| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: tobias at weisserth.de (Tobias Weisserth) Subject: Re: January 15 is Personal Firewall Day,help the cause Hi "Exibar", Am Fre, den 16.01.2004 schrieb Exibar um 22:40: > I agree, it looked like I was melding the two together into "threats" and > not keeping Viruses/worms separate. Phishing's a new term that's cropped up > for these types of e-mail's. I learnt something new here. I didn't know these emails are referred to as "phishing" in English. Thanks for mentioning. ... > > Minimum usage (only deploy services you use) > ---can be done on a windows box I agree. But Windows isn't delivered in such a minimum state by default. Instead all doors are open. When MS ships Windows shouldn't it deliver it with all doors closed instead of all doors open? I'd rather have an "opt-in" for security risks than an "opt-out". The upcoming XP service pack shows that MS has taken the hint because the service pack will activate the packet filter by default. The Windows Messaging Service had to be blocked by AOL to prevent unwanted ad messages popping up on AOL member screens. Why didn't MS issue a patch, closing the darn thing in a matter of seconds? This is what I'm criticising here. > > File Integrity Checking > Would have to run Trip-wire or similliar. As far as I know there is no open sourced, GPL version of Tripwire available for Windows. Deploying a file integrity test tool on an end user Windows machine is non-trivial because of the lack of freely available tools at affordable prices. Maybe you can correct me here. I'd love to see something as Claymore, Tripwire or AIDE freely available on Windows. > > Rootkit Detectors (this comes closest to virus scanning) > A/V scanner will do the job See? We actually agree ;-) > > Firewalling > Windows XP's builti in ICF, or zonelabs, etc Again, this is not what I am criticising. I am criticising that Windows ships with some sort of packet filtering (though I doubt it can compete with iptables) but it is not enabled by default. ZoneAlarm and all these other products actually may have their positive sides but you can't cure an unpatched Windows XP Home or older unpatched Windows 98 boxes by just installing such a Personal Firewall. The additional downside of Personal Firewalls is that they require tons of user interaction. Every stupid process is interrupting the work-flow of Windows users when it tries to access the Internet and a user is confronted with the name of an executable binary which the average user can't trace back to service or program he knows. Users tend to think in terms like "Internet Explorer" or even shorter "Explorer". When confronted with "iexplore.exe" they simply don't know what that is and forbid access to the Internet for that thing and wonder why their browser doesn't work anymore. Believe me. That's why Personal Firewalls are ineffective to say the least. They are too troublesome for the average end user. The main setback in Windows are all those ad driven freeware programs that the end user tends to love if not even adore. Three or four dialers, the same amount of ad background processes running, countless cookies and ad windows popping up at every occasion when a user opens a new program is really annoying. If you think this can be avoided by telling the end user not to use these programs then you are utterly mistaken. End users are addicted to those ad driven trash like Kazaa, various download managers and other stuff. They'd rather cut off their left hand then not to use such programs. You can certainly imagine that the existence of that many different and unknown processes wanting access to the Internet isn't making the usage of Personal Firewalls any easier. The advantage in Open Source software is that it doesn't run ad driven and doesn't spy on the end user while offering the same functionality and most of the times even more. > > Rigid Management Of User Rights > windows can get pretty granular with user rights and permissions. This is where I have to disagree with might. File permissions with user, group and world levels, processes locked in chroot environments, the possibility of starting single tasks with root access via sudo from within a normal user session are all examples of things lacking in Windows. It is even worse. Prize question. You'll get a hundred points if you answer this correctly. Windows XP Home lets users login by default with what rights? Administrator. Right. Well done. You deserve those 100 points. Every user logging in to Windows XP Home is working with full system rights. This is the state the system is delivered by Microsoft. How should a Windows XP end user know that this is dangerous and how should he know to change this?! Many end user applications are requiring administrator rights to run properly, especially some games. The consequence of this flawed design is that end user tend to work as administrator all the time. Rigid rights management in Windows is a modern myth. This simply can't be compared to Unix/Linux. What user does the IIS webserver run as when you install the IIS the default way? The same goes for other services on Windows servers. How to implement a chroot environment in Windows? > > Encryption > Windows has built in file Encryption. Does it safe user passwords one way encrypted like the shadow password file in Linux? :-) In Linux passwords get encrypted and sent to the shadow password file like that. When a user logs in his input gets encrypted again and the encrypted input is compared against the encrypted password. Windows doesn't have encryption on the level as Open Source because Windows is being restricted by US export regulations. These regulations are void for Open Source projects outside of the US, enabling them to ship stronger encryption than from within the US. Debian has two different CD sets. A US set and a non-US set with more encryption tools. OpenBDS is situated in Canada and is able to supply really useful and very strong encryption software that can't be shipped from within the US. Take a look at the OpenBSD page and follow the links to the page on "encryption" and "cryptography". > Not really missing from Windows, just a bit more cumbersome to do. I agree > that just adding a firewall is not the sole answer, neither is just adding > A/V software. We agree. Maybe "missing" was not the right way to describe it. "Missing by default" or "available but not enabled by default" would have been better. The result though is the same. cheers, Tobias W.
Powered by blists - more mailing lists