
Microsoft Windows Vista includes a two-way firewall. TO THE TOP



Posted

On Wed, 18 Feb 2009 13:49:42 -0500, Jack the Ripper <Jack@Rripper.com> wrote:

> Is this supposed to be some kind of a joke here, because you seem serious?

You sure post under a lot of different names. Is that a joke?

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

+Bob+ wrote:

> On Wed, 18 Feb 2009 13:49:42 -0500, Jack the Ripper <Jack@Rripper.com> wrote:
>
>> Is this supposed to be some kind of a joke here, because you seem serious?
>
> You sure post under a lot of different names. Is that a joke?

You didn't answer the question. Therefore, I know that you don't know what you are talking about.

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

+Bob+ wrote:

> On Wed, 18 Feb 2009 19:59:31 -0500, "FromTheRafters" <erratic@nomail.afraid.org> wrote:
>
>> Thanks for the link, although I'm not sure why you posted it here. This poster seemed to imply that there is middle ground to cover for programs that you trust to play your video files, yet don't trust to access the internet for instance. My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).
>
> Nonsense. I run programs that have no need to access the Internet - at least not unless I want them to. They aren't intrinsically evil programs, but they also don't need to do internet access unless there is a specific need for it.

Nonsense, you either know what is running on the computer or you don't. If you trust the program, then you should have no problems in allowing that program to access the Internet. If you don't trust the program, then you shouldn't have the program on the computer, period.

It's as simple as that, and it doesn't take a rocket scientist to figure it out.

>> In the case of foistware/malware, there is no reason to assume outbound filtering would catch it in egression.
>
> Some is very sharp (in an evil sense) and no doubt will sneak through. Then again, some isn't and will be easily trapped. This is like having a dead bolt on your front door - some thieves are sharp enough to pick such a lock and will get in. Most will not and move on to easier prey.

No, some are sharp in a technical sense, and the developer of the exploit knew where the holes are at, while some are still learning and have to practice on someone before moving to bigger game.

Guest Sam Hobbs
Posted

"mayayana" <mayayaXXna@rcXXn.com> wrote in message news:%23FbIbxdkJHA.1340@TK2MSFTNGP06.phx.gbl...

> Complicating matters, Microsoft shrouds a number of services in the svchost.exe process, which can run in multiple instances. So if you allow svchost through the firewall it's not so easy to know exactly what you're allowing. And ZA can't differentiate between the actual processes running under the svchost "hat".

Actually it is possible to determine what each instance of svchost is doing. WMI can show what is executed by each instance and you can use the Task Manager interactively to determine that information (you probably need to modify the view to show the columns). The Sysinternals site in Microsoft has a process monitor that can show the information.

The ZoneAlarm people are technical enough that they could hook each instance of svchost if necessary.

Guest Sam Hobbs
Posted

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23gqTT1ikJHA.4912@TK2MSFTNGP04.phx.gbl...

> My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).

Using that logic, most users of SQL Server should not use it. SQL Server can communicate over a network, including the network, but Microsoft recommends not allowing SQL Server to access the internet unless there is a need for it. I think the MBSA suggests closing the SQL Server ports if they are open.

MySQL is worse, unless they fixed it in the past few years. It does, or at least did, require access to the internet in order to communicate among processes in a single system. I think it used localhost and therefore perhaps it is possible to configure firewalls to only allow localhost but that is still more than what you are suggesting to allow, correct?

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

FromTheRafters wrote:

> "Jack the Ripper" <Jack@Rripper.com> wrote in message news:%235XoHyhkJHA.1172@TK2MSFTNGP04.phx.gbl...
>
>> FromTheRafters wrote:
>>
>>> "John Doe" <jdoe@usenetlove.invalid> wrote in message news:6dTml.10887$hc1.1606@flpi150.ffdc.sbc.com...
>>>
>>>> "FromTheRafters" <erratic@nomail.afraid.org> wrote:
>>>>
>>>>> "Richard Mueller [MVP]" wrote
>>>>>
>>>>>> "FromTheRafters" <erratic@nomail.afraid.org> wrote
>>>>>>
>>>>>>> "I.C. Greenfields" <none@nospam.net> wrote
>>>>>>>
>>>>>>>> Some of us want to choose what "gets out" and what doesn't. And this info doesn't work since there is nowhere to make such a change in the Windows Firewall window that comes up. Configure it - HOW? Can someone explain how it's configured to actually work without being a programmer writing strange unknown confusing rules for everything that wants to connect to the net? If not, can someone recommend a good free easy to use two-way FireWall like ZoneAlarm that's compatible with Vista? Thanks.
>>>>>>>>
>>>>>>>> http://www.vistastic.com/2007/03/09/window...ound-filtering/
>>>>>>>> I bet you didn't know that Microsoft Windows Vista includes a two-way firewall.
>>>>>>>
>>>>>>> Windows Firewall with Advanced Security includes an API that allows services, applications, and installers to write their own ticket through the firewall. In other words, they can add themselves to the exclusions list.
>>>>>>>
>>>>>>> http://msdn.microsoft.com/en-us/library/aa366453(VS.85).aspx
>>>>
>>>> Thanks for the information.
>>>>
>>>>>>> So, it doesn't really do what most people think it does.
>>>>>>>
>>>>>>> The key to not having programs make outbound connections, or opening up ports for receiving unsolicited inbound traffic, is to not run those programs on the machine.
>>>>>>>
>>>>>>> Third party firewalls don't make it that easy - but they don't make it much harder either. They provide the illusion that they can stop outbound traffic.
>>>>
>>>> Apparently the makers of ZoneAlarm fixed such a problem by preventing ZoneAlarm from being shut down. After that, I have never heard an authoritative claim that an application snuck through ZoneAlarm.
>>>>
>>>>>> Which is why I never use the Windows firewall. Every app thinks they are special and should be able to contact big brother with news about me and retrieve info on things they feel I need. Some companies are especially bad. I know because I don't use Windows firewall so I see the requests and deny them. Over the years it seems to have gotten much worse.
>>>>>
>>>>> I think it comes down to trust. If you don't trust a program - don't execute it. If you do trust it, let it do whatever it is programmed to do.
>>>>
>>>> Sounds like a symptom of the ones and zeros disease.
>>>
>>> When there is no "grey area" ones and zeroes describe things accurately.
>>
>> http://www.securityfocus.com/infocus/1839/1
>
> Thanks for the link, although I'm not sure why you posted it here. This poster seemed to imply that there is middle ground to cover for programs that you trust to play your video files, yet don't trust to access the internet for instance. My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of). There is no problem having an API that allows a program you have given permission to execute the ability to configure your firewall. You indicated your trust when you installed or executed the program.

If one doesn't trust the program in this case, then one shouldn't have it on the machine. Who has time to be playing Russian roulette, because that's what is happening when one starts playing that game?

Those programs are smart enough to find other ways of punching out by piggy-backing off of other legit processes running on the machine.

> In the case of foistware/malware, there is no reason to assume outbound filtering would catch it in egression. Houdini demonstrated that a safe isn't designed to keep a person locked in. When he repeatedly managed to escape from them, it didn't cause the manufacturers to redesign their safes to be escape proof. You just have to work within the safe's specifications.

Malware can have several back doors and other means to punch its way out, undetected.

You know, a malware maker can set up a honey-pot situation sort of speaking, whereas they expose the exploit and let it be seen so that it can be caught, giving someone a false sense of accomplishment that they caught it.

In the meantime, they are being back-doored somewhere else, undetected.

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

Sam Hobbs wrote:

> "mayayana" <mayayaXXna@rcXXn.com> wrote in message news:%23FbIbxdkJHA.1340@TK2MSFTNGP06.phx.gbl...
>
>> Complicating matters, Microsoft shrouds a number of services in the svchost.exe process, which can run in multiple instances. So if you allow svchost through the firewall it's not so easy to know exactly what you're allowing. And ZA can't differentiate between the actual processes running under the svchost "hat".
>
> Actually it is possible to determine what each instance of svchost is doing. WMI can show what is executed by each instance and you can use the Task Manager interactively to determine that information (you probably need to modify the view to show the columns). The Sysinternals site in Microsoft has a process monitor that can show the information.
>
> The ZoneAlarm people are technical enough that they could hook each instance of svchost if necessary.

Look man, those users using ZA (home users most likely) or any other personal FW solutions are not savvy enough to find a hidden process, because I have talked with them in other NG(s) including ZA users about using PE, how to use it and they couldn't find a thing, probably looking right at it in their face.

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

Sam Hobbs wrote:

> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23gqTT1ikJHA.4912@TK2MSFTNGP04.phx.gbl...
>
>> My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).
>
> Using that logic, most users of SQL Server should not use it. SQL Server can communicate over a network, including the network, but Microsoft recommends not allowing SQL Server to access the internet unless there is a need for it. I think the MBSA suggests closing the SQL Server ports if they are open.

If someone is in communications with SQL Server from a SQL Server management standpoint remotely, then they are behind a network FW doing it in a LAN situation, or in a VPN solution it's over the Internet.

With SQL Server 2005 and now 2008 using CLR for even the Express editions, let alone the server editions of SQL Server, SQL Server can be in communications with another SQL Server as a client over the Internet, which has nothing to do with TCP port 1434 I think it is, by means of queue processing.

http://www.eggheadcafe.com/articles/20040703.asp

So ports are open on SQL Server and a FW, if a remote Internet client solution calls for it and one knows how to protect SQL Server.

Guest Root Kit
Posted

On Wed, 18 Feb 2009 20:52:49 -0800, "Sam Hobbs" <Gateremovethis@SamHobbs.org> wrote:

> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23gqTT1ikJHA.4912@TK2MSFTNGP04.phx.gbl...
>
>> My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).
>
> Using that logic, most users of SQL Server should not use it. SQL Server can communicate over a network, including the network, but Microsoft recommends not allowing SQL Server to access the internet unless there is a need for it. I think the MBSA suggests closing the SQL Server ports if they are open.

I'm convinced that's configurable and therefore doesn't need a PFW to "control" it.

> MySQL is worse, unless they fixed it in the past few years. It does, or at least did, require access to the internet in order to communicate among processes in a single system. I think it used localhost and therefore perhaps it is possible to configure firewalls to only allow localhost but that is still more than what you are suggesting to allow, correct?

Since when did localhost reside on the Internet?

Posted

On Wed, 18 Feb 2009 23:33:13 -0500, Jack the Ripper <Jack@Rripper.com> wrote:

> +Bob+ wrote:
>
>> On Wed, 18 Feb 2009 13:49:42 -0500, Jack the Ripper <Jack@Rripper.com> wrote:
>>
>>> Is this supposed to be some kind of a joke here, because you seem serious?
>>
>> You sure post under a lot of different names. Is that a joke?
>
> You didn't answer the question. Therefore, I know that you don't know what you are talking about.

Seems like you are the one avoiding the question. Why do you post under so many different monikers?

Guest Root Kit
Posted

On Wed, 18 Feb 2009 19:59:31 -0500, "FromTheRafters" <erratic@nomail.afraid.org> wrote:

> My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).

Agreed.

> There is no problem having an API that allows a program you have given permission to execute the ability to configure your firewall. You indicated your trust when you installed or executed the program.

Exactly. People tend to forget that configuring the firewall requires proper privileges. Configuring the Windows firewall programmatically requires admin or at least network admin rights. If you run/install a program as administrator YOU are responsible. That's what an administrator account is all about and what most people don't understand.
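Two points in this thread suggest one defensive check: Sam Hobbs notes that WMI can tell you which services a given svchost.exe instance is running, and FromTheRafters notes that the Windows Firewall with Advanced Security API lets an installed program add its own exception. The PowerShell below is an added example, not code from any poster; it enumerates the program-scoped allow rules through the HNetCfg.FwPolicy2 COM object (the INetFwPolicy2 interface of that API) and resolves every svchost-bound rule to the services WMI shows behind it, so you can see how wide each "ticket" actually is. It assumes Windows Vista or later with PowerShell 3.0+, and only reads the policy.

```powershell
# Added example (not code from any poster in this thread). Audits the Windows
# Firewall rules that admit a specific program, and resolves rules bound to
# svchost.exe to the services WMI says each svchost instance is hosting.
# Assumes Windows Vista or later and PowerShell 3.0+ (for Get-CimInstance).
# Reading rules needs no elevation; adding or changing them ($policy.Rules.Add)
# needs an administrator token, which is Root Kit's point above.

# INetFwPolicy2, reached through its COM ProgID. This is the same Windows
# Firewall with Advanced Security API an installer uses to add its own rule.
$policy = New-Object -ComObject HNetCfg.FwPolicy2

# Constants from the NET_FW_RULE_DIRECTION and NET_FW_ACTION enumerations.
$NET_FW_RULE_DIR_OUT = 2
$NET_FW_ACTION_ALLOW = 1

function Get-ProgramFirewallRules {
    # Every enabled allow rule that names a program: the set of "tickets"
    # written through the firewall for executables.
    foreach ($rule in $policy.Rules) {
        if (-not $rule.Enabled) { continue }
        if ($rule.Action -ne $NET_FW_ACTION_ALLOW) { continue }
        if ([string]::IsNullOrEmpty($rule.ApplicationName)) { continue }

        $direction = if ($rule.Direction -eq $NET_FW_RULE_DIR_OUT) { 'Out' } else { 'In' }
        [pscustomobject]@{
            Name        = $rule.Name
            Direction   = $direction
            Program     = [Environment]::ExpandEnvironmentVariables($rule.ApplicationName)
            ServiceName = $rule.ServiceName   # populated only when the rule is scoped to one service
        }
    }
}

function Get-SvchostServiceMap {
    # Maps each running svchost.exe PID to the service names hosted in it,
    # using Win32_Process and Win32_Service (Task Manager shows the same data
    # once its PID column is enabled).
    $svchostIds = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
        Select-Object -ExpandProperty ProcessId
    $running = Get-CimInstance Win32_Service -Filter "State = 'Running'"
    foreach ($procId in $svchostIds) {
        $hosted = @($running | Where-Object ProcessId -eq $procId |
            Select-Object -ExpandProperty Name)
        [pscustomobject]@{ ProcessId = $procId; Services = $hosted }
    }
}

function Get-FirewallExposureReport {
    # Joins the two views: for each program rule, state how wide the door is.
    $allHosted = @(Get-SvchostServiceMap | ForEach-Object { $_.Services } | Sort-Object -Unique)
    foreach ($r in Get-ProgramFirewallRules) {
        $isSvchost = [IO.Path]::GetFileName($r.Program) -ieq 'svchost.exe'
        # An svchost rule without a service scope (empty or '*') admits every
        # service that happens to be hosted there, which is mayayana's concern.
        $scope = if (-not $isSvchost) {
            'single program'
        } elseif ($r.ServiceName -and $r.ServiceName -ne '*') {
            "svchost, limited to service '$($r.ServiceName)'"
        } else {
            "svchost, ANY hosted service ($($allHosted.Count) running now)"
        }
        [pscustomobject]@{
            Rule      = $r.Name
            Direction = $r.Direction
            Program   = $r.Program
            Scope     = $scope
        }
    }
}

# Show which services sit behind each svchost instance, then the rule audit.
Get-SvchostServiceMap |
    ForEach-Object { '{0,6}  {1}' -f $_.ProcessId, ($_.Services -join ', ') }
Get-FirewallExposureReport | Sort-Object Scope, Program | Format-Table -AutoSize
```

Rules whose Scope column reads "ANY hosted service" are the ones worth tightening to a named service, since they admit whatever the service host happens to be running at the time.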

Posted

On Wed, 18 Feb 2009 23:41:00 -0500, Jack the Ripper <Jack@Rripper.com> wrote:

> +Bob+ wrote:
>
>> On Wed, 18 Feb 2009 19:59:31 -0500, "FromTheRafters" <erratic@nomail.afraid.org> wrote:
>>
>> Nonsense. I run programs that have no need to access the Internet - at least not unless I want them to. They aren't intrinsically evil programs, but they also don't need to do internet access unless there is a specific need for it.
>
> Nonsense, you either know what is running on the computer or you don't.

I know what's running.

> If you trust the program, then you should have no problems in allowing that program to access the Internet. If you don't trust the program, then you shouldn't have the program on the computer, period.

Your opinion, not mine. Many people disagree with you.

> It's as simple as that, and it doesn't take a rocket scientist to figure it out.

Certainly no one will ever mistake you for a scientist as you are incapable of objectively analyzing anything.

Guest Root Kit
Posted

On Wed, 18 Feb 2009 22:54:30 -0500, +Bob+ <nomailplease@example.com> wrote:

> Nonsense. I run programs that have no need to access the Internet - at least not unless I want them to.

How do you know? Did you code them yourself? Or did you thoroughly investigate exactly what they are doing online? - Or are you just assuming that it must be bad?

> They aren't intrinsically evil programs, but they also don't need to do internet access unless there is a specific need for it.

If a program does something against your will or policy and this is not programmatically configurable it is by definition malicious.

>> In the case of foistware/malware, there is no reason to assume outbound filtering would catch it in egression.
>
> Some is very sharp (in an evil sense) and no doubt will sneak through. Then again, some isn't and will be easily trapped. This is like having a dead bolt on your front door - some thieves are sharp enough to pick such a lock and will get in. Most will not and move on to easier prey.

Are we debating trustworthy security measures or trial-and-error approaches?

Guest Sam Hobbs
Posted

"Jack the Ripper" <Jack@Rripper.com> wrote in message news:OM2Q6ClkJHA.5980@TK2MSFTNGP06.phx.gbl...

> Sam Hobbs wrote:
>
>> "mayayana" <mayayaXXna@rcXXn.com> wrote in message news:%23FbIbxdkJHA.1340@TK2MSFTNGP06.phx.gbl...
>>
>>> Complicating matters, Microsoft shrouds a number of services in the svchost.exe process, which can run in multiple instances. So if you allow svchost through the firewall it's not so easy to know exactly what you're allowing. And ZA can't differentiate between the actual processes running under the svchost "hat".
>>
>> Actually it is possible to determine what each instance of svchost is doing. WMI can show what is executed by each instance and you can use the Task Manager interactively to determine that information (you probably need to modify the view to show the columns). The Sysinternals site in Microsoft has a process monitor that can show the information.
>>
>> The ZoneAlarm people are technical enough that they could hook each instance of svchost if necessary.
>
> Look man, those users using ZA (home users most likely) or any other personal FW solutions are not savvy enough to find a hidden process, because I have talked with them in other NG(s) including ZA users about using PE, how to use it and they couldn't find a thing, probably looking right at it in their face.

I said nothing about users. I said "ZoneAlarm people", not ZoneAlarm users.

Guest Sam Hobbs
Posted

"Root Kit" <b__nice@hotmail.com> wrote in message news:r2tpp4pg39qpald3h3b42cvgv92gu45hm6@4ax.com...

> On Wed, 18 Feb 2009 20:52:49 -0800, "Sam Hobbs" <Gateremovethis@SamHobbs.org> wrote:
>
>> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23gqTT1ikJHA.4912@TK2MSFTNGP04.phx.gbl...
>>
>>> My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).
>>
>> Using that logic, most users of SQL Server should not use it. SQL Server can communicate over a network, including the network, but Microsoft recommends not allowing SQL Server to access the internet unless there is a need for it. I think the MBSA suggests closing the SQL Server ports if they are open.
>
> I'm convinced that's configurable and therefore doesn't need a PFW to "control" it.

The statement made by FromTheRafters did not make an exception for anything that can be configured.

>> MySQL is worse, unless they fixed it in the past few years. It does, or at least did, require access to the internet in order to communicate among processes in a single system. I think it used localhost and therefore perhaps it is possible to configure firewalls to only allow localhost but that is still more than what you are suggesting to allow, correct?
>
> Since when did localhost reside on the Internet?

Any software that uses localhost can use and/or be used by thousands of other IP addresses, simply by changing the IP address or domain name. Localhost is just an IP address (127.0.0.1); it is nothing more than an IP address. What I am saying is that use of MySQL requires that MySQL be allowed access to the internet, unless that has been changed in the past few years. Some firewalls probably provide the ability to limit internet access to just the localhost but localhost is the internet. MySQL uses RPC for inter-process communication and RPC is an internet protocol. RPC is also used by DCOM but only for inter-system communication.

See: http://en.wikipedia.org/wiki/Localhost

Guest FromTheRafters
Posted

"+Bob+" <nomailplease@example.com> wrote in message news:fnlpp4tu7ej6omqg0mq9qdic9vb47k61t1@4ax.com...

> On Wed, 18 Feb 2009 19:59:31 -0500, "FromTheRafters" <erratic@nomail.afraid.org> wrote:
>
>> Thanks for the link, although I'm not sure why you posted it here. This poster seemed to imply that there is middle ground to cover for programs that you trust to play your video files, yet don't trust to access the internet for instance. My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).
>
> Nonsense. I run programs that have no need to access the Internet - at least not unless I want them to. They aren't intrinsically evil programs, but they also don't need to do internet access unless there is a specific need for it.

Nice argument - they don't need to unless they need to.

>> In the case of foistware/malware, there is no reason to assume outbound filtering would catch it in egression.
>
> Some is very sharp (in an evil sense) and no doubt will sneak through.

Yes, which is why I feel PFW's outbound filters are very nearly useless. The malware is running on the same machine the filtering is. A dedicated external device would be a different matter. While filtering on an external device makes sense, it doesn't follow that the same software running on the machine it hopes to protect makes any sense. Inbound filtering can help keep things out (to some extent), but once you have untrustworthy programs running on the local machine - it's "game over".

> Then again, some isn't and will be easily trapped.

Some, yes. So if having additional software running all the time so that some of the less adept malwares that want access to the internet can be caught in the act is something you value, then by all means filter away. I think it is better to choose what programs are allowed to run.

> This is like having a dead bolt on your front door - some thieves are sharp enough to pick such a lock and will get in. Most will not and move on to easier prey.

Actually it is more like having a "loop and hook" on the door with a sign saying "Protected by Titanium locking mechanism".

Guest FromTheRafters
Posted

"Sam Hobbs" <Gateremovethis@SamHobbs.org> wrote in message news:E54361D4-189B-4A05-9A80-62599967A850@microsoft.com...

> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23gqTT1ikJHA.4912@TK2MSFTNGP04.phx.gbl...
>
>> My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).
>
> Using that logic, most users of SQL Server should not use it.

Absolutely, if they don't trust it they shouldn't use it.

> SQL Server can communicate over a network, including the network, but Microsoft recommends not allowing SQL Server to access the internet unless there is a need for it.

A user's need, not a program's need. If the program needed it, do you think they would have it user configurable?

> I think the MBSA suggests closing the SQL Server ports if they are open.
>
> MySQL is worse, unless they fixed it in the past few years. It does, or at least did, require access to the internet in order to communicate among processes in a single system. I think it used localhost and therefore perhaps it is possible to configure firewalls to only allow localhost but that is still more than what you are suggesting to allow, correct?

Localhost? Internet? Not even a LAN. So, your firewall heard your computer talking to itself?

Basically my point is that users shouldn't feel the need to run untrustworthy programs and then attempt to mitigate the consequences.

Guest FromTheRafters
Posted

"Sam Hobbs" <Gateremovethis@SamHobbs.org> wrote in message news:29772EAC-EC0E-4D9B-9362-7CBFEAF57848@microsoft.com...

> "Root Kit" <b__nice@hotmail.com> wrote in message news:r2tpp4pg39qpald3h3b42cvgv92gu45hm6@4ax.com...
>
>> On Wed, 18 Feb 2009 20:52:49 -0800, "Sam Hobbs" <Gateremovethis@SamHobbs.org> wrote:
>>
>>> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:%23gqTT1ikJHA.4912@TK2MSFTNGP04.phx.gbl...
>>>
>>>> My point is that there is no middle ground - if you don't trust it to access the internet, don't have it on your system (who knows what other horrible things it could be doing that you aren't aware of).
>>>
>>> Using that logic, most users of SQL Server should not use it. SQL Server can communicate over a network, including the network, but Microsoft recommends not allowing SQL Server to access the internet unless there is a need for it. I think the MBSA suggests closing the SQL Server ports if they are open.
>>
>> I'm convinced that's configurable and therefore doesn't need a PFW to "control" it.
>
> The statement made by FromTheRafters did not make an exception for anything that can be configured.

I consider configurable items to be items you are (or at least should be) aware of. For instance, an earlier version of media player would fire up IE to access a website whose URL was contained in the media file. When they made this configurable, they regained my trust somewhat. Why should I make an exception for anything that can be configured when that very configuration is what that trust hinges upon?

I really didn't expect that uttering a security platitude would be so much like poking a stick into a beehive. I thought the API thing would cause readers to gasp and exclaim "Doesn't that defeat the whole purpose of an outbound firewall!?". The idea is to not compromise the machine. Once you have compromised the machine then how much can you trust what other applications on that same machine are telling you?

I'm not invested in this in any way, so if a user wants to stop consent.exe from accessing the internet because he or she doesn't think it should need to - then they can if it makes them happy. If you want to execute programs that you trust a little bit - go right ahead. Cripple it to your heart's content with additional applications if that is what you like to do. Just don't disable a better firewall just because it doesn't do some nearly useless function that you think you need.

Guest FromTheRafters
Posted

"Jack the Ripper" <Jack@Rripper.com> wrote in message

news:%23nDJk9kkJHA.1288@TK2MSFTNGP02.phx.gbl...<span style="color:blue">

> FromTheRafters wrote:</span>

>> Thanks for the link, although I'm not sure why you posted
>> it here. This poster seemed to imply that there is middle
>> ground to cover for programs that you trust to play your
>> video files, yet don't trust to access the internet for
>> instance. My point is that there is no middle ground - if
>> you don't trust it to access the internet, don't have it
>> on your system (who knows what other horrible things it
>> could be doing that you aren't aware of). There is no
>> problem having an API that allows a program you have
>> given permission to execute the ability to configure your
>> firewall. You indicated your trust when you installed or
>> executed the program.
>
> If one doesn't trust the program in this case, then one
> shouldn't have it on the machine.

Yes. Say someone sends you a supposedly "freeware" program.
Once you click past that pesky EULA thingy and install the
program you find it "phones home" - (your trusty firewall
catches it) so it's just gotta be spying on you. You set a
rule to stop this behavior. Turns out that it was legitimate
"adware" or more correctly "advertising supported software".
You have defeated the advertisements (which you agreed to in
the EULA) and have also defeated the ability to be notified
of critical security vulnerabilities in the software.

...or was it really spyware?

No mention in the EULA of any umbilical cord to the mother
ship (as if anybody actually reads them). You install the
program and it sends banking information
to a criminal organization - without the firewall alerting
to anything untoward.

Bottom line, you had no reason to trust the program in
either case. Your filters didn't save you, in fact in the
first case your filters retrograded security.

> Who has time to be playing Russian roulette, because
> that's what is happening when one starts playing that
> game?

With a six shooter loaded with five bullets. :)

> Those programs are smart enough to find
> other ways of punching out by piggy-backing off of other
> legit processes running on the machine.

Ah, so that was the point of the URL
http://www.securityfocus.com/infocus/1839/1 .

>> In the case of foistware/malware, there is no reason to
>> assume outbound filtering would catch it in egression.
>> Houdini demonstrated that a safe isn't designed to keep a
>> person locked in. When he repeatedly managed to escape
>> from them, it didn't cause the manufacturers to redesign
>> their safes to be escape proof. You just have to work
>> within the safe's specifications.
>
> Malware can have several back doors and other means to
> punch its way out, undetected.

A person trying to get into a safe is living outside the
box. Malware running on a machine is living inside, and
the box wasn't designed to keep escape artists from getting
out. Having other security software inside the box is not as
effective as having security outside the box (a real
firewall) - even Houdini couldn't escape from within a
locked safe if the safe had locked chains wrapped around the
outside.

> You know, a malware maker can set-up a honey-pot situation
> so to speak, whereas they expose the exploit and
> let it be seen so that it can be caught, giving someone a
> false sense of accomplishment that they caught it.

Yes, or this could be just the side effect of having a
blended threat. Three ingress methods, one of which gets
caught out by a PFW.

> In the meantime, they are being back-doored somewhere
> else, undetected.

Yes, in which case the PFW user has had his paranoia
misplaced. He should be more wary of what he allows to
execute rather than to try to control or detect what actions
the malware is taking.

Guest FromTheRafters
Posted

"Root Kit" <b__nice@hotmail.com> wrote in message

news:fdupp4dnjupmimcdm5lc2nr16brfks73ia@4ax.com...<span style="color:blue">

> On Wed, 18 Feb 2009 19:59:31 -0500, "FromTheRafters"

> <erratic@nomail.afraid.org> wrote:

><span style="color:green">

>>My point is that there is no middle ground - if

>>you don't trust it to access the internet, don't have it

>>on

>>your system (who knows what other horrible things it could

>>be doing that you aren't aware of).</span>

>

> Agreed.

><span style="color:green">

>>There is no problem having an API that allows a program

>>you

>>have given permission to execute the ability to configure

>>your

>>firewall. You indicated your trust when you installed or

>>executed the program.</span>

>

> Exactly. People tend to forget that configuring the

> firewall requires

> proper privileges. Configuring the windows firewall

> programmatically

> requires admin or at least network admin rights. If you

> run/install a

> program as administrator YOU are responsible. That's what

> an

> administrator account is all about and what most people

> don't

> understand.</span>

 

I was looking for an analogy, the best I could come up with

is those instances where someone doesn't want their admins

to have access to a command prompt. If you can't trust your

admins with a command prompt - they shouldn't be admins in

the first place. If you can't trust a program, you shouldn't

execute it.

Guest FromTheRafters
Posted

"mayayana" <mayayaXXna@rcXXn.com> wrote in message

news:%23FbIbxdkJHA.1340@TK2MSFTNGP06.phx.gbl...<span style="color:blue"><span style="color:green">

> ><span style="color:darkred">

>> >Apparently the makers of ZoneAlarm fixed such a problem

>> >by

>> >preventing ZoneAlarm from being shut down.</span>

>>

>> What makes you believe shutting it down is the only

>> possible way to

>> circumvent it? And why would malware writers choose a

>> method which

>> makes you as a user suspicious to what is going on. No,

>> no. They will

>> of course just circumvent your illusionware why letting

>> you continue

>> to believe all is fine and well.

>></span>

>

> That's quite a strong statement to make, implying

> that 2-way firewalls are basically useless. If you're

> going to claim that you should provide some evidence

> and explanation. Otherwise you're just adding confusion.</span>

 

Maybe Jack meant to post this to you rather than to me.

 

http://www.securityfocus.com/infocus/1839/1

<span style="color:blue">

> In my experience, ZA has no trouble blocking unauthorized

> software from going online</span>

 

Why are you running unauthorized software?

<span style="color:blue">

> There is a wrinkle, though,

> with XP. XP, and NT systems in general, are a security

> risk

> in that they're designed as corporate workstations, with

> various vulnerable network-related services that are

> unnecessary on Win9x but are typically running, and may

> even be critical, on NT (RPC, for example.)</span>

 

What they call "attack surface" - NT has more attack surface

with more security, W9x has lesser attack surface with

almost no security.

 

[...]

Guest mayayana
Posted

> Actually it is possible to determine what each instance of svchost is
> doing. WMI can show what is executed by each instance and you can use the
> Task Manager interactively to determine that information (you probably
> need to modify the view to show the columns). The sysinternals site in
> Microsoft has a process monitor that can show the information.
>
> The ZoneAlarm people are technical enough that they could hook each
> instance of svchost if necessary.
>

That would be nice, but they haven't done it
that I know of. Maybe there are better options
than ZA out there, though. I haven't looked into
what's available for XP and/or Vista.

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

+Bob+ wrote:
> On Wed, 18 Feb 2009 23:33:13 -0500, Jack the Ripper <Jack@Rripper.com>
> wrote:
>
>> +Bob+ wrote:
>>> On Wed, 18 Feb 2009 13:49:42 -0500, Jack the Ripper <Jack@Rripper.com>
>>> wrote:
>>>
>>>> Is this supposed to be some kind of a joke here, because you seem serious?
>>> You sure post under a lot of different names. Is that a joke?
>> You didn't answer the question. Therefore, I know that you don't know
>> what you are talking about.
>
> Seems like you are the one avoiding the question. Why do you post
> under so many different monikers?

If it was any of your business as to what I do, how I do it, when I do
it or why I do it, that would be one thing. But since it's none of your
business as to what I am doing and I don't answer to you, then your
question means absolutely nothing to me concerning this.

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

Sam Hobbs wrote:
> "Jack the Ripper" <Jack@Rripper.com> wrote in message
> news:OM2Q6ClkJHA.5980@TK2MSFTNGP06.phx.gbl...
>> Sam Hobbs wrote:
>>> "mayayana" <mayayaXXna@rcXXn.com> wrote in message
>>> news:%23FbIbxdkJHA.1340@TK2MSFTNGP06.phx.gbl...
>>>>
>>>> Complicating matters, Microsoft shrouds a number of
>>>> services in the svchost.exe process, which can run in
>>>> multiple instances. So if you allow svchost through the
>>>> firewall it's not so easy to know exactly what you're
>>>> allowing. And ZA can't differentiate between the actual
>>>> processes running under the svchost "hat".
>>>
>>> Actually it is possible to determine what each instance of svchost is
>>> doing. WMI can show what is executed by each instance and you can use
>>> the Task Manager interactively to determine that information (you
>>> probably need to modify the view to show the columns). The
>>> sysinternals site in Microsoft has a process monitor that can show
>>> the information.
>>>
>>> The ZoneAlarm people are technical enough that they could hook each
>>> instance of svchost if necessary.
>>>
>>
>> Look man, those users using ZA (home users most likely) or any other
>> personal FW solutions are not savvy enough to find a hidden process,
>> because I have talked with them in other NG(s) including ZA users
>> about using PE, how to use it and they couldn't find a thing, probably
>> looking right at it in their face.
>
> I said nothing about users. I said "ZoneAlarm people", not ZoneAlarm users.

You make no sense whatsoever. If one is using the ZA application, then
one is a user of ZA. :)
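The svchost passage quoted above, and mayayana's earlier reply to it, say WMI can show which services each svchost.exe instance is running, which is what you need to know before allowing "svchost" through a firewall. As an added example, not code from the thread, from ZoneAlarm or from Microsoft, here is a PowerShell function that does that mapping with the standard Win32_Process and Win32_Service classes (assumes PowerShell 3.0 or later for Get-CimInstance; the PID 1234 in the usage line is a placeholder):

```powershell
# Added example (not from the thread): map every running svchost.exe to the
# services it hosts, so a firewall prompt naming "svchost.exe" can be judged
# by what actually runs inside that PID. Uses the standard Win32_Process and
# Win32_Service WMI classes via Get-CimInstance (PowerShell 3.0 or later).
# Run from an elevated prompt to see the command line of hosts that run as
# SYSTEM or a service account.
function Get-SvchostServiceMap {
    [CmdletBinding()]
    param(
        # Optional: restrict output to the one PID a firewall alert named.
        [int]$ProcessId = 0
    )

    # Every svchost.exe instance currently running.
    $hosts = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'"
    if ($ProcessId -ne 0) {
        $hosts = $hosts | Where-Object { $_.ProcessId -eq $ProcessId }
    }

    # Running services grouped by the PID they live in. A stopped service
    # reports ProcessId 0, so those are dropped first.
    $svcByPid = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    foreach ($h in $hosts) {
        $key  = [string]$h.ProcessId
        $svcs = @()
        if ($svcByPid -and $svcByPid.ContainsKey($key)) { $svcs = @($svcByPid[$key]) }

        [pscustomobject]@{
            ProcessId   = $h.ProcessId
            # The "-k <group>" argument names the service group this host was
            # started for; it is empty if the process cannot be opened.
            CommandLine = $h.CommandLine
            Services    = (@($svcs | ForEach-Object { $_.Name }) | Sort-Object) -join ', '
            # Accounts the hosted services run under (LocalSystem, NT AUTHORITY\NetworkService, ...).
            RunsAs      = (@($svcs | ForEach-Object { $_.StartName }) | Sort-Object -Unique) -join ', '
            # An svchost with no matching service is unexpected and worth inspecting.
            Orphan      = ($svcs.Count -eq 0)
        }
    }
}

# Show all hosts, then drill into the one PID a prompt named (placeholder PID).
Get-SvchostServiceMap | Sort-Object ProcessId |
    Format-Table ProcessId, Orphan, Services, RunsAs -AutoSize -Wrap
# Get-SvchostServiceMap -ProcessId 1234 | Format-List
```

Sysinternals Process Explorer shows the same grouping interactively, which is the tool the thread refers to; this function is the scriptable equivalent for checking a host before writing a rule for it.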

Guest Jack the Ripper
Posted

Re: Microsoft Windows Vista includes a two-way firewall. TO THE TOP

+Bob+ wrote:
> On Wed, 18 Feb 2009 23:41:00 -0500, Jack the Ripper <Jack@Rripper.com>
> wrote:
>
>> +Bob+ wrote:
>>> On Wed, 18 Feb 2009 19:59:31 -0500, "FromTheRafters"
>>> <erratic@nomail.afraid.org> wrote:
>>>
>>> Nonsense. I run programs that have no need to access the Internet - at
>>> least not unless I want them to. They aren't intrinsically evil
>>> programs, but they also don't need to do internet access unless there
>>> is a specific need for it.
>> Nonsense, you either know what is running on the computer or you don't.
>
> I know what's running.
>
>> If you trust the program, then you should have no problems in allowing
>> that program to access the Internet. If you don't trust the program,
>> then you shouldn't have the program on the computer period.
>
> Your opinion, not mine. Many people disagree with you.
>
>> It's as simple as that, and it doesn't take a rocket scientist to figure
>> it out.
>
> Certainly no one will ever mistake you for a scientist as you are
> incapable of objectively analyzing anything.
>

You are an idiot. Why I bother with you is beyond me.
