sense.
There are several free firewalls out there that offer inbound and
outbound protection. So why just settle for only half of the protection
with the XP firewall?
Some useful references:
Pricelessware Home
http://www.pricelesswarehome.org/2007/PL2007SECURITY.php#1.10Firewall
Comodo Firewall has been recommended by several people in this group.
http://www.pricelesswarehome.org/2007/PL2007SECURITY.php#1.10Firewall
You can also find an extensive list of firewalls reviewed by Snap Files
here
http://www.snapfiles.com/downloadfind.php?st=firewall&action=s&search=Find+it&lc=1
HTH
--
Brian Arthur Robertson
Comodo http://www.comodo.com/products/free_products.html
OnlineArmor http://www.tallemu.com/
--
Bear Bottoms
Freeware website: http://bearware.info
Depends on what you want in a firewall. I've used the following:
Comodo Firewall Pro
Online Armor
These also include HIPS (host intrusion protection system) which lets
you regulate what program can load into memory. If a program, like
malware, isn't allowed to load into memory then it can't run. Yes, you
will get a lot of prompts. Each has a learning mode so you can reboot
the host to auto-record those processes along with starting all your
applications to auto-record them, then you disable learn mode and answer
the prompts thereafter which will be fewer in number. The assumption is
that you've already ensured your host is clean before learning. Online
Armor also provides a whitelist of known good applications (by a hash
value to identify them) to reduce the prompt count. I don't remember if
Comodo has a whitelist but it might. If you don't want to use HIPS, you
can disable it as it will impact the responsiveness of your host. I
used HIPS in both for a while but noticed my host was noticeably snappier
when it was disabled.
Comodo's v3 firewall is a bit difficult to figure out how to configure.
Not that it is difficult to navigate through the program but to figure
out how to configure it all, plus there is trying to figure out the
application and global rules. They do have active forums for help, as
does Online Armor. Comodo's HIPS will not only regulate what program
can load into memory but also who can call that program to load into
memory. For example, malware could call the web browser to visit a web
site. You'll very likely have the HIPS always allow the load of the web
browser but only by authorized callers. Online Armor doesn't have the
ability to track the parent-child (or caller-callee) relationship but
plans on adding it. The problem is with more prompts. Not only might
you get prompted to allow loading a program (if not in the whitelist)
but you'll get prompted on every program that wants to load that
authorized program, and there can be a lot of different programs that
call another program to load. v2.4 of Comodo's firewall doesn't have
HIPS and is a bit easier to set up and use. Online Armor is easier to
use than Comodo's v3 firewall and about the same as Comodo's v2.4
firewall.
A software firewall really only regulates non-malware programs as to
what can connect out. Malware can still bypass a software firewall (and
why some users and companies don't use them and instead rely on a
firewall appliance or run the software on a different host as a
gateway). I finally gave up on using a firewall to control non-malware
programs regarding which can make connections. At this point, if I
won't tolerate a program's connection behavior and it won't let me
control or configure it how I want, I get rid of the misbehaving or
nonconfigurable program. HIPS gave me lots of extra
control but I prefer a more quick-responding host. I also have a
firewall in the router. So I opted to get rid of the above firewall
(whichever I was using on my hosts) and just go with the Windows
firewall for inbound-only protection (mostly from other hosts on my
intranet that I don't manage) and the firewall in the router. Too much
security can get in the way of using your computer. Too few leaves you
vulnerable but then you are always vulnerable to some degree no matter
how much security you add. Security and ease-of-use are the antithesis
of each other so you need to find a blend of security with which you are
comfortable.
hth,
-Craig
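An added example (not code from Craig's post, Comodo or Online Armor) that models the three mechanisms described above in Python: a learning mode that records what runs on a presumed-clean host, a hash-based whitelist of known-good executables, and optional parent/child (caller/callee) tracking of who launched what. The executable images, program names and the "dropper" are constructed stand-ins, and `Hips`, `decide` and `demo` are names chosen here, not anything from either product.

```python
"""Toy HIPS policy engine (constructed example; not Comodo or Online Armor code).

Models the mechanisms the post describes:
  * a learning mode that records what runs on a (presumed clean) host,
  * a hash-based whitelist of known-good executables,
  * optional parent/child (caller/callee) tracking of who launched what.
Executable images are stand-in byte strings, not real binaries.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

ALLOW, PROMPT, LEARNED = "ALLOW", "PROMPT", "LEARNED"


def image_hash(image: bytes) -> str:
    """Identify a program by the SHA-256 of its executable image. A one-byte
    patch yields a different identity, so a trojaned copy of an allowed
    program does not inherit its permission."""
    return hashlib.sha256(image).hexdigest()


@dataclass
class Hips:
    track_parents: bool = True                           # caller/callee rules
    vendor_whitelist: set = field(default_factory=set)   # known-good hashes
    learning: bool = False
    allowed: set = field(default_factory=set)            # learned child hashes
    allowed_parents: dict = field(default_factory=dict)  # child -> {parent}

    def decide(self, image: bytes, parent: Optional[bytes]) -> str:
        child = image_hash(image)
        par = image_hash(parent) if parent is not None else "<system>"
        if self.learning:
            # Learning mode records everything that runs, so it is only safe
            # on a host already verified clean: malware learned here becomes
            # policy.
            self.allowed.add(child)
            self.allowed_parents.setdefault(child, set()).add(par)
            return LEARNED
        if child not in self.allowed and child not in self.vendor_whitelist:
            return PROMPT                # unknown program wants to load
        if self.track_parents and par not in self.allowed_parents.get(child, set()):
            return PROMPT                # known program, unknown launcher
        return ALLOW


def demo(track_parents: bool) -> dict:
    """Replay the post's scenario: learn explorer -> browser, then see how the
    engine treats a dropper launching the browser, the dropper itself and a
    patched browser binary. Returns the decisions so they can be checked."""
    explorer = b"EXPLORER.EXE image (constructed)"
    browser = b"BROWSER.EXE image (constructed)"
    dropper = b"unknown dropper image (constructed)"
    patched_browser = browser + b"\x90"   # same program, one byte appended

    hips = Hips(track_parents=track_parents, learning=True)
    hips.decide(explorer, None)           # shell started by the OS
    hips.decide(browser, explorer)        # user launches the browser
    hips.learning = False                 # switch to enforcement
    return {
        "browser_from_explorer": hips.decide(browser, explorer),
        "browser_from_dropper": hips.decide(browser, dropper),
        "dropper_itself": hips.decide(dropper, explorer),
        "patched_browser": hips.decide(patched_browser, explorer),
    }


if __name__ == "__main__":
    for name, flag in (("parent-tracking", True), ("hash-only", False)):
        print(name, demo(flag))
```

Run it and the parent-tracking engine prompts when an unknown caller launches the browser, while the hash-only engine allows it; that is the extra-prompt trade-off the post describes between the two products. The patched binary is refused by both, since it no longer hashes to the learned program.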
<http://homepages.wmich.edu/~mchugha/w2kfirewall.htm>
Bravo!
Finally, someone added some solid good advice.
Feel strongly about it, do you? <grin>. Yeah, after a few posters
forcefully <ahem> derided PFS's, I started to dig around for the whys &
wherefores & came up with the above. It's the clearest how-to I've
found on the subject (for NTOS).
For anyone who doesn't mind moderately difficult projects and who has
serious doubts about the need/desirability for 3rd party-produced PFS,
this is a great place to start.
fwiw,
-Craig
heh, actually I posted that link a few months ago :)
>
> For anyone who doesn't mind moderately difficult projects and who has
> serious doubts about the need/desirability for 3rd party-produced PFS,
> this is a great place to start.
>
I actually made a script at one time that would perform everything
mentioned in that link to simplify things. Now, if I could only find
where I stuck that script...
Rest assured, *if* I find that script I'll post it here.
For the life of me, I can't remember where I "dug" it up so it could've
very well been your post: thx.
>
> I actually made a script at one time that would perform everything
> mentioned in that link to simplify things. Now, if I could only find
> where I stuck that script...
>
> Rest assured, *if* I find that script I'll post it here.
That'd be great. Thx.
-Craig
> Anything better than ZoneAlarm?
> for XP
>
> Steve Terry
>
Depends on your definition of "better" and "best."
For my purposes on XP and prior, Kerio 2.1.5 is very hard to beat.
Rock solid stable, lightweight, easy to use for the novice yet capable
of rulesets as configurable as you need them to be. Does not work
with Vista.
Info:
http://www.pricelesswarehome.org/2007/PL2007SECURITY.php#0409-PW
More info and download link (third program from the top):
http://www.321download.com/LastFreeware/page7.html
Of course, you can't go wrong with the other recommendations for
bidirectional firewalls made here either, like Sygate, Comodo or (what
I use with Vista) PC Tools, as long as one realizes that a firewall is
only a very small part of a much larger overall security strategy, of
which "safe hex" is always your first and best line of defense.
--
Ron M.
(I filter Googlespam)
alt.comp.freeware information pages:
http://www.pricelesswarehome.org/acf/Index.php
> On Tue, 1 Jul 2008 14:29:51 +0100, "Steve Terry" <gFOU...@tesco.net>
> wrote:
>
>> Anything better than ZoneAlarm?
>> for XP
>
> The best free firewall is the one that makes the least damage.
Why not be your own firewall like Yrrah. Stand R I D G I D!
> The best free firewall is the one that makes the least damage.
Wise words, Mr.Miyagi...
--
s|b
I (no expert to be sure) use the older version of Comodo Pro. Still
available & good for Win 2000 (& XP) but not for Vista:
http://www.filehippo.com/download_comodo/tech/2252/
The newer version still seems buggy from what I read, although this is
apparently a system-by-system problem:
http://www.download.com/Comodo-Firewall-Pro/3640-10435_4-10460704.html
It is said to use much less memory than v2.0.
Noow haredew ST?
And yet you still seem to be a problem.
> >> The best free firewall is the one that makes the least damage.
> >Wise words, Mr.Miyagi...
> Indeed. The fact that you probably don't understand why this is true
> is another issue.
Yeah, I'm probably not as smart as you...Hey! Why don't you give
comp.security.firewalls a try? I think Sebastian G. will like you. He's
_very_ smart.
--
s|b
> On Tue, 01 Jul 2008 15:30:18 +0100, Saxman
> <john.h.willi...@btinternet.com> wrote:
>
>> [...]
>
> I like strawberries.
and cream.
Seems to me there is a reason one would want to change handles from
Straight Talk to Rootkit...but from the demeanor of the current compared
to the former I can't see where it will do much good.
Craig wrote:
>>> <http://homepages.wmich.edu/~mchugha/w2kfirewall.htm>
>>
>> Bravo!
>>
>> Finally, someone added some solid good advice.
>
> Feel strongly about it, do you? <grin>. Yea, after a few posters
> forcefully <ahem> derided PFS's, I started to dig around for the why's &
> wherefore's & came up with the above. It's the clearest how-to I've
> found on the subject (for NTOS).
At risk of being labeled a "forceful derider"... ;)
The concept of a personal firewall is flawed at its core. In essence,
you have software 'A' which allows or facilitates some connection. You
apply software 'B' to interject a layer between 'A' and the outside
world. The potential vulnerabilities still exist, they're just "masked".
By something that in effect accepts the connection, and deals with it as
per your instructions. And that mask itself brings an entire additional
layer of potential vulnerabilities. It's not unheard of at all for
personal firewall software to be exploitable directly.
Personal firewalls are a band aid. They'll always be inferior to simply
shutting off all services to any outside contact. Rather than subjecting
stray IP packets to analysis, they should be simply and routinely
rejected by the OS network stack in accordance with RFC, or whatever the
OS defaults are. That's the safest way to deal with "net noise" all the
way around. Lowest possible chance of a nefarious packet breaking
something, and you don't stick out in any way.
Which highlights one of the most snake oily aspects of personal
firewalls. So called "stealth". Probably one of the worst things that
ever happened to personal computer security. Hackers absolutely love
people who blindly drop packets because they stick out like sore thumbs.
Where rejecting packets normally allows you to blend in amongst a block
of IP addresses which respond with various "service unavailable"
messages, disappearing IP packets are a red flag showing exactly where
exploitable machines might reside. :(
> For anyone who doesn't mind moderately difficult projects and who has
> serious doubts about the need/desirability for 3rd party-produced PFS,
> this is a great place to start.
There used to be tutorials out there regarding disabling everything that
might listen on a public facing port. I don't have any current links it
seems, but I'm sure Google would spit some out. I honestly believe that
would be a better place to start.
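An added example, not code from Root Kit's post or from any scanner, that puts the reject-versus-drop argument above into a small Python model. One side is a constructed /28 (unused addresses, hosts whose stacks answer an unwanted SYN with a RST the way the OS default does, one host whose personal firewall drops it); the other side is a scanner that only sees replies and groups addresses by what came back. The addresses, policies and listening ports are made up, and `reply_to_syn`, `scan`, `anonymity_sets` and `standouts` are names chosen here. The model assumes the last-hop router answers ICMP unreachable for unused addresses; on a segment where it does not, silence is common and the argument weakens accordingly.

```python
"""Why 'stealth' (silently dropping probes) makes a host stand out.

Constructed example; not code from the post above or from any scanner.
The targets side models the network stacks on a small address block; the
scanner side only sees replies. The 'anonymity set' of an address is how
many addresses in the block look identical to it from the outside.
"""
from collections import Counter
from typing import Dict, Optional

REJECT, DROP = "reject", "drop"

# Constructed block: address -> (policy, listening ports); None = unused.
BLOCK: Dict[str, Optional[tuple]] = {
    "192.0.2.1": (REJECT, {22}),        # router: sshd on 22
    "192.0.2.2": (REJECT, set()),       # desktop, no services, OS default
    "192.0.2.3": None,
    "192.0.2.4": (REJECT, set()),
    "192.0.2.5": (DROP, set()),         # desktop with a 'stealthing' PFW
    "192.0.2.6": None,
    "192.0.2.7": (REJECT, set()),
    "192.0.2.8": None,
    "192.0.2.9": (REJECT, {139}),       # file sharing left on
    "192.0.2.10": None,
    "192.0.2.11": (REJECT, set()),
    "192.0.2.12": None,
    "192.0.2.13": (REJECT, set()),
    "192.0.2.14": None,
}


def reply_to_syn(host: Optional[tuple], port: int) -> Optional[str]:
    """What comes back after a TCP SYN to `port`.
    Unused address: the last-hop router answers ICMP host unreachable.
    Listening port: SYN/ACK regardless of policy.
    Closed port, REJECT policy: RST (RFC 793 behaviour, the OS default).
    Closed port, DROP policy: nothing at all."""
    if host is None:
        return "icmp-unreach"
    policy, listening = host
    if port in listening:
        return "syn-ack"
    return "rst" if policy == REJECT else None


def scan(block: Dict[str, Optional[tuple]], port: int) -> Dict[str, Optional[str]]:
    """Scanner's view: one reply (or silence) per address."""
    return {ip: reply_to_syn(host, port) for ip, host in block.items()}


def anonymity_sets(results: Dict[str, Optional[str]]) -> Dict[str, int]:
    """For each address, how many addresses in the block produced the same
    reply. A set of size 1 means this single probe identifies the address."""
    counts = Counter(results.values())
    return {ip: counts[r] for ip, r in results.items()}


def standouts(block: Dict[str, Optional[tuple]], port: int):
    """Addresses that are alone in their reply class for this probe."""
    sets = anonymity_sets(scan(block, port))
    return sorted(ip for ip, n in sets.items() if n == 1)


if __name__ == "__main__":
    for port in (135, 22, 139):
        res = scan(BLOCK, port)
        print(port, dict(Counter(res.values())), "stand out:", standouts(BLOCK, port))
```

Run it and the dropping host is the only address in its reply class on every probe (anonymity set of 1), while a rejecting desktop shares its class with every other rejecting host in the block. A host with a service listening stands out for the same reason, which is why the post puts shutting services off ahead of masking them.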
How else can he escape from all the twit lists?
Yup. Whenever firewalls are mentioned on this ng, ST and a few others
assert that w/clock-like precision...<grin>. Hence, my earlier post. A
good site for turning off unneeded services is
<http://www.blackviper.com/Articles/articles.htm>. Wrt ports, McHugh's
paper on ipsec-based firewalls is a good start.
hth,
-Craig
>> The concept of a personal firewall is flawed at its core... There use
>> to be tutorials out there...
>
> Yup. Whenever firewalls are mentioned on this ng, ST and a few others
> assert that w/clock-like precision...<grin>.
Looks like ST has nym-shifted into Root Kit. The same smarmy, holier than
thou attitude - the same preaching without offering any suggestions. He's
now joined ST in my killfile.
Well, by being responded to I would say. I can't even Google his posts
for some reason.
--
John Corliss BS206. I use nFilter to block all crossposts and all Google
Groups posts because of Googlespam. No ad, cd, commercial, cripple,
demo, dotnet, nag, share, spy, time-limited, trial or web wares OR warez
for me, please.
> Ron May wrote:
> > § wrote:
> >> Root Kit wrote:
> >>> s|b wrote:
> >>>> Root Kit wrote:
> >>>>>
> >>>>> The best free firewall is the one that makes the least damage.
> >>>>
> >>>> Wise words, Mr.Miyagi...
> >>>
> >>> Indeed. The fact that you probably don't understand why this is true
> >>> is another issue.
> >>
> >> Noow haredew ST?
> >
> > How else can he escape from all the twit lists?
>
> Well, by being responded to I would say. I can't even Google his posts
> for some reason.
You're right on the first count. As to the second, that may have
something to do with his usual X-No-Archive, but for the next few days
at least you can see the whole thread here if you really want to:
> On Tue, 01 Jul 2008 23:02:55 -0700, John Corliss
> <jcor...@fake.invalid> wrote: but for the next few days
> at least you can see the whole thread here if you really want to:
> http://tinyurl.com/622uec
Or this way is even easier to read.
>>
>> How else can he escape from all the twit lists?
>
> I'm not trying to escape from anything, clueless.
Why nymshift?
> On Wed, 02 Jul 2008 05:38:50 -0500, "Bear Bottoms"
> <bearbo...@gmail.com> wrote:
>
>> On Tue, 01 Jul 2008 23:24:59 -0500, Root Kit <b__...@hotmail.com>
>> wrote:
>>
>>>>
>>>> How else can he escape from all the twit lists?
>>>
>>> I'm not trying to escape from anything, clueless.
>>
>> Why nymshift?
>
> Just for fun. Some people accused me of being rude, so I decided on
> "Root Kit" which is a well known term within security and people can
> have a little fun while making an audible link to "Rude Kid".
>
> I may change it again anytime I feel like it, but as I said, my e-mail
> address remains unchanged so if people want to kill file me they can
> do so by mail-address.
Sure, right! You've been killfiled and you know it. Rude and liar to boot.
What character! At least Yrrah doesn't lie.
> On Wed, 02 Jul 2008 08:33:53 -0500, Root Kit <b__...@hotmail.com> wrote:
>
>> On Wed, 02 Jul 2008 05:38:50 -0500, "Bear Bottoms"
>> <bearbo...@gmail.com> wrote:
>>
>>> On Tue, 01 Jul 2008 23:24:59 -0500, Root Kit <b__...@hotmail.com>
>>> wrote:
>>>
>>>>>
>>>>> How else can he escape from all the twit lists?
>>>>
>>>> I'm not trying to escape from anything, clueless.
>>>
>>> Why nymshift?
>>
>> Just for fun. Some people accused me of being rude, so I decided on
>> "Root Kit" which is a well known term within security and people can
>> have a little fun while making an audible link to "Rude Kid".
>>
>> I may change it again anytime I feel like it, but as I said, my e-mail
>> address remains unchanged so if people want to kill file me they can
>> do so by mail-address.
>
> Sure, right! You've been killfiled and you know it. Rude and liar to
> boot. What character! At least Yrrah doesn't lie.
>
Not too much anyway.
> On Wed, 02 Jul 2008 08:40:01 -0500, "Bear Bottoms"
> <bearbo...@gmail.com> wrote:
>
>> Sure, right! You've been killfiled and you know it. Rude and liar to
>> boot.
>> What character! At least Yrrah doesn't lie.
>
> What exactly is your problem??? - And I mean apart from being
> clueless.
If I had a problem, I would solve it. Pointing out what you are afraid to!
skeerdy kat
Thanks Ron. By the way, it's another of my filters that blocks b_nice's
stuff.
I just don't understand his agenda. It basically consists of:
1. Every time you see a thread about personal firewalls, jump in and
badmouth them as being useless.
2. Whenever somebody asks you to better explain the alternative you're
suggesting, scathingly accuse them of being too stupid to understand.
3. Whenever somebody points out a flaw in your logic, clam up or change
the subject.
4. When too many people start blocking your posts, get another sock puppet.
Or am I missing something?
> Thanks Ron. By the way, it's another of my filters that blocks b_nice's
> stuff.
>
> I just don't understand his agenda. It basically consists of:
>
> 1. Every time you see a thread about personal firewalls, jump in and
> badmouth them as being useless.
>
> 2. Whenever somebody asks you to better explain the alternative you're
> suggesting, scathingly accuse them of being too stupid to understand.
>
> 3. Whenever somebody points out a flaw in your logic, clam up or change
> the subject.
>
> 4. When too many people start blocking your posts, get another sock
> puppet.
>
> Or am I missing something?
>
That sums it up nicely. Well done :)
All the kid is doing is trolling.
While sitting bored at some large company's help desk, he hangs out at
various security news groups, learns a few things and then comes here to
troll with an attitude.
The place I manage, we have a kid very much like ST/RK at our help
desk. He took some classes on SQL and now has a 'tude that he's godlike
on various SQL web forums.
Funny thing is everyone at the help desk has been promoted but not 'the
kid'.
>On Wed, 02 Jul 2008 05:38:50 -0500, "Bear Bottoms"
><bearbo...@gmail.com> wrote:
>
>>On Tue, 01 Jul 2008 23:24:59 -0500, Root Kit <b__...@hotmail.com> wrote:
>>
>>>>
>>>> How else can he escape from all the twit lists?
>>>
>>> I'm not trying to escape from anything, clueless.
>>
>>Why nymshift?
>Just for fun. Some people accused me of being rude,
RK, fwiw - I've always put that down to people trying to shoot
the messenger. I always read and keep your posts and Kayman's.
Relevant:
--
"All truth passes through three stages.
First, it is ridiculed, second it is violently opposed,
and third, it is accepted as self-evident"
(Arthur Schopenhauer)
BB, now it's my turn to agree with ano poster ;-)
I have never found RK's or Kayman's posts to be rude and
I read most of them, and keep quite a few too.
What I *do* see is frustration on their part in trying to better
inform people of security issues that conflict with the listeners'
long held belief systems and (in some cases) outright dogmas.
Sadly, that's a well trodden path for truth:
Should have said at the end: "...and not worth the effort."
>> 3. Whenever somebody points out a flaw in your logic, clam up or
>> change the subject.
>>
>> 4. When too many people start blocking your posts, get another sock
>> puppet.
>>
>> Or am I missing something?
>>
> That sums it up nicely. Well done :)
YW 80)>
That sure does sound like a likely scenario, I must say. And that will
be the way I'll envision the kid in the future, too. It explains a lot.
Know what's funny about all this? For a few minutes I actually thought
ST/RK *was* 'the kid' I have at the help desk.
You know;
ST/RK's posts are what I'd characterize as impolite and sometimes
disrespectful. That aside, his assertion that 3rd party PFS do not
increase security of a system and may decrease it, is spot on. I wish
he were a better advocate for his view but he isn't.
Regardless, it's pathetic that regulars resort to high-fiving each other
on "successfully" ridiculing posters.
-Craig
> BB, now it's my turn to agree with ano poster ;-)
>
> I have never found RK's or Kayman's posts to be rude and
> I read most of them, and keep quite a few too.
>
> What I *do* see is frustration on their part in trying to better
> inform people of security issues that conflict with the listeners'
> long held belief systems and (in some cases) outright dogmas.
>
> Sadly, that's a well trodden path for truth:
>
Maybe, but that is not what I've seen. It's hard to make a good landing
out of a bad approach.
> Thanks Ron. By the way, it's another of my filters that blocks b_nice's
> stuff.
Same here. All I saw originally was the reply from "§" and, like you,
when I tried to pull up the MID on Google (to check header info before
I posted) it didn't work.
> I just don't understand his agenda. It basically consists of:
>
> 1. Every time you see a thread about personal firewalls, jump in and
> badmouth them as being useless.
>
> 2. Whenever somebody asks you to better explain the alternative you're
> suggesting, scathingly accuse them of being too stupid to understand.
>
> 3. Whenever somebody points out a flaw in your logic, clam up or change
> the subject.
>
> 4. When too many people start blocking your posts, get another sock puppet.
>
> Or am I missing something?
Nope, you're on target. The only thing I'd add is that the core of
his argument consists of regurgitating snippets from the same handful
of fringe blogs, mostly taken out of context.
The basic principles make some sense if you're managing a medium to
large corporate enterprise and you have a need to maintain control
over things that a few people out of a large user base might engage
in. Since you must *enforce* safe hex on others, allowing individuals
to handle security policy simply won't work, so you're forced to look
for another solution out of necessity.
OTOH, for SOHO or personal use by knowledgeable users, which is what
most posters here are interested in, putting together a multi layer
approach to security that *begins* with practicing safe hex and is
custom designed to fit the tasks you want the individual computers to
perform makes a *lot* more sense in any number of ways than what ST/RK
is trying to sell.
> All the kid is doing is trolling.
>
> While sitting bored at some large company's help desk, he hangs out at
> various security news groups, learns a few things and then comes here to
> troll with an attitude.
>
> The place I manage, we have a kid very much like ST/RK at our help
> desk. He took some classes on SQL and now has a 'tude that he's godlike
> on various SQL web forums.
>
> Funny thing is everyone at the help desk has been promoted but not 'the
> kid'.
I think you nailed it! <g>
:)
When I first turned pro doing this computer crap back in the mid 80's I
distinctly remember an attitude that a *lot* of young IT pros at the
time had; 'I know computers and you do not, therefore you're an idiot'.
I could never understand *why* they had such an attitude. I guess the
nerds/geeks needed something to feel superior about.
Maybe this is why I goof on the nerds still to this day :)
> Path: border1.nntp.dca.giganews.com!nntp.giganews.com!news-in-01.newsfeed.easynews.com!easynews.com!easynews!easynews-local!fe10.news.easynews.com.POSTED!not-for-mail
> From: Root Kit <b__...@hotmail.com>
> Newsgroups: alt.comp.freeware
> Subject: Re: What's the best free Firewall?
> Message-ID: <fvpk641pdp007u1hc...@4ax.com>
> References: <g4dbk5$idb$1...@news.albasani.net>
> X-Newsreader: Forte Agent 4.2/32.1118
> X-No-Archive: yes
> MIME-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
> Lines: 7
> X-Complaints-To: ab...@easynews.com
> Organization: EasyNews, UseNet made Easy!
> X-Complaints-Info: Please be sure to forward a copy of ALL headers otherwise we will be unable to process your complaint properly.
> Date: Tue, 01 Jul 2008 17:23:26 GMT
> Bytes: 1054
> Xref: number1.nntp.dca.giganews.com alt.comp.freeware:666631
>
> "Steve Terry" wrote:
>
>> Anything better than ZoneAlarm? for XP
>
> The best free firewall is the one that makes the least damage.
From seeing his posts (under different monikers), yeah, I can see why he
nymshifts and why he wants his posts to disappear.
<rant title="To Lambaste a User of the X-No-Archive Header">
To deliberately thwart the no-archive request, the original post is
shown above, including its headers. Alas, you really don't want an
answer because you don't even want your original post to stick around
beyond a week.
> X-No-Archive: yes
- It reduces the number of users that will see your post. This is
Usenet which doesn't command the immediacy of a prattling venue, like
some chat room where you won't see responses when you exit a session.
Potential respondents won't see your post after 6 days, or however long
is the no-archive expiration which could be shorter.
- It reduces the value of the thread to other users because the thread
gets punched full of "holes" from posters that use this header.
Responses that are archived may only have a partial quoting of a prior
no-archived post plus all headers are lost from the original post. This
header corrupts the flow of the discussion. The discussion becomes
incomplete due to all the greedy bastards that don't want to share what
they've said.
- What boob self-censors their own posts by asking that they vaporize
before a week has elapsed?
- Spammers, trolls, flamers, cowards, liars, nymshifters, and
malcontents use this header to hide their history (which answers the
previous question as to who uses this header). They don't want anyone
to know just how long and how often they've been around. Is this the
group of users to whom you wish to affiliate yourself?
- Because of the user types that use this no-archive header (boobs,
newbies, greedy posters not willing to share the discussion, spammers,
trolls, cowards), some users will filter out your post. They may either
delete any no-archive posts (as YOU requested) or weight them as spam or
"bad" posts which can reduce the number of potential respondents to your
post. One of those respondents might have had the answer you were
looking for but you chose to hide your post before they visited the
group. They don't see your post so they don't respond. Maybe they
would have been the only one willing to respond. Maybe they would have
been the only one with the expertise to help you. You don't know. To
you, it looks like no one bothered to answer your post when, in fact,
you chose to hide it from them or affiliate yourself with a type of
poster that the respondent filters out.
- You inflame other users by trying to steal away the help that you
received. You want to get help but are unwilling to share it with
others that may later encounter the same or similar problem. They
cannot find your prior post. If respondents were similarly inclined and
also used the X-No-Archive header then the entire thread disappears. If
you don't want anyone to see your post or do not want to keep the thread
intact then don't post. Usenet is for SHARING.
- The use of this header is anti-social and outright rude. It is
employed by cowards.
- You don't consider your post important enough to have it archived.
Likewise, why would anyone participate or help you on a post that you
have deemed valueless?
- While you might consider your post to be valueless or you are just
being greedy in trying not to share with anyone else at a later time,
the archived threads are used to discover existing solutions or just to
see if the topic has been previously discussed. If you don't want your
posts to echo through eternity, speak into a well insulated empty soup
can so no one else can hear you. If you want to keep it to yourself, do
it upfront by not posting.
- Only boobs or newbies believe that this header will prevent their post
from getting archived. There are many forums that use a gateway to
Usenet so your post will get archived there (and may remain archived for
years). It isn't just Google Groups where your post will get archived.
Also, the retention interval of NNTP hosts (of which the vast majority
will not honor the X-No-Archive header) will far outstrip the 6-day
no-archive expiration at Google Groups. The use of this header makes
you look stupid.
- "regular newsgroup participants were concerned about privacy rights"
(http://en.wikipedia.org/wiki/X-No-Archive). Privacy is your
responsibility. Don't use your true e-mail address in your posts if you
don't want it abused. Munge it, require a passcode in the Subject to
bypass an auto-delete filter (as proof that a human used it) that you
mention in your signature (because spambots can't read instructions), or
use a bogus one (but one in which the domain is not registered, or use
.invalid as the top-level domain, as in y...@domain.invalid). Google
carried on a tradition that Deja News employed at the behest of some
frightened users in an environment that is not the same today; however,
not all traditions are sensible when established or remain applicable
over time, especially when based on a trust model.
- You requested your post be deleted from any archive that honors the
X-No-Archive header. Anyone that honors your request chooses their own
expiration interval. You don't get to specify WHEN the no-archive
request is honored. For the vast number of NNTP servers, this header is
NOT honored (i.e., it is ignored). For Google Groups, deletion is after
6 days. For me, the deletion is immediate upon recognition or
immediately after responding, whichever is later. Hey, you are the one
that requested your post be automatically deleted, you are the one that
considers your post of no value beyond someone else's configured
expiration interval, you are the one that doesn't want anyone to see
your prior posts, and you are the one that wants to fuck up the
continuity of past threads in which you momentarily participated. Your
wish has been granted: your post is no longer archived by me and it's
just like it never existed. Poof, gone, you were never here.
</rant>
> ST/RK's posts are what I'd characterize as impolite and sometimes
> disrespectful. That aside, his assertion that 3rd party PFS do not
> increase security of a system and may decrease it, is spot on.
Only in the limited context I explained here:
Message-ID: <318n6419jecj426cc...@4ax.com>
It's not a very practical and certainly not a provably "better"
approach than most of the regular participants here follow, which is
to *start* with safe hex and build a multi-layer strategy around it
for when (not if) the first line of defense fails.
When he (or anyone else for that matter) can explain why (WRT outbound
firewall monitoring) it *improves* security to remain ignorant of what
might try to phone home, I'll listen. Until then, no sale.
+1
Get back to the help desk son.
Anyway, I removed the indicator which has obviously kept you sleepless
for weeks. It's really no big deal.
Now I'll just sit and wait for the next thing you'll dig up and rant
about. I'm sure you'll be able to come up with something. I'm also
convinced it will once again be completely off topic.
That's hardly "limited," Ron.
>
> Message-ID: <318n6419jecj426cc...@4ax.com>
>
> It's not a very practical and certainly not a provably "better"
gross generalization #1:
> approach than most of the regular participants here follow, which is
gross generalization #2:
> to *start* with safe hex and build a multi-layer strategy around it
> for when (not if) the first line of defense fails.
>
> When he (or anyone else for that matter) can explain why (WRT
> outbound firewall monitoring) it *improves* security to remain
> ignorant of what might try to phone home, I'll listen.
Ron, it has been explained. And since you understand the multi-layer
strategy of security, you already know it: so-called "monitoring" of
outbound connections can lead to a false sense of security. Compromised
systems will not report suspicious outbound activity. Similarly, all the
pop-ups "alerting" users to "potential" issues can create "security
fatigue." In short:
Outbound monitoring is NOT a part of an established security strategy
because it does NOT enhance, and may decrease security.
> Until then, no sale.
I know that's just an expression but, just to set the record straight:
I'm not selling anything and I couldn't care less whether such-and-such
an individual "buys" this argument.
What I do care about is that "security companies," s/w reviewers,
bloggers, et cetera, misrepresent what constitutes "good security." And
that misrepresentation gets repeated in here, a non-security-related ng
where people all too often believe that if they have "the right PFS,"
they'll be "safer."
The most widely known canard in this context is the continued
fascination that people have w/"stealthing ports."
ST/RK is an easy messenger to kill. Really, I find him eminently
killable. Let's just not bury the message with his corpse.
-Craig
LOL ;-)
You mean you have left it now?
For someone who constantly complains about the posts of others being
off-topic, it is interesting to note that Root Kit's last *nine* posts
in this thread have absolutely nothing at all to do with freeware *or*
firewalls. In fact, Root Kit mostly seems to be occupied here with
talking about himself and/or about what others have to say about
him/her/it, which his style of involvement in any thread typically
causes to become the main ongoing topic, supplanting the topic indicated
in the thread's subject line.
I totally disagree with your "false sense of security" argument, Craig.
As long as a person realizes that nabbing outgoing calls is not going to
happen all the time (although, IME, it does), it's better to have a
firewall checking for outgoing calls than not.
IOW, how can *NEVER* knowing when a program is calling out be better
than knowing *SOMETIMES*, or maybe even *MOST OF THE TIME*?
THIS is the crux of most people's frustrations with b_nice's arguments.
I've warned you once before and I'll warn you again; if you value your
position here in the IT department you *will* go back to the help desk.
I don't think you would like to return to the Geek Squad. Not after
that unfortunate *incident* of yours.
Please get your medication and go to sleep.
I understand. It sounds like a "soft" argument to me, personally but
it's valid. IOW, I don't like that argument, but it's true. The only
time an outbound feature is a benefit is when our system is not
infected: An app phones home, we don't like that and so we block it or
zap it. But that's not security, not in the actual sense of the term
"computer security."
>
> IOW, how can *NEVER* knowing when a program is calling out be better
> than knowing *SOMETIMES*, or maybe even *MOST OF THE TIME*?
Bear with me: Never, Sometimes, Most of the time... none of these add
to actual security as in "prevention." But they do increase the
likelihood of lessening security.
I want to reiterate that I'm speaking of 3rd party firewalls. MS is off
the hook on this one.
>
> THIS is the crux of most people's frustrations with b_nice's arguments.
>
Yea, that and his innate charms. Fwiw, it feels odd to stand in support
of an argument that I don't necessarily "like." But after reading at
the intersection of security strategies and firewalls, I'm convinced
that the position is valid.
Thanks for keeping this on-topic John. It's worthy of us and a hell of
a lot more enjoyable. <grin>
-Craig
P.S. PFSes aren't just a risk to security wrt the psychology of
security. Depending on how they're coded, they can become a vector in
and of themselves and/or render the actual tcp stack vulnerable. It's
happened.
>On Wed, 02 Jul 2008 10:00:32 -0500, hummingbird <hummi...@127.0.0.1>
>wrote:
Rotfl. That's a brilliant one BB. I give you 10 out of 10!
And that *medication* of yours is the reason why you failed the urine
analysis and caused your abrupt departure from The Geek Squad.
You brought this all on yourself by bringing your incident up.
Kids nowadays....
>In fact, Root Kit mostly seems to be occupied here with
>talking about himself and/or about what others have to say about
>him/her/it, which his style of involvement in any thread typically
>causes to become the main ongoing topic, supplanting the topic indicated
>in the thread's subject line.
It's nothing compared to the overwhelming desire of others to discuss
me instead of staying on topic.
You remind me of the bunch of losers denouncing Galileo's opinions on
the motion of the Earth, judging them dangerous and close to heresy.
> I understand. It sounds like a "soft" argument to me, personally but
> it's valid. IOW, I don't like that argument, but it's true. The only
> time an outbound feature is a benefit is when our system is not
> infected: An app phones home, we don't like that and so we block it or
> zap it. But that's not security, not in the actual sense of the term
> "computer security."
If you are infected, you may never know then. Also, if you are
infected...that infection may wish to transmit something somewhere...just
let it do so? Center on that issue for a moment.
I don't think Galileo said "you're too stupid to understand what I'm
telling you."
No great man would say such. Only poor little egotistical boys.
'Stay on topic.....Stay on topic.....'
>
> You remind me of the bunch of losers denouncing Galileo's opinions on
> the motion of the Earth, judging them dangerous and close to heresy.
Now you're comparing yourself to Galileo?!?! Talk about delusions of
grandeur.
tee hee
>
> No great man would say such. Only poor little egotistical boys.
>
With little minds that resent working the help desk :)
Two problems with that belief:
1) PFSes do *not* replace the need to employ /actual/ security measures
such as running on-access scanners or anti-rootkit s/w.
2) PFSes do *not* catch an infection transmitting to the internet.
PFSes catch a new program when it first attempts a connection to the
internet. PFSes catch a service invoked by another app that may call
out to the internet. But only inasmuch as our system is clean. To
assume otherwise is wishful thinking... *not* security management.
Let's step back just for a moment because the larger picture is
important here too:
PFSes have been vectors for attack. That is, not only are they y.a.
vulnerability but, they are a vulnerability that lies at the near-core
of the OS: the OSI stack. Some PFSes actually alter the TCP stack
which, unless that company employed a gajillion testers, introduces yet
more vulnerabilities... that weren't there until the PFS was installed.
PFS is not a part of a security model: it can't be because it depends on
the invulnerability of what it's defending. It's analogous to making
the walls of your house also act as the levee.
Firewall appliances are a part of the security model. Minimizing ports
& services are too. PFSes? I wish they were.*
hth,
-Craig
(*) I'd feel safer but, they aren't. As a matter of fact, I guess
that's why I don't "like" my point of view: it's uncomfortable compared
to believing that PFSes are helpful.
>I don't think Galileo said "you're too stupid to understand what I'm
>telling you."
But that's what he thought. Of course saying so back then would have
had serious consequences.
>No great man would say such. Only poor little egotistical boys.
It must feel good being among the redeemed.
>With little minds that resent working the help desk :)
Oh man... you kill me ..... you're soooooooo funny.
What can I say... I like making fun of the help desk nerdboi :)
> (*) I'd feel safer but, they aren't. As a matter of fact, I guess
> that's why I don't "like" my point of view: it's uncomfortable compared
> to believing that PFSes are helpful.
Why does every tech recommend one, and why do computer manufacturers and
virtually every single computer sold include one?
huh what?!?!
The only techs I've come across that recommend a third party pfs has
been the Geek Squad, and well, we all know about them.
PC manufacturers shipping a third party pfs are shipping that Symantec
Total Security BS solution that includes a pfs only because of the BS
deal the PC manufacturer has made with Symantec.
I took delivery of 500+ PCs last Spring and none of them came with a
third party pfs. But then again, I ordered the business systems with
minimal BS sw.
I didn't particularly say "third party." I don't know of any shipped with
third party FWs. Why does virtually every security suite recommendation
include at least a good firewall, antivirus, and antispyware software?
Why doesn't every computer come completely hardened without any malware
bundles and leave it up to the user to open what they want to
use...instead of the other way around? Why why why? :)
To *sell* you more sw!
>
> Why doesn't every computer come completely hardened without any malware
> bundles and leave it up to the user to open what they want to
> use...instead of the other way around? Why why why? :)
>
That's the business model :)
OK...ok, I give....I'm digging into it more. If Craig was won over, maybe
there is hope for me.
>On Wed, 02 Jul 2008 16:28:44 -0500, § <td...@foadspammer.com> wrote:
Marketing and media advertising have created the belief that if
you don't have a firewall and AV program running at all times,
you are vulnerable from attack. Paranoia and greed Rools!
Yet I have never run an AV program!
Craig, I have a great deal of respect for what you say, especially
when you express concerns about the frequent drive-by posters looking
for a magic bullet that will protect them from themselves. I agree
with you 100% on those concerns. That's clearly evident in my first
post to this thread in response to the OP where I used the caveat:
> ... as long as one realizes that a firewall is
> only a very small part of a much larger overall security strategy, of
> which "safe hex" is always your first and best line of defense.
OTOH, I find it more than mildly insulting for ST/RK to suggest, and
for you to support the assertion, that my use of software to monitor
unauthorized (i.e., without my knowledge and/or permission) attempts
to connect with an outside location will somehow "lead (me) to a false
sense of security" or that responding to alerts, (which are rare after
the initial training phase) would create "security fatigue" for me.
One can certainly have an honest debate on how *much* outbound
monitoring adds to overall security. I suspect not all that much. I
will suggest to you, however, that on a playing field that's equally
level except for the issue of outbound monitoring, the user who is
alerted to unauthorized connection attempts (even granting that some
might slip by unnoticed) is in a more secure position than one who
chooses to remain blissfully ignorant of those attempts. The value
and reliability of the advantage can be argued. The *existence* of
the advantage is difficult if not impossible to deny.
Bottom line, ST/RK can't make the argument on software grounds, and
essentially the position you outline above doesn't speak to software
issues either, but rather to the human element of how some assumedly
naive and less experienced persons *might* misuse the software.
That's not a legitimate test. I contend that the case for ST/RK's
position can't be made without assuming significantly superior
practice of safe hex on one side more than the other, and that's why
the argument is invalid and will remain so.
I like to think about an outbound firewall in the same way I think
about smoke detector in the home:
* A smoke detector doesn't *prevent* fires and an outbound firewall
doesn't *prevent* malware.
* A smoke detector is only one small part of an overall home safety
program and it only comes into play to *alert* you after your primary
lines of defense have already failed, which is similar to what an
outbound firewall *alert* is designed to do.
* A smoke detector, like a firewall, may generate a false alarm or
may warn you of something you already know about. No benefit there.
* A smoke detector may not even trip on certain types of fires, or if
it does, it might be too late to save much of what's left of the
house. Same is true of an outbound firewall and an infected system.
* Despite the above stipulations, one has to at least grant the
possibility that a smoke detector just might save one's butt someday
after years of not doing much in terms of real "protection." The same
can be said of an outbound firewall, and it's one good reason why I
prefer to use one than not.
--
Ron M.
(I filter Googlespam)
alt.comp.freeware information pages:
http://www.pricelesswarehome.org/acf/Index.php
> One can certainly have an honest debate on how *much* outbound
> monitoring adds to overall security. I suspect not all that much. I
> will suggest to you, however, that on a playing field that's equally
> level except for the issue of outbound monitoring, the user who is
> alerted to unauthorized connection attempts (even granting that some
> might slip by unnoticed) is in a more secure position than one who
> chooses to remain blissfully ignorant of those attempts. The value
> and reliability of the advantage can be argued. The *existence* of
> the advantage is difficult if not impossible to deny.
It's pretty easy to deny. The advantage (if there is any) of being
alerted to outbound connections is an increase in convenience, not an
increase in security. Clearly, that's an opinion, but I can't see it
another way.
"Personal firewall" software necessarily increases the complexity of the
networking system a great deal; you can't get the monitoring without
that, so you can't disregard it in an effort to compare on a level
playing field. It's this increased complexity that reduces security.
(This has been pointed out a few thousand times in the never-ending
flamewars about "personal firewalls" here, but I haven't mentioned it
in a long time, so I figured it was my turn again. Don't worry, I'm not
permanently rejoining the knife-fight. ;)
So, even if one sees outbound connection alerts as giving an increase
in security, that increase would have to be weighed against the
decrease in security that goes along with letting the software monkey
with the workings of the network stack. AFAIK, all companies making
"personal firewalls" for Windows keep the source to themselves, so I
can't suggest how anyone might weigh the concerns to reach a conclusion.
Since I don't see anything to be weighed against the decrease (see
first paragraph again), it's not a decision I have to make.
Craig, I have PERSONALLY had Kerio 2.1.5 save my ass when it caught a
trojan calling out and gave me the option of blocking it. Instead, what
I did was to simply turn off my modem and then find the little fucker so
that I could delete it. It took me about 15 minutes to return everything
back to normal.
Now how in the WORLD can that somehow be worse than not detecting the
trojan calling out?
>> IOW, how can *NEVER* knowing when a program is calling out be better
>> than knowing *SOMETIMES*, or maybe even *MOST OF THE TIME*?
>
> Bear with me: Never, Sometimes, Most of the time... none of these add
> to actual security as in "prevention."
Security does NOT necessarily equal prevention. It can sometimes equal
catching the villain in the act of the break-in if he gets past the
locked door and ripping his nutsack off.
> But they do increase the likelihood of lessening security.
>
> I want to reiterate that I'm speaking of 3rd party firewalls. MS is off
> the hook on this one.
WHAT??? Craig, I really don't understand what you're saying in the
least. How in the *world* can monitoring outgoing calls be a bad thing?
You still haven't provided the least explanation of how this can be,
other than the old "false sense of security" argument, and that is worse
than weak.
Listen, I'm the first to agree that closing unneeded ports and turning
off unnecessary services are good ideas. I've done so. But to say that
2-way PFWs are not a valid part of safe surfing is, IMO, irresponsible
in the extreme. I've had to clean up too many computers that were
running without a firewall
>> THIS is the crux of most people's frustrations with b_nice's arguments.
>
> Yea, that and his innate charms. Fwiw, it feels odd to stand in support
> of an argument that I don't necessarily "like."
Then perhaps it might be a good idea to try and figure out better why it
is that you don't like it.
> But after reading at
> the intersection of security strategies and firewalls, I'm convinced
> that the position is valid.
"False sense of security"? The argument then is whether or not it is
indeed "false" or only partially so. If having a PFW installed convinces
a person that they don't still need to disable unneeded services and
processes, don't still need to block certain ports, then YES, I would
agree. But the reverse is also true IMO. If blocking ports, shutting off
services and processes convinces a person that they don't need a
firewall, then they're equally as much a fool.
> Thanks for keeping this on-topic John. It's worthy of us and a hell of
> a lot more enjoyable. <grin>
>
> -Craig
>
> P.S. PFSes aren't just a risk to security wrt the psychology of
> security. Depending on how they're coded, they can become a vector in
> and of themselves and/or render the actual tcp stack vulnerable. It's
> happened.
But not very often and it's a risk I'm willing to live with.
Craig, I just don't understand why you're playing the devil's advocate here.
> Craig, I just don't understand why you're playing the devil's advocate
> here.
I just gave up and will continue at my own pace, doing what I think is
best and expressing my own opinion without trying to deeply convert anyone.
He does rather think a lot of himself, doesn't he?
He is a legend in his own mind :)
> Craig, I have PERSONALLY had Kerio 2.1.5 save my ass when it caught a
> trojan calling out and gave me the option of blocking it. Instead,
> what I did was to simply turn off my modem and then find the little
> fucker so that I could delete it. It took me about 15 minutes to
> return everything back to normal.
>
> Now how in the WORLD can that somehow be worse than not detecting the
> trojan calling out?
I used to have the same view until about a month ago. I told this story
in another newsgroup, and was roundly flamed, until someone posted a
webpage that proved that it indeed could happen.
I got a virus or something while my computer was booted in LINUX. I was
playing around with Wine, trying to get things working, and downloading
various things. Wine is the key - an app to run Windows apps in a fake
Windows environment. Looks like that someone has figured out how to give
you a "virus" in Wine that can do no real harm there, but is capable of
crossing over to the Windows partition. That may be because I was in
Ubuntu, which automatically mounts all your hard drives. Now I see why
Linux people think that is a bad idea.
When I booted back into Windows, I had a hell of a mess. All kinds of
new folders and files, all which showed a size of 0 bytes, and all of
which could not be deleted. Windows could not find any of my installed
apps without searching for them first.
And, all of my security software was inoperable. Anti-virus, firewall,
you name it. On line malware scans locked up. Something had buggered me
real good. The only cure was to wipe and reinstall.
This was a very obvious example, and it was obvious that something had
shut down all my security apps. There is other malware that doesn't play
so nice. You will never know that it has rendered your security useless,
because it will appear to still be working, except with regard to the
malware, which you don't know you have anyway.
So, they are correct in saying that a person should not depend on this
line of defense as if it is impenetrable. Where they are incorrect is
saying that it has no value at all. It certainly has a value, but not as
the first line of defense.
I practice safe hex, and the only 2 times I ever was compromised was
when I let my guard down because I thought I was safe. Nobody would ever
expect to get a Windows virus while working in Linux. But, I did.
The other time was when I was expecting to get an image file from
someone on a mailing list. I got an image file, but unbeknownst to me,
his computer had been infected. The image file I got contained a virus.
> On Wed, 02 Jul 2008 18:56:30 -0500
> Ron May <may...@hotmail.com> wrote:
>
> > One can certainly have an honest debate on how *much* outbound
> > monitoring adds to overall security. I suspect not all that much. I
> > will suggest to you, however, that on a playing field that's equally
> > level except for the issue of outbound monitoring, the user who is
> > alerted to unauthorized connection attempts (even granting that some
> > might slip by unnoticed) is in a more secure position than one who
> > chooses to remain blissfully ignorant of those attempts. The value
> > and reliability of the advantage can be argued. The *existence* of
> > the advantage is difficult if not impossible to deny.
>
> It's pretty easy to deny. The advantage (if there is any) of being
> alerted to outbound connections is an increase in convenience, not an
> increase in security. Clearly, that's an opinion, but I can't see it
> another way.
At least you recognize it's an opinion. My opinion is that it's
better to know than *NOT* know, and I only have to be right one time
to make the case. You, OTOH, only have to be *wrong* once as far as
an outbound firewall's ability to detect some malware attempting to
call out to make my case for me. I like my odds better. <g>
> "Personal firewall" software necessarily increases the complexity of the
> networking system a great deal; you can't get the monitoring without
> that, so you can't disregard it in an effort to compare on a level
> playing field. It's this increased complexity that reduces security.
> (This has been pointed out a few thousand times in the never-ending
> flamewars about "personal firewalls" here, but I haven't mentioned it
> in a long time, so I figured it was my turn again. Don't worry, I'm not
> permanently rejoining the knife-fight. ;)
That's good to know, so I'll address it in response to the next
paragraph.
> So, even if one sees outbound connection alerts as giving an increase
> in security, that increase would have to be weighed against the
> decrease in security that goes along with letting the software monkey
> with the workings of the network stack. AFAIK, all companies making
> "personal firewalls" for Windows keep the source to themselves, so I
> can't suggest how anyone might weigh the concerns to reach a conclusion.
I'm familiar with "increased complexity" as a theoretical argument,
but I'm not aware of any documented incidents where malware has been
able to exploit it, so from where does the "decrease in security"
arise as a practical matter?
> Since I don't see anything to be weighed against the decrease (see
> first paragraph again), it's not a decision I have to make.
At the end of the day, each of us does what we feel is best for our
purposes. Even though I've been running behind a NAT router that's
locked down pretty tight since I was running Win98 more than six years
ago, I prefer the "belt and suspenders" approach when it comes to this
topic.
> So, they are correct in saying that a person should not depend on this
> line of defense as if it is impenetrable. Where they are incorrect is
> saying that it has no value at all. It certainly has a value, but not as
> the first line of defense.
And why those on the other side of this issue fail to see that is
beyond me. It really is as simple and concise as you've stated it
above.
> On 3 Jul 2008 02:58:19 GMT, elaich <x@y.z> wrote:
>
>> So, they are correct in saying that a person should not depend on this
>> line of defense as if it is impenetrable. Where they are incorrect is
>> saying that it has no value at all. It certainly has a value, but not as
>> the first line of defense.
>
> And why those on the other side of this issue fail to see that is
> beyond me. It really is as simple and concise as you've stated it
> above.
>
It is fairly common knowledge even among noobs that software security
programs cannot protect you from yourself or the unfortunate event that
you run into a particularly nasty piece of malware. Not even the so called
experts can truly be safe. It is a crap shoot and there will always be the
possibility of becoming infected no matter who you are.
Fortunately, that likelihood is still relatively rare...and I do speak
from experience as many here can also. I've never been seriously infected,
and chalk much of that to luck. However, what is not luck is those
occasions where the security software I use catches or alerts me to
malware that is trying to invade and stops it or gives me enough
information to clean it.
Much of the rest of the ballyhooing is just that. Millions of people are not
experiencing armageddon on their computers for very long periods of time,
without sophisticated alternatives being discussed here.
> On Wed, 2 Jul 2008 19:34:16 -0500, »Q« <box...@gmx.net> wrote:
>
> > On Wed, 02 Jul 2008 18:56:30 -0500
> > Ron May <may...@hotmail.com> wrote:
> >
> > > One can certainly have an honest debate on how *much* outbound
> > > monitoring adds to overall security. I suspect not all that
> > > much. I will suggest to you, however, that on a playing field
> > > that's equally level except for the issue of outbound monitoring,
> > > the user who is alerted to unauthorized connection attempts (even
> > > granting that some might slip by unnoticed) is in a more secure
> > > position than one who chooses to remain blissfully ignorant of
> > > those attempts. The value and reliability of the advantage can
> > > be argued. The *existence* of the advantage is difficult if not
> > > impossible to deny.
> >
> > It's pretty easy to deny. The advantage (if there is any) of being
> > alerted to outbound connections is an increase in convenience, not
> > an increase in security. Clearly, that's an opinion, but I can't
> > see it another way.
>
> At least you recognize it's an opinion. My opinion is that it's
> better to know than *NOT* know, and I only have to be right one time
> to make the case.
I haven't argued that it's better not to know than to know, and no
part of the case depends on that.
> You, OTOH, only have to be *wrong* once as far as an outbound
> firewall's ability to detect some malware attempting to call out to
> make my case for me. I like my odds better. <g>
Neither does any part of the case depend on whether one ever detects a
malicious outbound connection.
> > "Personal firewall" software necessarily increases the complexity
> > of the networking system a great deal; you can't get the
> > monitoring without that, so you can't disregard it in an effort to
> > compare on a level playing field. It's this increased complexity
> > that reduces security. (This has been pointed out a few thousand
> > times in the never-ending flamewars about "personal firewalls"
> > here, but I haven't mentioned it in a long time, so I figured it
> > was my turn again. Don't worry, I'm not permanently rejoining the
> > knife-fight. ;)
>
> That's good to know, so I'll address it in response to the next
> paragraph.
>
> > So, even if one sees outbound connection alerts as giving an
> > increase in security, that increase would have to be weighed
> > against the decrease in security that goes along with letting the
> > software monkey with the workings of the network stack. AFAIK,
> > all companies making "personal firewalls" for Windows keep the
> > source to themselves, so I can't suggest how anyone might weigh the
> > concerns to reach a conclusion.
>
> I'm familiar with "increased complexity" as a theoretical argument,
> but I'm not aware of any documented incidents where malware has been
> able to exploit it, so from where does the "decrease in security"
> arise as a practical matter?
I'm not digging them up. Straight Talk has posted a few exploited
vulnerabilities. Maybe he will again. If not, I'm content to leave it
as theoretical in your mind. :)