Re: Is additional firewall necessary?

Sebastian Gottschalk wrote:
Super Lemon wrote:

Sebastian Gottschalk wrote:
Todd H. wrote:

Yes, a *well written* malware already installed on the PC *COULD*
deactivate any desktop firewall, but by not using such a firewall
you open the door even to *simpler malware written by kids* ...
Now you're really showing what's really plain bullshit.
Were you referring to this as well? If so, you should reconsider your
statement seriously.

The "strange" thing is that nobody goes around blabbing about
"antivirus software is useless"! :-D
Oh, I do.
Which tells you pretty much all you need to know about how heavily to
weigh Sebastian's views when it comes to managaging risk on a home or
business PC that lacks a user of utmost care and paranoia.
Eh, no. You really don't need much care to NOT execute a program, to
NOT use a feature or to NOT trust some random stranger.
Without every executing anything or to never use anything the computer
shouldn't even be purchased. Maybe the key is to know where trust lies
instead of blindly trusting or not trusting others.

Ah, you finally got the point. Indeed, there's absolutely nothing that
could replace the implications of estimating trust.

When it comes to deciding the level of security to be taken, consciously
deciding your level of trust is necessary. I trust all s/w authors to be human
and therefore I never trust a program to be perfect. I see nothing wrong with
using a layered defense to catch something that passes by another layer.


To someone who will click every link possible knowing what to NOT click
is a difficult task. Over trust seems installed by ... seems to be a
major downfall

Indeed. The problem is PEBKAC, and it makes all the PFWs' and
virusscanners' security efforts worthless until addressed.

I doubt if human flaws will be corrected anytime soon. But I do hear VISTAs SP98
will address the human firewall and the holes in necessary wetware.

since no security written in the TCP/IP suite. If it was
a difficult task for the ARPANET team, it is probably even more so for
most people who use a computer.

Nonsense. Do you know the ISO/OSI model? Now point at the layers which are
to provide routing and connection abstraction, and which one is to provide
security.

If I remember correctly I'm basing that statement on Eric Raymond's "Art of Unix
Programming".

Are you speaking of SSL which was added many years later?

Are you talking about the possibility of encryption at the presentation level?

Beside that, ARPANET had different boundary criteria. Some which might not
hold for its current state of development.


And users failing to understand the home computer as a highly complex
universal machine which must be well administrated when being
interconnected with a big network is purely ignorance.

And telling me the obvious (the file crack.exe inside
the archive "My favorite album.MP3.192.zip" is malware, for sure!).
So you make your decisions based on file names? Smart move!

Filenames are generally an index criteria. Thus they're supposed to be a
decision base, but not be relied on. If the content actually matches the
criteria can only be decided after actually aqquiring that content.



I fail to see any need if the user just behaves reasonable.
What if "reasonably" is a rare commodity that few have?

Then those people should pay someone for administrating their computer. Or
get some easy-to-use ones, like a MacMini running Mac OSX. Unless then,
they should rather stick to a Gameboy.

I guess that would guarantee work for the likes of you and me.


And I think that legislation should support demanding a minimal state of
knowledge and administration for running computers. Same as cars.

For (at least) the last 4 decades, Cars have been regulated and a minimal state
of knowledge and skill is tested. Doesn't work very well.

People still don't know basic maintenance or intermediate mechanics like how to
change their valve-cover-gasket.

People still don't seem to understand that a brake can be dangerous (when used
incorrectly).

So let's quit worrying about the false security created by outlawing
cell-phones. We need to focus on banning the use of potentially dangerous
mechanisms like brakes. 8^)

And you know, malware generally slips by. For incompetent users, virus
scanners usually just shift the time till first infection a little bit.
Depends on whether it is caught by an on-demand or resident scanner.

In case of incompetent users you should always assume that only on-access
scanners are meant. After all, they're too stupid to invoke on-demand
scanning when required.

We are all "stupid" in some arena. Don't be so harsh to others where you're
competent. You just might meet some of those same people when they have the
upper hand.


I'm running FreeBSD. With Xgl and fat GNOME. And the last lines of my
ipfw ruleset are: allow tcp,udp,esp,ah from any to any; deny ip from
any to any (icmp with some specific types was allowed earlier)
What about a Java program that can subvert the Sun JVM?

I have the Java VM in my webbrowser deactivated by default. After all,
you'll rarely if never need it.

That is becoming truer than it was in the recent past.


But indeed, when was the latest 0day exploit for the Sun Java VM (thus a
vulnerability becoming known that hasn't already been fixed in the latest
versions)? According to my documentation (and I'm really deep into the
security of Java) as well as CVE, this was... eh... 1.4.0.02? Has been 44
updates and more than two years since then.

Probably not as many as MS's JVM but many don't know the difference.
.

Relevant Pages

  • Re: win xp firewall
    ... Trust me a friend of mine and I tested it. ... Closing popup after popup would, IMO, qualify since ... I also never referred to it in particular as a 'security ... > The firewall is not ment to block services that are already on. ...
    (comp.security.firewalls)
  • Re: Security and the User experience
    ... Why should we trust Verisign, ... Microsoft should be placed square in the resource funding for starting this ... Trimming the firewall down or pumping it up is still ... having to deal with security. ...
    (microsoft.public.security)
  • Re: win xp firewall
    ... Trust me a friend of mine and I tested it. ... Closing popup after popup would, IMO, qualify since ... I also never referred to it in particular as a 'security ... > trust the XP firewall... ...
    (comp.security.firewalls)
  • Re: Security and the User experience
    ... Why should we trust any one/group? ... cannot get their "blessing" up or down until my submission has, ... Trimming the firewall down or pumping it up ... having to deal with security. ...
    (microsoft.public.security)
  • Subject line remains empty in received e-mail messages
    ... I use LevelOne WBR-3402B ADSL router with built-in firewall, Norton Internet ... Security 2004 including Norton Firewall. ... No matter which firewall I activate or deactivate, ...
    (microsoft.public.outlook)