
Thread: Jetico Personal Firewall freeware asks way to many questions

  1. #61
    Sebastian G. Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Dustin Cook wrote:

    > "Sebastian G." <seppi@seppig.de> wrote in
    > news:5or7lsFo7ldiU1@mid.dfncis.de:
    >
    >> Dustin Cook wrote:
    >>
    >>
    >>> You've got my curiosity. What problem do you have with the listed
    >>> applications?

    >>
    >> Beside the obvious?

    >
    > I don't know the obvious problems you have with the programs listed,
    > hence my question. Would you elaborate please?



    Firefox: the worst thing you could make out of the Gecko platform
    NOD32: virus scanner... highly incomplete approach and high potential for
    parsing vulnerabilities and privilege escalation
    Spyware Blaster: spyware scanner... totally stupid approach, horrible amount
    of false positives, and of course it's too stupid to do a simple unprivileged
    task without administrative privileges
    Spybot Search+Destroy immunization: aside from cluttering the
    HKEY_LOCAL_MACHINE hive full of useless ClassID, it achieves exactly what?
    malware authors simply use randomly generated GUIDs or simply
    registrationless COM. MSIE still remains fully vulnerable to ActiveX-based
    attacks as well as other well-documented security holes^W^W design features,
    and real web browsers simply won't care at all.
    Windows Messenger: another documented security hole by design


    > My linksys is a routing firewall, sir. I specify the ports I want
    > redirected inside the lan and it does so.



    So what? Can you specify something like:

    queue: prerouting:
    route TCP syn from any to me
    queue postrouting:
    check-state
    deny TCP syn from any to me 1-1023
    allow TCP syn from any to any keep-state
    allow TCP syn,ack from any to me keep-state
    allow TCP ack from any to me keep-state

    If not, then obviously didn't ask anything that would be sufficient for a
    firewall concept yet.

  2. #62
    Sebastian G. Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    s|b wrote:

    > On Wed, 31 Oct 2007 12:31:56 +0100, Sebastian G. wrote:
    >
    >>> I'm quite happy with my system, so there's really no need for you to
    >>> sulk about it...

    >
    >> As long as you unplug it from the internet, I won't complain.

    >
    > Then I guess you'll keep on sulking then.



    But only to your ISP, which might decide to simply disconnect your machine
    until you stop it from flooding the internet with spam.

  3. #63
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    "Sebastian G." <seppi@seppig.de> wrote in
    news:5osj6pFnsfqvU1@mid.dfncis.de:

    > Dustin Cook wrote:
    >
    >
    >> I don't dispute that BugHunter is retroactive in what it does, and I
    >> wouldn't want anyone to think they are 100% safe regardless of the
    >> software they use, but I still believe some protection, even if it's
    >> retroactive in nature is better than none.

    >
    >
    > Aside from the added complexity and the inability of the user to judge
    > the output of the mentioned program, what exactly is a ****load of
    > false positives worth? Say it, f.e., claims that there's some
    > oh-so-bad "tracking cookie", and as well a trojan horse in user32.dll
    > (because it doesn't match the original one any more, probably due to a
    > normal update). Now it deletes both, demands a shutdown, and the
    > system doesn't boot up anymore.


    Hmm. While I don't dispute the fact that BugHunter has suffered from
    false positives in the past, I'm unaware of any serious Windows DLLs
    being targeted by accident. I don't believe you've actually examined the
    program though, as you're assuming it bothers with cookies and is interested
    in files that have changed. It's not interested in either of those, and
    its documentation clearly does state what it scans for, and what it
    ignores.

    > Just try running it over a completely fresh install of Windows, or
    > even over a well secured system with a lot of known-good third-party
    > software, and the shame of its report. Same goes for almost any
    > malware scanner under the sun.


    I have, numerous times in development and testing. I fix the false alarms
    as I find them, but like I said, it doesn't flag on.. "****loads" and
    doesn't find anything on a freshly loaded box. This machine here is a
    fairly decent example of 3rd party apps, it has tons, including various
    programming languages for DOS and Windows. Guess what? No false alarms on
    those executables either.

    Have you actually examined the program I mentioned yourself? I ask this
    because BugHunter doesn't do the things you mention, and you seem to
    imply that it's a danger to a user's system. I'd like to clear that
    misunderstanding up.




    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  4. #64
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    "Sebastian G." <seppi@seppig.de> wrote in
    news:5oskh0FocibuU1@mid.dfncis.de:

    > Dustin Cook wrote:
    >
    >> "Sebastian G." <seppi@seppig.de> wrote in
    >> news:5or7lsFo7ldiU1@mid.dfncis.de:
    >>
    >>> Dustin Cook wrote:
    >>>
    >>>
    >>>> You've got my curiosity. What problem do you have with the listed
    >>>> applications?
    >>>
    >>> Beside the obvious?

    >>
    >> I don't know the obvious problems you have with the programs listed,
    >> hence my question. Would you elaborate please?

    >
    >
    > Firefox: the worst thing you could make out of the Gecko platform


    Examples please?

    > NOD32: virus scanner... highly incomplete approach and high potential
    > for parsing vulnerabilities and privilege escalation


    NOD32 is considered one of the best engines available. Would you mind
    explaining further these issues you have with it?

    > Spyware Blaster: spyware scanner... totally stupid approach, horrible
    > amount of false positives, and of course it's too stupid to do a simple
    > unprivileged task without administrative privileges


    Spyware Blaster... isn't a scanner, at all. How can it get any false
    positives, sir? It doesn't scan for anything. And, it can't do its thing
    without admin rights, due to the registry keys which have to be modified.
    That's a good thing. I wouldn't want a program being able to set those
    keys if I was on the guest account.

    > Spybot Search+Destroy immunization: aside from cluttering the
    > HKEY_LOCAL_MACHINE hive full of useless ClassID, it achieves exactly
    > what? malware authors simply use randomly generated GUIDs or simply



    Blocks installation of older malware applications with GUIDs that are
    already known and used.

    > registrationless COM. MSIE still remains fully vulnerable to


    I certainly don't dispute the security risks present with MSIE.

    > all. Windows Messenger: another documented security hole by design


    I've never been a fan of windows messenger either, sir.

    >
    >> My linksys is a routing firewall, sir. I specify the ports I want
    >> redirected inside the lan and it does so.

    >
    >
    > So what? Can you specify something like:
    >
    > queue: prerouting:
    > route TCP syn from any to me
    > queue postrouting:
    > check-state
    > deny TCP syn from any to me 1-1023
    > allow TCP syn from any to any keep-state
    > allow TCP syn,ack from any to me keep-state
    > allow TCP ack from any to me keep-state


    Nope, I certainly can't.

    > If not, then obviously didn't ask anything that would be sufficient
    > for a firewall concept yet.


    I asked you specifically what you felt was a firewall, I didn't ask for a
    trolling response. And I thank you for the time you spent responding
    to me.




    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  5. #65
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    "Sebastian G." <seppi@seppig.de> wrote in
    news:5osig1FohfakU4@mid.dfncis.de:

    > Dustin Cook wrote:
    >
    >
    >>>> I wouldn't outright say a waste of resources, you can use one to
    >>>> keep some applications from calling home.. for whatever reason.
    >>> You'd wish.

    >>
    >> Unless the application is designed to evade whatever firewall a
    >> person might be using, that's usually how it goes.

    >
    >
    > If the application isn't malicious, then you don't need to enforce
    > that it does what exactly it does. On the contrary, if you think that
    > it does something that it shouldn't do, then you're already
    > considering it as malicious.


    Hmm, we seem to be thinking along different lines here. If I don't want
    so and so application to call home, malicious intentions or not, it's not
    going to on this box. If I am testing software, and/or running software
    that automatically checks for updates and won't let me turn it off, I
    like the ability to block outgoing internet requests from that
    application. And as I said originally, software firewalls, unless
    specifically targeted, aren't going to let the data pass.

    >> If you know something I don't,
    >> feel free to share it, we can all learn.


    > Hm... what about applications seeming non-malicious? A well-known
    > example is commercial software from Adobe, whereas the Adobe License
    > Manager Service uses the Raw Sockets API to successfully bypass about
    > any typical "personal firewall".


    Even when using raw socket calls, if the LSP layer has firewall
    components, the firewall still gets the final say. Ask anyone who's had
    to repair a system's TCP/IP stack due to a nasty removal of ZoneAlarm.

    Do you have anything of value to contribute to the discussion, or is your
    intent to troll?



    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  6. #66
    Maximus the Mad Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Dustin Cook <bughunter.dustin@gmail.com> after much thought,came up
    with this jewel in news:Xns99DAD7562BE88HHI2948AJD832@69.28.186.121:

    > Have you actually examined the program I mentioned yourself?


    I doubt it
    --
    Virus Removal http://max.shplink.com/removal.html
    Keep Clean http://max.shplink.com/keepingclean.html
    Tools http://max.shplink.com/tools.html
    Change nomail.afraid.org to gmail.com to reply by email.

  7. #67
    John Adams Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Aaron wrote:

    > Look carefully, Jetico can generate multiple prompts for one action (for
    > example there is a generic request for network access first, followed by
    > the normal request that most firewalls will warn on). v1 freeware is
    > IMHO one of the most complicated personal firewalls to use out there.
    >

    And the most annoying. Only firewall I ever found more annoying was
    Safety.NET when I set it to full security mode, but that is more than
    just a firewall.

  8. #68
    s|b Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    [Followup-To set to alt.dev.null]

    On Thu, 01 Nov 2007 01:23:38 +0100, Sebastian G. wrote:

    > >>> I'm quite happy with my system, so there's really no need for you to
    > >>> sulk about it...
    > >> As long as you unplug it from the internet, I won't complain.

    > > Then I guess you'll keep on sulking then.


    > But only to your ISP, which might decide to simply disconnect your machine
    > until you stop it from flooding the internet with spam.


    Sulk away...

    --
    s|b

  9. #69
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Maximus the Mad <maxwachtel@nomail.afraid.org> wrote in
    news:Xns99DAE28EE1865whatsinaname@207.115.33.102:

    > Dustin Cook <bughunter.dustin@gmail.com> after much thought,came up
    > with this jewel in news:Xns99DAD7562BE88HHI2948AJD832@69.28.186.121:
    >
    >> Have you actually examined the program I mentioned yourself?

    >
    > I doubt it


    Even so, with all of the packages out there, it's completely understandable
    that he might assume BugHunter was like the rest. I hope to have cleared
    that up with my responses, but who really knows...


    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  10. #70
    Sebastian G. Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Dustin Cook wrote:

    >> Firefox: the worst thing you could make out of the Gecko platform

    >
    > Examples please?



    - global namespace pollution
    - cookie, P3P and SSL options not exposed for configuration and with
    horrible defaults
    - all kinds of internal mandatory policies to cashade symptoms instead of
    fixing the actual issue
    - horrible component layering
    - horrible compatibility issues with extensions

    >> NOD32: virus scanner... highly incomplete approach and high potential
    >> for parsing vulnerabilities and privilege escalation

    >
    > NOD32 is considered one of the best engines available,



    That still doesn't make it better than not using any virus scanner at all.
    Now again: the bad guys typically use self-modifying and self-encrypting
    code to not omit any signature pattern, use side effects to not omit any
    specific behaviour. Pattern matching and behaviour analysis totally fail in
    practice, now why exactly should I have the program crumping through every
    little file on every little file system activity? I'd know much better ways
    to burn resources for nothing.

    > And, it can't do its thing without admin rights, due to the registry


    > keys which have to be modified.


    Very very wrong. As a non-admin user, I can tell for sure that no-one messed
    with HKLM. Now, it has full access to HKCU where possible damage could have
    been done. Why doesn't it degrade gracefully to work on only that?

    > That's a good thing. I wouldn't want a program being able to set those
    > keys if I was on the guest account.



    The bad programs won't care. I'd like a normal program to not even try it,
    since it simply can't do it anyway without sufficient privileges.

    >> Spybot Search+Destroy immunization: aside from cluttering the
    >> HKEY_LOCAL_MACHINE hive full of useless ClassID, it achieves exactly
    >> what? malware authors simply use randomly generated GUIDs or simply

    >
    > Blocks installation of older malware applications with GUIDs that are
    > already known and used.



    OK, and why would I mind if the newer malware already hoses the system?

    >> registrationless COM. MSIE still remains fully vulnerable to

    >
    > I certainly don't dispute the security risks present with MSIE.



    Risk? It's insecure by design, and fully documented as such. One could argue
    that abusing it as a web browser is a user control error since it was never
    promised to be securely usable in a hostile environment, and was documented
    like that, so it's not a security violation by definition.

    So, again, why should I care for the GUIDs of old malware if even the old
    malware already marches in through well-documented functionality that some
    people would consider a security vulnerability?

    >> If not, then obviously didn't ask anything that would be sufficient
    >> for a firewall concept yet.

    >
    > I asked you specifically what you felt was a firewall, I didn't ask for a
    > trolling response. And I thank you for the time you spent responding
    > to me.


    It was not a trolling response, it was a well-specified example of what
    language constructs are necessary to completely express the intended ruleset
    of a routing firewall. Without such constructs, there are cases where you
    can fully specify what you consider as wanted traffic but never implement it
    in rules without additionally allowing unwanted traffic or denying wanted
    traffic.
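
An added illustration of the argument in the post above (not code from any poster in the thread, and not the syntax of any real firewall): a simplified first-match filter that models three of the quoted rules (check-state, deny SYN to ports 1-1023, allow SYN with keep-state) next to two stateless policies. The addresses, the packet model, the two stateless policies and the final default deny are assumptions made for the example.

```python
from collections import namedtuple

# Constructed packet model; flags are "S" (SYN), "SA" (SYN,ACK) or "A" (ACK).
Packet = namedtuple("Packet", "src sport dst dport flags")
ME = "192.0.2.10"  # assumed address of the protected host (documentation range)

def stateless_strict(p):
    """No state: outbound allowed, everything inbound denied."""
    return "allow" if p.src == ME else "deny"

def stateless_loose(p):
    """No state: inbound also allowed to ports >= 1024 so that replies pass."""
    return "allow" if p.src == ME or p.dport >= 1024 else "deny"

class Stateful:
    """First-match filter with a state table (simplified model)."""
    def __init__(self):
        self.states = set()

    def decide(self, p):
        # Direction-independent key, so a reply matches the stored flow.
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if key in self.states:                      # check-state
            return "allow"
        if p.flags == "S" and p.dst == ME and 1 <= p.dport <= 1023:
            return "deny"                           # deny TCP syn to me 1-1023
        if p.flags == "S":                          # allow TCP syn keep-state
            self.states.add(key)
            return "allow"
        return "deny"                               # assumed default deny

# Constructed sample traffic, in arrival order.
SAMPLE = [
    ("outbound_syn", Packet(ME, 40000, "198.51.100.5", 80, "S")),
    ("wanted_reply", Packet("198.51.100.5", 80, ME, 40000, "SA")),
    ("stray_ack", Packet("203.0.113.9", 80, ME, 40000, "A")),
    ("inbound_syn_445", Packet("203.0.113.9", 51000, ME, 445, "S")),
]

def evaluate():
    """Return {name: (strict, loose, stateful)} verdicts for SAMPLE."""
    fw = Stateful()
    return {name: (stateless_strict(p), stateless_loose(p), fw.decide(p))
            for name, p in SAMPLE}

if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:16} strict={v[0]:5} loose={v[1]:5} stateful={v[2]}")
```

The strict stateless policy drops the wanted reply and the loose one admits the stray ACK; only the filter with a state table allows the reply while denying the stray packet.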
