Re: Norton Internet Security 2003 blacklist fault?

From: Jeffrey Altman (jaltman_at_COLUMBIA.EDU)
Date: 09/11/03

    Date:         Thu, 11 Sep 2003 14:34:13 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Geoff Vass wrote:

    >If Symantec can't see what a useless scheme this is they should get out
    >of that market immediately. Are they on a different internet than the
    >rest of us?
    >
    >Why would you want to block a.com but not b.a.com?
    >
    >
    Unfortunately, "a.com" can be both a portion of a domain and a host name.
    I use the technique of using a leading dot when referring to domains
    as in ".a.com" to mean the domain and "a.com" to mean the host.

    There are certainly cases where I would want to differentiate between a
    specific host and an entire domain.

    Since it is also the case that different subdomains are often under
    different administrative control there needs to be the ability to
    distinguish between all hosts in a specific domain ".c.a.com",
    ".b.a.com", ".a.com"; and all hosts in all subdomains "*.a.com".

    I believe most novice users would be extremely upset if, because they
    blocked a single host, a large number of hosts in similar domains were
    accidentally affected.

    >If I want to block x.com why bother storing the IP address? What if the
    >blocked site changes its IP address?
    >
    >
    Clearly there is a need to provide both IP address and DNS based
    filtering. In the response from Symantec it appears that they attempted
    to reduce the large number of DNS queries that would be produced by a
    DoS by creating a fairly static local DNS cache. Clearly, this design
    is incorrect. A local side cache is appropriate but it must be dynamic
    and must adhere to the DNS response lifetimes.

    I should point out that on Windows there are no publicly accessible
    resolver routines provided by the Operating System. Symantec will need
    to incorporate their own resolver and not rely on the Winsock versions
    of gethostbyname() and gethostbyaddr().

    >Spam and hacking attacks have increased despite all these so-called
    >security products. Whose fault do you suppose that is? If the US Justice
    >Department should investigate anybody, it's security companies that make
    >woefully weak security products simply so they can hook users into an
    >upgrade cycle.
    >
    >
    There is no single entity to be blamed. Installation of a consumer
    "security" product on Windows is not a replacement for proper system
    administration and cannot protect against unsafe end user behavior.
    This is not to say that these products cannot do a better job, but in
    many ways I would prefer they did not exist. They will not stop the
    vast majority of viruses/worms, unwanted e-mails, or hack attacks.
    On the unwanted e-mail front I must say that the vast majority of
    messages that Mozilla junks for me are not spam and are not viruses.
    They are bounce messages from poorly designed or configured spam/virus
    filters.

    Jeffrey Altman
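
The two points in the message above, sketched as an added example (not part of the original post and not Symantec's code): block rules that distinguish a host, a domain and all subdomains, and a local cache that re-resolves once a record's lifetime has passed. Assumptions: ".a.com" is read as hosts directly in that domain only, "*.a.com" as hosts at any depth below it, and the resolver is an injected callable returning (addresses, ttl) because gethostbyname()-style calls do not return a TTL; all names and addresses are constructed.

```python
import time

def rule_matches(rule, host):
    """Match a host name against one rule written in the message's notation."""
    rule, host = rule.lower(), host.lower().rstrip(".")
    if rule.startswith("*."):   # "*.a.com": hosts at any depth below a.com
        return len(host) > len(rule) - 1 and host.endswith(rule[1:])
    if rule.startswith("."):    # ".a.com": hosts directly in a.com (assumed reading)
        prefix = host[:-len(rule)]
        return host.endswith(rule) and prefix != "" and "." not in prefix
    return host == rule         # "a.com": that one host name and nothing else

class TtlCache:
    """Local cache that never serves an answer past its DNS lifetime."""
    def __init__(self, resolve, clock=time.monotonic):
        self._resolve = resolve  # hypothetical interface: name -> (addresses, ttl_seconds)
        self._clock = clock
        self._entries = {}       # name -> (addresses, expiry time)
        self.queries = 0         # upstream lookups actually sent

    def lookup(self, name):
        now = self._clock()
        hit = self._entries.get(name)
        if hit and now < hit[1]:
            return hit[0]        # still within the record's lifetime
        addresses, ttl = self._resolve(name)
        self.queries += 1
        self._entries[name] = (addresses, now + ttl)
        return addresses

def demo():
    """Constructed data: x.example moves to a new address at t=100; TTL is 60 s."""
    now = [0.0]
    def fake_resolve(name):      # stand-in for a resolver that exposes TTLs
        return (["192.0.2.1"] if now[0] < 100 else ["192.0.2.99"]), 60
    cache = TtlCache(fake_resolve, clock=lambda: now[0])
    seen = []
    for t in (0, 30, 59, 61, 130):
        now[0] = t
        seen.append(cache.lookup("x.example")[0])
    return seen, cache.queries
```

Five lookups cost three upstream queries here, and the changed address is picked up on the first lookup after the old record expires rather than being pinned by a static cache.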

    
