Fluff was: RE: Audit Tools
From: H C (keydet89@yahoo.com)
Date: 08/30/01
- Previous message: Scott Renda: "Disabling a port on NT 4.0 Server"
- In reply to: Evan Mann: "RE: Audit Tools"
- Next in thread: Marnix Petrarca: "Re: Audit Tools"
Message-ID: <20010830182046.69352.qmail@web14607.mail.yahoo.com>
Date: Thu, 30 Aug 2001 11:20:46 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: Fluff was: RE: Audit Tools
To: Evan Mann <emann@questinc.org>, focus-ms@securityfocus.com
> BlackICE Defender as a home based firewall reports
> 99.5% of the time false
> positives, showing you port probes and pings as
> "attacks". Most home
> firewall users blast the program for doing that
> claiming false sense of paranoia on home users.
My experience, from watching these lists, Usenet, and
from handling "abuse@" reports, has been that most
home users LOVE BlackICE Defender. Most of the folks
I've dealt with directly are already paranoid about
the 'Net from the media, so they love BID b/c it just
feeds that paranoia.
> For someone who knows what
> they're doing and has some form of a clue about
> security, all those false
> positives and fluff are good indicators of what is
> happening to your system and what it's doing to
> react.
I'd like to clarify that a little bit with "anyone who
really knows what they're doing doesn't need any of
that stuff." I use a f/w purely for the NAT and
routing capabilities (so I only have to pay for one IP
from my DSL provider). Prior to that, I had my NT box
up on the DSL 24x7, and it's never been hacked. If I
was at all interested in what was passing by on the
wire, I'd fire up Win32-snort.
My point is that anyone who knows what they are doing
is going to know how to disable services, etc. Since
I don't need to provide shares on the 'Net, I just
shut off the Server service. For added protection, I
also disabled the automatic creation of admin shares.
Other than that, I didn't have any services
running...and there was nothing for anyone to 'hack'.
> I wouldn't call a product bad or not
> effective just because it wastes a little bit of my
> time.
If someone is going to say something negative about a
product, especially when the company that produced the
product hyped it, I'd be very interested to know the
specifics. For example, was the bad experience
intermittent, or is it reproducible?
To "tiburon_fc@hotmail.com"...
> Retina is full of false positives.
Care to elaborate? Do you have any of these
documented? I'd be very interested in seeing them.
> Many of the "Security Risks" it
> identifies, require sifting through too much fluff
> to actually get to the
> items that are pertinent. The reporting is far from
> "Top Notch".
How so?
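A read-only check for the two settings the message describes (Server service shut off, automatic admin shares disabled), added here as an example and not part of the original post. The message does not say how the admin shares were disabled; this assumes the standard `AutoShareServer` / `AutoShareWks` registry values under the `LanmanServer` parameters key, and the function names are made up for this example.

```powershell
# Added example: audit the hardening described in the message above.
# Read-only; run in an elevated PowerShell session on the host being checked.

# Assumption: admin shares are controlled through these LanmanServer values.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-ServerServiceState {
    # The "Server" service has the short name LanmanServer.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='LanmanServer'"
    if (-not $svc) {
        return [pscustomobject]@{ Check = 'Server service'; Value = 'not installed'; Hardened = $true }
    }
    # Hardened only if it is stopped now AND cannot start again at boot.
    $ok = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    [pscustomobject]@{
        Check    = 'Server service'
        Value    = "$($svc.State) / $($svc.StartMode)"
        Hardened = $ok
    }
}

function Get-AutoShareState {
    param([Parameter(Mandatory)][string]$Name)
    # A missing value means the default applies: C$, ADMIN$ etc. are
    # recreated every time the Server service starts.
    $props = Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue
    $value = $null
    if ($props -and $props.PSObject.Properties[$Name]) { $value = $props.$Name }
    $shown = 'not set (default: shares created)'
    if ($null -ne $value) { $shown = [string]$value }
    [pscustomobject]@{
        Check    = $Name
        Value    = $shown
        Hardened = ($value -eq 0)
    }
}

# AutoShareServer applies to server editions, AutoShareWks to workstations;
# report both so the same script works on either.
$report = @(Get-ServerServiceState)
$report += 'AutoShareServer', 'AutoShareWks' | ForEach-Object { Get-AutoShareState -Name $_ }
$report | Format-Table -AutoSize
```

A host configured as the message describes shows `Stopped / Disabled` for the Server service and `0` for whichever AutoShare value matches its edition.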