Re: [Full-Disclosure] January 15 is Personal Firewall Day, help the cause

From: Tobias Weisserth (tobias_at_weisserth.de)
Date: 01/15/04

  • Next message: Christopher Downs: "Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause"
    To: full-disclosure@lists.netsys.com
    Date: Thu, 15 Jan 2004 21:47:41 +0100
    
    

    Hi Ron,

    On Thu, 15.01.2004 at 18:28, Ron DuFresne wrote:
    > cheap

    There are cheap personal firewalls, no question about that. But there
    also are cheap, yet secure end user operating systems which are better
    serving the end users' interest than a combination of an insecure
    operating system, an insecure web browser, an insecure email client and
    so on.

    > effective

    I don't think personal firewalls are effective. People don't want to
    spend time learning about personal firewalls and all personal firewalls
    I know require the end user to interact with the software frequently.
    The end user has to deny requests from programs he doesn't recognise to
    access the Internet. The end user has to act on requests from the
    personal firewall itself if there are updates and so on. Most end users
    can't even tell the difference between virus threats and threats
    resulting from insecure end user software that requires a wall in front
    of it.

    > quick

    When you don't spend at least an hour to explain to end users that there
    is more to security than a virus scanner you deploy once and leave it as
    it is for the rest of the decade then nothing will be improved. "quick"
    is the opposite of reality here. You may install Zone Alarm (the free
    version) on a PC once and measure the time of the installation and leave
    the house without further explanations and I guarantee that you will be
    bombarded with requests for explanations during the next few weeks
    because the end user denied Outlook Express access to the Internet as
    the Zone Alarm window popped open and so on.

    > allows the non-IT-professional to make a new home system safer

    This is even further away from reality than the last one. The
    non-IT-professional actually believes what the Microsoft commercials
    were saying: MS Windows is a secure operating system. Because of this,
    it is already hard to explain to them why they would need a virus
    scanner if they are already using a secure operating system. The
    non-IT-professional end user doesn't even know that Microsoft is
    offering Windows XP updates, how is he supposed to know about something
    abstract such as the concept of a firewall?

    If Microsoft wants people to know that there are patches available then
    they have to show a TV ad right before the 20:00 news on all major
    channels.

    > Or are we seeing another version of FUD-based-job-security-seeking BS
    > spewing from these folks who are not going to get $150 an hour fees in at
    > least 4 hour increments from the average home users to 'fix' their systems
    > that can't be broke/borked as they are brandy-spankin-new.

    This is totally out of place reasoning.

    Let me show you how this "Personal Firewall Day" idea hit my mind:

    [cheap]
    The "sponsors" of this campaign don't have "cheap" in mind. They are
    aiming for additional income here. This campaign is meant to reduce
    image damage for a certain company refusing to take security seriously
    and increase profits for manufacturers of software you wouldn't even
    need if this certain other company would take better care of its
    products.

    There are countless alternatives to established desktop solutions that
    are way cheaper because you don't have to buy additional software to
    safeguard the underlying one.

    [effective]
    The process of having to watch three different levels of software:
    operating system, virus scanner AND personal firewall isn't effective.

    Effective means turning on the PC and working away and maybe control ONE
    level of software with ONE tool or even better with ONE button.

    Most end users can't tell the difference what in the name of Christ they
    have to update. They have lost control and they don't care as long as it
    still is working. They only act when something is broken.

    The solution to effective and end user friendly security in MS Windows
    IS NOT a personal firewall that protects against the bugs of end user
    applications that shouldn't even be there!

    The blame is all on Microsoft. Why did they wait until the upcoming
    service pack of Windows XP until they realised that security requires
    "secure by default"? Why do all Windows operating systems come with all
    doors open by default? Why did countless Windows XP machines have an
    open RPC port when this feature REALLY wasn't needed on the average end
    user PC?

    This is the transition to:

    [trust]
    Why are there still well known bugs in the Internet Explorer 6 for
    longer than two months without a patch?!

    What happened about this idea of dear old Steve, who wanted to show us
    that MS is releasing patches faster and more reliably than the Open
    Source community? I guess, it died. Not only did it die, MS increased
    the time we have to wait for patches. We get patches when they are ready
    (better "if" they are ready...) and not when we need them. Sure, this
    makes patching predictable. But hey, does a script kiddie respect
    Microsoft's scheduling strategy when he aims for a major worm attack on
    the Internet?

    Well, the initiator of this ad email (almost spam), pivX must know a
    little bit about unpatched MS software until they agreed to take down
    the list of bugs in MS software without available patches from their
    website. Security by obscurity. Isn't this list about the contrary? And
    look who they are doing business with now. Isn't this a coincidence?!

    Sorry, but any reasonable end user shouldn't trust MS on its serious
    attention to security. They say A and do B.

    [quick]
    By the time I get to install and explain a personal firewall, a virus
    scanner and the process of updating the operating system I could have
    installed a whole NEW operating system that doesn't have this level of
    complexity for the end user.

    I really know why the folks named this campaign "Personal Firewall
    _DAY_". It sure takes a whole day to promote and establish security on
    one end user PC running MS Windows XP.

    This is the transition to...

    I'll end this rant with a report of a "home visit" of "Dr. PC" and
    you'll see why this whole "Personal Firewall Day" idea is rather
    pathetic.

    I was asked to fix a Windows XP Home PC of a family in the
    neighbourhood, a typical family you get to know from TV ads: a happy
    middle-class couple, a teen daughter and a younger son. The only thing
    missing was the dog. They even had the typical PC with Windows XP Home.

    The reason for asking me over was a virus suspicion. OK, I thought. Take
    your Linux live CD with f-prot and off you go. The first thing I noticed
    was:

    No virus scanning software installed of any kind.
    No personal firewall software installed of any kind.
    Not one single Microsoft patch installed.

    This fits into the picture of a typical family with two kids (yet no
    dog) and a Windows XP Home PC.

    I booted the PC with my clean Linux CD and ran f-prot over all
    partitions, finding 7 different viruses and two trojan backdoor programs
    in 30 infected files.

    In addition, I ran Adaware and Spybot which found about a hundred
    different entries in the registry, countless cookies and three or four
    dialer programs. I got rid of those too.

    Cleaning this stuff and the frequent reboots in between took some time,
    but hey! All for a healthy neighbourhood relation, a cookie and a glass
    of milk.

    Finally a clean PC. Damn! I missed the Simpsons! Well, on then. Let's
    get connected and download those MS patches, install a recent virus
    scanner and install a personal firewall.

    Well, guess what happened as soon as I connected to the Internet? Yes,
    you're right. Before the MS Windows update page could be fully loaded I
    already had a visit from that darn RPC worm. Less than 10 seconds. Is
    that a record?!

    To summarise the rest, I spent two more hours downloading and rebooting
    each time after installing MS patches. I installed a free virus scanner
    from antivir.de and Zone Alarm and took the time to explain everything
    to the family, making a little howto on a piece of paper what they had
    to do.

    Today, more than two months later, I still get the same questions why
    they have to update the virus signatures every third day and what that
    yellow window means that is popping up and asking about some
    iexplore.exe wanting to connect to the Internet.

    So, excuse me when I say: F*CK YOU, Personal Firewall Day!

    regards,
    Tobias W.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

