Re: Is additional firewall necessary?

On Jan 23, 9:20 pm, Sebastian Gottschalk <s...@xxxxxxxxx> wrote:
> freesailor wrote:
>>> I simply don't execute any malware. Now, that was easy.
>> So, you are every time sure it's not a malware.
> Yes. And I call this a trivial decision process.
>
> Why should it stop something that can't even happen? How should malware get
> executed automatically and without my consent? I'm not using any program in
> any configuration which would allow such an insanely stupid thing.

Well, this thread has gone so far that I've no time to answer the
huge bunch of absurdities I've read now.
Also because the guy seems to be unable to use his brain.

I'll do a much more opportune thing: I'll explain everyone the
much-confused "Sebastian Gottschalk philosophy". ;-)

Summarizing all your blabbing, what he is suggesting is:

Local security software, such as desktop firewalls and antivirus
scanners, is not only useless, but actually harmful.
In fact:
1) there is a high chance that those tools are easily circumvented by
malware
2) there is a high chance that such local security software introduces
more security vulnerabilities than it stops
3) besides the technical unfeasibility, there is no real need for
features that are assumed to be able to control the behaviour of
internal tasks (e.g. filtering outbound traffic, checking for application
4) there is a high chance they cause instability to your system

You can avoid using them just by:
5) installing only software you are sure is not malware
6) using intrinsically more secure operating systems (e.g. various
Linux/Unix flavours)
7) always being extremely careful in daily behaviour, e.g. when dealing with
email attachments
8) using only native security tools, like the Windows XP SP2 native firewall:
they are able to satisfy the real needs, without adding complexity
and vulnerabilities to the system.

That is not good advice, it is silly advice, based on a bunch of
wrong or deceitful assumptions.

1) any software can be compromised, even the OS itself and even
software installed in network security devices like network firewalls.
But the history of known vulnerabilities in local security software
(e.g. desktop firewalls like ZoneAlarm) shows that they aren't
particularly vulnerable (two vulnerabilities discovered in 2006 for
some versions of ZoneAlarm; for comparison, the Cisco PIX firewall had
seven vulnerabilities discovered in 2006!). Moreover, to decrease (not
remove, just decrease ...) the risk of desktop firewall or antivirus
tampering, there is a quite easy way: log in to your desktop as a
standard user and not as an administrator, thus raising the protection
against program tampering. This could be good advice, not the above
bullshit ...

2) given the above mentioned example score, this is a truly ridiculous
statement. In fact, a good desktop firewall (not to mention a good
antivirus) effectively protects your system from *hundreds* of real
threats, in the face of very few vulnerabilities. And recent interfaces are
not particularly difficult to manage for the average user (see Zone

3) plain bullshit, again. Desktop firewalls can control, *at least*,
outbound traffic from non-malware applications trying to connect to
undesired external sites (in how many cases should a fully local program, e.g.
a writing program, be allowed to reach the internet, at least for
privacy reasons?). Moreover, desktop firewalls like ZoneAlarm and
Sygate can check the integrity of local network applications on execution,
using MD5 signatures, a non-trivial and very useful feature.

4) this is a statement that could have been true five or six years ago;
now both desktop firewalls and antivirus usually don't impose any
instability or performance penalty. So, it seems that whoever made
that statement stopped using this kind of software many years ago ...

The "remediations" are even more hilarious:

5) this is the most amazing statement (but it is the foundation for all
the rest of this bullshit)! How the hell can you be *SURE* that a
piece of software is *NOT* malware, if you don't have its source? Do you
disassemble every executable? Do you consider whoever gave it to you "trustable"?
And why? Do you know every relevant software maker so well, directly?

6) this can be done at home, hardly in a corporate environment, where
Windows is ubiquitous. Even at home, this means using a platform with
thousands fewer applications readily available. In practice, this is like
saying "use a neglected system, you'll be able to use just a few
applications ... but very safely!" Of course, if you have to trust only
those applications you "know" aren't malware, you'll have even fewer
applications to install ...

7) right, but asking the average user not to make mistakes is illusory.
Using the right local security software prevents many mistakes.

8) it depends: if the native tool does a good enough job, obviously
there is no need to resort to additional software. In many cases, e.g.
the Windows XP SP2 native firewall, the native software is not "good
enough". Having a number of good, proven and non-intrusive
software packages available, there is no reason in these cases to stay with limited native

All in all, the "suggestions" can be translated into the "real world" as the
"drive-slowly-and-just-in-your-backyard car safety advice":

"Do you want to be safe when driving? It's easy:
- choose a very slow and limited car, better if it is a small electric car
- don't use seat belts and air bags: they are useless if you drive
slowly and, moreover, they can hurt or kill you (for example, air bags
can accidentally explode and you could drown if you have your seat belt
fastened and your car falls into a pond; these things happen very
- drive just in your home backyard, very carefully and very slowly
- drive just if and when you are absolutely sure nobody will go out the
door and cross the backyard
Simple, isn't it?
And you were thinking you need seat belts and air bags to be safe ..."

Absurd? Yes.
Silly? Yes, a lot.

A good debate about the usefulness of outbound filtering in desktop
firewalls can be found at

I fully agree with Michael's words:
"I think, the problem is that security experts often think like hackers
or malware writers. They think of ways to crack a certain system. If
they think it is easy for them, then a security solution seems useless
from their point of view. A sysadmin should think differently. If a
security solution helps in some scenarios, it is already useful. In the
end, it doesn't matter how sophisticated the malware was that crashed
my whole network. [...] The problem is that security experts often
don't acknowledge this argument. They assume that all malware avoids
detection by outbound filtering. Experience shows that this assumption
is simply wrong."

This applies perfectly also to the sad case of Sebastian Gottschalk.
Quite understandable why this guy asks for his messages not to be
archived on Google Groups ... :-D
