Lars D. Noodén wrote:

> What is the best way to enlighten the large population of end users that 
> there are applications that track and report on all their activities and 
> that OOo is not one of them?
> 
> On Fri, 15 Apr 2005, Alexandro Colorado wrote:
> 
>> How in the world is that the responsibility of the Firewall to know?
> 
> The application vendor (OOo) would contact the firewall vendor.
> 
> There are many windows applications and systems that "phone home", (e.g. 
> WMP, RealPlayer, MS-Explorer, MS-Office 2003), but I assume the firewall 
> lets that slide or gives a placating warning since there is no mainstream 
> consumer complaint regarding those applications.

That exactly creates a new problem. Malicious software like some
ActiveX controls is executed in the browser process and can then do
evil[TM] things without any notice, because the "firewall" only sees the
iexplore.exe process contacting something outside, but doesn't give a
warning because iexplore.exe is thought to be a "good" one.

This concept is broken by design.

There is no real security without knowledge - that's hard but that's as
it is.

Moreover, the "firewalls" we are talking about are the so called
"Personal Firewalls", I assume, and additionally I assume that our
discussion is about the Windows platform.

Such a PFW can only give notifications to users that a certain process
tries to establish a connection to the Internet. They are not able to
handle this situation automatically by themselves, so user interaction
(and so user knowledge) is needed.

But most PFWs can't even do *this* reliably. IMHO none of them can
do this, because it's so easy for malicious software that already sits on
the machine to evade the "firewall", e.g. by just killing it (in the end
a PFW is just a program running on the same computer as the attacker,
and only a few people work as restricted users on Windows, which might
make it possible to protect important processes).

But even if a notification is given, it's up to the user to decide
whether an action notified by a PFW is a threat or not. If the user is
not able to decide this, the PFW is at best useless, but IMHO even worse
than this, because it leaves inexperienced users helpless and confused.

PFWs are just snake-oil software: they don't create real security, but
annoy users with a lot of messages they don't understand and usually
make them panic.

A famous German computer security expert has summarized this in a nice
statement (translation from German made by me):

Working with Personal Firewalls is like having sex with a condom full
of holes. It doesn't really help you, but it really spoils the fun for you.

I think there is nothing that needs to be added to this. :-)

Best regards,
Mathias

-- 
Mathias Bauer - OpenOffice.org Application Framework Project Lead
Please reply to the list only, [EMAIL PROTECTED] is a spam sink.
