
Thread: Jetico Personal Firewall freeware asks way to many questions

  1. #51
    Maximus the Mad Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    "Sebastian G." <seppi@seppig.de> after much thought,came up with
    this jewel in news:5orcc8Fo7d60U1@mid.dfncis.de:

    > Maximus the Mad wrote:
    >
    >
    >>> When you assume that the user is logged in as an administrator,
    >>> the entire discussion about security is void.

    >>
    >> Out here in the real world, that is what most users do.

    >
    >
    > That doesn't make the discussion at this point any less void.


    But that is reality.
    >
    >>
    >>>> You don't need to restart the
    >>>> system to take advantage. Windows will access the host file
    >>>> anytime it sees a dns request...*shrug*
    >>>
    >>> It won't reload cached requests though.
    >>>
    >>>> So you practice safe hex and use a limited account for most of
    >>>> your day to day tasks right?
    >>>
    >>> Dunno what exactly you mean with safe hex,

    >>
    >> Safe-Hex
    >> http://www.claymania.com/safe-hex.html

    >
    >
    > As I said: Might be different from my understanding. Just #1
    > (Install, use and update anti-virus software) has hardly anything
    > to do with real security. Even considering to keep on abusing MSIE
    > and MSOE as webbrowser and mail client under #2 isn't secure
    > either, what's about "# Install a good firewall"? One should
    > definitely wonder why "Backup your data regularly" isn't
    > listed as #1...
    >
    > > I don't know. What does stop you? Afraid of getting caught
    > > perhaps?

    >
    > I meant technically. I can tell you that the bad guy per se isn't
    > afraid to get caught. As from the user side: Why should I start
    > playing a cat-and-mouse game where I'm always the loser?


    I thought that was the idea.
    >
    >> If you look up MVPS hosts file
    >> http://www.mvps.org/winhelp2002/hosts.htm
    >> and scroll down, the page says to "Disable DNS Client" if using
    >> W2K/XP/Vista.

    >
    >
    > Which is even more stupid, at least for the given arguments.
    > But still less stupid than the entire HOSTS file approach.
    >


    Turning off DNS Client prevents breakage.

    --
    Virus Removal http://max.shplink.com/removal.html
    Keep Clean http://max.shplink.com/keepingclean.html
    Tools http://max.shplink.com/tools.html
    Change nomail.afraid.org to gmail.com to reply by email.

  2. #52
    goarilla Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Sebastian G. wrote:
    > goarilla wrote:
    >
    >
    >>> Depends on which systems. Those with higher security margins have a
    >>> global no-exec policy implemented, thus they simply can't anything
    >>> but the preinstalled software, and as long as this is up-to-date an
    >>> in-memory process compromise of the network is extremely unlikely.
    >>>

    >>
    >> how does one do that ?
    >> have any concrete information pertaining these security measures ?

    >
    >
    > On Windows XP and later, it's called "Software Restriction Policy". For
    > Windows 2000 and NT4 there's "PolicyMaker Application Security",
    > "Antihook Workstation" or the costly Winternals System Manager.
    >
    > On Linux and Solaris, it's a simple kernel setting.
    >


    sysctl?

    >> in a perfect world yes
    >> that's how i do it here
    >> and well it's not uncommon for malware to use local (root) exploits
    >> to escalate privilege

    >
    >
    > After you have successfully implemented such a policy, your focus should
    > exactly be on privilege escalation vulnerabilities. But don't tell me
    > these would be inherent and unavoidable.
    >
    >> huh please explain. do you have some information on how to create
    >> 'restore images' since when ... i think image i think hardware
    >> specific root filesystem (windows)

    >
    >
    > Sysprep


  3. #53
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    goarilla <"kevin DOT paulus AT skynet DOT be"> wrote in news:47280037$0
    $22317$ba620e4c@news.skynet.be:

    > Dustin Cook wrote:
    >> "Sebastian G." <seppi@seppig.de> wrote in
    >> news:5olhodFnfd9dU1@mid.dfncis.de:
    >>
    >>> Max M.Wachtel III wrote:
    >>>
    >>>>>> MVPS hosts file
    >>>>> A very bad start for a proposedly good start. What should this
    >>>>> **** be good for, other than ****ing up the system?
    >>>> what???? a good hosts file doesn't f*ckup anything.
    >>>
    >>> It does. It slows down the resolver and, in case of Windows, even
    >>> partially breaks it. Aside from that, it's simply superfluous.
    >>>
    >>> Even further, it simply doesn't work, as a normal user doesn't have
    >>> write access to the HOSTS file, and doesn't have the privilege to
    >>> restart the system either - neither would this be reasonable.

    >>
    >> On Vista, no. On XP and down, a normal user usually is an administrator
    >> and does have write access by default. You don't need to restart the
    >> system to take advantage. Windows will access the host file anytime it
    >> sees a dns request...*shrug*
    >>
    >>>>> This is not even a solution at all.
    >>>> what do you use?
    >>>
    >>> A real solution: a global non-exec policy enforced by the kernel.

    >>
    >> So you practice safe hex and use a limited account for most of your day
    >> to day tasks right?
    >>
    >>> Any added software increases complexity and therefore decreases
    >>> security. Unless it can actually justify this, it is a bad thing.
    >>> Spyware scanners definitely are bad, and this immunization stuff has
    >>> only one purpose: ****ing up the system.

    >>
    >> I write a spyware scanner, so I'm very interested in why you feel they
    >> are bad?
    >>
    >>>> Why do you say anything is broken????
    >>>
    >>> Because it usually is. Just like your concept.

    >>
    >> Can you explain further please?
    >>
    >>
    >>
    >>

    >
    > what's up with this 'practice safe hex' fad ?
    >


    It's a neat buzzword?


    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  4. #54
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    "Sebastian G." <seppi@seppig.de> wrote in
    news:5or7vqFo8b6nU1@mid.dfncis.de:

    > Dustin Cook wrote:
    >
    >> On XP and down, a normal user usually is an administrator
    >> and does have write access by default.

    >
    >
    > When you assume that the user is logged in as an administrator, the
    > entire discussion about security is void.
    >
    >> You don't need to restart the
    >> system to take advantage. Windows will access the host file anytime
    >> it sees a dns request...*shrug*

    >
    >
    > It won't reload cached requests though.
    >
    >> So you practice safe hex and use a limited account for most of your
    >> day to day tasks right?

    >
    >
    > Dunno what exactly you mean with safe hex, but surely I won't use
    > administrative privileges for anything else but administrative tasks.
    >
    >> I write a spyware scanner, so I'm very interested in why you feel
    >> they are bad?

    >
    >
    > As I already mentioned: Complexity is the exact contrary of security.
    > As for your spyware scanner: What exactly stops me from writing a
    > piece of malicious software that modifies itself without any
    > detectable pattern? That works purely by side effects of the API?


    I don't dispute that BugHunter is retroactive in what it does, and I
    wouldn't want anyone to think they are 100% safe regardless of the
    software they use, but I still believe some protection, even if it's
    retroactive in nature is better than none.

    >>> Because it usually is. Just like your concept.

    >>
    >> Can you explain further please?

    >
    > What he mentioned doesn't even partially address the problem, is
    > based on horrible assumptions, has horrible side effects and is
    > typically the most stupid way to achieve the intended.
    >




    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  5. #55
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    "Sebastian G." <seppi@seppig.de> wrote in
    news:5or7lsFo7ldiU1@mid.dfncis.de:

    > Dustin Cook wrote:
    >
    >
    >> You've got my curiosity. What problem do you have with the listed
    >> applications?

    >
    >
    > Beside the obvious?


    I don't know the obvious problems you have with the programs listed,
    hence my question. Would you elaborate please?

    >> And, you mentioned most routers these days aren't in fact firewalls.
    >> I'm fairly certain this Linksys router does indeed have a firewall.

    >
    >
    > With a third-party linux-based firmware that allows you full access to
    > the underlying netfilter/IPTables rules, you can indeed build a
    > firewall with a Linksys router.
    > But with just the preinstalled firmware: No, definitely not.


    Okay then. Thanks for answering my question in any event.

    >> Can you elaborate on what specifically you are calling a firewall?

    >
    >
    > A firewall is a concept to separate network segments.



    > In the current context: A device is a firewall if it's capable to
    > implement a bridging firewall or a routing firewall.


    My linksys is a routing firewall, sir. I specify the ports I want
    redirected inside the lan and it does so. It's not nearly as advanced as
    a cisco full fledged router or anything, but it certainly does the job I
    ask of it. Keep this computer's ports safe, until/unless I open some.



    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  6. #56
    Dustin Cook Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    "Sebastian G." <seppi@seppig.de> wrote in news:5or713Fnqrn9U1
    @mid.dfncis.de:

    > Dustin Cook wrote:
    >
    >
    >> I wouldn't outright say a waste of resources, you can use one to keep
    >> some applications from calling home.. for whatever reason.

    >
    > You'd wish.


    Unless the application is designed to evade whatever firewall a person
    might be using, that's usually how it goes. If you know something I don't,
    feel free to share it, we can all learn.




    --
    Dustin Cook, Author of BugHunter - MalWare Removal Tool - v2.2d
    Email.: bughunter.dustin@gmail.com
    Web...: http://bughunter.it-mate.co.uk
    Pad...: http://bughunter.it-mate.co.uk/pad.xml
    PGP...: http://bughunter.it-mate.co.uk/bughunter.dustin.txt

  7. #57
    s|b Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    On Wed, 31 Oct 2007 12:31:56 +0100, Sebastian G. wrote:

    > > I'm quite happy with my system, so there's really no need for you to
    > > sulk about it...


    > As long as you unplug it from the internet, I won't complain.


    Then I guess you'll keep on sulking then.

    --
    s|b

  8. #58
    Sebastian G. Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Dustin Cook wrote:


    >>> I wouldn't outright say a waste of resources, you can use one to keep
    >>> some applications from calling home.. for whatever reason.

    >> You'd wish.

    >
    > Unless the application is designed to evade whatever firewall a person
    > might be using, that's usually how it goes.



    If the application isn't malicious, then you don't need to enforce that it
    does what exactly it does. On the contrary, if you think that it does
    something that it shouldn't do, then you're already considering it as malicious.

    > If you know something I don't,
    > feel free to share it, we can all learn.



    Hm... what about applications seeming non-malicious? A well-known example is
    commercial software from Adobe, whereas the Adobe License Manager Service
    uses the Raw Sockets API to successfully bypass about any typical "personal
    firewall".

  9. #59
    Sebastian G. Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Maximus the Mad wrote:


    >>>> When you assume that the user is logged in as an administrator,
    >>>> the entire discussion about security is void.
    >>> Out here in the real world, that is what most users do.

    >>
    >> That doesn't make the discussion at this point any less void.

    >
    > But that is reality.



    And therefore the voidness of this discussion point is reality. Now do you
    want to discuss the impossible or could we come back to reasonable
    assumptions on how things should be?

    >> As from the user side: Why should I start
    >> playing a cat-and-mouse game where I'm always the loser?

    >
    > I thought that was the idea.



    The idea of signature-based scanning to address the problem of malicious
    software was, as usual, to promote something that on the first run seems to
    work even though it actually doesn't, and to get people paying for it. The
    lack of education drives this discrepancy even further.

    > Turning off DNS Client prevents breakage.


    No, it doesn't. Anyway, this is a stupid idea since you're effectively
    throwing away a lot of performance for achieving absolutely nothing.
    Hint: If you were the bad guy and you'd be running your own server on your
    own domain with your own DNS server, how would you avoid single hostnames
    being blacklisted? Simply by using wildcards in your zone!
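
Added example, not part of the original thread or any poster's code: a coverage check illustrating the wildcard point made in post #59. A HOSTS file matches whole hostnames only, so names it has never listed under the same zone pass through, while a zone-level rule (a hypothetical resolver policy, assumed here) covers them. All hostnames and the blocklist are constructed sample data.

```python
# Constructed sample data: a HOSTS-style blocklist and names seen in DNS logs.
HOSTS_BLOCKLIST = """\
# constructed sample entries
127.0.0.1  localhost
0.0.0.0    ads.tracker.example
0.0.0.0    cdn1.tracker.example   # trailing comment
0.0.0.0    stats.other.example
"""
OBSERVED = [
    "ads.tracker.example",
    "ADS.Tracker.Example.",      # same name, different case, trailing dot
    "x7f3a.tracker.example",     # label never listed in the HOSTS file
    "k2.q9.tracker.example",
    "www.benign.example",
]

def normalize(name):
    """DNS names compare case-insensitively; drop the root dot."""
    return name.lower().rstrip(".")

def parse_hosts(text):
    """Return hostnames mapped to a sink address in HOSTS syntax."""
    sinks = {"0.0.0.0", "127.0.0.1", "::"}
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in sinks:
            names.update(normalize(n) for n in fields[1:])
    names.discard("localhost")
    return names

def hosts_blocks(name, entries):
    """HOSTS semantics: whole-name match only, no wildcards."""
    return normalize(name) in entries

def zone_blocks(name, zones):
    """Zone semantics (assumed policy): block the zone and all names below it."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in zones for i in range(len(labels)))

def coverage_gaps(observed, entries, zones):
    """Names a zone-level rule would stop but the HOSTS list lets through."""
    return [n for n in observed
            if zone_blocks(n, zones) and not hosts_blocks(n, entries)]

if __name__ == "__main__":
    entries = parse_hosts(HOSTS_BLOCKLIST)
    print(coverage_gaps(OBSERVED, entries, {"tracker.example"}))
```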

  10. #60
    Sebastian G. Guest

    Re: Jetico Personal Firewall freeware asks way to many questions

    Dustin Cook wrote:


    > I don't dispute that BugHunter is retroactive in what it does, and I
    > wouldn't want anyone to think they are 100% safe regardless of the
    > software they use, but I still believe some protection, even if it's
    > retroactive in nature is better than none.



    Aside from the added complexity and the inability of the user to judge the
    output of the mentioned program, what exactly is a ****load of false
    positives worth? Say it, f.e., claims that there's some oh-so-bad "tracking
    cookie", and as well a trojan horse in user32.dll (because it doesn't match
    the original one any more, probably due to a normal update). Now it deletes
    both, demands a shutdown, and the system doesn't boot up anymore.

    Just try running it over a completely fresh install of Windows, or even over
    a well secured system with a lot of known-good third-party software, and the
    shame of its report. Same goes for almost any malware scanner under the sun.
