From: pauls at utdallas.edu (Paul Schmehl)
Subject: Flawed arguments (Was all that other crap about PFW day)

--On Friday, January 16, 2004 4:14 AM +0100 Erik van Straten 
<emvs.fd.3FB4D11C@....tn.tudelft.nl> wrote:

> "Chris Harrington" <cmh@....net>:
>> So do you expect Annie to fix these broken locks or doors??
>
> Nope. Annie is not reading this list. Microsoft probably does.
>
I had to laugh at this.  Do you seriously think Microsoft has employees 
reading this list?  I doubt it.  In fact I issue a challenge right now.  If 
*anyone* who works at MS is reading this list, respond when you read this. 
If you don't want to do so publicly, you can email me and I will notify the 
list.  (David, are you there?)

>> What you are saying is that you would not need a wall if the locks
>> worked properly??
>
> Nope. What I'm saying is that the doors to the Internet shouldn't have
> been there by default (135-139, 445, 1026-1030, RDP, UPnP etc. - run
> netstat)

Oh, I get it.  You mean like NFS, X Windows, RPC, portmap, finger, chargen, 
rlogin, rsh, ftp, like those sorts of things?  The things that Unix had 
almost 20 years to disable in the default install before they finally did? 
That sort of stuff?
>
>> This translates to not needing a firewall if the OS flaws are fixed.
>
> Nope. It translates to not needing simple PFW's -for ingress traffic-
> if there are no listening ports. Flaws shouldn't have been there in the
> first place, and any found should be fixed ASAP%001.
>
Well, hell, let's ban iptables, ipfw, pf, ipchains, et al. from 
"workstation" installs of *nix.  After all, *nix is secure out of the box, 
right?  And PFW's just give people a false sense of security anyway, right?
>
> Yep. But flaws have been found in PFW's, and they do provide a false
> sense of security.

You mean like this?
<http://www.shmoo.com/mail/bugtraq/apr01/msg00028.shtml>
or this?
<http://www.blu.org/pipermail/discuss/1999-July/030040.html>
or this?
<http://www.ciac.org/ciac/bulletins/l-029.shtml>
or this?
<http://www.openbsd.org/errata28.html#ipf_frag>

Of course, I'm absolutely *certain* that there isn't a single *nix user who 
thinks they're more secure with a firewall enabled.  Oh wait, Dan, who 
doesn't even use AV because he uses Unix pointed out that *nix firewalls 
are now enabled by default (obviously making the OS more secure, right?)

The irony is overwhelming me.

> With ABS you can drive much closer to the car in
> front of you. With AV and a PFW people tend to believe it is safe to
> run any exe (or hta). Marketing helps making people believe this.
>
I have to agree with you here.  It's been made obvious to me by the posts 
today in this thread.
>
> Nope. I want all unused ports closed. For inbound connections, there's
> no point blocking 80/tcp if you run a public webserver, right? However,
> permitting access to selected IP's, combined with stateful inspection,
> (provided you can trust all boxes behind your router)

Here's the only hint I'm going to give you.  YOU CAN'T.

> from connecting
> to certain ports (like DNS), may help. However I do not see any
> advantage for Annie's free/cheap PFW here.
>
You must run a network of one.

>> Windows, Linux, BSD all have services / ports listening by default...
>
> I've never run BSD. Which way-back-when flavor of Linux are you using?
> With Trustix, out of the box only postfix listens (to 127.0.0.1).
>
> Annie could *learn* how to edit inetd.conf. Or I, or someone like me,
> or you, could help her. However, we cannot disable RPC in XP, and I
> cannot configure it such that it doesn't listen to the Internet iface.
> You guys just don't seem to get the point.
>
Annie can learn inetd.conf but not Windows PFWs?  What planet is Annie 
from?  What planet are you from?  You can't disable RPC?  Please!  Search 
the FD archives.

>> The point is the PFW makes it possible for the home user to limit
>> their exposure without having a great deal of technical expertise. Is
>> it perfect? No. But it is an improvement over having nothing between
>> Annie and the Internet.
>
> Maybe. But many people (and companies) have not patched DCOM because
> they thought to be safe behind their firewall. Also apparently they
> don't run AV; lots have been hit by blaster or nachi after someone
> plugged in an infected notebook. My fear is that PFW's will have people
> postpone patching, and not upgrade their AV license when it expires.
>
Which would change things how?  Exactly?

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
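The practical point both sides of the thread circle around is "run netstat and see what is listening on a non-loopback address". The following is an added example, not code from the original post or from either author: a small parser that takes `netstat -an` output in either the Linux (`Proto Recv-Q Send-Q Local Foreign State`) or the Windows (`Proto Local Foreign State`) column layout, keeps TCP sockets in LISTEN/LISTENING state plus every bound UDP socket, and reports those bound to a wildcard or non-loopback address, optionally minus an allow-list of (proto, port) pairs you intend to expose (the "no point blocking 80/tcp if you run a public webserver" case). The two sample outputs embedded below are constructed for the example, not captured from a real host; the port numbers in them are the ones the thread names (135, 139, 445, 1025/1026).

```python
import ipaddress
from typing import List, NamedTuple, Optional, Set, Tuple


class Listener(NamedTuple):
    proto: str   # "tcp" or "udp" (v6 variants folded in)
    addr: str    # local address the socket is bound to
    port: int


# Constructed sample in the Linux `netstat -ant` layout: a box where only the
# MTA listens, and only on loopback (the "Trustix" situation in the thread).
LINUX_LOOPBACK_ONLY = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            127.0.0.1:40212         ESTABLISHED
"""

# Constructed sample in the Windows `netstat -an` layout: RPC/SMB listeners
# bound to every interface, one RPC endpoint on loopback, one outbound session.
WINDOWS_DEFAULT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1026      64.4.11.42:80          ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

_PROTOS = ("tcp", "tcp6", "udp", "udp6")


def _split_endpoint(endpoint: str) -> Optional[Tuple[str, int]]:
    """Split 'addr:port' (IPv6 ':::22' or '[::]:22' included); None if port is not numeric."""
    addr, _, port = endpoint.rpartition(":")
    if not port.isdigit():
        return None
    return addr.strip("[]"), int(port)


def _is_exposed(addr: str) -> bool:
    """True when the bind address is reachable from other hosts (wildcard or non-loopback)."""
    if addr in ("", "*"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback   # 0.0.0.0 and :: are not loopback
    except ValueError:
        return True   # unparseable address: report it rather than silently drop it


def parse_listeners(netstat_output: str) -> List[Listener]:
    """All sockets that can accept traffic: TCP in LISTEN(ING) state, every bound UDP socket."""
    found = set()
    for line in netstat_output.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in _PROTOS:
            continue   # headers, blank lines, non-inet rows
        proto = tokens[0].lower().rstrip("6")
        if ":" in tokens[1]:
            # Windows layout: Proto Local Foreign [State]
            local = tokens[1]
            state = tokens[3] if len(tokens) > 3 else ""
        else:
            # Linux layout: Proto Recv-Q Send-Q Local Foreign [State]
            local = tokens[3]
            state = tokens[5] if len(tokens) > 5 else ""
        if proto == "tcp" and state not in ("LISTEN", "LISTENING"):
            continue   # established/time-wait rows are not listeners
        parsed = _split_endpoint(local)
        if parsed is None:
            continue
        addr, port = parsed
        found.add(Listener(proto, addr, port))
    return sorted(found, key=lambda l: (l.proto, l.port, l.addr))


def exposed_listeners(netstat_output: str) -> List[Listener]:
    """Listeners bound to an address other hosts can reach."""
    return [l for l in parse_listeners(netstat_output) if _is_exposed(l.addr)]


def unexpected_exposure(netstat_output: str, allowed: Set[Tuple[str, int]]) -> List[Listener]:
    """Exposed listeners that are not on the (proto, port) allow-list of services you mean to offer."""
    return [l for l in exposed_listeners(netstat_output) if (l.proto, l.port) not in allowed]


if __name__ == "__main__":
    # On a live host pipe `netstat -an` (or `netstat -ant`) into parse_listeners instead.
    for name, sample in (("linux", LINUX_LOOPBACK_ONLY), ("windows", WINDOWS_DEFAULT)):
        print(name, [f"{l.proto}/{l.port} on {l.addr}" for l in exposed_listeners(sample)])
```

The parser deliberately treats a UDP socket as exposed whenever it is bound to a reachable address, since there is no LISTEN state to filter on; and it keeps the bind address in the result because "0.0.0.0:445" and "192.168.1.10:139" are different findings even though both answer the thread's question the same way.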

