> I moved to Online Armor mainly because Comodo was asking me about files I
> did not recognise. It seems OK thus far.
> However Shields-Up spotted port 0 as being closed, but went on to say port
> 0 is never used. Can anyone explain?
> And while I'm here, whatever happened to PCflank and is there anything
> similar?
If on WinXP or Vista, steer away from any 3rd party software firewall
programs; They are useless to say the least. Stick with the built-in
application.
Yeah, the "cool" firewall from Microsoft is the best firewall there is
(especially for hackers).
>However Shields-Up spotted port 0 as being closed, but went on to say port
>0 is never used. Can anyone explain?
The fact that port 0 doesn't exist should be your first clue as to
Shields-Up's technical competence.
Nonsense. Software firewalls are an important part of your security
(unless you're doing all your online work in a sandbox or VPN, which is
significantly more complicated for the average user).
ShieldsUp! is an excellent tool to test your system. If you get
something that you don't understand, go to grc.com forums. The people
are extremely helpful.
If its reports are still as misleading as they were in the past, then
it still can't replace a decent port scanner.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
They aren't an important part of my security. In fact they aren't part
of my security at all. Because there's no reason at all to use them.
If you think you need a firewall to shield open ports, the Windows
Firewall is absolutely sufficient. If you want sensible monitoring of
connections: install Port Reporter.
It left port 135 open too, so it's gone.
By the way, here's a little info about port 0 and why it is mentioned:
http://compnetworking.about.com/od/tcpip/l/blports_0.htm
http://www.grc.com/port_0.htm
If you want to be helpful, then suggest a different tool for the average
user. Criticizing ShieldsUp! and leaving it at that doesn't do much
good. I'm not suggesting anyone should be dependent upon a single
source. But it will definitely show whether your firewall is working.
Windows firewall is inbound only.
Are you using Windows, cobalt?
Are you even understanding what he is saying?
Yes, I understand what he's saying. However, this thread started with
someone who is using Online Armour and had a question about port 0.
Cobalt's immediate response was to get rid of any 3rd party firewall on
XP or Vista. That isn't exactly the best advice, considering he doesn't
know anything about the user's system or experience. Is Jim S behind a
router? Does he know anything about security? Is he the only user of the
computer? To just make a blanket statement about not using a 3rd party
software firewall and stick to the one built into windows is just wrong.
Port Reporter is a nice tool, but all it does is log information. And it
isn't exactly for the novice.
The reason I asked whether he is using Windows is because the vast
majority of people I encounter who reject software firewalls outright
are *nix users.
Tell news. Outbound control doesn't work reliably anyway, so why would I
want to rely on it?
> Are you using Windows, cobalt?
Sure I do.
Which is exactly what it's supposed to do.
> And it isn't exactly for the novice.
Neither are logs/messages of the various personal firewalls.
Log files isn't usually the primary reason someone uses a software
firewall.
Rather than continue this back & forth, why don't you just share exactly
how an average Windows user on an internet-connected computer can fully
protect himself?
One reason I hear rather frequently is that personal firewall would tell
people what's going on on their systems. Logfiles exist exactly for that
purpose.
> Rather than continue this back & forth, why don't you just share
> exactly how an average Windows user on an internet-connected computer
> can fully protect himself?
Because there is no "one size fits all" solution. A good starting point
would be:
- Think before acting.
- Never be root. Use an administrator account only for administrative
tasks. Use a normal user account for everything else.
- Configure software that requires admin privileges for non-admin tasks
to run with limited user privileges [1].
- Keep your operating sytem and all of your softwar up-to-date.
Automatic updates help.
- Don't provide services you don't want to provide [2,3]. Or use the
Windows Firewall to block inbound connections.
- Disable autostarts for removable media (via gpedit).
- Use AV software to prevent known malware from being executed by
mistake.
- Don't use IE, at least not without locking it down tightly. Better use
Firefox/SeaMonkey with NoScript or Opera, as they are easier to
secure.
- Before installing software think twice about whether you really need
it. Less is more.
Additional steps could be:
- Use sandboxed environments (preferrably virtual machines) for
evaluating software.
- Revoke "execute" permission from caches and temp directories.
- Use Software Restriction Policies to allow only whitelisted software
to be executed.
- ...
[1] http://www.planetcobalt.net/sdb/submission.shtml
[2] http://www.ntsvcfg.de/ntsvcfg_eng.html
[3] http://www.dingens.org/index.html.en
How about nmap-online.com?
> Criticizing ShieldsUp! and leaving it at that doesn't do much good.
ShieldsUp! might actually be a decent port scanner, if it weren't used
to spread Gibson's gross misunderstanding of networking concepts.
> I'm not suggesting anyone should be dependent upon a single source.
> But it will definitely show whether your firewall is working.
The problem with ShieldsUp! isn't the actual results of the scan, but
Gibson's interpretation of them. For instance: there is no such thing as
"stealth" in TCP/IP.
That all sounds great. But I said for the average Windows user. Do you
really expect aunt Esther to understand how lock things down through the
registry and group policy editor? Or figure out how to set up a VPN?
I agree with everything you recommend. But executing several of those
steps is well above the knowledge level of the average Windows user.
Hence, software firewalls as a simpler, reasonably secure alternative to
add to the OS updates, more secure browser, AV, etc.
Thank you. I'll give nmap-online a try.
Education G, it's called EDUCATION!
A sensible aunt Esther would not drive a motor vehicle without prior
familiarization in relation to correct operating procedures of her car and
traffic/street rules.
> I agree with everything you recommend. But executing several of those
> steps is well above the knowledge level of the average Windows user.
> Hence, software firewalls as a simpler, reasonably secure alternative to
> add to the OS updates, more secure browser, AV, etc.
No, it's not! Admittedly, the hype of snake oil is more readily available
(marketing at its 'best').
Yeah right.. tell that to my mom who doesn't even know how to send an
email and every time we told her how to, the very next day she asks again.
> A sensible aunt Esther would not drive a motor vehicle without prior
> familiarization in relation to correct operating procedures of her car and
> traffic/street rules.
The analogy is irrelevant. A more appropriate analogy is whether a
sensible aunt Esther should be taught the about whole legal system in
the country before doing anything since what she is doing may break any
arbitrary law.
>In article <pkukr4p2tvuhc61jv...@4ax.com>,
>b__...@hotmail.com says...
>>
>> On Fri, 13 Mar 2009 15:43:49 +0200, Geoff Smith <geof...@yahoo.com>
>> wrote:
>>
>> >In article <gpdjcj...@news.in-ulm.de>, usene...@planetcobalt.net
>> >says...
>> >> If you think you need a firewall to shield open ports, the Windows
>> >> Firewall is absolutely sufficient. If you want sensible monitoring of
>> >> connections: install Port Reporter.
>> >>
>> >> cu
>> >> 59cobalt
>> >
>> >Windows firewall is inbound only.
>> >
>> >Are you using Windows, cobalt?
>>
>> Are you even understanding what he is saying?
>
>Yes, I understand what he's saying.
Replying that WF is inbound only, gives the impression you didn't
understand a word of what he said.
Do you really expect aunt Esther to understand the nonsense presented
to her by a PFW?
I agree that it would be great to educate others on these issues. But we
also have to be realistic. Windows' greatest benefit (simplicity for the
masses) is also its greatest security issue.
The average user will only go so far when it comes to learning about
security. I realize that software firewalls aren't perfect. But they DO
provide benefit for the average user. And when someone posts a question
about the operation of the firewall they're using, I think it's a lot
more productive to help them make sure it's working properly than to
just blindly steer everyone away from them.
In most modern firewalls, rules are learned for what should be
permitted. So you only have to agree for your browser once, etc.
My dad is a senior citizen (not tech-savvy at all) and has no problem
with it. He can read the warnings (although they are extremely rare for
him now). If he doesn't recognize the program, he just denies it. It has
already learned to allow for software updates for his OS, AV, etc.
>My dad is a senior citizen (not tech-savvy at all) and has no problem
>with it.
Malware usually has no problem with it either.
>He can read the warnings (although they are extremely rare for
>him now).
Good.
>If he doesn't recognize the program, he just denies it.
Ouch.. another problem right there.
> It has already learned to allow for software updates for his OS, AV, etc.
And when your dad gets hit by a real malware, chances are he will
either get no warning at all or he will make wrong decisions based on
it.
[ quote restored & trimmed ]
So? It's still aunt Esther who has to make the decision based on what
the personal firewall tells her.
Take a look at Mac OS X to understand that this is simply not true.
The person who installs the personal firewall for aunt Esther could just
as well take the above mentioned steps.
[ quote restored & trimmed ]
So? It's still aunt Esther who has to make the decision based on what
the personal firewall tells her.
> My dad is a senior citizen (not tech-savvy at all) and has no problem
> with it. He can read the warnings (although they are extremely rare
> for him now). If he doesn't recognize the program, he just denies it.
M-hm. So you think he'll be able to distinguish explorer.exe from
exp1orer.exe or explore.exe? Or the services.exe in C:\Temp from the
services.exe in C:\WINDOWS\system32 (if the personal firewall doesn't
show the full path)? Somehow I'm not convinced.
Great ;-) GRC is demonstrating his unwillingness to learn again and
again.
> 0 is never used. Can anyone explain?
With common BSD socket based implementations (like Windows or Linux are
using), the usage of port 0 is not possible with the regular functions
for TCP and UDP sockets.
But one can use this port using a raw socket. And many filter
implementations fail to filter that correctly.
> And while I'm here, whatever happened to PCflank and is there anything
> similar?
To try this is useless. If malware is running on your PC, your PC
usually is a zombie in a botnet already.
Yours,
VB.
--
Bitte beachten Sie auch die Rückseite dieses Schreibens!
I doubt that. If you would understand, you would recommend to not offer
network services instead of filtering them.
> Port Reporter is a nice tool, but all it does is log information. And it
> isn't exactly for the novice.
A "novice" will not understand anything what is logged, if it is logged
by a "Personal Firewall" or by another tool. No one can who does not
understand network protocols.
That's true. The primary reason most commonly seen is that people
don't understand that they make their PC more insecure with "Personal
Firewalls" instead of making it more secure.
> Rather than continue this back & forth, why don't you just share exactly
> how an average Windows user on an internet-connected computer can fully
> protect himself?
He has nearly no chance to "fully protect". In spite of all these
"Personal Firewalls" and virus scanners, have a look on all those
botnets. Probably your PC is a zombie, too. What do you think why
they're here? What do you think how Spam is sent today, how the DDoS and
blackmailing attackes are carried out?
Microsoft had the chance to make Windoze much more secure by not
offering network services in the default configuration instead of
filtering, by not using ActiveX as a browser plugin concept because
depending on IUnknown is hara-kiri, by not using the worst browser ever
named "Internet Explorer", by making a sensible concept for privilege
separation the default instead of everyone being "Administrator" and
by not opening useless popups like with Windows Vista.
By becoming sensible.
The user has no chance. People like you are telling him, that he can buy
security in boxes. And he wants to beleive that, he does believe.
The opposite is true.
Security is nothing, which can be added to a system in any way. It is
an aspect in the design of a system, which has to be regarded while
system design and implementation.
People who are using Windows can only try to fix the worst of the design
flaws - deactivating network services instead of filtering like Torsten
is telling on <http://www.ntsvcfg.de>, not using Internet Exploder,
being very careful with Java Applets, JavaScript and Flash because of
their b0rken security concept which relies on DNS, not believing too
much in HTTPS because of the b0rken design of depending on DNS for
certificate assigning, too, and being conscious of how to handle
certificates and how to manage keys properly.
Most people are not able to do this. And this is the reason for the
millions of Windows PCs which are all zombies.
Probably like your Windows PC, too.
Yes.
And who is the decision maker for all that rules? The only person, who
cannot make sensible decisions here for sure. The only person, who
should be protected, is now the person who is responisble to protect:
the user.
What a nonsense!
> My dad is a senior citizen (not tech-savvy at all) and has no problem
> with it. He can read the warnings (although they are extremely rare for
> him now). If he doesn't recognize the program, he just denies it. It has
> already learned to allow for software updates for his OS, AV, etc.
Ridiculous.
As a matter of fact, as well in TCP as well as in UDP port 0 does exist.
It cannot be used without a raw socket in common BSD API, though.
This does not mean that I'm thinking GRC is understanding what he's
doing and telling at all, of course ;-)
Better exchange "excellent" with "bullshit".
Of course, no network server can test your own system, because of the
problem that the network in between your host and the server can and
will filter and modify. You're testing the net, not your host.
And of course, using netstat is enough on Windows, too, to find out
what's really going on. Of course, you don't need some network server
based tool at all.
> something that you don't understand, go to grc.com forums. The people
> are extremely helpful.
Better exchange "helpful" with "dumb" or "incompetent, but friendly".
And of course, this information is wrong. Better don't believe in GRC.
You could read RFC 793 and RFC 768 yourself instead of helping GRC
spreading his nonsense.
> If you want to be helpful, then suggest a different tool for the average
> user.
For Windoze?
C:\> netstat -ano
or <http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx> if
you want to have a GUI.
What else?
Of course the average user cannot understand what's going on on his PC
anyways, and GRC offers a warm and fancy feeling to him, like smoking a
doobie.
> But it will definitely show whether your firewall is working.
The opposite is true: it can't for obvious reasons.
It can't, too. How do you know if the network in between is filtering or
not using such a network based tool?
Of course, this one is much better than GRCs crap because of being
technically correct.
How else would Joe Average test his border router from the outside?
By using netstat or lsof or $TOOL (or %TOOL%) locally and not from the
outside, or by directly connecting a second host to the network
interface which afterwards will be connected to the outside and doing a
port scan, i.e. with nmap.
But to be clear: Joe Average should not try to test border routers. He
should ask someone who understands.
Volker, you're talking nonsense, and you know that. netstat, TCPView,
lsof, openports, fport and other tools like that show the status of
ports on the local system from the INSIDE. Unless no services are
listening on the external interface (which is desirable, but not always
feasible) The output of these tools doesn't say anything at all about
which ports are accessible from the OUTSIDE.
A local packet filter may or may not allow connections to port X. A SOHO
router may or may not forward selected or all inbound connections to a
particular host/port. None of the tools know the least about this.
> or by directly connecting a second host to the network interface which
> afterwards will be connected to the outside and doing a port scan,
> i.e. with nmap.
Unfortunately Joe Average doesn't necessarily have a second computer he
can plug into the router's external port. Or is familiar enough with
commandline tools like nmap, scanline or PortQuery. Your advice also
doesn't account for hosts that are directly on a dialup connection.
> But to be clear: Joe Average should not try to test border routers. He
> should ask someone who understands.
Although Joe Average shouldn't conduct a penetration test, there is
nothing wrong at all with him running a port scan against his own border
router to see, if all ports are closed (except for those he configured
to be open).
Yes. And this is not nonsense, but the better way to check.
> The output of these tools doesn't say anything at all about
> which ports are accessible from the OUTSIDE.
If so, throw away your operating system.
> A local packet filter may or may not allow connections to port X.
Clear. If you're using a filtering implementation, read the config and
check the status of it additionally.
>> or by directly connecting a second host to the network interface which
>> afterwards will be connected to the outside and doing a port scan,
>> i.e. with nmap.
> Unfortunately Joe Average doesn't necessarily have a second computer he
> can plug into the router's external port. Or is familiar enough with
> commandline tools like nmap, scanline or PortQuery.
Then he cannot test. Sometimes it's so easy.
> Your advice also
> doesn't account for hosts that are directly on a dialup connection.
Your recommendation for remote testing servers misleads the reader; in
your own words:
The output of these tools doesn't say anything at all about which are
accessible from the outside. They're just showing, what is filtered away
and what's faked in on the line.
>> But to be clear: Joe Average should not try to test border routers. He
>> should ask someone who understands.
> Although Joe Average shouldn't conduct a penetration test, there is
> nothing wrong at all with him running a port scan against his own border
> router to see, if all ports are closed (except for those he configured
> to be open).
The wrong thing with it is, that he may believe that what this tool
shows is how his box is behaving. The reality often is, that on the way
to the testing server the net is being modified by the inter-connecting
networks.
We're living in the "filtering is cool" ages, Ansgar. Just if
you didn't notice. This is true for internet providers, too.
Unfortunately.
Does she need to be able to install software at all? She's a perfect
candidate for a limited user access account.
This will limit what she can do with her PC without assistance, but I'd
argue that she probably can't install a new stereo into her car without
a trained professional's assistance either.
Note that Vista does most of the configuration related suggestions made
here out of the box. Vista can't help you think, but you start out with
limited user privileges, the OS nags you until you update automatically
or take several conscious steps to turn off the nags, the firewall
blocks all inbound requests by default, removable media prompts before
execution.
IE is fairly well locked down, and even if IE is completely and wholly
pwned, protected mode keeps the malware from going far.
(Don't get me wrong, I'm a Firefox user myself, but IE in Protected Mode
isn't a particularly unsafe browser.
The problem is going the next step as it involves the user. A sandboxed
environment isn't impossible to implement at an OS level (again, IE
protected mode is one such example -- You can run other apps with less
privileges too if you desire, but you'll probably be disappointed with
Excel when it can't open existing documents.)
The iPhone version of OSX is one example of an OS built and managed in a
relatively sandboxed fashion.
As long as users are capable of installing their own software, they'll
be capable of jumping through whatever hoops the OS puts in their way
before installing the latest Trojan in an attempt to access whatever
shiny new toy shows up, as most malware authors will just have to get
smarter at engineering the human side of the equation.
For less technical users this will be alerts from their system
administrator that they need to install a patch manually. For more
technically capable end-users it will be a fake codec pack to access
some media that they sought out (and therefore assume the codec is safe)
>Geoff Smith <geof...@yahoo.com> wrote:
>> ShieldsUp! is an excellent tool to test your system.
>
>Better exchange "excellent" with "bullshit".
>
>Of course, no network server can test your own system, because of the
>problem that the network in between your host and the server can and
>will filter and modify. You're testing the net, not your host.
Depending on where the filtering is done, this may be good enough. A
port isn't a threat just because it's open, it also needs to be remotely
accessible and exploitable.
The obvious problem shows up if your ISP filters from their edge routers
and the attacker is another customer of your ISP (or more likely, a
zombied machine within your ISP's network owned by a botmaster in some
foreign country)
>And of course, using netstat is enough on Windows, too, to find out
>what's really going on. Of course, you don't need some network server
>based tool at all.
That isn't really true either, netstat can show a port as listening when
a software packet filter wouldn't actually allow an inbound connection
through to that port.
In other words, netstat will report all open ports, but is subject to
false positives. Netstat is a useful tool, but it's not an exhaustive
solution.
Still, this is a significant improvement over the false sense of
security that GRC may leave you with if your ISP's edge routers filter
some traffic that your local security would otherwise let through.
>G <geof...@yahoo.com> wrote:
>> I agree that it would be great to educate others on these issues. But
>> we also have to be realistic. Windows' greatest benefit (simplicity
>> for the masses) is also its greatest security issue.
>
>Take a look at Mac OS X to understand that this is simply not true.
OSX is a classic case of security by obscurity in practice. Why attack
some ~10% of the market when you can just as easily go after some 85% of
the desktop market?
Also remember that a significant percentage of OSX users also run
Windows and are therefore vulnerable to Windows based malware, driving
the percentage of otherwise-unreachable OSX users even lower.
There certainly are exceptions, but the vast majority of the recent
malware outbreaks have been things installed by users without realizing
that they're installing a trojan, this is not really a technological
attack, but rather an attack exploiting vulnerabilities in the human.
Move 50% of the least technical users from Windows over to OSX and the
exploits will follow.
At least, the default number of network services a Macintosh offers
to the rest of the internet is zero.
In contrast to Windows.
Unfortunately you're wrong. Also Vista starts network services and
filters them away as the default configuration.
> IE is fairly well locked down, and even if IE is completely and wholly
> pwned, protected mode keeps the malware from going far.
> (Don't get me wrong, I'm a Firefox user myself, but IE in Protected Mode
> isn't a particularly unsafe browser.
Barring it's a piece of shit, because its the only browser left which
breaks CSS2 seriously, it can be used (and therefore abused) to communicate
with any COM object on the machine. If one of them has security flaws,
Internet Exploder inherits them all.
> The problem is going the next step as it involves the user. A sandboxed
> environment isn't impossible to implement at an OS level (again, IE
> protected mode is one such example -- You can run other apps with less
> privileges too if you desire, but you'll probably be disappointed with
> Excel when it can't open existing documents.)
"IE Protected Mode" would be a sandbox only, if it would not support COM
objects any more.
> The iPhone version of OSX is one example of an OS built and managed in a
> relatively sandboxed fashion.
OSX on the iPhone is far from a sandbox concept. It's just the Darwin
kernel without the BSD personality. Did you ever have a look onto this
architecture before you're holding forth about it?
Or are you just unfamiliar with the concept which is commonly known as
"sandboxing"?
May.
And how can the user judge this?
> A
> port isn't a threat just because it's open, it also needs to be remotely
> accessible and exploitable.
A port is neither a door nor a gate nor a harbour above all. It's just a
maintenance number.
If people say, that a "port" is "open", usually they mean that there is
a process running on the kernel, which allocated the port and offers a
network service using this port.
It is best practise to offer network services only, which have to be
offered, because exploits in code which is not being executed are not
endangering the system.
And there are zero day exploits everytime.
> The obvious problem shows up if your ISP filters from their edge routers
> and the attacker is another customer of your ISP (or more likely, a
> zombied machine within your ISP's network owned by a botmaster in some
> foreign country)
That is one of the problems, exactly.
>>And of course, using netstat is enough on Windows, too, to find out
>>what's really going on. Of course, you don't need some network server
>>based tool at all.
> That isn't really true either, netstat can show a port as listening when
> a software packet filter wouldn't actually allow an inbound connection
> through to that port.
Yes, but filtering is not reliable in many cases. Commonly, there are
exceptions like FTP helpers, which can be easily abused to ignore any
filter.
> In other words, netstat will report all open ports, but is subject to
> false positives. Netstat is a useful tool, but it's not an exhaustive
> solution.
netstat shows what's going on exactly. There are no false positives in
any way. It's just the wrong concept to try to filter away what could
use the network services your box is offering. Just shut them down, and
you don't need to filter.
> Still, this is a significant improvement over the false sense of
> security that GRC may leave you with if your ISP's edge routers filter
> some traffic that your local security would otherwise let through.
Yes.
*sigh* This is regardless of the operating system. Because none of these
tools know anything about packet filters. Neither local, nor remote.
>> A local packet filter may or may not allow connections to port X.
>
> Clear. If you're using a filtering implementation, read the config and
> check the status of it additionally.
As you know quite well, the proper way to do that is a port scan.
[...]
> The wrong thing with it is, that he may believe that what this tool
> shows is how his box is behaving. The reality often is, that on the
> way to the testing server the net is being modified by the
> inter-connecting networks.
I'd like to see proof for that claim.
>>Kayman wrote:
>>> That all sounds great. But I said for the average Windows user. Do you
>>> really expect aunt Esther to understand how lock things down through the
>>> registry and group policy editor? Or figure out how to set up a VPN?
>> Education G, it's called EDUCATION!
>
>Yeah right.. tell that to my mom who doesn't even know how to send an
>email and every time we told her how to, the very next day she asks again.
>
>> A sensible aunt Esther would not drive a motor vehicle without prior
>> familiarization in relation to correct operating procedures of her car and
>> traffic/street rules.
>
>The analogy is irrelevant. A more appropriate analogy is whether a
>sensible aunt Esther should be taught the about whole legal system in
>the country before doing anything since what she is doing may break any
>arbitrary law.
I prefer the analogy in which the user should only be allowed to
drive the car if they can take apart the engine, and then put it back
together.
Geo
>DevilsPGD <Death...@crazyhat.net> wrote:
>>>Take a look at Mac OS X to understand that this is simply not true.
>> OSX is a classic case of security by obscurity in practice.
>
>At least, the default number of network services a Macintosh offers
>to the rest of the internet is zero.
>
>In contrast to Windows.
This is consistent with the default configuration of every
version/service pack of Windows released within the last four and a half
years.
The issue isn't users driving, users are allowed to drive without too
much of a problem, the problem is only when they start tinkering under
the hood installing or removing components they don't understand.
>A more appropriate analogy is whether a sensible aunt Esther should be
>taught the about whole legal system in the country before doing anything
>since what she is doing may break any arbitrary law.
YABA (Yet Another Bad Analogy)
Car analogies are the worst of all ;-) They never work.
Unfortunately, including Vista, Windows runs programs in the default
configuration, which offer network services, and then filters them away.
Maybe you want to correct that then.
>>> A local packet filter may or may not allow connections to port X.
>> Clear. If you're using a filtering implementation, read the config and
>> check the status of it additionally.
> As you know quite well, the proper way to do that is a port scan.
Not only. As you know, most filtering implementations are dynamic, i.e.
with FTP helpers or even port knocking. You cannot see that with a port
scan.
> [...]
>> The wrong thing with it is, that he may believe that what this tool
>> shows is how his box is behaving. The reality often is, that on the
>> way to the testing server the net is being modified by the
>> inter-connecting networks.
> I'd like to see proof for that claim.
In many cases, you're scanning not your box but some NAT box outside
or even some proxy server from the outside.
It's so easy, Ansgar: many Internet providers are filtering. People are
using such remote scanning and are thinking, that the words "your
computer has the following ports closed" mean, that their computer has
them closed. It just means, that someone sent a TCP NACK or some ICMP
port unreachable.
Someone.
And with "stealth" it's even worse: that means, someone on the line,
maybe the box itself, did throw away packets.
Your users don't recognize the difference in scanning results. But I saw
the other way arround, too:
I was in a hotel in Spain. When I was scanning from the outside, my Box
had port 25 open. What?
Wenn I was scanning from the inside, every box in the outside had port
25 open.
The reason was, that this hotel did redirect any transport of any IP
address to their filtering mail server. It did not matter which mail
server you were trying to reach, they connected your TCP socket to any
IP address port 25 to their own box.
In this case, NAT did not make a difference, because they had none.
And of course, their mail server was as b0rken as their network setup,
so I used my own to send mail through an SSH tunnel to my server.
>Root Kit <b__...@hotmail.com> wrote:
>> YABA (Yet Another Bad Analogy)
>
>Car analogies are the worst of all ;-) They never work.
Never say never. A few of them work in the right context :-)
No, it isn't. Unlike every version of Windows released up to now, OS X
in the default configuration does not have any services listening on the
external interface (and very few services running at all). Windows OTOH
still has lots of services listening on all interfaces, and is just
denying access to them via the Windows firewall.
However, only a service that is not running cannot be attacked. A
service that is running can still be attacked, even if direct access
is denied by the firewall. See e.g. [1].
[1] http://www.enyo.de/fw/security/java-firewall/
No, I don't. Seeing which ports are open on the inside of a system does
not tell you which of them are actually accessible from the outside. It
may give you an idea which of them might be accessible at most, but
that's about it.
>>>> A local packet filter may or may not allow connections to port X.
>>>
>>> Clear. If you're using a filtering implementation, read the config
>>> and check the status of it additionally.
>>
>> As you know quite well, the proper way to do that is a port scan.
>
> Not only. As you know, most filtering implementations are dynamic,
> i.e. with FTP helpers or even port knocking. You cannot see that with
> a port scan.
You don't see that with netstat either. Your point being?
>> [...]
>>> The wrong thing with it is, that he may believe that what this tool
>>> shows is how his box is behaving. The reality often is, that on the
>>> way to the testing server the net is being modified by the
>>> inter-connecting networks.
>>
>> I'd like to see proof for that claim.
>
> In many cases, you're scanning not your box but some NAT box outside
> or even some proxy server from the outside.
>
> It's so easy, Ansgar: many Internet providers are filtering.
I'd still like to see proof for that claim. And no, your hotel example
does not count, because hotels aren't regular ISPs. I wouldn't expect
unfiltered Internet from a hotel just like I wouldn't expect unfiltered
Internet from some company Intranet. I do expect unfiltered Internet
from my ISP, though.
> People are using such remote scanning and are thinking, that the words
> "your computer has the following ports closed" mean, that their
> computer has them closed. It just means, that someone sent a TCP NACK
> or some ICMP port unreachable.
>
> Someone.
Yes. However, since that someone usually is either the host in question
or its border router, online port scans still suffice in most
situations. If you're worried about a middle man: there's still
tcptraceroute.
This is far away from "has to do nothing at all with it", but it's your
decision, of course.
>> Not only. As you know, most filtering implementations are dynamic,
>> i.e. with FTP helpers or even port knocking. You cannot see that with
>> a port scan.
> You don't see that with netstat either. Your point being?
This is the reason, why I recommended to read the config of the
filtering implementation and check the actual status of it, Ansgar.
>> In many cases, you're scanning not your box but some NAT box outside
>> or even some proxy server from the outside.
>> It's so easy, Ansgar: many Internet providers are filtering.
> I'd still like to see proof for that claim.
Try to have an smtpd working on port 25 in a net of the German T-Online,
then you have the proof. Ansgar, I know that you know the discussion
about "SMTP submission".
> And no, your hotel example
> does not count, because hotels aren't regular ISPs.
You wanted to have an example, I gave you one. Hotels are ISPs which are
not only used by me in a regular way.
> I wouldn't expect
> unfiltered Internet from a hotel just like I wouldn't expect unfiltered
> Internet from some company Intranet. I do expect unfiltered Internet
> from my ISP, though.
Then don't go to the big ones. But my claim wasn't, that every ISP is
filtering, only that some do. And I may add: unfortunately some of the
big ones.
> Yes. However, since that someone usually is either the host in question
> or its border router, online port scans still suffice in most
> situations. If you're worried about a middle man: there's still
> tcptraceroute.
Yes, of course. But we're not talking about people who know those tools,
do we?
That's baloney. It only does a poor job of traceing incoming malware.
Since when has it become the job of a firewall to trace incoming
malware?
>> I prefer the analogy in which the user should only be allowed to
>>drive the car if they can take apart the engine, and then put it back
>>together.
>
>The issue isn't users driving, users are allowed to drive without too
>much of a problem, the problem is only when they start tinkering under
>the hood installing or removing components they don't understand.
But isn't it that using a computer means that the user has to always
tinker somehow with his/her computer? ( From Skype to Google's
toolbar) Of course, as you say, the user could pay someone more
knowledgable to do it for them , but then it would be quite expensive
for most people.
Would you say that installing updates would qualify as installing
components?
Geo
>On Sat, 14 Mar 2009 22:27:43 -0700, DevilsPGD
><Death...@crazyhat.net> wrote:
>
>>> I prefer the analogy in which the user should only be allowed to
>>>drive the car if they can take apart the engine, and then put it back
>>>together.
>>
>>The issue isn't users driving, users are allowed to drive without too
>>much of a problem, the problem is only when they start tinkering under
>>the hood installing or removing components they don't understand.
>
> But isn't it that using a computer means that the user has to always
>tinker somehow with his/her computer? ( From Skype to Google's
>toolbar) Of course, as you say, the user could pay someone more
>knowledgable to do it for them , but then it would be quite expensive
>for most people.
Indeed, and that's the crux of it. People want the convenience without
the responsibility.
> Would you say that installing updates would qualify as installing
>components?
Probably. I'm not suggesting a hard and fast rule, to stick with the
arguably bad analogy, some drivers don't know how to add fuel to their
vehicles, some can do windshield fluid and add oil but not change oil,
others do their own oil changes, some rebuild engines.
In the same vein, there is a difference between automatic updates
(Windows Update, Chrome, Firefox, AV definitions), approved automatic
updates (Adobe Reader, Flash, most other software), manually updating
software, installing new software, and choosing what software to
install.
This is true in most areas of life, my mom needs help hooking up a new
DVD player, my dad hooks up his own DVD players but needs help pulling
new coax and crimping ends, I do all of the above myself.
Making installing new software a bigger deal in terms of user interface
might help, since it would stress to users the difference between "do
whatever you want, you won't break anything" user mode and "you might
screw up your system" administrative mode.