[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1074337828.17472.37.camel@coruscant.weisserth.net>
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Re: January 15 is Personal Firewall Day,help
the cause
Hi "Exibar",
Am Fre, den 16.01.2004 schrieb Exibar um 22:40:
> I agree, it looked like I was melding the two together into "threats" and
> not keeping Viruses/worms separate. Phishing's a new term that's cropped up
> for these types of e-mail's.
I learnt something new here. I didn't know these emails are referred to
as "phishing" in English. Thanks for mentioning.
...
> > Minimum usage (only deploy services you use)
> ---can be done on a windows box
I agree. But Windows isn't delivered in such a minimum state by default.
Instead all doors are open. When MS ships Windows shouldn't it deliver
it with all doors closed instead of all doors open? I'd rather have an
"opt-in" for security risks than an "opt-out". The upcoming XP service
pack shows that MS has taken the hint because the service pack will
activate the packet filter by default. The Windows Messaging Service had
to be blocked by AOL to prevent unwanted ad messages popping up on AOL
member screens. Why didn't MS issue a patch, closing the darn thing in a
matter of seconds? This is what I'm criticising here.
> > File Integrity Checking
> Would have to run Trip-wire or similliar.
As far as I know there is no open sourced, GPL version of Tripwire
available for Windows. Deploying a file integrity test tool on an end
user Windows machine is non-trivial because of the lack of freely
available tools at affordable prices. Maybe you can correct me here. I'd
love to see something as Claymore, Tripwire or AIDE freely available on
Windows.
> > Rootkit Detectors (this comes closest to virus scanning)
> A/V scanner will do the job
See? We actually agree ;-)
> > Firewalling
> Windows XP's builti in ICF, or zonelabs, etc
Again, this is not what I am criticising. I am criticising that Windows
ships with some sort of packet filtering (though I doubt it can compete
with iptables) but it is not enabled by default.
ZoneAlarm and all these other products actually may have their positive
sides but you can't cure an unpatched Windows XP Home or older unpatched
Windows 98 boxes by just installing such a Personal Firewall.
The additional downside of Personal Firewalls is that they require tons
of user interaction. Every stupid process is interrupting the work-flow
of Windows users when it tries to access the Internet and a user is
confronted with the name of an executable binary which the average user
can't trace back to service or program he knows. Users tend to think in
terms like "Internet Explorer" or even shorter "Explorer". When
confronted with "iexplore.exe" they simply don't know what that is and
forbid access to the Internet for that thing and wonder why their
browser doesn't work anymore. Believe me. That's why Personal Firewalls
are ineffective to say the least. They are too troublesome for the
average end user.
The main setback in Windows are all those ad driven freeware programs
that the end user tends to love if not even adore. Three or four
dialers, the same amount of ad background processes running, countless
cookies and ad windows popping up at every occasion when a user opens a
new program is really annoying. If you think this can be avoided by
telling the end user not to use these programs then you are utterly
mistaken. End users are addicted to those ad driven trash like Kazaa,
various download managers and other stuff. They'd rather cut off their
left hand then not to use such programs.
You can certainly imagine that the existence of that many different and
unknown processes wanting access to the Internet isn't making the usage
of Personal Firewalls any easier.
The advantage in Open Source software is that it doesn't run ad driven
and doesn't spy on the end user while offering the same functionality
and most of the times even more.
> > Rigid Management Of User Rights
> windows can get pretty granular with user rights and permissions.
This is where I have to disagree with might. File permissions with user,
group and world levels, processes locked in chroot environments, the
possibility of starting single tasks with root access via sudo from
within a normal user session are all examples of things lacking in
Windows.
It is even worse. Prize question. You'll get a hundred points if you
answer this correctly.
Windows XP Home lets users login by default with what rights?
Administrator. Right. Well done. You deserve those 100 points.
Every user logging in to Windows XP Home is working with full system
rights. This is the state the system is delivered by Microsoft. How
should a Windows XP end user know that this is dangerous and how should
he know to change this?!
Many end user applications are requiring administrator rights to run
properly, especially some games. The consequence of this flawed design
is that end user tend to work as administrator all the time.
Rigid rights management in Windows is a modern myth. This simply can't
be compared to Unix/Linux.
What user does the IIS webserver run as when you install the IIS the
default way? The same goes for other services on Windows servers.
How to implement a chroot environment in Windows?
> > Encryption
> Windows has built in file Encryption.
Does it safe user passwords one way encrypted like the shadow password
file in Linux? :-)
In Linux passwords get encrypted and sent to the shadow password file
like that. When a user logs in his input gets encrypted again and the
encrypted input is compared against the encrypted password.
Windows doesn't have encryption on the level as Open Source because
Windows is being restricted by US export regulations. These regulations
are void for Open Source projects outside of the US, enabling them to
ship stronger encryption than from within the US.
Debian has two different CD sets. A US set and a non-US set with more
encryption tools.
OpenBDS is situated in Canada and is able to supply really useful and
very strong encryption software that can't be shipped from within the
US. Take a look at the OpenBSD page and follow the links to the page on
"encryption" and "cryptography".
> Not really missing from Windows, just a bit more cumbersome to do. I agree
> that just adding a firewall is not the sole answer, neither is just adding
> A/V software.
We agree. Maybe "missing" was not the right way to describe it. "Missing
by default" or "available but not enabled by default" would have been
better. The result though is the same.
cheers,
Tobias W.
Powered by blists - more mailing lists