| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tobias at weisserth.de (Tobias Weisserth) Subject: January 15 is Personal Firewall Day, help the cause Hi Ron, Am Don, den 15.01.2004 schrieb Ron DuFresne um 18:28: > cheap There are cheap personal firewalls, no question about that. But there also are cheap, yet secure end user operating systems which are better serving the end users interest than a combination of an insecure operating system, an insecure webbrowser, an insecure email client and so on. > effective I don't think personal firewalls are effective. People don't want to spend time learning about personal firewalls and all personal firewalls I know require the end user to interact with the software frequently. The end user has to deny requests from programs he doesn't recognise to access the Internet. The end user has to act on requests from the personal firewall itself if there are updates and so on. Most end users can't even make the difference between virus threats and threats resulting from insecure end user software that requires a wall in front of it. > quick When you don't spend at least an hour to explain to end users that there is more to security than a virus scanner you deploy once and leave it as it is for the rest of the decade then nothing will be improved. "quick" is the opposite of reality here. You may install Zone Alarm (the free version) on a PC once and measure the time of the installation and leave house without further explanations and I guarantee that you will be bombarded with requests for explanations during the next few weeks because the end user denied Outlook Express access to the Internet as the Zone Alarm window popped open and so on. > allows the non-IT-professional to make a new home system safer This is even further away from reality than the last one. The non-IT-professional actually believes what the Microsoft commercials were saying: MS Windows is a secure operating system. Because of this, it is already hard to explain to them why they would need a virus scanner if they are already using a secure operating system. The non-IT-professional end user doesn't even know that Microsoft is offering Windows XP updates, how is he supposed to know about something abstract such as the concept of a firewall? If Microsoft wants people to know that there are patches available then they have to show a TV ad right before the 20:00 news on all major channels. > Or are we seeing another version of FUD-based-job-security-seeking BS > spewing from these folks who are not going to get $150 an hour fees in at > least 4 hour increments from the average home users to 'fix' their systems > that can't be broke/borked as they are brandy-spankin-new. This is totally out of place reasoning. Let me show you how this "Personal Firewall Day" idea hit my mind: [cheap] The "sponsors" of this campaign don't have "cheap" in mind. They are aiming for additional income here. This campaign is meant to reduce image damage for a certain company refusing to take security seriously and increase profits for manufacturers of software you wouldn't even need if this certain other company would take better care of its products. There are countless alternatives to established desktop solutions that are way cheaper because you don't have to buy additional software to safeguard the underlying one. [effective] The process of having to watch three different levels of software: operating system, virus scanner AND personal firewall isn't effective. Effective means turning on the PC and work away and maybe control ONE level of software with ONE tool or even better with ONE button. Most end users can't tell the difference what in the name of Christ they have to update. They have lost control and they don't care as long as it still is working. They only act when something is broken. The solution to effective and end user friendly security in MS Windows IS NOT a personal firewall that protects against the bugs of end user applications that shouldn't even be there! The blame is all on Microsoft. Why did they wait until the upcoming service pack of Windows XP until they realised that security requires "secure by default"? Why do all Windows operating systems come with all doors open by default? Why did countless Windows XP machines have an open RPC port when this feature REALLY wasn't needed on the average end user PC? This is the transition to: [trust] Why are there still well known bugs in the Internet Explorer 6 for longer than two months without a patch?! What happened about this idea of dear old Steve, who wanted to show us that MS is releasing patches faster and more reliable than the Open Source community? I guess, it died. Not only did it die, MS increased the time we have to wait for patches. We get patches when they are ready (better "if" they are ready...) and not when we need them. Sure, this makes patching predictable. But hey, does a script kiddie respect Microsofts scheduling strategy when he aims for a major worm attack on the Internet? Well, the initiator of this ad email (almost spam), pivX must know a little bit about unpatched MS software until they agreed to take down the list of bugs in MS software without available patches from their website. Security by obscurity. Isn't this list about the contrary? And look who they are doing business with now. Isn't this a coincident?! Sorry, but any reasonable end user shouldn't trust MS on its serious attention to security. They say A and do B. [quick] By the time I get to install and explain a personal firewall, a virus scanner and the process of updating the operating system I could have installed a whole NEW operating system that doesn't have this level of complicity for the end user. I really know why the folks named this campaign "Personal Firewall _DAY_". It sure takes a whole day to promote and establish security on one end user PC running MS Windows XP. This is the transition to... I'll end this rant with a report of a "home visit" of "Dr. PC" and you'll see why this whole "Personal Firewall Day" idea is rather pathetic. I was asked to fix a Windows XP Home PC of a family in the neighbourhood, a typical family you get to know from TV ads: a happy middle-class couple, a teen daughter and a younger son. The only thing missing was the dog. They even had the typical PC with Windows XP Home. The reason for asking me over was a virus suspicion. OK, I thought. Take your Linux live CD with f-prot and off you go. The first thing I noticed was: No virus scanning software installed of any kind. No personal firewall software installed of any kind. Not one single Microsoft patch installed. This fits into the picture of a typical family with two kids (yet no dog) and a Windows XP Home PC. I booted the PC with my clean Linux CD and ran f-prot over all partitions, finding 7 different viruses and two trojan backdoor programs in 30 infected files. In addition, I ran Adaware and Spybot which found about a hundred different entries in the registry, countless cookies and three or four dialer programs. I got rid of those too. Cleaning this stuff and the frequents reboots in between took some time, but hey! All for a healthy neighbourhood relation, a cookie and a class of milk. Finally a clean PC. Damn! I missed the Simpsons! Well, on then. Let's get connected and download those MS patches, install a recent virus scanner and install a personal firewall. Well, guess what happened as soon as I connected to the Internet? Yes, you're right. Before the MS Windows update page could be fully loaded I already had a visit from that darn RPC worm. Less than 10 seconds. Is that a record?! To summarise the rest, I spent two more hours downloading and rebooting each time after installing MS patches. I installed a free virus scanner from antivir.de and Zone Alarm and took the time to explain everything to the family, making a little howto on a piece of paper what they had to do. Today, more than two months later, I still get the same questions why they have to update the virus signatures every third day and what that yellow window means that is popping up and asking about some iexplore.exe wanting to connect to the Internet. So, excuse me when I say: F*CK YOU, Personal Firewall Day! regards, Tobias W.
Powered by blists - more mailing lists