Hi Ron,

On Thu, 15.01.2004 at 18:28, Ron DuFresne wrote:

> cheap

There are cheap personal firewalls, no question about that. But there also are cheap, yet secure end user operating systems which are better serving the end user's interest than a combination of an insecure operating system, an insecure web browser, an insecure email client and so on.

> effective

I don't think personal firewalls are effective. People don't want to spend time learning about personal firewalls and all personal firewalls I know require the end user to interact with the software frequently. The end user has to deny requests from programs he doesn't recognise to access the Internet. The end user has to act on requests from the personal firewall itself if there are updates and so on. Most end users can't even make the difference between virus threats and threats resulting from insecure end user software that requires a wall in front of it.

> quick

When you don't spend at least an hour to explain to end users that there is more to security than a virus scanner you deploy once and leave it as it is for the rest of the decade then nothing will be improved. "quick" is the opposite of reality here. You may install Zone Alarm (the free version) on a PC once and measure the time of the installation and leave the house without further explanations and I guarantee that you will be bombarded with requests for explanations during the next few weeks because the end user denied Outlook Express access to the Internet as the Zone Alarm window popped open and so on.

> allows the non-IT-professional to make a new home system safer

This is even further away from reality than the last one. The non-IT-professional actually believes what the Microsoft commercials were saying: MS Windows is a secure operating system. Because of this, it is already hard to explain to them why they would need a virus scanner if they are already using a secure operating system.
The non-IT-professional end user doesn't even know that Microsoft is offering Windows XP updates, how is he supposed to know about something abstract such as the concept of a firewall? If Microsoft wants people to know that there are patches available then they have to show a TV ad right before the 20:00 news on all major channels.

> Or are we seeing another version of FUD-based-job-security-seeking BS
> spewing from these folks who are not going to get $150 an hour fees in at
> least 4 hour increments from the average home users to 'fix' their systems
> that can't be broke/borked as they are brandy-spankin-new.

This is totally out of place reasoning. Let me show you how this "Personal Firewall Day" idea hit my mind:

[cheap] The "sponsors" of this campaign don't have "cheap" in mind. They are aiming for additional income here. This campaign is meant to reduce image damage for a certain company refusing to take security seriously and increase profits for manufacturers of software you wouldn't even need if this certain other company would take better care of its products. There are countless alternatives to established desktop solutions that are way cheaper because you don't have to buy additional software to safeguard the underlying one.

[effective] The process of having to watch three different levels of software: operating system, virus scanner AND personal firewall isn't effective. Effective means turning on the PC and working away and maybe control ONE level of software with ONE tool or even better with ONE button. Most end users can't tell the difference what in the name of Christ they have to update. They have lost control and they don't care as long as it still is working. They only act when something is broken. The solution to effective and end user friendly security in MS Windows IS NOT a personal firewall that protects against the bugs of end user applications that shouldn't even be there! The blame is all on Microsoft.
Why did they wait until the upcoming service pack of Windows XP until they realised that security requires "secure by default"? Why do all Windows operating systems come with all doors open by default? Why did countless Windows XP machines have an open RPC port when this feature REALLY wasn't needed on the average end user PC? This is the transition to:

[trust] Why are there still well known bugs in the Internet Explorer 6 for longer than two months without a patch?! What happened about this idea of dear old Steve, who wanted to show us that MS is releasing patches faster and more reliably than the Open Source community? I guess, it died. Not only did it die, MS increased the time we have to wait for patches. We get patches when they are ready (better "if" they are ready...) and not when we need them. Sure, this makes patching predictable. But hey, does a script kiddie respect Microsoft's scheduling strategy when he aims for a major worm attack on the Internet? Well, the initiator of this ad email (almost spam), pivX must know a little bit about unpatched MS software until they agreed to take down the list of bugs in MS software without available patches from their website. Security by obscurity. Isn't this list about the contrary? And look who they are doing business with now. Isn't this a coincidence?! Sorry, but any reasonable end user shouldn't trust MS on its serious attention to security. They say A and do B.

[quick] By the time I get to install and explain a personal firewall, a virus scanner and the process of updating the operating system I could have installed a whole NEW operating system that doesn't have this level of complexity for the end user. I really know why the folks named this campaign "Personal Firewall _DAY_". It sure takes a whole day to promote and establish security on one end user PC running MS Windows XP. This is the transition to...

I'll end this rant with a report of a "home visit" of "Dr. PC" and you'll see why this whole "Personal Firewall Day" idea is rather pathetic.

I was asked to fix a Windows XP Home PC of a family in the neighbourhood, a typical family you get to know from TV ads: a happy middle-class couple, a teen daughter and a younger son. The only thing missing was the dog. They even had the typical PC with Windows XP Home. The reason for asking me over was a virus suspicion. OK, I thought. Take your Linux live CD with f-prot and off you go.

The first thing I noticed was: No virus scanning software installed of any kind. No personal firewall software installed of any kind. Not one single Microsoft patch installed. This fits into the picture of a typical family with two kids (yet no dog) and a Windows XP Home PC.

I booted the PC with my clean Linux CD and ran f-prot over all partitions, finding 7 different viruses and two trojan backdoor programs in 30 infected files. In addition, I ran Adaware and Spybot which found about a hundred different entries in the registry, countless cookies and three or four dialer programs. I got rid of those too. Cleaning this stuff and the frequent reboots in between took some time, but hey! All for a healthy neighbourhood relation, a cookie and a glass of milk. Finally a clean PC. Damn! I missed the Simpsons!

Well, on then. Let's get connected and download those MS patches, install a recent virus scanner and install a personal firewall. Well, guess what happened as soon as I connected to the Internet? Yes, you're right. Before the MS Windows update page could be fully loaded I already had a visit from that darn RPC worm. Less than 10 seconds. Is that a record?!

To summarise the rest, I spent two more hours downloading and rebooting each time after installing MS patches. I installed a free virus scanner from antivir.de and Zone Alarm and took the time to explain everything to the family, making a little howto on a piece of paper what they had to do.
Today, more than two months later, I still get the same questions why they have to update the virus signatures every third day and what that yellow window means that is popping up and asking about some iexplore.exe wanting to connect to the Internet.

So, excuse me when I say: F*CK YOU, Personal Firewall Day!

regards,
Tobias W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html